Incubator-superset: Database restriction in SQL Lab.

Created on 15 Jun 2018 · 16Comments · Source: apache/incubator-superset

Make sure these boxes are checked before submitting your issue - thank you!

[ ✅] I have checked the superset logs for python stacktraces and included it here as text if any
[ ✅] I have reproduced the issue with at least the latest released version of superset
[ ✅ ] I have checked the issue tracker for the same issue and I haven't found one similar

Superset version

0.24.0

I added a presto datasource named as PrestoVizs in this manner:
presto://presto_server_url:8080/catalog_name/db_name , where db_name is mlp_visualizations in this case .
to the list of databases.
However, In SQL Lab , all databases in the catalog are exposed.
screen shot 2018-06-15 at 12 01 13 pm

Is there any way to restrict the schemas, or in this case the 'databases' from my presto catalog exposed in SQL Lab editor just to the dbname ?
I tried this with an alpha + sql_lab user, apart from admin as well. Is there anyway there is a security role to do this?
Or does one have to change the source code to restrict to just a single schema? If so can you point me in the direction for the same?

inactive

Source

SanjayJosh

All 16 comments

There's no way to restrict that at the moment.

mistercrunch on 19 Jun 2018

I am thinking of changing/ hardcoding the GET api call for /schemas/<db_id> for now.

SanjayJosh on 19 Jun 2018

You could add a config entry callable filter_schemas(database, user, schemas) that returns a subset of the schemas.

mistercrunch on 19 Jun 2018

Alright. Where does that go though?

SanjayJosh on 19 Jun 2018

Add an entry like here, call it SQL_LAB_FILTER_SCHEMAS = None:
https://github.com/apache/incubator-superset/blob/master/superset/config.py#L333

Override in your local superset_config.py

Hook it up in /schemas/<db_id>

mistercrunch on 19 Jun 2018

👍1

Supersets allows you to limit access to a database. So why does it not filter out the databases you do not have permissions for. Say you have two databases, x and y. And your user only has access to x, by setting the rule database access on x. Why does supersets not filter out y in the list of databases in the sql editor?

The scenario I am running into is that I have multiple users who work in the same company but should not have access to certain databases. Like I shouldn't be able to see the finances database in the dropdown if I work in development department. I shouldn't even know that database exists. It definitely seems like a security concern.

I would say this is similar to the following issue. https://github.com/apache/incubator-superset/issues/1434

The logic for the fix to not show databases for slices/dashboards needs to be applied to the sql editor.

pbr0ck3r on 7 Nov 2018

@mistercrunch after doing some more research I have come to the understand that Supersets loads the databases into the localStorage when opening the SQL Editor. It loads them from... /databaseasync/api/read. That backend needs to filter the databases the current user has access to based on their roles.

pbr0ck3r on 7 Nov 2018

For the record, to get this to work, you'll have to implement a DatabaseFilter, similar to this SliceFilter https://github.com/apache/incubator-superset/blob/master/superset/views/core.py#L87, and bind it to the DatabaseModelView

mistercrunch on 8 Nov 2018

@mistercrunch created a PR for this issue. https://github.com/apache/incubator-superset/pull/6356

pbr0ck3r on 9 Nov 2018

👍1

Same issue in superset 0.27.0 version. Is there a way to prevent the restricted user from seeing the other data sources in sqllab

Damoddhar on 21 Nov 2018

@Damoddhar No there is not. The PR I committed and linked above fixes the issue.

pbr0ck3r on 21 Nov 2018

@pbr0ck3r No problem. I got database restriction in sqllab and list of databases when clicking Sources >>Databases.
Using your code changes and I did small changes in your code

Damoddhar on 22 Nov 2018

Hi folks, is it possible to progress the PR above to close the issue? It'd be really helpful for me. If there's a way to contribute, let me know!

tomaszj on 4 Apr 2019

👍1

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.