giacomochiarella commented on code in PR #34111:
URL: https://github.com/apache/superset/pull/34111#discussion_r2444174653
##########
superset/sql_lab.py:
##########
@@ -475,7 +475,9 @@ def execute_sql_statements( # noqa: C901
db.session.commit()
# Hook to allow environment-specific mutation (usually comments)
to the SQL
- query.executed_sql = database.mutate_sql_based_on_config(block)
+ query.executed_sql = database.mutate_sql_based_on_config(
+ block, is_split=config["MUTATE_AFTER_SPLIT"]
Review Comment:
Here my 2 cents on what I found out in Superset 5.0.0.
I’m trying to make MUTATE_AFTER_SPLIT and SQL_QUERY_MUTATOR working. I want
to execute set role <rolename> when a query is executed, either in sqllab or
from a dashboard/chart/dataset. I’ve setup SQL_QUERY_MUTATOR function in order
to add set role to the query:
```
def sql_query_mutator(sql: str, **kwargs: dict) -> str:
if <some condition>:
rle_name = <some logic>
sql = f"set role {role_name}; {sql}"
logger.info(f"Executing query {sql}...")
return sql
SQL_QUERY_MUTATOR = sql_query_mutator
```
so far so good, things get weird when I set MUTATE_AFTER_SPLIT:
MUTATE_AFTER_SPLIT = True: everything works fine from sqllab. The role is
applied correctly. I get Data error: Error: no results to fetch in charts (I
read it is due to set role <> not returning results makes psycopg raising that
error)
- MUTATE_AFTER_SPLIT = False: it works from charts and sqllab with a big
BUT. In such case, the user needs to add set role <role_name> which means the
user can set any role if it knows the role name
- MUTATE_AFTER_SPLIT = False would work perfectly if I could force users in
sqllab to not use other roles, for example if I could intercept the sqllab
query I could remove any set role and add automatically the set role needed.
The idea is to have one single connection based on a user without any
permissions but membership to roles and then add set role automatically based
on the username of Superset user which is executing the query. I don't think
this is possible currently.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
