GitHub user gabriel-korbato created a discussion: Overriding can_access_datasource to block access to sensitive tables
Superset's permissions are set up in a way that if a user has access to a data source, they have implicit access to the database. This makes sense in many cases, but my database has a set of tables that contain sensitive data that only privileged users should be able to access, make charts from, or see charts from. The list of tables with sensitive data is large and growing each day, so it is not practical to set row-level permissions, because this requires listing each table.

I started browsing the code for `SupersetSecurityManager`, since I had to make a subclass of that for other security matters, found the `can_access_datasource` function, and overrode it in `superset_config.py` with additional logic that checks the table name and the user's roles to determine if they should have access.

I tested this with log statements and verified that the function correctly returns `True` or `False` as required: when an unprivileged user accesses a chart that has a `datasource` that should be privileged, the function returns `False`, and when a privileged user accesses the same chart, the function returns `True`. So far so good, but I am stuck because Superset displays the chart fed from the datasource anyway. Does anyone know what I am missing?

GitHub link: https://github.com/apache/superset/discussions/35932
