feat: Dashboard Level Access : dashboard lists

.github/workflows/superset-python-dashboard-level-access.yml

@@ -0,0 +1,255 @@
+# Python unit tests
+name: Feature Flag - Dashboard Level Access
+
+on: [push, pull_request]
+
+jobs:
+  test-postgres-presto:
+      runs-on: ubuntu-18.04
+      strategy:
+        matrix:
+          # run unit tests in multiple version just for fun
+          python-version: [3.8]
+      env:
+        PYTHONPATH: ${{ github.workspace }}
+        SUPERSET_CONFIG: tests.superset_test_config_dashboard_level_access
+        REDIS_PORT: 16379
+        SUPERSET__SQLALCHEMY_DATABASE_URI:
+          postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
+        SUPERSET__SQLALCHEMY_EXAMPLES_URI:
+          presto://localhost:15433/memory/default
+      services:
+        postgres:
+          image: postgres:10-alpine
+          env:
+            POSTGRES_USER: superset
+            POSTGRES_PASSWORD: superset
+          ports:
+            # Use custom ports for services to avoid accidentally connecting to
+            # GitHub action runner's default installations
+            - 15432:5432
+        presto:
+          image: prestosql/presto:339
+          env:
+            POSTGRES_USER: superset
+            POSTGRES_PASSWORD: superset
+          ports:
+            # Use custom ports for services to avoid accidentally connecting to
+            # GitHub action runner's default installations
+            - 15433:8080
+        redis:
+          image: redis:5-alpine
+          ports:
+            - 16379:6379
+      steps:
+      - uses: actions/checkout@v2
+      - name: Setup Python
+        uses: actions/setup-python@v2.1.1
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        uses: apache-superset/cached-dependencies@b90713b
+        with:
+          run: |
+            apt-get-install
+            pip-upgrade
+            pip install -r requirements/testing.txt
+            setup-postgres
+      - name: Run celery
+        run: celery worker --app=superset.tasks.celery_app:app -Ofair -c 2 &
+      - name: Python unit tests (PostgreSQL)
+        run: |
+          ./scripts/python_tests.sh
+      - name: Upload code coverage
+        run: |
+          bash <(curl -s https://codecov.io/bash) -cF python
+
+  test-postgres-hive:
+    runs-on: ubuntu-18.04
+    strategy:
+      matrix:
+        # run unit tests in multiple version just for fun
+        python-version: [3.7, 3.8]
+    env:
+      PYTHONPATH: ${{ github.workspace }}
+      SUPERSET_CONFIG: tests.superset_test_config_dashboard_level_access
+      REDIS_PORT: 16379
+      SUPERSET__SQLALCHEMY_DATABASE_URI:
+        postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
+      SUPERSET__SQLALCHEMY_EXAMPLES_URI: hive://localhost:10000/default
+      UPLOAD_FOLDER: /tmp/.superset/uploads/
+    services:
+      postgres:
+        image: postgres:10-alpine
+        env:
+          POSTGRES_USER: superset
+          POSTGRES_PASSWORD: superset
+        ports:
+          # Use custom ports for services to avoid accidentally connecting to
+          # GitHub action runner's default installations
+          - 15432:5432
+      redis:
+        image: redis:5-alpine
+        ports:
+          - 16379:6379
+    steps:
+    - uses: actions/checkout@v2
+    - name: Create csv upload directory
+      run: sudo mkdir -p /tmp/.superset/uploads
+    - name: Give write access to the csv upload directory
+      run: sudo chown -R $USER:$USER /tmp/.superset
+    - name: Start hadoop and hive
+      run: docker-compose -f scripts/databases/hive/docker-compose.yml up -d
+    - name: Setup Python
+      uses: actions/setup-python@v2.1.1
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      uses: apache-superset/cached-dependencies@b90713b
+      with:
+        run: |
+          apt-get-install
+          pip-upgrade
+          pip install -r requirements/testing.txt
+          setup-postgres
+    - name: Run celery
+      run: celery worker --app=superset.tasks.celery_app:app -Ofair -c 2 &
+    - name: Python unit tests (PostgreSQL)
+      run: |
