dosubot[bot] commented on issue #28377: URL: https://github.com/apache/superset/issues/28377#issuecomment-2099466009
For the DSL and ABAC selectors in the context of Apache Superset's security model redesign, it's beneficial to look into Superset's existing Row Level Security (RLS) feature. This feature already incorporates elements of a domain-specific language (DSL) for attribute-based access control (ABAC), demonstrating the application of complex permission scenarios through conditions like equality, sets, logical operators, and efficient translation into SQLAlchemy `.where()` clauses. The RLS tests and implementation provide a practical example of how RLS filters can be defined with conditions and applied to SQL queries, showcasing the support for the required features in your ABAC DSL proposal.

The current RLS feature in Superset, as demonstrated in the integration tests, supports defining filters with various conditions, applying these filters based on user roles and dataset-specific rules, and translating these rules efficiently into SQL queries. This aligns with your goals for a DSL that supports equality, sets, negative flips, logical operators, and can be translated into efficient database queries.

Improving upon the current ABAC implementation could involve addressing any existing limitations, such as the complexity of maintaining the system, performance concerns with dynamic permission checks, limited attribute support, and integration challenges with external systems. Enhancing these aspects could lead to a more robust, efficient, and user-friendly ABAC system within Superset.

In summary, leveraging insights from Superset's RLS feature and addressing its limitations could provide a solid foundation for developing a new DSL and ABAC selectors that meet your objectives for a more intuitive, scalable, and manageable security framework.

**Sources**

- [[SIP-73] Proposal for Improving the security stucture and move to resource based model](https://github.com/apache/superset/issues/14806)
- [tests/integration_tests/security/row_level_security_tests.py](https://github.com/apache/superset/blob/master/tests/integration_tests/security/row_level_security_tests.py)
- [docs/docs/security/security.mdx](https://github.com/apache/superset/blob/master/docs/docs/security/security.mdx)
- [superset/security/manager.py](https://github.com/apache/superset/blob/master/superset/security/manager.py)
- [superset/models/helpers.py](https://github.com/apache/superset/blob/master/superset/models/helpers.py)
- [superset-frontend/packages/superset-ui-core/src/query/processFilters.ts](https://github.com/apache/superset/blob/master/superset-frontend/packages/superset-ui-core/src/query/processFilters.ts)
- [superset/models/sql_lab.py](https://github.com/apache/superset/blob/master/superset/models/sql_lab.py)
- [docs/src/pages/index.tsx](https://github.com/apache/superset/blob/master/docs/src/pages/index.tsx)
- [tests/integration_tests/sqla_models_tests.py](https://github.com/apache/superset/blob/master/tests/integration_tests/sqla_models_tests.py)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
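
An added example, not part of the bot's comment and not Superset's code: a minimal selector DSL with equality, sets, negation and logical operators, compiled to a parameterized `WHERE` fragment. The selector format, `ALLOWED_COLUMNS` and the `orders` table are hypothetical, and `sqlite3` placeholders stand in for SQLAlchemy `.where()` clauses so the block runs with the standard library only.

```python
import sqlite3

# Hypothetical allowlist: identifiers cannot be bound as parameters,
# so they are checked against known names before being placed in SQL.
ALLOWED_COLUMNS = {"region", "department", "status"}

def compile_selector(node):
    """Compile a selector tree into (sql_fragment, params); values are always bound."""
    if not isinstance(node, dict) or len(node) != 1:
        raise ValueError("selector node must be a single-key dict")
    (op, arg), = node.items()
    if op in ("eq", "in"):
        column, value = arg
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {column!r}")
        if op == "eq":
            return f'"{column}" = ?', [value]
        values = list(value)
        if not values:
            return "1 = 0", []  # an empty set matches nothing
        return f'"{column}" IN ({", ".join("?" * len(values))})', values
    if op == "not":
        sql, params = compile_selector(arg)
        return f"NOT ({sql})", params
    if op in ("and", "or"):
        if not arg:
            raise ValueError(f"{op!r} needs at least one operand")
        parts = [compile_selector(child) for child in arg]
        sql = f" {op.upper()} ".join(f"({s})" for s, _ in parts)
        return sql, [p for _, ps in parts for p in ps]
    raise ValueError(f"unknown operator: {op!r}")

def visible_rows(conn, selector):
    """Return the ids of the rows the selector lets the caller see."""
    sql, params = compile_selector(selector)
    query = f"SELECT id FROM orders WHERE {sql} ORDER BY id"
    return [row[0] for row in conn.execute(query, params)]

def demo_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, region TEXT, department TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "EMEA", "sales", "open"),
        (2, "EMEA", "sales", "draft"),
        (3, "APAC", "sales", "open"),
        (4, "EMEA", "finance", "closed"),
    ])
    return conn

POLICY = {"and": [{"eq": ["region", "EMEA"]}, {"not": {"in": ["status", ["draft", "deleted"]]}}]}
```

Rejecting unknown operators and columns makes the compiler fail closed: a malformed rule raises an error instead of producing a filter that silently matches every row.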