Copilot commented on code in PR #40356: URL: https://github.com/apache/superset/pull/40356#discussion_r3326664164
########## superset/mcp_service/rls/tool/create_rls_filter.py: ########## @@ -0,0 +1,131 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.rls.schemas import ( + CreateRLSFilterRequest, + CreateRLSFilterResponse, +) + +logger = logging.getLogger(__name__) + + +@tool( + tags=["mutate"], + class_permission_name="Row Level Security", + method_permission_name="write", + annotations=ToolAnnotations( + title="Create RLS filter", + readOnlyHint=False, + destructiveHint=False, + ), +) +async def create_rls_filter( + request: CreateRLSFilterRequest, ctx: Context +) -> CreateRLSFilterResponse: + """Create a row-level security (RLS) filter rule. + + RLS filters restrict which rows users can see based on their role membership. + Use this to enforce data access policies at the row level. + + Filter types: + - "Regular": Hides rows from the specified roles unless the clause matches. + - "Base": Shows only rows where the clause matches to the specified roles. + + Workflow: + 1. Use list_datasets to find the table IDs to protect. + 2. Use find_users to locate role IDs to apply the filter to. + 3. Call this tool with the SQL WHERE clause to enforce. Review Comment: The tool docstring describes the "Base" filter type as applying only to the specified roles, but Superset’s RLS evaluation applies Base filters to all users *except* users with a role listed on that filter (see SupersetSecurityManager.get_rls_filters). This mismatch can lead to incorrect (and potentially risky) guidance for configuring RLS via MCP. Also, `find_users` does not provide role IDs, so the workflow step is misleading. ########## superset/mcp_service/rls/schemas.py: ########## @@ -0,0 +1,138 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +""" +Pydantic schemas for RLS (row-level security) MCP tools. +""" + +from __future__ import annotations + +from typing import Literal + +from pydantic import BaseModel, ConfigDict, Field + + +class CreateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + name: str = Field(..., min_length=1, description="Name for the RLS filter rule.") + filter_type: Literal["Regular", "Base"] = Field( + ..., + description=( + 'Type of filter. "Regular" hides rows from the specified roles ' + 'unless the clause matches. "Base" shows only rows where the ' + "clause matches to the specified roles." + ), Review Comment: `filter_type` documentation says Base filters "show only rows" for the specified roles, but Superset’s RLS logic applies Base filters to all users except users with the listed roles. The schema description is part of the MCP tool contract, so it should match actual enforcement semantics. ########## superset/mcp_service/rls/schemas.py: ########## @@ -0,0 +1,138 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +""" +Pydantic schemas for RLS (row-level security) MCP tools. +""" + +from __future__ import annotations + +from typing import Literal + +from pydantic import BaseModel, ConfigDict, Field + + +class CreateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + name: str = Field(..., min_length=1, description="Name for the RLS filter rule.") + filter_type: Literal["Regular", "Base"] = Field( + ..., + description=( + 'Type of filter. "Regular" hides rows from the specified roles ' + 'unless the clause matches. "Base" shows only rows where the ' + "clause matches to the specified roles." + ), + ) + tables: list[int] = Field( + ..., + min_length=1, + description=( + "List of table IDs this filter applies to. Use list_datasets to find IDs." + ), + ) + roles: list[int] = Field( + ..., + description="List of role IDs that see this filter applied.", + ) Review Comment: The `roles` field description implies roles always have the filter applied, but for Base filters the listed roles are exempt (Base rules apply to everyone *not* in the roles list). Clarifying this in the schema helps avoid misconfiguration via MCP. ########## superset/mcp_service/rls/schemas.py: ########## @@ -0,0 +1,138 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +""" +Pydantic schemas for RLS (row-level security) MCP tools. +""" + +from __future__ import annotations + +from typing import Literal + +from pydantic import BaseModel, ConfigDict, Field + + +class CreateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + name: str = Field(..., min_length=1, description="Name