mirror of
https://github.com/apache/superset.git
synced 2026-04-19 16:14:52 +00:00
[security] Refactor security code into SupersetSecurityManager (#4565)
* move access permissions methods to security manager * consolidate all security methods into SupersetSecurityManager * update security method calls * update calls from tests * move get_or_create_main_db to utils * raise if supersetsecuritymanager is not extended * rename sm to security_manager
This commit is contained in:
timifasubaa
@@ -10,7 +10,7 @@ import unittest
|
||||
|
||||
import mock
|
||||
|
||||
from superset import app, db, security, sm
|
||||
from superset import app, db, security_manager
|
||||
from superset.connectors.connector_registry import ConnectorRegistry
|
||||
from superset.connectors.druid.models import DruidDatasource
|
||||
from superset.connectors.sqla.models import SqlaTable
|
||||
@@ -70,13 +70,14 @@ def create_access_request(session, ds_type, ds_name, role_name, user_name):
|
||||
else:
|
||||
ds = session.query(ds_class).filter(
|
||||
ds_class.datasource_name == ds_name).first()
|
||||
ds_perm_view = sm.find_permission_view_menu(
|
||||
ds_perm_view = security_manager.find_permission_view_menu(
|
||||
'datasource_access', ds.perm)
|
||||
sm.add_permission_role(sm.find_role(role_name), ds_perm_view)
|
||||
security_manager.add_permission_role(
|
||||
security_manager.find_role(role_name), ds_perm_view)
|
||||
access_request = models.DatasourceAccessRequest(
|
||||
datasource_id=ds.id,
|
||||
datasource_type=ds_type,
|
||||
created_by_fk=sm.find_user(username=user_name).id,
|
||||
created_by_fk=security_manager.find_user(username=user_name).id,
|
||||
)
|
||||
session.add(access_request)
|
||||
session.commit()
|
||||
@@ -89,21 +90,21 @@ class RequestAccessTests(SupersetTestCase):
|
||||
|
||||
@classmethod
|
||||
def setUpClass(cls):
|
||||
sm.add_role('override_me')
|
||||
sm.add_role(TEST_ROLE_1)
|
||||
sm.add_role(TEST_ROLE_2)
|
||||
sm.add_role(DB_ACCESS_ROLE)
|
||||
sm.add_role(SCHEMA_ACCESS_ROLE)
|
||||
security_manager.add_role('override_me')
|
||||
security_manager.add_role(TEST_ROLE_1)
|
||||
security_manager.add_role(TEST_ROLE_2)
|
||||
security_manager.add_role(DB_ACCESS_ROLE)
|
||||
security_manager.add_role(SCHEMA_ACCESS_ROLE)
|
||||
db.session.commit()
|
||||
|
||||
@classmethod
|
||||
def tearDownClass(cls):
|
||||
override_me = sm.find_role('override_me')
|
||||
override_me = security_manager.find_role('override_me')
|
||||
db.session.delete(override_me)
|
||||
db.session.delete(sm.find_role(TEST_ROLE_1))
|
||||
db.session.delete(sm.find_role(TEST_ROLE_2))
|
||||
db.session.delete(sm.find_role(DB_ACCESS_ROLE))
|
||||
db.session.delete(sm.find_role(SCHEMA_ACCESS_ROLE))
|
||||
db.session.delete(security_manager.find_role(TEST_ROLE_1))
|
||||
db.session.delete(security_manager.find_role(TEST_ROLE_2))
|
||||
db.session.delete(security_manager.find_role(DB_ACCESS_ROLE))
|
||||
db.session.delete(security_manager.find_role(SCHEMA_ACCESS_ROLE))
|
||||
db.session.commit()
|
||||
|
||||
def setUp(self):
|
||||
@@ -111,7 +112,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
|
||||
def tearDown(self):
|
||||
self.logout()
|
||||
override_me = sm.find_role('override_me')
|
||||
override_me = security_manager.find_role('override_me')
|
||||
override_me.permissions = []
|
||||
db.session.commit()
|
||||
db.session.close()
|
||||
@@ -133,7 +134,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
content_type='application/json')
|
||||
self.assertEquals(201, response.status_code)
|
||||
|
||||
