feat(thumbnails): add support for user specific thumbs

[villebro]

SUMMARY

This PR adds support for generating user-specific thumbnails. This is a typical requirement in environments where some form of user impersonation is being used, and sharing thumbnails across all users with access to the same dashboards/charts could leak sensitive data.

This PR does the following:

• Renames ReportScheduleExecutor to ExecutorType so that it can be reused for thumbnails. Also moves the utils from the reports package to the tasks package, as it's shared with thumbnails now.
• Adds a new package thumbnails to contain the thumbs-specific types etc. Also move the thumbnail task module here and deprecate the old one (it will still work, but will now emit a deprecation warning).
• Adds a new executor type called CURRENT_USER which corresponds to the logged-in user that initiated the request. This user will be undefined for Alerts & Reports (=Celery has initiated those), but for thumbnails, this is the user that requested the thumbnail.
• Adds the following config options:
  • THUMBNAIL_EXECUTE_AS - similar config as for Alerts & Reports
  • THUMBNAIL_DASHBOARD_DIGEST_FUNC: callback for generating custom digests for dashboards. This is handy if a deployment wants to use different hashing functions or use advanced logic for deciding if a thumbnail can be shared across a larger user pool or not.
  • THUMBNAIL_CHART_DIGEST_FUNC: callback for generating custom digests for charts

By default the digests will stay unchanged, as the new default value for THUMBNAIL_EXECUTE_AS = [ExecutorType.SELENIUM]. However, when setting it to [ExecutorType.CURRENT_USER], the username will be added to the unique_string prior to hashing to make it unique per user.

AFTER

This chart thumbnail was cached using the following query on a Trino database connection using user impersonation with the following virtual dataset:

select concat('Database: ', current_user) as user, 1 as num union all
select 'Jinja: {{ current_username() }}' as user, 2 as num

As can be seen, both the current_user (rendered by Trino) and {{ current_username() }} (rendered by Superset) both show the user as being v_brofeldt, i.e. not a service account.

BEFORE

When I changed the chart to reference a postgres database with basic auth using the username postgres and THUMBNAIL_EXECUTE_AS = [ExecutorType.SELENIUM] (=same as current behavior), the result was as follows:

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #22328 (74981e5) into master (1014a32) will increase coverage by 0.01%.
The diff coverage is 81.36%.

@@            Coverage Diff             @@
##           master   #22328      +/-   ##
==========================================
+ Coverage   66.89%   66.90%   +0.01%     
==========================================
  Files        1847     1850       +3     
  Lines       70611    70677      +66     
  Branches     7749     7749              
==========================================
+ Hits        47233    47285      +52     
- Misses      21362    21376      +14     
  Partials     2016     2016              

Flag	Coverage Δ
hive	52.47% <36.64%> (-0.03%)	⬇️
mysql	77.97% <71.42%> (-0.01%)	⬇️
postgres	78.03% <71.42%> (-0.01%)	⬇️
presto	52.37% <36.64%> (-0.03%)	⬇️
python	81.23% <81.36%> (-0.01%)	⬇️
sqlite	76.50% <71.42%> (-0.01%)	⬇️
unit	50.92% <66.45%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
superset/reports/commands/exceptions.py	98.36% <ø> (-0.03%)	⬇️
superset/reports/types.py	100.00% <ø> (ø)
superset/tasks/thumbnails.py	39.02% <22.22%> (-6.14%)	⬇️
superset/charts/api.py	86.19% <62.50%> (+0.42%)	⬆️
superset/models/slice.py	85.85% <62.50%> (-0.29%)	⬇️
superset/config.py	91.46% <80.00%> (-0.47%)	⬇️
superset/models/dashboard.py	76.61% <80.00%> (+0.11%)	⬆️
superset/dashboards/api.py	92.57% <83.33%> (+0.04%)	⬆️
superset/tasks/utils.py	91.48% <91.48%> (ø)
superset/thumbnails/digest.py	93.54% <93.54%> (ø)
... and 4 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[villebro]

There is a similar method in Dashboard that bypasses the base filter

[villebro]

The reason why this function returns the username as a string, and not the User object, is because this function will be called frequently (e.g. when getting all charts/dashboards). Since we only know the selenium username in the config, we would otherwise have to fetch it from the metastore, causing unnecessary round trips to the metastore.