for the RLS filter rule.") + filter_type: Literal["Regular", "Base"] = Field( + ..., + description=( + 'Type of filter. "Regular" hides rows from the specified roles ' + 'unless the clause matches. "Base" shows only rows where the ' + "clause matches to the specified roles." + ), + ) + tables: list[int] = Field( + ..., + min_length=1, + description=( + "List of table IDs this filter applies to. Use list_datasets to find IDs." + ), + ) + roles: list[int] = Field( + ..., + description="List of role IDs that see this filter applied.", + ) + clause: str = Field( + ..., + min_length=1, + description=( + "SQL WHERE clause applied to matching tables (e.g. \"region = 'EMEA'\")." + ), + ) + group_key: str | None = Field( + None, + description="Optional group key for grouping related filters.", + ) + description: str | None = Field( + None, + description="Optional human-readable description of the filter.", + ) + + +class CreateRLSFilterResponse(BaseModel): + id: int | None = Field( + None, + description="RLS filter ID. None if the operation failed.", + ) + name: str | None = Field(None, description="Name of the RLS filter.") + filter_type: str | None = Field(None, description="Filter type: Regular or Base.") + clause: str | None = Field(None, description="SQL WHERE clause of the filter.") + tables: list[int] = Field( + default_factory=list, + description="Table IDs this filter applies to.", + ) + roles: list[int] = Field( + default_factory=list, + description="Role IDs affected by this filter.", + ) + group_key: str | None = Field(None, description="Group key for the filter.") + description: str | None = Field(None, description="Description of the filter.") + error: str | None = Field( + None, + description="Error message if the operation failed, otherwise null.", + ) + + +class UpdateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + id: int = Field(..., description="ID of the RLS filter rule to update.") + name: str | None = Field( + None, + min_length=1, + description="New name for the RLS filter rule. Omit to keep existing.", + ) + filter_type: Literal["Regular", "Base"] | None = Field( + None, + description=( + "New filter type. Omit to keep existing. " + '"Regular" hides rows from the specified roles unless the clause matches. ' + '"Base" shows only rows where the clause matches to the specified roles.' + ), + ) + tables: list[int] | None = Field( + None, + description=( + "New list of table IDs this filter applies to. " + "Omit to keep existing. Pass [] to remove all tables." + ), + ) + roles: list[int] | None = Field( + None, + description=( + "New list of role IDs that see this filter applied. " + "Omit to keep existing. Pass [] to remove all roles." + ), + ) Review Comment: `UpdateRLSFilterRequest.roles` description implies roles always have the filter applied, but for Base filters the listed roles are exempt (Base rules apply to everyone *not* in the roles list). This should be clarified to prevent accidental over-restriction via update calls. ########## superset/mcp_service/rls/schemas.py: ########## @@ -0,0 +1,138 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +""" +Pydantic schemas for RLS (row-level security) MCP tools. +""" + +from __future__ import annotations + +from typing import Literal + +from pydantic import BaseModel, ConfigDict, Field + + +class CreateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + name: str = Field(..., min_length=1, description="Name for the RLS filter rule.") + filter_type: Literal["Regular", "Base"] = Field( + ..., + description=( + 'Type of filter. "Regular" hides rows from the specified roles ' + 'unless the clause matches. "Base" shows only rows where the ' + "clause matches to the specified roles." + ), + ) + tables: list[int] = Field( + ..., + min_length=1, + description=( + "List of table IDs this filter applies to. Use list_datasets to find IDs." + ), + ) + roles: list[int] = Field( + ..., + description="List of role IDs that see this filter applied.", + ) + clause: str = Field( + ..., + min_length=1, + description=( + "SQL WHERE clause applied to matching tables (e.g. \"region = 'EMEA'\")." + ), + ) + group_key: str | None = Field( + None, + description="Optional group key for grouping related filters.", + ) + description: str | None = Field( + None, + description="Optional human-readable description of the filter.", + ) + + +class CreateRLSFilterResponse(BaseModel): + id: int | None = Field( + None, + description="RLS filter ID. None if the operation failed.", + ) + name: str | None = Field(None, description="Name of the RLS filter.") + filter_type: str | None = Field(None, description="Filter type: Regular or Base.") + clause: str | None = Field(None, description="SQL WHERE clause of the filter.") + tables: list[int] = Field( + default_factory=list, + description="Table IDs this filter applies to.", + ) + roles: list[int] = Field( + default_factory=list, + description="Role IDs affected by this filter.", + ) + group_key: str | None = Field(None, description="Group key for the filter.") + description: str | None = Field(None, description="Description of the filter.") + error: str | None = Field( + None, + description="Error message if the operation failed, otherwise null.", + ) + + +class UpdateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + id: int = Field(..., description="ID of the RLS filter rule to update.") + name: str | None = Field( + None, + min_length=1, + description="New name for the RLS filter rule. Omit to keep existing.", + ) + filter_type: Literal["Regular", "Base"] | None = Field( + None, + description=( + "New filter type. Omit to keep existing. " + '"Regular" hides rows from the specified roles unless the clause matches. ' + '"Base" shows only rows where the clause matches to the specified roles.' + ), + ) Review Comment: `UpdateRLSFilterRequest.filter_type` description repeats the incorrect Base filter semantics (Base filters apply to all users except users with the listed roles). Since MCP clients will rely on these descriptions, they should reflect the actual behavior in Superset’s RLS evaluation. ########## superset/mcp_service/rls/schemas.py: ########## @@ -0,0 +1,138 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +""" +Pydantic schemas for RLS (row-level security) MCP tools. +""" + +from __future__ import annotations + +from typing import Literal + +from pydantic import BaseModel, ConfigDict, Field + + +class CreateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + name: str = Field(..., min_length=1, description="Name for the RLS filter rule.") + filter_type: Literal["Regular", "Base"] = Field( + ..., + description=( + 'Type of filter. "Regular" hides rows from the specified roles ' + 'unless the clause matches. "Base" shows only rows where the ' + "clause matches to the specified roles." + ), + ) + tables: list[int] = Field( + ..., + min_length=1, + description=( + "List of table IDs this filter applies to. Use list_datasets to find IDs." + ), + ) + roles: list[int] = Field( + ..., + description="List of role IDs that see this filter applied.", + ) + clause: str = Field( + ..., + min_length=1, + description=( + "SQL WHERE clause applied to matching tables (e.g. \"region = 'EMEA'\")." + ), + ) + group_key: str | None = Field( + None, + description="Optional group key for grouping related filters.", + ) + description: str | None = Field( + None, + description="Optional human-readable description of the filter.", + ) + + +class CreateRLSFilterResponse(BaseModel): + id: int | None = Field( + None, + description="RLS filter ID. None if the operation failed.", + ) + name: str | None = Field(None, description="Name of the RLS filter.") + filter_type: str | None = Field(None, description="Filter type: Regular or Base.") + clause: str | None = Field(None, description="SQL WHERE clause of the filter.") Review Comment: `CreateRLSFilterResponse` is used as the return type for both `create_rls_filter` and `update_rls_filter`. Since this response model is not create-specific, the class name is misleading for the update tool and for schema discovery/docs consumers. ########## superset/mcp_service/app.py: ########## @@ -656,6 +656,10 @@ def create_mcp_app( from superset.mcp_service.explore.tool import ( # noqa: F401, E402 generate_explore_link, ) +from superset.mcp_service.rls.tool import ( # noqa: F401, E402 + create_rls_filter, + update_rls_filter, +) Review Comment: These new MCP mutation tools are registered in the server, but there are no corresponding unit tests under `tests/unit_tests/mcp_service/` (other MCP tools have extensive schema + tool-call coverage). Adding tests for success paths and the documented error cases (invalid table/role IDs, missing rule ID, and permission denied) would help prevent regressions in this security-sensitive area. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
