| """A set of constants and methods to manage permissions and security""" |
| from __future__ import absolute_import |
| from __future__ import division |
| from __future__ import print_function |
| from __future__ import unicode_literals |
| |
| import logging |
| from flask_appbuilder.security.sqla import models as ab_models |
| |
| from superset import conf, db, sm |
| from superset.models import core as models |
| from superset.connectors.connector_registry import ConnectorRegistry |
| |
| |
| READ_ONLY_MODEL_VIEWS = { |
| 'DatabaseAsync', |
| 'DatabaseView', |
| 'DruidClusterModelView', |
| } |
| |
| GAMMA_READ_ONLY_MODEL_VIEWS = { |
| 'SqlMetricInlineView', |
| 'TableColumnInlineView', |
| 'TableModelView', |
| 'DruidColumnInlineView', |
| 'DruidDatasourceModelView', |
| 'DruidMetricInlineView', |
| } | READ_ONLY_MODEL_VIEWS |
| |
| ADMIN_ONLY_VIEW_MENUS = { |
| 'AccessRequestsModelView', |
| 'Manage', |
| 'SQL Lab', |
| 'Queries', |
| 'Refresh Druid Metadata', |
| 'ResetPasswordView', |
| 'RoleModelView', |
| 'Security', |
| 'UserDBModelView', |
| } |
| |
| ADMIN_ONLY_PERMISSIONS = { |
| 'all_database_access', |
| 'can_sql_json', # TODO: move can_sql_json to sql_lab role |
| 'can_override_role_permissions', |
| 'can_sync_druid_source', |
| 'can_override_role_permissions', |
| 'can_approve', |
| 'can_update_role', |
| } |
| |
| READ_ONLY_PERMISSION = { |
| 'can_show', |
| 'can_list', |
| } |
| |
| ALPHA_ONLY_PERMISSIONS = set([ |
| 'muldelete', |
| 'all_datasource_access', |
| ]) |
| |
| OBJECT_SPEC_PERMISSIONS = set([ |
| 'database_access', |
| 'schema_access', |
| 'datasource_access', |
| 'metric_access', |
| ]) |
| |
| |
| def merge_perm(sm, permission_name, view_menu_name): |
| # Implementation copied from sm.find_permission_view_menu. |
| # TODO: use sm.find_permission_view_menu once issue |
| # https://github.com/airbnb/superset/issues/1944 is resolved. |
| permission = sm.find_permission(permission_name) |
| view_menu = sm.find_view_menu(view_menu_name) |
| pv = None |
| if permission and view_menu: |
| pv = sm.get_session.query(sm.permissionview_model).filter_by( |
| permission=permission, view_menu=view_menu).first() |
| if not pv and permission_name and view_menu_name: |
| sm.add_permission_view_menu(permission_name, view_menu_name) |
| |
| |
| def is_user_defined_permission(perm): |
| return perm.permission.name in OBJECT_SPEC_PERMISSIONS |
| |
| |
| def get_or_create_main_db(): |
| logging.info("Creating database reference") |
| dbobj = ( |
| db.session.query(models.Database) |
| .filter_by(database_name='main') |
| .first() |
| ) |
| if not dbobj: |
| dbobj = models.Database(database_name="main") |
| dbobj.set_sqlalchemy_uri(conf.get("SQLALCHEMY_DATABASE_URI")) |
| dbobj.expose_in_sqllab = True |
| dbobj.allow_run_sync = True |
| db.session.add(dbobj) |
| db.session.commit() |
| return dbobj |
| |
| |
| def is_admin_only(pvm): |
| # not readonly operations on read only model views allowed only for admins |
| if (pvm.view_menu.name in READ_ONLY_MODEL_VIEWS and |
| pvm.permission.name not in READ_ONLY_PERMISSION): |
| return True |
| return (pvm.view_menu.name in ADMIN_ONLY_VIEW_MENUS or |
| pvm.permission.name in ADMIN_ONLY_PERMISSIONS) |
| |
| |
| def is_alpha_only(pvm): |
| if (pvm.view_menu.name in GAMMA_READ_ONLY_MODEL_VIEWS and |
| pvm.permission.name not in READ_ONLY_PERMISSION): |
| return True |
| return pvm.permission.name in ALPHA_ONLY_PERMISSIONS |
| |
| |
| def is_admin_pvm(pvm): |
| return not is_user_defined_permission(pvm) |
| |
| |
| def is_alpha_pvm(pvm): |
| return not (is_user_defined_permission(pvm) or is_admin_only(pvm)) |