updated_override_me = sm.find_role('override_me')
|
||||
updated_override_me = security_manager.find_role('override_me')
|
||||
self.assertEquals(1, len(updated_override_me.permissions))
|
||||
birth_names = self.get_table_by_name('birth_names')
|
||||
self.assertEquals(
|
||||
@@ -150,7 +151,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
content_type='application/json')
|
||||
self.assertEquals(201, response.status_code)
|
||||
|
||||
updated_role = sm.find_role('override_me')
|
||||
updated_role = security_manager.find_role('override_me')
|
||||
perms = sorted(
|
||||
updated_role.permissions, key=lambda p: p.view_menu.name)
|
||||
druid_ds_1 = self.get_druid_ds_by_name('druid_ds_1')
|
||||
@@ -169,9 +170,9 @@ class RequestAccessTests(SupersetTestCase):
|
||||
self.assertEquals(3, len(perms))
|
||||
|
||||
def test_override_role_permissions_drops_absent_perms(self):
|
||||
override_me = sm.find_role('override_me')
|
||||
override_me = security_manager.find_role('override_me')
|
||||
override_me.permissions.append(
|
||||
sm.find_permission_view_menu(
|
||||
security_manager.find_permission_view_menu(
|
||||
view_menu_name=self.get_table_by_name('long_lat').perm,
|
||||
permission_name='datasource_access'),
|
||||
)
|
||||
@@ -182,7 +183,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
data=json.dumps(ROLE_TABLES_PERM_DATA),
|
||||
content_type='application/json')
|
||||
self.assertEquals(201, response.status_code)
|
||||
updated_override_me = sm.find_role('override_me')
|
||||
updated_override_me = security_manager.find_role('override_me')
|
||||
self.assertEquals(1, len(updated_override_me.permissions))
|
||||
birth_names = self.get_table_by_name('birth_names')
|
||||
self.assertEquals(
|
||||
@@ -218,8 +219,8 @@ class RequestAccessTests(SupersetTestCase):
|
||||
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
|
||||
self.assertFalse(access_requests)
|
||||
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user.roles.remove(sm.find_role('test_role1'))
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
gamma_user.roles.remove(security_manager.find_role('test_role1'))
|
||||
|
||||
def test_clean_requests_after_alpha_grant(self):
|
||||
session = db.session
|
||||
@@ -234,8 +235,8 @@ class RequestAccessTests(SupersetTestCase):
|
||||
session, 'table', 'birth_names', TEST_ROLE_2, 'gamma2')
|
||||
ds_1_id = access_request1.datasource_id
|
||||
# gamma becomes alpha
|
||||
alpha_role = sm.find_role('Alpha')
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
alpha_role = security_manager.find_role('Alpha')
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
gamma_user.roles.append(alpha_role)
|
||||
session.commit()
|
||||
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
|
||||
@@ -245,8 +246,8 @@ class RequestAccessTests(SupersetTestCase):
|
||||
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
|
||||
self.assertFalse(access_requests)
|
||||
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user.roles.remove(sm.find_role('Alpha'))
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
gamma_user.roles.remove(security_manager.find_role('Alpha'))
|
||||
session.commit()
|
||||
|
||||
def test_clean_requests_after_db_grant(self):
|
||||
@@ -256,7 +257,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
# Gamma gets database access, gamma2 access request granted
|
||||
# Check if request by gamma has been deleted
|
||||
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
access_request1 = create_access_request(
|
||||
