Comments (5)
The proposal for the Superset Security Model redesign focuses on creating a more intuitive, scalable, and manageable security framework. Key components include:
- Introduction of a Structured Permission System: This aims to simplify the management of permissions, making them more aligned with user expectations and the actual architecture of Superset.
- Implementation of a DSL for ABAC: A domain-specific language for attribute-based access control is proposed to allow for more granular and flexible access control policies, enhancing security measures like row-level security (RLS) and guest access.
- Reducing Dependency on Flask App Builder (FAB): The redesign seeks to manage permissions, roles, and access checks within Superset more directly, moving away from reliance on FAB's models and methods.
- Optimization of Permission Checks: By implementing efficient methods for permission checks, the proposal aims to improve performance and manageability of access control to various resources within Superset.
- Adoption of a Hierarchical Naming Convention for Actions: This will help streamline the management of permissions and roles, making the system more intuitive and easier to navigate.
- Establishment of a Governance Strategy: A strategy for creating, managing, and syncing roles and permissions is proposed to ensure that access control is both robust and flexible.
- Development of a PolicyManager and UI: To facilitate the efficient management of policies and roles, including tools for creating, editing, and assigning roles and permissions, as well as visualizing access control policies.
- Enhanced Security for Embedded and Guest Users: The proposal includes measures to ensure that embedded dashboards and guest users have restricted access based on predefined policies, improving overall security.
This summary encapsulates the main goals and strategies of the proposed Superset Security Model redesign, focusing on improving the system's intuitiveness, scalability, performance, and manageability.
Details
Sources
- [SIP-19] Simplify Superset's set of permissions
- [WiP][SIP-125] Proposal for Enhanced Data Access Permissions
- [SIP-126] Fine-grained access control to Superset entities
- [SIP-89] Integrate role, permission, user APIs on Flask-AppBuilder into Apache Superset
- [SIP-73] Proposal for Improving the security stucture and move to resource based model
- superset/security/manager.py
- docs/docs/security/security.mdx
- superset/explore/utils.py
- superset-frontend/src/features/rls/RowLevelSecurityModal.tsx
- superset/migrations/versions/2024-02-07_17-13_87d38ad83218_migrate_can_view_and_drill_permission.py
- superset/migrations/shared/security_converge.py
About Dosu
This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.
Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it is irrelevant.
To continue the conversation, mention @dosu.
For the DSL and ABAC selectors in the context of Apache Superset's security model redesign, it's beneficial to look into Superset's existing Row Level Security (RLS) feature. This feature already incorporates elements of a domain-specific language (DSL) for attribute-based access control (ABAC), demonstrating the application of complex permission scenarios through conditions like equality, sets, logical operators, and efficient translation into SQLAlchemy .where() clauses. The RLS tests and implementation provide a practical example of how RLS filters can be defined with conditions and applied to SQL queries, showcasing the support for the required features in your ABAC DSL proposal.
The current RLS feature in Superset, as demonstrated in the integration tests, supports defining filters with various conditions, applying these filters based on user roles and dataset-specific rules, and translating these rules efficiently into SQL queries. This aligns with your goals for a DSL that supports equality, sets, negative flips, logical operators, and can be translated into efficient database queries.
Improving upon the current ABAC implementation could involve addressing any existing limitations, such as the complexity of maintaining the system, performance concerns with dynamic permission checks, limited attribute support, and integration challenges with external systems. Enhancing these aspects could lead to a more robust, efficient, and user-friendly ABAC system within Superset.
In summary, leveraging insights from Superset's RLS feature and addressing its limitations could provide a solid foundation for developing a new DSL and ABAC selectors that meet your objectives for a more intuitive, scalable, and manageable security framework.
@dosu can you help summarize this proposal into a few paragraphs?
@dosu can you do some research and suggest similar DSLs or frameworks we may want either use or take inspiration from around our DSL and ABAC selectors?
Unsorted NOTEs from 5/14/24:
- DENY always takes precedence over ALLOW (?) "UNLESS! zindex !important"
- Reverse lookup - who can perform this action on this resource?
- What's in the JWT - size restriction - SHA?
- What's the set of starting resource attributes? ownership!
  - dashboard.is_published
  - dashboard.is_owner
- PolicyManager performance - cache using a global EPOCH? by resource type? by user?
- sizing largest/most complicated environments? CAN THIS WORK IN MEMORY?
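As an added illustration (not code from this thread or from Superset) of the selector DSL discussed above and the deny-over-allow rule in the notes: a small ABAC selector language with equality, set membership, negation and and/or, evaluated in memory against resource attributes such as `is_published` and `owner_id` (the PolicyManager-style check) and compiled to a parameterised SQL WHERE fragment (the RLS-style row filter). All names, policies and the `?` bind-parameter style are assumptions for the example.

```python
# Added, hypothetical example (not Superset's code): a tiny ABAC selector DSL with
# equality, sets, negation and and/or, checked in memory and compiled to an RLS-style filter.
from typing import Any, Dict, List, Tuple

# Selector: ("eq", attr, v) | ("in", attr, {v, ...}) | ("not", c) | ("and"|"or", c, ...)
# Policy: (effect, selector) with effect "ALLOW" or "DENY".
def evaluate(cond: tuple, attrs: Dict[str, Any]) -> bool:
    """PolicyManager-style check of one selector against a resource's attributes."""
    op = cond[0]
    if op == "eq":
        return attrs.get(cond[1]) == cond[2]
    if op == "in":
        return attrs.get(cond[1]) in cond[2]
    if op == "not":
        return not evaluate(cond[1], attrs)
    if op in ("and", "or"):
        return (all if op == "and" else any)(evaluate(c, attrs) for c in cond[1:])
    raise ValueError(f"unknown operator {op!r}")
def decide(policies: List[Tuple[str, tuple]], attrs: Dict[str, Any]) -> str:
    """Deny-overrides: a matching DENY wins, else a matching ALLOW, else DENY."""
    matched = {effect for effect, cond in policies if evaluate(cond, attrs)}
    return "DENY" if "DENY" in matched or "ALLOW" not in matched else "ALLOW"
def to_sql(cond: tuple) -> Tuple[str, List[Any]]:
    """Compile a selector to a WHERE fragment; values travel as bind parameters."""
    op = cond[0]
    if op in ("eq", "in"):
        if not cond[1].isidentifier():  # attribute names are the only text spliced into SQL
            raise ValueError(f"bad attribute name {cond[1]!r}")
        vals = [cond[2]] if op == "eq" else sorted(cond[2], key=repr)
        marks = "= ?" if op == "eq" else f"IN ({', '.join('?' for _ in vals)})"
        return f"{cond[1]} {marks}", vals
    if op == "not":
        sql, params = to_sql(cond[1])
        return f"NOT ({sql})", params
    if op in ("and", "or"):
        parts = [to_sql(c) for c in cond[1:]]
        return f" {op.upper()} ".join(f"({s})" for s, _ in parts), [v for _, ps in parts for v in ps]
    raise ValueError(f"unknown operator {op!r}")
def row_filter(policies: List[Tuple[str, tuple]]) -> Tuple[str, List[Any]]:
    """Row filter equivalent to decide(): (any ALLOW) AND NOT (any DENY)."""
    allows = [c for e, c in policies if e == "ALLOW"]
    denies = [c for e, c in policies if e == "DENY"]
    if not allows:
        return "1 = 0", []  # nothing allowed: the filter matches no rows
    cond = ("or", *allows)
    return to_sql(("and", cond, ("not", ("or", *denies))) if denies else cond)

# Constructed policies for one user whose id (42) was bound in before evaluation.
POLICIES = [("ALLOW", ("eq", "is_published", True)), ("ALLOW", ("eq", "owner_id", 42)),
            ("DENY", ("in", "slug", {"hr-salaries"}))]
```

The same policy set answers both questions from the notes: `decide` is the per-resource check, and `row_filter` is the reverse lookup of every row the user may see, with the DENY branch applied in both.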