frlm commented on PR #25352: URL: https://github.com/apache/superset/pull/25352#issuecomment-1729101295
> Thank you for the PR @frlm. I'm not sure if you are aware but we have the following [RLS endpoints](https://superset.apache.org/docs/api/). Are they not sufficient for your use case? > > <img alt="Screenshot 2023-09-20 at 17 27 17" width="939" src="https://user-images.githubusercontent.com/70410625/269410742-4c8b4642-468f-4427-ab46-d340759d2caa.png";> Hi Michael, thank you for your interest in my SIP request, I know there are new endpoints to pull RLS information via API, I had read them before implementing the two new endpoints included in this pull request. You will notice that I did not include them within the RowLevelSecurity class because they were not yet present in Apache Superset version 2.1.0. I needed this functionality in the version I am using in a specific production environment. However to explain the reasons why I think it is necessary to add these endpoints I will use _**/api/v1/rowlevelsecurity**_ as an example. In particular if we read the json argument:  ~~~ json "result: [ { "changed_on_delta_humanized": "string", "clause": "string", "description": "string", "filter_type": "regular", "group_key": "string", "id": "0", "name": "string", "roles": [ { "id": "0", "name": "string" } ], "tables": [ { "id": 0, "schema": "string", "table_name": "string" } ] ~~~ we can observe that there is all the information present in the RLS table plus the associated roles but during the embedding requests I observed the following shortcomings: - the endpoints already present allow you to extract information from the RLS table but do not help you extract the RLS for that specific username or role, generally the Client does not know which role the user is associated with. - If for that specific user or role there are several **RLS** filters of the Regular / Base type and with different group key values, it is necessary for the Client to carry out all the logical aggregation operations (AND, OR) to generate the list of dictionaries used later in the endpoint body _**/api/v1/security/guest_token/**_. ~~~ json { "resources": [ { "id": "string", "type": "dashboard" } ], "rls": [ { "clause": "string", "dataset": 0 } ], "user": { "first_name": "string", "last_name": "string", "username": "string" } } ~~~ This leads to greater difficulty on the Client side in using the tool via API because it must understand and manage any updates on the Superset side on how the settings relating to Row Level Security are managed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
![https://user-images.githubusercontent.com/70410625/269410742-4c8b4642-468f-4427-ab46-d340759d2caa.png"](https://user-images.githubusercontent.com/70410625/269410742-4c8b4642-468f-4427-ab46-d340759d2caa.png"){kind=link}