session, 'table', 'long_lat', TEST_ROLE_1, 'gamma')
|
||||
create_access_request(
|
||||
@@ -265,13 +266,12 @@ class RequestAccessTests(SupersetTestCase):
|
||||
# gamma gets granted database access
|
||||
database = session.query(models.Database).first()
|
||||
|
||||
security.merge_perm(
|
||||
sm, 'database_access', database.perm)
|
||||
ds_perm_view = sm.find_permission_view_menu(
|
||||
security_manager.merge_perm('database_access', database.perm)
|
||||
ds_perm_view = security_manager.find_permission_view_menu(
|
||||
'database_access', database.perm)
|
||||
sm.add_permission_role(
|
||||
sm.find_role(DB_ACCESS_ROLE), ds_perm_view)
|
||||
gamma_user.roles.append(sm.find_role(DB_ACCESS_ROLE))
|
||||
security_manager.add_permission_role(
|
||||
security_manager.find_role(DB_ACCESS_ROLE), ds_perm_view)
|
||||
gamma_user.roles.append(security_manager.find_role(DB_ACCESS_ROLE))
|
||||
session.commit()
|
||||
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
|
||||
self.assertTrue(access_requests)
|
||||
@@ -281,8 +281,8 @@ class RequestAccessTests(SupersetTestCase):
|
||||
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
|
||||
|
||||
self.assertFalse(access_requests)
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user.roles.remove(sm.find_role(DB_ACCESS_ROLE))
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
gamma_user.roles.remove(security_manager.find_role(DB_ACCESS_ROLE))
|
||||
session.commit()
|
||||
|
||||
def test_clean_requests_after_schema_grant(self):
|
||||
@@ -292,7 +292,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
# Gamma gets schema access, gamma2 access request granted
|
||||
# Check if request by gamma has been deleted
|
||||
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
access_request1 = create_access_request(
|
||||
session, 'table', 'wb_health_population', TEST_ROLE_1, 'gamma')
|
||||
create_access_request(
|
||||
@@ -302,21 +302,20 @@ class RequestAccessTests(SupersetTestCase):
|
||||
table_name='wb_health_population').first()
|
||||
|
||||
ds.schema = 'temp_schema'
|
||||
security.merge_perm(
|
||||
sm, 'schema_access', ds.schema_perm)
|
||||
schema_perm_view = sm.find_permission_view_menu(
|
||||
security_manager.merge_perm('schema_access', ds.schema_perm)
|
||||
schema_perm_view = security_manager.find_permission_view_menu(
|
||||
'schema_access', ds.schema_perm)
|
||||
sm.add_permission_role(
|
||||
sm.find_role(SCHEMA_ACCESS_ROLE), schema_perm_view)
|
||||
gamma_user.roles.append(sm.find_role(SCHEMA_ACCESS_ROLE))
|
||||
security_manager.add_permission_role(
|
||||
security_manager.find_role(SCHEMA_ACCESS_ROLE), schema_perm_view)
|
||||
gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
|
||||
session.commit()
|
||||
# gamma2 request gets fulfilled
|
||||
self.client.get(EXTEND_ROLE_REQUEST.format(
|
||||
'table', ds_1_id, 'gamma2', TEST_ROLE_2))
|
||||
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
|
||||
self.assertFalse(access_requests)
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user.roles.remove(sm.find_role(SCHEMA_ACCESS_ROLE))
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
gamma_user.roles.remove(security_manager.find_role(SCHEMA_ACCESS_ROLE))
|
||||
|
||||
ds = session.query(SqlaTable).filter_by(
|
||||
table_name='wb_health_population').first()
|
||||
@@ -329,7 +328,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
if app.config.get('ENABLE_ACCESS_REQUEST'):
|
||||
session = db.session
|
||||
TEST_ROLE_NAME = 'table_role'
|
||||
sm.add_role(TEST_ROLE_NAME)
|
||||
security_manager.add_role(TEST_ROLE_NAME)
