dpgaspar commented on code in PR #22328: URL: https://github.com/apache/superset/pull/22328#discussion_r1042001783
########## superset/tasks/utils.py: ########## 
@@ -0,0 +1,94 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from __future__ import annotations
+
+from typing import List, Optional, Tuple, TYPE_CHECKING, Union
+
+from flask import current_app, g
+
+from superset.tasks.exceptions import ExecutorNotFoundError
+from superset.tasks.types import ExecutorType
+
+if TYPE_CHECKING:
+ from superset.models.dashboard import Dashboard
+ from superset.models.slice import Slice
+ from superset.reports.models import ReportSchedule
+
+
+# pylint: disable=too-many-branches
+def get_executor(
+ executor_types: List[ExecutorType],
+ model: Union[Dashboard, ReportSchedule, Slice],
+ initiator: Optional[str] = None,
+) -> Tuple[ExecutorType, str]:
+ """
+ Extract the user that should be used to execute a scheduled task. Certain executor
+ types extract the user from the underlying object (e.g. CREATOR), the constant
+ Selenium user (SELENIUM), or the user that initiated the request.
+
+ :param executor_types: The requested executor type in descending order. When the
+ first user is found it is returned.
+ :param model: The underlying object
+ :param initiator: The username of the user that initiated the task. 
For thumbnails
+ this is the user that requested the thumbnail, while for alerts and
+ reports this is None (=initiated by Celery).
+ :return: User to execute the report as
+ :raises ScheduledTaskExecutorNotFoundError: If no users were found in after
+ iterating through all entries in `executor_types`
+ """
+ owners = model.owners
+ owner_dict = {owner.id: owner for owner in owners}
+ for executor_type in executor_types:
+ if executor_type == ExecutorType.SELENIUM:
+ return executor_type, current_app.config["THUMBNAIL_SELENIUM_USER"]
+ if executor_type == ExecutorType.INITIATOR and initiator:
+ return executor_type, initiator
+ if executor_type == ExecutorType.CREATOR_OWNER:
+ if (user := model.created_by) and (owner := owner_dict.get(user.id)):
+ return executor_type, owner.username
+ if executor_type == ExecutorType.CREATOR:
+ if user := model.created_by:
+ return executor_type, user.username
+ if executor_type == ExecutorType.MODIFIER_OWNER:
+ if (user := model.changed_by) and (owner := owner_dict.get(user.id)):
+ return executor_type, owner.username
+ if executor_type == ExecutorType.MODIFIER:
+ if user := model.changed_by:
+ return executor_type, user.username
+ if executor_type == ExecutorType.OWNER:
+ owners = model.owners
+ if len(owners) == 1:
+ return executor_type, owners[0].username
+ if len(owners) > 1:
+ if modifier := model.changed_by:
+ if modifier and (user := owner_dict.get(modifier.id)):
+ return executor_type, user.username
+ if creator := model.created_by:
+ if creator and (user := owner_dict.get(creator.id)):
+ return executor_type, user.username
+ return executor_type, owners[0].username
+
+ raise ExecutorNotFoundError()
+
+
+def get_initiator() -> Optional[str]:
+ user = g.user if hasattr(g, "user") and g.user and g.user else None
Review Comment: duplicate `and g.user`?
########## superset/config.py: ##########
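Review bot: The docstring of get_executor documents `:raises ScheduledTaskExecutorNotFoundError:` while the body raises `ExecutorNotFoundError`, the class imported from superset.tasks.exceptions at the top of the hunk; the line should read `:raises ExecutorNotFoundError: If no user was found after iterating through all entries in ``executor_types``` so callers catch the exception that is actually thrown. In the OWNER branch the inner `if modifier and (user := ...)` and `if creator and (user := ...)` re-test a name the enclosing walrus has just proven truthy, so `if user := owner_dict.get(modifier.id):` (and the same for `creator`) reads identically and drops the redundant check, and the second `owners = model.owners` in that branch repeats the assignment made at the top of the function. The SELENIUM branch returns `current_app.config["THUMBNAIL_SELENIUM_USER"]` unchecked, so a deployment that overrides that setting with None would get None back where the annotation promises str; a guard, or a sentence in the docstring stating the setting must be a username, would make that contract explicit. get_initiator is cut off by the hunk, so its body is not reviewed here.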
@@ -21,6 +21,8 @@ at the end of this file. """ # pylint: disable=too-many-lines
+from __future__ import annotations
Review Comment: Postponed evaluation of annotations, awesome!
########## superset/models/slice.py: ##########
@@ -234,10 +234,7 @@ def data(self) -> Dict[str, Any]: @property def digest(self) -> str:
- """
- Returns a MD5 HEX digest that makes this dashboard unique
- """
- return md5_sha_from_str(self.params or "")
+ return get_chart_digest(self)
Review Comment: don't see any other uses of `get_chart_digest` why not just post it's contents here?
########## docs/docs/installation/cache.mdx: ##########
@@ -53,6 +53,13 @@ FEATURE_FLAGS = { } ```
+By default thumbnails are rendered using the `THUMBNAIL_SELENIUM_USER` user account. To render thumbnails as the
+logged in user (e.g. in environments that are using user impersonation), use the following configuration:
+
+```python
+THUMBNAIL_EXECUTE_AS = [ExecutorType.INITIATOR]
Review Comment: nit: at first I struggled with the name `INITIATOR`, after reading the entire PR I got more used to it :) still do you think `ExecutorType.CURRENT_USER` or similar could be more explicit?
########## superset/thumbnails/digest.py: ##########
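Review bot: The `digest` property of Slice is left without a docstring once the old one is removed, so a public property no longer states what its value is used for. The removed text was also wrong about the object (it described a "dashboard" on a Slice), so a fresh sentence is better than restoring it; since `get_chart_digest` presumably comes from the superset/thumbnails/digest.py added in this PR, something like `"""Digest identifying this chart's thumbnail; see superset.thumbnails.digest for how it is derived."""` records the contract without duplicating the helper. The enclosing class continues outside the hunk.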
@@ -0,0 +1,85 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from __future__ import annotations
+
+import logging
+from typing import TYPE_CHECKING
+
+from flask import current_app
+
+from superset.tasks.types import ExecutorType
+from superset.tasks.utils import get_executor, get_initiator
+from superset.utils.hashing import md5_sha_from_str
+
+if TYPE_CHECKING:
+ from superset.models.dashboard import Dashboard
+ from superset.models.slice import Slice
+
+logger = logging.getLogger(__name__)
+
+
+def _adjust_string_for_executor(
+ unique_string: str,
+ executor_type: ExecutorType,
+ executor: str,
+) -> str:
Review Comment: If the API endpoints for screenshots provide enough security, we probably don't need this function anymore.
########## superset/models/slice.py: ##########
@@ -344,6 +341,12 @@ def get_query_context_factory(self) -> QueryContextFactory: self.query_context_factory = QueryContextFactory() return self.query_context_factory
+ @classmethod
+ def get(cls, id_: int) -> Slice:
+ session = db.session()
Review Comment: why create a new session here?
########## superset/dashboards/api.py: ##########
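Review bot: `_adjust_string_for_executor` reaches the end of the hunk with no docstring, and its signature alone does not say how `executor_type` and `executor` alter `unique_string`; the body lies outside the hunk. If, as the name and the md5_sha_from_str import suggest, the result feeds a thumbnail cache key, the point worth recording is that the executing user is folded into the key so that a thumbnail rendered under one user's permissions is not served from the cache to a different user. A docstring along the lines of `"""Mix the executing user into ``unique_string`` for executor types whose identity varies per request, so cached thumbnails are keyed per executor; constant executors leave the string unchanged."""`, with the per-type cases checked against the body, would make that invariant explicit for anyone maintaining the cache.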
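Review bot: The new `Slice.get` classmethod has no docstring, and unlike the `self.datamodel.get(pk, self._base_filters)` lookup used in the dashboards API it takes only an `id_`, so nothing in the signature says whether any access filtering is applied; presumably it is a plain primary-key lookup, and its body continues outside the hunk. A docstring such as `"""Load the chart with primary key ``id_``; no access-control filtering is applied, so callers are responsible for authorization."""` keeps it from being mistaken for a filtered lookup. If the query can miss, `Optional[Slice]` (the typing style this file already uses) would be a more accurate return annotation than `Slice`; confirm against the body.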
@@ -879,16 +880,21 @@ def thumbnail(self, pk: int, digest: str, **kwargs: Any) -> WerkzeugResponse: 500: $ref: '#/components/responses/500' """ - dashboard = self.datamodel.get(pk, self._base_filters) + dashboard = cast(Dashboard, self.datamodel.get(pk, self._base_filters)) Review Comment: here, note that the `self._base_filters` provides our security against users being able to view each others thumbnails/screenshots
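Review bot: `cast(Dashboard, ...)` changes only the static type; at runtime `self.datamodel.get(pk, self._base_filters)` still yields None when the pk does not exist or the base filters exclude it, and the cast tells the type checker that None can never occur. The not-found handling that presumably follows the assignment (outside the hunk) must therefore remain, and narrowing after an explicit check is more honest than casting the call: `dashboard = self.datamodel.get(pk, self._base_filters)` followed by `if dashboard is None: return self.response_404()`, so the deny path produced by the filters stays visible in both the code and the types. The remainder of thumbnail's body lies outside the hunk.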