+        ./scripts/python_tests.sh
+    - name: Upload code coverage
+      run: |
+        bash <(curl -s https://codecov.io/bash) -cF python
+
+  test-postgres:
+    runs-on: ubuntu-18.04
+    strategy:
+      matrix:
+        python-version: [3.7, 3.8]
+    env:
+      PYTHONPATH: ${{ github.workspace }}
+      SUPERSET_CONFIG: tests.superset_test_config_dashboard_level_access
+      REDIS_PORT: 16379
+      SUPERSET__SQLALCHEMY_DATABASE_URI:
+        postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
+    services:
+      postgres:
+        image: postgres:10-alpine
+        env:
+          POSTGRES_USER: superset
+          POSTGRES_PASSWORD: superset
+        ports:
+          # Use custom ports for services to avoid accidentally connecting to
+          # GitHub action runner's default installations
+          - 15432:5432
+      redis:
+        image: redis:5-alpine
+        ports:
+          - 16379:6379
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Python
+      uses: actions/setup-python@v2.1.1
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      uses: apache-superset/cached-dependencies@b90713b
+      with:
+        run: |
+          apt-get-install
+          pip-upgrade
+          pip install -r requirements/testing.txt
+          setup-postgres
+    - name: Run celery
+      run: celery worker --app=superset.tasks.celery_app:app -Ofair -c 2 &
+    - name: Python unit tests (PostgreSQL)
+      run: |
+        ./scripts/python_tests.sh
+    - name: Upload code coverage
+      run: |
+        bash <(curl -s https://codecov.io/bash) -cF python
+
+  test-mysql:
+    runs-on: ubuntu-18.04
+    strategy:
+      matrix:
+        python-version: [3.7]
+    env:
+      PYTHONPATH: ${{ github.workspace }}
+      SUPERSET_CONFIG: tests.superset_test_config_dashboard_level_access
+      REDIS_PORT: 16379
+      SUPERSET__SQLALCHEMY_DATABASE_URI: |
+        mysql+mysqldb://superset:superset@127.0.0.1:13306/superset?charset=utf8mb4&binary_prefix=true
+    services:
+      mysql:
+        image: mysql:5.7
+        env:
+          MYSQL_ROOT_PASSWORD: root
+        ports:
+          - 13306:3306
+      redis:
+        image: redis:5-alpine
+        options: --entrypoint redis-server
+        ports:
+          - 16379:6379
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Python
+      uses: actions/setup-python@v2.1.1
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      uses: apache-superset/cached-dependencies@b90713b
+      with:
+        run: |
+          apt-get-install
+          pip-upgrade
+          pip install -r requirements/testing.txt
+          setup-mysql
+    - name: Run celery
+      run: celery worker --app=superset.tasks.celery_app:app -Ofair -c 2 &
+    - name: Python unit tests (MySQL)
+      run: |
+        ./scripts/python_tests.sh
+    - name: Upload code coverage
+      run: |
+        bash <(curl -s https://codecov.io/bash) -cF python
+
+  test-sqlite:
+    runs-on: ubuntu-18.04
+    strategy:
+      matrix:
+        python-version: [3.7]
+    env:
+      PYTHONPATH: ${{ github.workspace }}
+      SUPERSET_CONFIG: tests.superset_test_config_dashboard_level_access
+      REDIS_PORT: 16379
+      SUPERSET__SQLALCHEMY_DATABASE_URI: |
+        sqlite:///${{ github.workspace }}/.temp/unittest.db
+    services:
+      redis:
+        image: redis:5-alpine
+        ports:
+          - 16379:6379
+    steps:
+    - uses: actions/checkout@v2
+    - name: Setup Python
+      uses: actions/setup-python@v2.1.1
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      uses: apache-superset/cached-dependencies@b90713b
+      with:
+        run: |
+          apt-get-install
+          pip-upgrade
+          pip install -r requirements/testing.txt
+          mkdir ${{ github.workspace }}/.temp
+    - name: Run celery
+      run: celery worker --app=superset.tasks.celery_app:app -Ofair -c 2 &
+    - name: Python unit tests (SQLite)
+      run: |
+        ./scripts/python_tests.sh
+    - name: Upload code coverage
+      run: |
+        bash <(curl -s https://codecov.io/bash) -cF python

