aminghadersohi opened a new pull request, #38407: URL: https://github.com/apache/superset/pull/38407
## Summary - Adds RBAC (Role-Based Access Control) enforcement to MCP tools that mirrors Flask-AppBuilder's `@protect()` decorator pattern - Each MCP tool now declares its required FAB permission (e.g., `can_read` on `Chart`) via `class_permission_name` on the `@tool` decorator - `mcp_auth_hook` checks permissions via `security_manager.can_access()` before tool execution, raising `MCPPermissionDeniedError` on denial - System tools (health_check, get_instance_info, get_schema) remain open to all authenticated users ### Permission Mapping | Tool Category | class_permission_name | Read Tools | Write Tools | |---|---|---|---| | Chart | `Chart` | list_charts, get_chart_info, get_chart_data, get_chart_preview | generate_chart, update_chart, update_chart_preview | | Dashboard | `Dashboard` | list_dashboards, get_dashboard_info | generate_dashboard, add_chart_to_existing_dashboard | | Dataset | `Dataset` | list_datasets, get_dataset_info | — | | Explore | `Explore` | generate_explore_link | — | | SQL Lab | `SQLLab` | open_sql_lab_with_context | execute_sql | ## Testing Instructions 1. Start MCP server locally (`superset mcp`) 2. Verify admin user can access all tools (no change in behavior) 3. Run unit tests: `pytest tests/unit_tests/mcp_service/test_auth_rbac.py -v` (14 tests) 4. To test permission denial: create a user with limited roles and verify tools return `MCPPermissionDeniedError` for resources they can't access ## Additional Information - Mutate-tagged tools (generate_chart, execute_sql, etc.) auto-default to `can_write`; all others default to `can_read` - Explicit `method_permission_name` can override the default (e.g., for custom SQL Lab permissions) - No breaking changes: admin users retain full access; tools without `class_permission_name` are allowed by default -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
