giacomochiarella commented on PR #34111:
URL: https://github.com/apache/superset/pull/34111#issuecomment-4599590847
@rusackas In short, the idea is to have one database connection in Superset
and inject "set role <role_based_on_usename>" before any SQL

    import logging

    logger = logging.getLogger(__name__)

    def sql_query_mutator(sql: str, **kwargs: dict) -> str:
        # role_name and database_connection_name are not defined in the
        # snippet as posted.
        if kwargs.get("database"):
            logger.info(f"Setting {role_name} role for database connection {database_connection_name}...")
            sql = f"set role {role_name}; {sql}"
            logger.info(f"Executing query {sql}...")
        return sql

    SQL_QUERY_MUTATOR = sql_query_mutator
    MUTATE_AFTER_SPLIT = True

in any connection to the database. The issue today is that, when
MUTATE_AFTER_SPLIT = True, the SQL_QUERY_MUTATOR function is called only on
queries executed through dashboards/charts (when you open them) and not through
SQL Lab. In SQL Lab the user must add "set role <>" themselves, meaning that if
they know another role name they can use it and access other data. I don't know
if this is intentional or not (if not, it would be a bug).
In my opinion, both for consistency and to allow better data governance,
it would be good if the function SQL_QUERY_MUTATOR were applied "globally" when
MUTATE_AFTER_SPLIT = True. This is not mentioned in the documentation (or at
least I have not found it).
Or if you have another documented way, that is fine as well. The mutator is the
closest way I found in the documentation.
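
An added example, not part of the comment above and not Superset's own code: a mutator in the same shape that takes the role from a server-side mapping, quotes it as an identifier, and rejects statements that try to switch role themselves. `USER_ROLES`, the `username` keyword argument and the PostgreSQL-style `SET ROLE` syntax are assumptions made for illustration.

```python
import re

# Constructed for this example: Superset username -> database role.
USER_ROLES = {"alice": "analyst_emea", "bob": "analyst_us"}

# SQL comments, stripped before checking so they cannot hide a keyword.
COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)

# Statements that change the effective role (PostgreSQL-style syntax assumed).
ROLE_SWITCH = re.compile(
    r"\s*(set\s+(session\s+|local\s+)?(role|session\s+authorization)\b"
    r"|reset\s+(role|session\s+authorization)\b)",
    re.IGNORECASE,
)


def quote_ident(name: str) -> str:
    """Quote a role name as an SQL identifier, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def switches_role(sql: str) -> bool:
    """Best-effort check: does any statement in `sql` try to change role?"""
    bare = COMMENTS.sub(" ", sql)
    return any(ROLE_SWITCH.match(stmt) for stmt in bare.split(";"))


def sql_query_mutator(sql: str, **kwargs) -> str:
    # `username` is a hypothetical keyword argument for this example; a real
    # deployment would read the logged-in user from the application.
    role = USER_ROLES.get(kwargs.get("username"))
    if role is None:
        raise PermissionError("no database role mapped for this user")
    if switches_role(sql):
        raise PermissionError("queries may not change the database role")
    return f"SET ROLE {quote_ident(role)}; {sql}"
```

The text check is best effort and fails closed on a semicolon inside a string literal; it only helps on code paths where the mutator actually runs, and role membership granted in the database remains the real boundary.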