GitHub user dosubot[bot] added a comment to the discussion: RLS condition inconsistently applied inside dataset metric subqueries
<!-- Answer --> I want to correct one important point in your understanding: **tables inside CTE bodies DO receive RLS injection**. The `is_cte()` exclusion only prevents CTE *references* (i.e., `SELECT * FROM cte_name`) from being treated as real tables — this is a security measure against name-shadowing attacks [[1]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/sql/parse.py#L1335-L1342). The actual tables *within* the CTE definition are still detected via `traverse_scope()` and receive RLS predicates. For example: ```sql WITH sub AS (SELECT * FROM tableau_brand WHERE type = 'ts') SELECT COUNT(*) FROM sub ``` Here: - `tableau_brand` inside the CTE body **will** be detected as an `exp.Table` and RLS will be attempted on it - `sub` in `FROM sub` will be **excluded** (it's a CTE reference, not a real table) So if you're not seeing RLS inside your CTEs, the issue is likely the same predicate lookup problem we discussed earlier — `tableau_brand` is found as a table, but `get_predicates_for_table()` either returns empty predicates (no RLS rules directly associated with that dataset name) or the schema qualification doesn't match [[2]](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/utils/rls.py#L85-L102). ## On Database-Native RLS as a Long-Term Approach Your instinct is sound. Given the architectural limitations: - Superset's application-level RLS has coverage gaps: it's not applied in `Database.get_df()`, MCP tools, or SQL Lab by default [[3]](https://github.com/apache/superset/pull/36529) [[4]](https://github.com/apache/superset/discussions/33308#discussioncomment-12999029) - There is no planned support for user-configurable CTE-aware RLS injection scope - No roadmap items exist for recursive RLS resolution in virtual dataset/metric subqueries PostgreSQL native RLS applied at the base table level would enforce security **regardless** of how Superset constructs the query — no dependency on AST transformation, schema matching, or dataset metadata resolution. It's the most robust approach for your use case with complex correlated denominators. ## Caveats with Database-Native RLS There's no official Superset guidance on this pattern, but consider: - **Connection pooling**: If Superset connects with a single service account, PostgreSQL RLS policies need to use session variables (e.g., `SET app.current_tenant = ...`) rather than `current_user`. You'd need to configure Superset's `DB_CONNECTION_MUTATOR` or equivalent to set these variables per-request. - **Complementary, not replacement**: You may still want Superset-level RLS for dashboard/UI-level filtering and the DB-level RLS as the enforcement backstop. - **Performance**: PostgreSQL RLS with proper indexes on policy columns performs well, often better than Superset injecting complex OR clauses into deeply nested subqueries. ## Summary For your specific pattern (virtual dataset + correlated metric denominators + complex Jinja filters), database-native RLS is the most architecturally sound long-term solution. There are no current plans for CTE-scope-aware RLS or recursive virtual dataset resolution in Superset's RLS system. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=reply-with-mention&utm_term=apache%2Fsuperset).* --- Docs are dead. Just use [Dosu](https://dosu.dev?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-tagline&utm_term=apache%2Fsuperset). [](https://app.dosu.dev/response-feedback?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-feedback&utm_term=apache%2Fsuperset&message_id=7bba409e-9e28-4040-80b4-9dc45caa4ed1) [](https://github.dosu.com/apache/superset?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-ask-repo&utm_term=apache%2Fsuperset) [](https://app.dosu.dev/signup?referrer=openSource&source=github-footer&utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-share-team&utm_term=apache%2Fsuperset) GitHub link: https://github.com/apache/superset/discussions/40400#discussioncomment-17060626 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
