Incubator-superset: Row Level Security

I think the caravel way is to pre-process your data and split it in multiple tables.

Thank you Riccardo.
Let us say the table has a column called USERID which tells which user is
authorized to see that row of data. Do you think there could be a way to
insert a "where clause" in the SQL which can insert something like
where user = USERID and Caravel will insert the currently logged in user
ID.
If this is something in the realm of a possibility which code will likely
need to be changed?

On Mon, Jun 27, 2016 at 4:33 PM, Riccardo Magliocchetti <
[email protected]> wrote:

I think the caravel way is to pre-process your data and split it in
multiple tables.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/airbnb/caravel/issues/660#issuecomment-228866599, or mute
the thread
https://github.com/notifications/unsubscribe/AAfwHxouu1MgsZn467jw3tQROv-JYBeTks5qQDOjgaJpZM4I8Zof
.

Il 27/06/2016 22:37, devbhosale ha scritto:

Thank you Riccardo.
Let us say the table has a column called USERID which tells which user is
authorized to see that row of data. Do you think there could be a way to
insert a "where clause" in the SQL which can insert something like
where user = USERID and Caravel will insert the currently logged in user
ID.
If this is something in the realm of a possibility which code will likely
need to be changed?

I don't think that's a good solution sorry :)

I am also curious about a solution to this requirement,
Is there any best practice here for carvel?
If we have 100 users, then to pre preprocess the data will generate 100 tables in this scenario and user might be a dynamic object and could change from time to time , how could we deal with this kind of things?
Thanks for your thoughts.
Sent using CloudMagic Email [https://cloudmagic.com/k/d/mailapp?ct=pi&cv=7.9.6&pv=9.3&source=email_footer_2]
On Tue, Jun 28, 2016 at 4:59 AM, Riccardo Magliocchetti [email protected] wrote:
Il 27/06/2016 22:37, devbhosale ha scritto:

Thank you Riccardo.
Let us say the table has a column called USERID which tells which user is
authorized to see that row of data. Do you think there could be a way to
insert a "where clause" in the SQL which can insert something like
where user = USERID and Caravel will insert the currently logged in user
ID.
If this is something in the realm of a possibility which code will likely
need to be changed?

I don't think that's a good solution sorry :)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub [https://github.com/airbnb/caravel/issues/660#issuecomment-228873730] , or mute the thread [https://github.com/notifications/unsubscribe/AABYGhUpiJU-EDa2KU2NpxKMH0L-r7Rkks5qQDnDgaJpZM4I8Zof] .

Views over tables here for sure, you don't need to materialize the data.

Another way would be to add a configuration item where you pick a role and table and define a filtering criteria. If the user has that role then you force the filtering criteria in the where clause.

We have this exact use case. We would like to implement with @JulieRossi this configuration item you talk about.

Another way would be to add a configuration item where you pick a role and table and define a filtering criteria. If the user has that role then you force the filtering criteria in the where clause.

@mistercrunch : Could you give us broad outlines on the steps we should take ?

To be more specific, our use case will be to add a WHERE clause based on a specific department in our organisation.

I was wondering if any features have changed to allow true row level security.

It's still not supported. I think this would require a SIP (Superset Improvement Proposal). I don't think this would be too hard to do though.

Essentially we need a new model "RowLevelSecurityFilter" that has a many-to-one relationship to "BaseDatasource", and many-to-one to "Roles". Then we need the CRUD to manage those (UI and REST API), FAB's ModelView can provide much of this for free.

After it's a matter of forcing the filter into the query method of each connector.

@pajachiet still interested in doing a SIP?

Sorry, not anymore. The BI project moved to another solution to deal with this issue.

bummer. This would be great feature.

I tried tons of open source bi such as Metabase, Redash, CBoard, etc. and RLS only available in enterprise version and just Metabase has it. Conclusion: no money no RLS😪