superset/cli.py

@@ -32,6 +32,7 @@
 
 from superset import app, appbuilder, security_manager
 from superset.app import create_app
+from superset.constants import Security as SecurityConsts
 from superset.extensions import celery_app, db
 from superset.utils import core as utils
 from superset.utils.celery import session_scope
@@ -73,6 +74,13 @@ def init() -> None:
     """Inits the Superset application"""
     appbuilder.add_permissions(update_perms=True)
     security_manager.sync_role_definitions()
+    from superset import is_feature_enabled
+    from superset.dashbaord_level_access_initializer import (
+        InitDashboardLevelAccessCommand,
+    )
+
+    if is_feature_enabled(SecurityConsts.DASHBOARD_LEVEL_ACCESS_FEATURE):
+        InitDashboardLevelAccessCommand().run()
 
 
 @superset.command()

superset/config.py

@@ -308,6 +308,7 @@ def _try_json_readsha(  # pylint: disable=unused-argument
     "TAGGING_SYSTEM": False,
     "SQLLAB_BACKEND_PERSISTENCE": False,
     "LISTVIEWS_DEFAULT_CARD_VIEW": False,
+    "DASHBOARD_LEVEL_ACCESS": False,
 }
 
 # Set the default view to card/grid view if thumbnail support is enabled.

superset/constants.py

@@ -62,3 +62,19 @@ class RouteMethod:  # pylint: disable=too-few-public-methods
     CRUD_SET = {ADD, LIST, EDIT, DELETE, ACTION_POST, SHOW}
     RELATED_VIEW_SET = {ADD, LIST, EDIT, DELETE}
     REST_MODEL_VIEW_CRUD_SET = {DELETE, GET, GET_LIST, POST, PUT, INFO}
+
+
+class Security:  # pylint: disable=too-few-public-methods
+    DASHBOARD_LEVEL_ACCESS_FEATURE = "DASHBOARD_LEVEL_ACCESS"
+
+    class AllDashboard:
+        VIEW_NAME = "all_dashboards"
+        ACCESS_PERMISSION_NAME = "can_access_dashboard"
+        EDIT_PERMISSION_NAME = "can_edit"
+
+    class Dashboard:
+        VIEW_NAME_FORMAT = "dashboard.[{obj.dashboard_title}](id:{obj.id})"
+        ACCESS_PERMISSION_NAME = "can_access_dashboard"
+
+    class AllDatasources:
+        VIEW_NAME = "all_datasource_access"

superset/dashbaord_level_access_initializer.py

@@ -0,0 +1,89 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+import logging
+
+from flask_appbuilder.security.sqla.models import (
+    assoc_permissionview_role,
+    PermissionView,
+    Role,
+    ViewMenu,
+)
+
+from superset import db, security_manager
+from superset.constants import Security as SecurityConsts
+from superset.models.dashboard import Dashboard
+
+logger = logging.getLogger(__name__)
+
+
+class InitDashboardLevelAccessCommand:  # pylint:disable=too-few-public-methods
+    def __init__(self) -> None:
+        self.__access_all_dashboards_permission_view = (  # pylint:disable=invalid-name
+            None
+        )
+        self.__session = db.session
+
+    def run(self) -> None:
+        self.__create_all_dashboards_permissions()
+        self.__add_all_dashboards_permissions_to_permitted_roles()
+        self.__create_permissions_for_current_dashboards()
+
+    def __create_all_dashboards_permissions(  # pylint:disable=invalid-name
+        self,
+    ) -> None:
+        logger.info("start create_all_dashboards_permissions")
+        self.__access_all_dashboards_permission_view = self.create_pmv()
+        logger.info("done create_all_dashboards_permissions")
+
+    @staticmethod
+    def create_pmv() -> PermissionView:
+        return security_manager.add_permission_view_menu(
+            SecurityConsts.AllDashboard.ACCESS_PERMISSION_NAME,
+            SecurityConsts.AllDashboard.VIEW_NAME,
+        )
+
+    def __add_all_dashboards_permissions_to_permitted_roles(  # pylint:disable=invalid-name
+        self,
+    ) -> None:
+        logger.info("start add_all_dashboards_permissions_to_permitted_roles")
+        roles = (
+            self.__session.query(Role)
+            .join(assoc_permissionview_role)
+            .join(PermissionView)
+            .join(ViewMenu)
+            .filter(
+                ViewMenu.name == SecurityConsts.AllDatasources.VIEW_NAME,
+                ViewMenu.name != SecurityConsts.AllDashboard.VIEW_NAME,
+            )
+            .all()
+        )
+        for role in roles:
+            role.permissions.append(self.__access_all_dashboards_permission_view)
+            self.__session.merge(role)
+        self.__session.commit()
+        logger.info("done add_all_dashboards_permissions_to_permitted_roles")
+
+    def __create_permissions_for_current_dashboards(  # pylint:disable=invalid-name
+        self,
+    ) -> None:
+        logger.info("start create_permissions_for_current_dashboards")
+        dashboards = self.__session.query(Dashboard).all()
+        for dashboard in dashboards:
+            security_manager.add_permission_view_menu(
+                SecurityConsts.Dashboard.ACCESS_PERMISSION_NAME, dashboard.view_name
+            )
+        logger.info("done create_permissions_for_current_dashboards")