frlm opened a new pull request, #25352: URL: https://github.com/apache/superset/pull/25352
<!--- [SIP] API Row Level Security: get rls by username or roles via API #25351 -->

### SUMMARY

I have created the following SIP to give the client side the possibility to generate an embedding request by retrieving the row level securities defined on the UI page:

Providing either the username of the user or the role already defined on Apache Superset, the API returns the list of RLS to be provided to the body of the endpoint /api/v1/security/guest_token/:

Otherwise, the client making the request must know in advance the settings provided at the user interface level. The following endpoints generate output considering the filter type (Basic / Regular) and the presence or absence of the Group Key. Right now, a user who provides no RLS but only the default value [ ] can display all the data within the dashboard; in my case I needed to manage the display of the type of data with respect to the user requesting the embedding.

The output of the request will be a list of dictionaries with "clause" and "dataset" as keys, e.g.:

~~~
[{"clause":"(province = 'AG')","dataset":25},{"clause":"(gender = 'boy')","dataset":2}]
~~~

If the different RLS filters associated with the requested user or role have the same group key, the filters associated with the same dataset will be merged using the OR condition, e.g.:

~~~
[{"clause":"(province = 'AG') OR (province = 'SI')","dataset":25}]
~~~

### Proposed Change

I created two new endpoints:

- /api/v1/security/get_rls_by_username/
- /api/v1/security/get_rls_by_role/

that retrieve users, roles, tables and RLS from the Metadata tables (using the SQLAlchemy package), convert all filters of type Base to Regular and aggregate the filters with respect to the defined group key value. Obviously considering only the row level securities enabled on that specific user or role.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

BEFORE: no endpoints to retrieve RLS configs made by the Row Level Security settings page

AFTER:

### TESTING INSTRUCTIONS

Create a user with a specific role and related RLS, and check if the endpoints return the correct output.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [x] Introduces new feature or API
- [ ] Removes existing feature or API
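
The merge rule described in the summary, as an added example that is not code from the pull request or from Superset. The input field names (`dataset`, `clause`, `group_key`), both function names, the choice to keep filters without a group key as separate entries, and the refusal to build a token with an empty `rls` list are assumptions made for illustration.

```python
from collections import OrderedDict

# Constructed sample rows: the RLS filters enabled for one user or role.
# The field names are assumptions, not Superset's metadata schema.
SAMPLE_FILTERS = [
    {"dataset": 25, "clause": "province = 'AG'", "group_key": "geo"},
    {"dataset": 25, "clause": "province = 'SI'", "group_key": "geo"},
    {"dataset": 2, "clause": "gender = 'boy'", "group_key": None},
]


def merge_rls(filters):
    """Return guest-token style rules, one entry per (dataset, group key).

    Clauses sharing a dataset and a non-empty group key are joined with OR;
    filters without a group key stay as separate entries (assumption).
    """
    grouped = OrderedDict()
    for i, f in enumerate(filters):
        # An ungrouped filter gets a unique bucket so it is never merged.
        bucket = f["group_key"] if f["group_key"] else ("ungrouped", i)
        grouped.setdefault((f["dataset"], bucket), []).append(f"({f['clause']})")
    return [
        {"clause": " OR ".join(clauses), "dataset": dataset}
        for (dataset, _), clauses in grouped.items()
    ]


def guest_token_body(username, dashboard_id, rules):
    """Build the body for /api/v1/security/guest_token/, failing closed.

    With an empty rls list the guest can display all the data in the
    dashboard, so refuse to build a body without any rule.
    """
    if not rules:
        raise ValueError(f"no RLS rules for {username!r}; refusing unrestricted token")
    return {
        "user": {"username": username},
        "resources": [{"type": "dashboard", "id": dashboard_id}],
        "rls": rules,
    }
```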