|
||||
|
||||
# Case 1. Grant new role to the user.
|
||||
|
||||
@@ -341,8 +340,8 @@ class RequestAccessTests(SupersetTestCase):
|
||||
# Test email content.
|
||||
self.assertTrue(mock_send_mime.called)
|
||||
call_args = mock_send_mime.call_args[0]
|
||||
self.assertEqual([sm.find_user(username='gamma').email,
|
||||
sm.find_user(username='admin').email],
|
||||
self.assertEqual([security_manager.find_user(username='gamma').email,
|
||||
security_manager.find_user(username='admin').email],
|
||||
call_args[1])
|
||||
self.assertEqual(
|
||||
'[Superset] Access to the datasource {} was granted'.format(
|
||||
@@ -354,7 +353,7 @@ class RequestAccessTests(SupersetTestCase):
|
||||
# request was removed
|
||||
self.assertFalse(access_requests)
|
||||
# user was granted table_role
|
||||
user_roles = [r.name for r in sm.find_user('gamma').roles]
|
||||
user_roles = [r.name for r in security_manager.find_user('gamma').roles]
|
||||
self.assertIn(TEST_ROLE_NAME, user_roles)
|
||||
|
||||
# Case 2. Extend the role to have access to the table
|
||||
@@ -371,8 +370,8 @@ class RequestAccessTests(SupersetTestCase):
|
||||
# Test email content.
|
||||
self.assertTrue(mock_send_mime.called)
|
||||
call_args = mock_send_mime.call_args[0]
|
||||
self.assertEqual([sm.find_user(username='gamma').email,
|
||||
sm.find_user(username='admin').email],
|
||||
self.assertEqual([security_manager.find_user(username='gamma').email,
|
||||
security_manager.find_user(username='admin').email],
|
||||
call_args[1])
|
||||
self.assertEqual(
|
||||
'[Superset] Access to the datasource {} was granted'.format(
|
||||
@@ -383,21 +382,21 @@ class RequestAccessTests(SupersetTestCase):
|
||||
# request was removed
|
||||
self.assertFalse(access_requests)
|
||||
# table_role was extended to grant access to the long_lat table/
|
||||
perm_view = sm.find_permission_view_menu(
|
||||
perm_view = security_manager.find_permission_view_menu(
|
||||
'datasource_access', long_lat_perm)
|
||||
TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
|
||||
TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
|
||||
self.assertIn(perm_view, TEST_ROLE.permissions)
|
||||
|
||||
# Case 3. Grant new role to the user to access the druid datasource.
|
||||
|
||||
sm.add_role('druid_role')
|
||||
security_manager.add_role('druid_role')
|
||||
access_request3 = create_access_request(
|
||||
session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
|
||||
self.get_resp(GRANT_ROLE_REQUEST.format(
|
||||
'druid', access_request3.datasource_id, 'gamma', 'druid_role'))
|
||||
|
||||
# user was granted table_role
|
||||
user_roles = [r.name for r in sm.find_user('gamma').roles]
|
||||
user_roles = [r.name for r in security_manager.find_user('gamma').roles]
|
||||
self.assertIn('druid_role', user_roles)
|
||||
|
||||
# Case 4. Extend the role to have access to the druid datasource
|
||||
@@ -409,17 +408,17 @@ class RequestAccessTests(SupersetTestCase):
|
||||
self.client.get(EXTEND_ROLE_REQUEST.format(
|
||||
'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
|
||||
# druid_role was extended to grant access to the druid_access_ds_2
|
||||
druid_role = sm.find_role('druid_role')
|
||||
perm_view = sm.find_permission_view_menu(
|
||||
druid_role = security_manager.find_role('druid_role')
|
||||
perm_view = security_manager.find_permission_view_menu(
|
||||
'datasource_access', druid_ds_2_perm)
|
||||
self.assertIn(perm_view, druid_role.permissions)
|
||||
|
||||
# cleanup
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user.roles.remove(sm.find_role('druid_role'))
