villebro opened a new pull request #10946: URL: https://github.com/apache/incubator-superset/pull/10946
### SUMMARY

This PR adds two new fields to Row Level Security Filters (RLS):

- **Filter type**: Currently RLS filters only apply additional filters if a user belongs to a role referenced by an RLS filter. This can cause leakage of sensitive data, as a person that doesn't satisfy any RLS filters will see all data (= no RLS filters applied). To fix this, a base filter type is added that can be used to apply a base filter for all users. This is especially useful for cases where by default we don't want to show any rows if a user doesn't belong to any roles that have RLS filters attached to them. In this case we can set a base filter of `1 = 0`, which will always be false.
- **Grouping key**: Currently RLS filters are always additive. This can be problematic in cases where a user belongs to many roles that are exclusive. If, for instance, a person belongs to departments A and B and there is an RLS filter for both departments, the user won't see any rows, as the where clause will be `department = 'A' AND department = 'B'`. For these cases a group key `department` can be assigned to both RLS filters, after which they are ORed together.

Example:

- We want all data in a table to be visible to the Admin role
- For regular users, we should only show 1 year of data
- For researchers, 10 years of data will be shown
- Data for domestic region is available to all users
- Data for foreign region is restricted to management only

RLS filters:

- Filter 1: Type: Base, excluded roles: Admin, grouping key: "duration", clause: `date > now - 1 year`
- Filter 2: Type: Regular, roles: Research, grouping key: "duration", clause: `date > now - 10 year`
- Filter 3: Type: Base, excluded roles: Admin, grouping key: "region", clause: `region = 'domestic'`
- Filter 4: Type: Regular, roles: Management, grouping key: "region", clause: `region = 'foreign'`

This would render the following extra clauses:

- Admin user: None
- No roles: `(date > now - 1 year) AND (region = 'domestic')`
- Research: `(date > now - 1 year OR date > now - 10 year) AND (region = 'domestic')`
- Management: `(date > now - 1 year) AND (region = 'domestic' OR region = 'foreign')`
- Management + Research: `(date > now - 1 year OR date > now - 10 year) AND (region = 'domestic' OR region = 'foreign')`

This change is backwards compatible, meaning that current filters will continue to function as before.

### SCREENSHOTS

### TEST PLAN

CI + new tests

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Changes UI
- [ ] Requires DB Migration.
- [ ] Confirm DB Migration upgrade and downgrade tested.
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
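The clause-combination rules described in the PR (base vs. regular filter types, OR within a grouping key, AND across groups) as a small added example. This is not Superset's own implementation or code from the PR; the `RLSFilter` dataclass, `combine_rls_clauses` and `filter_applies` names are made up for the illustration, and the handling of filters that have no grouping key (each one forms its own group, preserving the old additive behaviour) is an assumption rather than something the PR text states. The first filter list reproduces the four filters from the PR example; the second is a constructed set showing the `1 = 0` deny-by-default pattern with the department example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union

# Added example, not Superset's implementation: models the two new RLS
# fields from the PR (filter type and grouping key) and assembles the
# per-user extra WHERE clause the way the PR description lays it out.

BASE = "base"        # applies to every user who does NOT hold one of `roles`
REGULAR = "regular"  # applies only to users who hold one of `roles`


@dataclass(frozen=True)
class RLSFilter:
    name: str
    filter_type: str
    roles: FrozenSet[str]      # excluded roles for BASE, included roles for REGULAR
    clause: str                # SQL fragment (taken verbatim from the PR example below)
    group_key: Optional[str] = None


def filter_applies(flt: RLSFilter, user_roles: FrozenSet[str]) -> bool:
    """Decide whether one filter is in effect for a user holding `user_roles`."""
    shares_role = bool(user_roles & flt.roles)
    if flt.filter_type == BASE:
        return not shares_role          # base filters apply unless the user is excluded
    if flt.filter_type == REGULAR:
        return shares_role              # regular filters apply only to listed roles
    raise ValueError(f"unknown filter type: {flt.filter_type!r}")


def combine_rls_clauses(filters: Iterable[RLSFilter], user_roles: FrozenSet[str]) -> Optional[str]:
    """Return the extra WHERE clause for a user, or None when no filter applies.

    Filters that share a grouping key are ORed inside one parenthesised group;
    the groups are ANDed together. Assumption (not stated in the PR): a filter
    with no grouping key becomes a group of its own, i.e. it is simply ANDed,
    which is the pre-existing additive behaviour.
    """
    groups: Dict[Union[str, Tuple[str, str]], List[str]] = {}  # dict keeps insertion order
    for flt in filters:
        if not filter_applies(flt, user_roles):
            continue
        key: Union[str, Tuple[str, str]]
        key = flt.group_key if flt.group_key is not None else ("ungrouped", flt.name)
        groups.setdefault(key, []).append(flt.clause)
    if not groups:
        return None
    return " AND ".join("(" + " OR ".join(clauses) + ")" for clauses in groups.values())


# The four filters from the PR description.
FILTERS = [
    RLSFilter("Filter 1", BASE, frozenset({"Admin"}), "date > now - 1 year", "duration"),
    RLSFilter("Filter 2", REGULAR, frozenset({"Research"}), "date > now - 10 year", "duration"),
    RLSFilter("Filter 3", BASE, frozenset({"Admin"}), "region = 'domestic'", "region"),
    RLSFilter("Filter 4", REGULAR, frozenset({"Management"}), "region = 'foreign'", "region"),
]

# Constructed deny-by-default set (role and department names are illustrative):
# a base filter `1 = 0` shares the "department" group with the per-department
# filters, so a user in no department sees no rows, while a member of both
# A and B sees A OR B instead of the contradictory A AND B.
DENY_BY_DEFAULT = [
    RLSFilter("Deny", BASE, frozenset({"Admin"}), "1 = 0", "department"),
    RLSFilter("Dept A", REGULAR, frozenset({"DeptA"}), "department = 'A'", "department"),
    RLSFilter("Dept B", REGULAR, frozenset({"DeptB"}), "department = 'B'", "department"),
]


if __name__ == "__main__":
    for roles in ({"Admin"}, set(), {"Research"}, {"Management"}, {"Management", "Research"}):
        print(sorted(roles) or "No roles", "->", combine_rls_clauses(FILTERS, frozenset(roles)))
    for roles in (set(), {"DeptA"}, {"DeptA", "DeptB"}):
        print(sorted(roles) or "No roles", "->", combine_rls_clauses(DENY_BY_DEFAULT, frozenset(roles)))
```

Running the script prints the five clauses listed in the PR for `FILTERS`, plus `(1 = 0)` for a user with no department role in the second set: that is the point of the base filter, since without it such a user would get no clause at all and therefore see every row.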