superset-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From maximebeauche...@apache.org
Subject [incubator-superset] branch master updated: [security] make it easier to redefine Alpha/Gamma (#7036)
Date Tue, 02 Apr 2019 01:06:46 GMT
This is an automated email from the ASF dual-hosted git repository.

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new c5bdbc0  [security] make it easier to redefine Alpha/Gamma (#7036)
c5bdbc0 is described below

commit c5bdbc0964e4596b02f7524fca8957685ec03650
Author: Maxime Beauchemin <maximebeauchemin@gmail.com>
AuthorDate: Mon Apr 1 18:06:40 2019 -0700

    [security] make it easier to redefine Alpha/Gamma (#7036)
    
    * [security] make it easier to redefine Alpha/Gamma
    
    While talking about some security aspect and as to how you'd alter Alpha
    or Gamma role in a specific environment, I realized that these
    module-scoped constants would be much more useful as class attributes.
    
    This way, someone can override these sets in their security manager
    to alter base roles.
    
    * fix
    
    * flake8
---
 superset/security.py | 149 +++++++++++++++++++++++++--------------------------
 1 file changed, 74 insertions(+), 75 deletions(-)

diff --git a/superset/security.py b/superset/security.py
index 3c2ce32..3a766d4 100644
--- a/superset/security.py
+++ b/superset/security.py
@@ -27,73 +27,72 @@ from superset import sql_parse
 from superset.connectors.connector_registry import ConnectorRegistry
 from superset.exceptions import SupersetSecurityException
 
-READ_ONLY_MODEL_VIEWS = {
-    'DatabaseAsync',
-    'DatabaseView',
-    'DruidClusterModelView',
-}
-
-USER_MODEL_VIEWS = {
-    'UserDBModelView',
-    'UserLDAPModelView',
-    'UserOAuthModelView',
-    'UserOIDModelView',
-    'UserRemoteUserModelView',
-}
-
-GAMMA_READ_ONLY_MODEL_VIEWS = {
-    'SqlMetricInlineView',
-    'TableColumnInlineView',
-    'TableModelView',
-    'DruidColumnInlineView',
-    'DruidDatasourceModelView',
-    'DruidMetricInlineView',
-} | READ_ONLY_MODEL_VIEWS
-
-ADMIN_ONLY_VIEW_MENUS = {
-    'AccessRequestsModelView',
-    'Manage',
-    'SQL Lab',
-    'Queries',
-    'Refresh Druid Metadata',
-    'ResetPasswordView',
-    'RoleModelView',
-    'Security',
-} | USER_MODEL_VIEWS
-
-ALPHA_ONLY_VIEW_MENUS = {
-    'Upload a CSV',
-}
-
-ADMIN_ONLY_PERMISSIONS = {
-    'all_database_access',
-    'can_sql_json',  # TODO: move can_sql_json to sql_lab role
-    'can_override_role_permissions',
-    'can_sync_druid_source',
-    'can_override_role_permissions',
-    'can_approve',
-    'can_update_role',
-}
-
-READ_ONLY_PERMISSION = {
-    'can_show',
-    'can_list',
-}
-
-ALPHA_ONLY_PERMISSIONS = set([
-    'muldelete',
-    'all_datasource_access',
-])
-
-OBJECT_SPEC_PERMISSIONS = set([
-    'database_access',
-    'schema_access',
-    'datasource_access',
-    'metric_access',
-])
-
 