|
||||
gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
|
||||
session.delete(sm.find_role('druid_role'))
|
||||
session.delete(sm.find_role(TEST_ROLE_NAME))
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
gamma_user.roles.remove(security_manager.find_role('druid_role'))
|
||||
gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
|
||||
session.delete(security_manager.find_role('druid_role'))
|
||||
session.delete(security_manager.find_role(TEST_ROLE_NAME))
|
||||
session.commit()
|
||||
|
||||
def test_request_access(self):
|
||||
@@ -427,9 +426,9 @@ class RequestAccessTests(SupersetTestCase):
|
||||
session = db.session
|
||||
self.logout()
|
||||
self.login(username='gamma')
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
sm.add_role('dummy_role')
|
||||
gamma_user.roles.append(sm.find_role('dummy_role'))
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
security_manager.add_role('dummy_role')
|
||||
gamma_user.roles.append(security_manager.find_role('dummy_role'))
|
||||
session.commit()
|
||||
|
||||
ACCESS_REQUEST = (
|
||||
@@ -461,14 +460,16 @@ class RequestAccessTests(SupersetTestCase):
|
||||
table_3_id = table3.id
|
||||
table3_perm = table3.perm
|
||||
|
||||
sm.add_role('energy_usage_role')
|
||||
alpha_role = sm.find_role('Alpha')
|
||||
sm.add_permission_role(
|
||||
security_manager.add_role('energy_usage_role')
|
||||
alpha_role = security_manager.find_role('Alpha')
|
||||
security_manager.add_permission_role(
|
||||
alpha_role,
|
||||
sm.find_permission_view_menu('datasource_access', table3_perm))
|
||||
sm.add_permission_role(
|
||||
sm.find_role('energy_usage_role'),
|
||||
sm.find_permission_view_menu('datasource_access', table3_perm))
|
||||
security_manager.find_permission_view_menu(
|
||||
'datasource_access', table3_perm))
|
||||
security_manager.add_permission_role(
|
||||
security_manager.find_role('energy_usage_role'),
|
||||
security_manager.find_permission_view_menu(
|
||||
'datasource_access', table3_perm))
|
||||
session.commit()
|
||||
|
||||
self.get_resp(
|
||||
@@ -500,14 +501,16 @@ class RequestAccessTests(SupersetTestCase):
|
||||
druid_ds_5_id = druid_ds_5.id
|
||||
druid_ds_5_perm = druid_ds_5.perm
|
||||
|
||||
druid_ds_2_role = sm.add_role('druid_ds_2_role')
|
||||
admin_role = sm.find_role('Admin')
|
||||
sm.add_permission_role(
|
||||
druid_ds_2_role = security_manager.add_role('druid_ds_2_role')
|
||||
admin_role = security_manager.find_role('Admin')
|
||||
security_manager.add_permission_role(
|
||||
admin_role,
|
||||
sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
|
||||
sm.add_permission_role(
|
||||
security_manager.find_permission_view_menu(
|
||||
'datasource_access', druid_ds_5_perm))
|
||||
security_manager.add_permission_role(
|
||||
druid_ds_2_role,
|
||||
sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
|
||||
security_manager.find_permission_view_menu(
|
||||
'datasource_access', druid_ds_5_perm))
|
||||
session.commit()
|
||||
|
||||
self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
|
||||
@@ -520,8 +523,8 @@ class RequestAccessTests(SupersetTestCase):
|
||||
'<ul><li>{}</li></ul>'.format(approve_link_5))
|
||||
|
||||
# cleanup
|
||||
gamma_user = sm.find_user(username='gamma')
|
||||
gamma_user.roles.remove(sm.find_role('dummy_role'))
|
||||
gamma_user = security_manager.find_user(username='gamma')
|
||||
gamma_user.roles.remove(security_manager.find_role('dummy_role'))
|
||||
session.commit()
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user