[villebro]

This file is really the same as superset/tasks/thumbnails.py before, just updated with the new logic (fetching the executor and overriding the username etc)

[villebro]

this is really just one added test for the new INITIATOR case, other than that it's just updating the test cases to conform to the new sig of get_executor

[villebro]

This was mostly moved from the previous tests/unit_tests/reports/test_utils.py file, just updating to new return types + adding new relevant test cases.

[kamalkeshavani-aiinside]

@villebro Thank you for implementation of this feature. Just sharing our usecase.
In our Superset, we keep the dashboard thumbnails cached everyday for all users for better user experience. We do plan to create a dashboard with user specific content, where we can use this feature of each user generating their own thumbnails.

But this implementation will force the thumbnail generation for all the dashboards for each user, which is not ideal for us.
An ideal solution for our usecase would be control of executor for each dashboard/chart, so the owner of dashboard/chart can decide if that particular dashboard/chart needs INITIATOR as executor for thumbnail. Whether it is actually feasible or not, I will let you decide.

[villebro]

Just sharing our usecase. In our Superset, we keep the dashboard thumbnails cached everyday for all users for better user experience. We do plan to create a dashboard with user specific content, where we can use this feature of each user generating their own thumbnails.

But this implementation will force the thumbnail generation for all the dashboards for each user, which is not ideal for us. An ideal solution for our usecase would be control of executor for each dashboard/chart, so the owner of dashboard/chart can decide if that particular dashboard/chart needs INITIATOR as executor for thumbnail. Whether it is actually feasible or not, I will let you decide.

@kamalkeshavani-aiinside we can certainly consider adding this in a future PR. All it would really require is adding a thumbnail_executor field in the Dashboard and Slice models and then add a dropdown in their respective modals (if undefined, it would default to the global config).

Would you be open to working on this feature? I'm happy to provide guidance and review help if needed.

[villebro]

This is the same type as the previous ReportScheduleExecutor, but with the added INITIATOR enum.

[villebro]

Since the digest may now be affected by who is logged in, all tests are updated to fetch the thumbnail URL via the API after login.

[kamalkeshavani-aiinside]

@kamalkeshavani-aiinside we can certainly consider adding this in a future PR. All it would really require is adding a thumbnail_executor field in the Dashboard and Slice models and then add a dropdown in their respective modals (if undefined, it would default to the global config).

Would you be open to working on this feature? I'm happy to provide guidance and review help if needed.

@villebro Thank you for the suggestion. Sure, I can try to work on this with your help.

[dpgaspar]

our current dashboard digest is:

    @property
    def digest(self) -> str:
        """
        Returns a MD5 HEX digest that makes this dashboard unique
        """
        unique_string = f"{self.position_json}.{self.css}.{self.json_metadata}"
        return md5_sha_from_str(unique_string)

Adding an executor will invalidate all current computed dashboard thumbnails.

I would also prefer to bring these changes back to /superset/tasks/thumbnails and avoid introducing the deprecation and underlying breaking change on the task structure.

[villebro]

Adding an executor will invalidate all current computed dashboard thumbnails.

Oof, that was an unintended mistake, the executor was only supposed to be added in the case of CURRENT_USER.

I would also prefer to bring these changes back to /superset/tasks/thumbnails and avoid introducing the deprecation and underlying breaking change on the task structure.

Makes sense - I'll revert the move

[michael-s-molina]

Code LGMT.

@villebro If you don't mind, it would be a good idea to also get @dpgaspar's approval before merging it. Thank you for the improvement!

[villebro]

Code LGMT.

@villebro If you don't mind, it would be a good idea to also get @dpgaspar's approval before merging it. Thank you for the improvement!

Absolutely @michael-s-molina 👍 As I also found a bug today in the PR I'm going to let it simmer over the weekend as I feel there's room for improvement in the tests.

[dpgaspar]

Looks really good, since this change will invalidate thumbnails cache it would be nice to add a note on UPDATING.md

[dpgaspar]

will dashboard.charts generate a N+1 issue?

[villebro]

This PR shouldn't change current performance, as this property is already present on the current request payload.