| |
| |
| def is_gamma_pvm(pvm): |
| return not (is_user_defined_permission(pvm) or is_admin_only(pvm) or |
| is_alpha_only(pvm)) |
| |
| |
| def is_sql_lab_pvm(pvm): |
| return pvm.view_menu.name in {'SQL Lab'} or pvm.permission.name in { |
| 'can_sql_json', 'can_csv', 'can_search_queries'} |
| |
| |
| def is_granter_pvm(pvm): |
| return pvm.permission.name in {'can_override_role_permissions', |
| 'can_approve'} |
| |
| |
| def set_role(role_name, pvms, pvm_check): |
| logging.info("Syncing {} perms".format(role_name)) |
| role = sm.add_role(role_name) |
| role_pvms = [p for p in pvms if pvm_check(p)] |
| role.permissions = role_pvms |
| sesh = sm.get_session() |
| sesh.merge(role) |
| sesh.commit() |
| |
| |
| def create_custom_permissions(): |
| # Global perms |
| merge_perm(sm, 'all_datasource_access', 'all_datasource_access') |
| merge_perm(sm, 'all_database_access', 'all_database_access') |
| |
| |
| def create_missing_datasource_perms(view_menu_set): |
| logging.info("Creating missing datasource permissions.") |
| datasources = ConnectorRegistry.get_all_datasources( |
| db.session) |
| for datasource in datasources: |
| if datasource and datasource.perm not in view_menu_set: |
| merge_perm(sm, 'datasource_access', datasource.get_perm()) |
| if datasource.schema_perm: |
| merge_perm(sm, 'schema_access', datasource.schema_perm) |
| |
| |
| def create_missing_database_perms(view_menu_set): |
| logging.info("Creating missing database permissions.") |
| databases = db.session.query(models.Database).all() |
| for database in databases: |
| if database and database.perm not in view_menu_set: |
| merge_perm(sm, 'database_access', database.perm) |
| |
| |
| def create_missing_metrics_perm(view_menu_set): |
| """Create permissions for restricted metrics |
| |
| :param metrics: a list of metrics to be processed, if not specified, |
| all metrics are processed |
| :type metrics: models.SqlMetric or models.DruidMetric |
| """ |
| logging.info("Creating missing metrics permissions") |
| metrics = [] |
| for datasource_class in ConnectorRegistry.sources.values(): |
| metrics += list(db.session.query(datasource_class.metric_class).all()) |
| |
| for metric in metrics: |
| if (metric.is_restricted and metric.perm and |
| metric.perm not in view_menu_set): |
| merge_perm(sm, 'metric_access', metric.perm) |
| |
| |
| def sync_role_definitions(): |
| """Inits the Superset application with security roles and such""" |
| logging.info("Syncing role definition") |
| |
| get_or_create_main_db() |
| create_custom_permissions() |
| |
| pvms = db.session.query(ab_models.PermissionView).all() |
| pvms = [p for p in pvms if p.permission and p.view_menu] |
| |
| # cleanup |
| pvms_to_delete = [p for p in pvms if not (p.permission and p.view_menu)] |
| |
| for pvm_to_delete in pvms_to_delete: |
| sm.get_session.delete(pvm_to_delete) |
| |
| # Creating default roles |
| set_role('Admin', pvms, is_admin_pvm) |
| set_role('Alpha', pvms, is_alpha_pvm) |
| set_role('Gamma', pvms, is_gamma_pvm) |
| set_role('granter', pvms, is_granter_pvm) |
| set_role('sql_lab', pvms, is_sql_lab_pvm) |
| |
| if conf.get('PUBLIC_ROLE_LIKE_GAMMA', False): |
| set_role('Public', pvms, is_gamma_pvm) |
| |
| view_menu_set = [] |
| for datasource_class in ConnectorRegistry.sources.values(): |
| view_menu_set += list(db.session.query(datasource_class).all()) |
| create_missing_datasource_perms(view_menu_set) |
| create_missing_database_perms(view_menu_set) |
| create_missing_metrics_perm(view_menu_set) |
| |
| # commit role and view menu updates |
| sm.get_session.commit() |