From: GitBox
To: notifications@superset.apache.org
Reply-To: dev@superset.apache.org
Subject: [GitHub] [incubator-superset] axelet commented on issue #9532: Row Level Security filter wildcard for all tables and multiple table filters
Date: Wed, 06 May 2020 14:08:16 -0000
Message-ID: <158877409651.26397.18310849223663750110.asfpy@gitbox.apache.org>

axelet commented on issue #9532:
URL: https://github.com/apache/incubator-superset/issues/9532#issuecomment-624671462

@villebro For now I have posted a version (https://github.com/apache/incubator-superset/pull/9751) where the same filters for different tables are grouped together in one filter with multiple tables (Solution 2 described above, except that it doesn't support any wildcard logic). I also added a test to ensure that it works. The original behaviour is not changed for now. However, this doesn't cover the security case I described before.
As for your question about a column not present in the table, we can handle it by checking and filtering all clauses that come from **_get_sqla_row_level_filters()** (if I understood you correctly). We need them to carry the filter-specific columns, so we can check them in **SqlaTable.get_sqla_query()** and apply only the appropriate ones. We have the **cols** dict with the column names; let's check that the clauses reference those column names. Or can we leave it as a user responsibility?

For expr_qry and aliases, I agree it can be circumvented as long as an admin grants SQL Lab access to users. I'm not sure if it's possible without SQL Lab; could you provide any cases? So, I assume it could be done for users without SQL Lab rights (if only admins can create views). Please correct me if I'm wrong. So, there is nothing we can do here other than introducing some wildcards for tables or schemas.
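The column-presence check discussed in the comment above, as an added example that is not part of the original thread or of Superset's code base. It assumes a stand-in `RlsFilter` record for the clauses `_get_sqla_row_level_filters()` would return, a set of column names standing in for the `cols` dict consulted in `SqlaTable.get_sqla_query()`, and a small regex tokenizer (`referenced_columns`) in place of a real SQL parser; all three are assumptions of this example. The sample tables and filters are constructed.

```python
"""
Added example, not code from the Superset project or from the thread above.
Before ANDing a row-level-security (RLS) clause into a table's query, confirm
that every column the clause references exists in that table's column map,
so a clause grouped under several tables is not applied to a table that
lacks the column.

Assumptions (not from the original page):
  * RlsFilter stands in for what _get_sqla_row_level_filters() returns;
    it carries the clause text and the tables the filter is bound to.
  * referenced_columns() is a small regex tokenizer, not a SQL parser.
  * The column map is a set of names standing in for the `cols` dict.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class RlsFilter:
    clause: str             # SQL predicate text, e.g. "region = 'EMEA'"
    tables: FrozenSet[str]  # tables this filter is meant to apply to


# Words the tokenizer must not mistake for column names.
SQL_KEYWORDS = {
    "and", "or", "not", "in", "is", "null", "like", "between", "true",
    "false", "exists", "case", "when", "then", "else", "end",
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_IDENTIFIER = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*\b")


def referenced_columns(clause: str) -> Set[str]:
    """Column names (lower-cased) that a predicate references.

    String literals are blanked first so 'region' inside quotes is not read
    as an identifier; a name followed by '(' is a function call, not a
    column; a qualified name such as t.region is reduced to its last part.
    """
    text = _STRING_LITERAL.sub("''", clause)
    columns: Set[str] = set()
    for match in _IDENTIFIER.finditer(text):
        if text[match.end():].lstrip().startswith("("):
            continue  # function call, e.g. lower(...)
        name = match.group(0).split(".")[-1].lower()
        if name not in SQL_KEYWORDS:
            columns.add(name)
    return columns


def applicable_filters(
    table: str, cols: Iterable[str], filters: Iterable[RlsFilter]
) -> Tuple[List[RlsFilter], List[Tuple[RlsFilter, Set[str]]]]:
    """Split the filters bound to `table` into those whose columns all exist
    in `cols` and those that reference a column the table does not have."""
    known = {c.lower() for c in cols}
    applied: List[RlsFilter] = []
    unresolved: List[Tuple[RlsFilter, Set[str]]] = []
    for rls in filters:
        if table not in rls.tables:
            continue  # bound to other tables only
        missing = referenced_columns(rls.clause) - known
        if missing:
            unresolved.append((rls, missing))
        else:
            applied.append(rls)
    return applied, unresolved


def rls_where_clause(
    table: str, cols: Iterable[str], filters: Iterable[RlsFilter], strict: bool = True
) -> str:
    """Build the WHERE fragment to AND into the query for `table`.

    With strict=True (the safer default) a filter bound to the table that
    cannot be resolved against its columns raises instead of being silently
    dropped, because dropping it would widen what the user can see.
    """
    applied, unresolved = applicable_filters(table, cols, filters)
    if strict and unresolved:
        detail = ", ".join(f"{r.clause!r} -> {sorted(m)}" for r, m in unresolved)
        raise ValueError(f"RLS filter references unknown columns on {table}: {detail}")
    return " AND ".join(f"({r.clause})" for r in applied)


# Constructed sample data for this example (not from the page).
SALES_COLS = {"id", "region", "amount", "sales_rep"}
ORDERS_COLS = {"id", "customer_id", "region"}
FILTERS = [
    RlsFilter("lower(region) = 'emea'", frozenset({"sales", "orders"})),
    RlsFilter("sales_rep = 'alice'", frozenset({"sales", "orders"})),  # orders lacks sales_rep
    RlsFilter("customer_id IN (1, 2) AND id IS NOT NULL", frozenset({"orders"})),
]

if __name__ == "__main__":
    print(rls_where_clause("sales", SALES_COLS, FILTERS))
    print(rls_where_clause("orders", ORDERS_COLS, FILTERS, strict=False))
    try:
        rls_where_clause("orders", ORDERS_COLS, FILTERS)
    except ValueError as exc:
        print("strict mode:", exc)
```

The `strict` flag is the decision point the comment leaves open ("or can we leave it as a user responsibility?"): non-strict mode applies only the clauses that resolve, which is convenient but means a mis-bound filter silently stops restricting rows; strict mode refuses the query so the misconfiguration surfaces instead of widening access.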