 class SupersetSecurityManager(SecurityManager):
+    READ_ONLY_MODEL_VIEWS = {
+        'DatabaseAsync',
+        'DatabaseView',
+        'DruidClusterModelView',
+    }
+
+    USER_MODEL_VIEWS = {
+        'UserDBModelView',
+        'UserLDAPModelView',
+        'UserOAuthModelView',
+        'UserOIDModelView',
+        'UserRemoteUserModelView',
+    }
+
+    GAMMA_READ_ONLY_MODEL_VIEWS = {
+        'SqlMetricInlineView',
+        'TableColumnInlineView',
+        'TableModelView',
+        'DruidColumnInlineView',
+        'DruidDatasourceModelView',
+        'DruidMetricInlineView',
+    } | READ_ONLY_MODEL_VIEWS
+
+    ADMIN_ONLY_VIEW_MENUS = {
+        'AccessRequestsModelView',
+        'Manage',
+        'SQL Lab',
+        'Queries',
+        'Refresh Druid Metadata',
+        'ResetPasswordView',
+        'RoleModelView',
+        'Security',
+    } | USER_MODEL_VIEWS
+
+    ALPHA_ONLY_VIEW_MENUS = {
+        'Upload a CSV',
+    }
+
+    ADMIN_ONLY_PERMISSIONS = {
+        'all_database_access',
+        'can_sql_json',  # TODO: move can_sql_json to sql_lab role
+        'can_override_role_permissions',
+        'can_sync_druid_source',
+        'can_override_role_permissions',
+        'can_approve',
+        'can_update_role',
+    }
+
+    READ_ONLY_PERMISSION = {
+        'can_show',
+        'can_list',
+    }
+
+    ALPHA_ONLY_PERMISSIONS = set([
+        'muldelete',
+        'all_datasource_access',
+    ])
+
+    OBJECT_SPEC_PERMISSIONS = set([
+        'database_access',
+        'schema_access',
+        'datasource_access',
+        'metric_access',
+    ])
 
     def get_schema_perm(self, database, schema):
         if schema:
@@ -263,7 +262,7 @@ class SupersetSecurityManager(SecurityManager):
             self.add_permission_view_menu(permission_name, view_menu_name)
 
     def is_user_defined_permission(self, perm):
-        return perm.permission.name in OBJECT_SPEC_PERMISSIONS
+        return perm.permission.name in self.OBJECT_SPEC_PERMISSIONS
 
     def create_custom_permissions(self):
         # Global perms
@@ -359,21 +358,21 @@ class SupersetSecurityManager(SecurityManager):
 
     def is_admin_only(self, pvm):
         # not readonly operations on read only model views allowed only for admins
-        if (pvm.view_menu.name in READ_ONLY_MODEL_VIEWS and
-                pvm.permission.name not in READ_ONLY_PERMISSION):
+        if (pvm.view_menu.name in self.READ_ONLY_MODEL_VIEWS and
+                pvm.permission.name not in self.READ_ONLY_PERMISSION):
             return True
         return (
-            pvm.view_menu.name in ADMIN_ONLY_VIEW_MENUS or
-            pvm.permission.name in ADMIN_ONLY_PERMISSIONS
+            pvm.view_menu.name in self.ADMIN_ONLY_VIEW_MENUS or
+            pvm.permission.name in self.ADMIN_ONLY_PERMISSIONS
         )
 
     def is_alpha_only(self, pvm):
-        if (pvm.view_menu.name in GAMMA_READ_ONLY_MODEL_VIEWS and
-                pvm.permission.name not in READ_ONLY_PERMISSION):
+        if (pvm.view_menu.name in self.GAMMA_READ_ONLY_MODEL_VIEWS and
+                pvm.permission.name not in self.READ_ONLY_PERMISSION):
             return True
         return (
-            pvm.view_menu.name in ALPHA_ONLY_VIEW_MENUS or
-            pvm.permission.name in ALPHA_ONLY_PERMISSIONS
+            pvm.view_menu.name in self.ALPHA_ONLY_VIEW_MENUS or
+            pvm.permission.name in self.ALPHA_ONLY_PERMISSIONS
         )
 
     def is_admin_pvm(self, pvm):
@@ -395,7 +394,7 @@ class SupersetSecurityManager(SecurityManager):
                 'can_sql_json', 'can_csv', 'can_search_queries', 'can_sqllab_viz',
                 'can_sqllab',
             } or
-            (pvm.view_menu.name in USER_MODEL_VIEWS and
+            (pvm.view_menu.name in self.USER_MODEL_VIEWS and
              pvm.permission.name == 'can_list'))
 
     def is_granter_pvm(self, pvm):


Mime
View raw message