feat: RLS for SQL Lab (#19999)

* feat: RLS for SQL Lab * Small fixes * Pass username to security manager * Update docstrings * Add tests * Remove type from docstring
2026-04-18 15:44:57 +00:00 · 2022-05-12 11:03:01 -07:00
parent ded9122ceb
commit f2881e5bbd
8 changed files with 329 additions and 66 deletions
--- a/superset/sql_lab.py
+++ b/superset/sql_lab.py
@@ -31,7 +31,13 @@ from celery.exceptions import SoftTimeLimitExceeded
 from flask_babel import gettext as __
 from sqlalchemy.orm import Session

-from superset import app, results_backend, results_backend_use_msgpack, security_manager
+from superset import (
+    app,
+    is_feature_enabled,
+    results_backend,
+    results_backend_use_msgpack,
+    security_manager,
+)
 from superset.common.db_query_status import QueryStatus
 from superset.dataframe import df_to_records
 from superset.db_engine_specs import BaseEngineSpec
@@ -41,7 +47,7 @@ from superset.extensions import celery_app
 from superset.models.core import Database
 from superset.models.sql_lab import Query
 from superset.result_set import SupersetResultSet
-from superset.sql_parse import CtasMethod, ParsedQuery
+from superset.sql_parse import CtasMethod, insert_rls, ParsedQuery
 from superset.sqllab.limiting_factor import LimitingFactor
 from superset.utils.celery import session_scope
 from superset.utils.core import json_iso_dttm_ser, QuerySource, zlib_compress
@@ -176,7 +182,7 @@ def get_sql_results(  # pylint: disable=too-many-arguments
            return handle_query_error(ex, query, session)


-def execute_sql_statement(  # pylint: disable=too-many-arguments,too-many-locals
+def execute_sql_statement(  # pylint: disable=too-many-arguments,too-many-locals,too-many-statements
    sql_statement: str,
    query: Query,
    user_name: Optional[str],
@@ -188,7 +194,21 @@ def execute_sql_statement(  # pylint: disable=too-many-arguments,too-many-locals
    """Executes a single SQL statement"""
    database: Database = query.database
    db_engine_spec = database.db_engine_spec
+
    parsed_query = ParsedQuery(sql_statement)
+    if is_feature_enabled("RLS_IN_SQLLAB"):
+        # Insert any applicable RLS predicates
+        parsed_query = ParsedQuery(
+            str(
+                insert_rls(
+                    parsed_query._parsed[0],  # pylint: disable=protected-access
+                    database.id,
+                    query.schema,
+                    username=user_name,
+                )
+            )
+        )
+
    sql = parsed_query.stripped()
    # This is a test to see if the query is being
    # limited by either the dropdown or the sql.