yamyamyuo commented on issue #538: Access configuration is too complicated
URL: https://github.com/apache/incubator-superset/issues/538#issuecomment-402068569

I totally agree that the security control is too complex to use. There are several problems with the role-based permission model.

1. If you have datasource access to a bunch of tables named Perm_A, it allows you to view dashboard A if its datasource is a subset of Perm_A's datasource. The tricky thing is that if, by coincidence, dashboard B's datasource is also a subset of Perm_A, then it will cause a problem if dashboard B is not supposed to be accessed by anyone.

2. Datasource access is only controlled at the table level. Why is datasource access control not available at the level of database, schema or catalog? If you want to control a department's datasource access, you have to list all of the tables that belong to the specific department. That's unreasonable. If a company has hundreds of departments and thousands of databases, it will require many Superset administrators to manage the permissions.

3. The permission model does not support deny. In some use cases, if you don't have one permission, you will be denied.

I did some hacky things to avoid the complex permission management. I use scripts to automatically add one invisible slice to each dashboard. Each slice uses a different datasource. That solves problem 1. The scripts are scheduled once an hour to collect all the dashboards' table permissions and create grouped roles. The final thing for admins to do is add the grouped role to a specific user.
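The subset behaviour from problem 1 and the invisible-slice workaround described in the comment above, as an added example that is not part of the original comment and is not Superset code. The visibility rule is a simplified model taken from the comment's description, and every name and sample table below is constructed.

```python
# Simplified model (assumption, from the comment): a dashboard is visible when
# every datasource it uses is covered by the user's granted datasources.
# None of these functions are Superset APIs.

def can_view(granted, dashboard_sources):
    """True when the dashboard's datasources are a subset of the grant."""
    return set(dashboard_sources) <= set(granted)

def visible(granted, dashboards):
    """Names of all dashboards a grant opens, sorted for stable output."""
    return sorted(n for n, srcs in dashboards.items() if can_view(granted, srcs))

def add_sentinels(dashboards):
    """Workaround from the comment: one extra, unique datasource per dashboard
    (the 'invisible slice'), so no two dashboards share a full source set."""
    return {n: set(srcs) | {f"__sentinel_{n}"} for n, srcs in dashboards.items()}

def grouped_roles(dashboards):
    """One grouped role per dashboard, holding exactly that dashboard's sources."""
    return {f"view_{n}": frozenset(srcs) for n, srcs in dashboards.items()}

# Constructed sample data: dashboard B reuses one of dashboard A's tables.
DASHBOARDS = {
    "A": {"sales.orders", "sales.customers"},
    "B": {"sales.customers"},
}
PERM_A = {"sales.orders", "sales.customers"}  # granted so users can open A

def demo():
    # Before: the table grant meant for A also opens B by coincidence.
    before = visible(PERM_A, DASHBOARDS)
    # After: each dashboard carries its own sentinel datasource and access is
    # handed out through the per-dashboard grouped role.
    tagged = add_sentinels(DASHBOARDS)
    roles = grouped_roles(tagged)
    after = visible(roles["view_A"], tagged)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("Perm_A opens:", before)
    print("view_A opens:", after)
```

In this model a plain table grant such as `PERM_A` no longer opens any dashboard once sentinels are in place, so dashboard access has to be granted explicitly through a grouped role.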
