villebro commented on issue #8699: [SIP-29] Add support for row-level security URL: https://github.com/apache/incubator-superset/pull/8699#issuecomment-560152670 Thanks for the feedback, very good to have an exhaustive discussion prior to committing to any approach. I think there might be a misunderstanding about how the ORing approach should work. The basic idea is this: 1) AND across different keys 2) OR within keys 3) apply default if user doesn't belong to any roles within a certain key In my example, the following WHERE clauses would be generated: 1) doesn't belong to any groups: `((false)) AND ((report_date >= current_timestamp() - 1))` 2) belongs to "finance": `((dept_id = 1)) AND ((report_date >= current_timestamp() - 30))` 3) belongs to "risk": `((dept_id = 2)) AND ((report_date >= current_timestamp() - 1))` 3) belongs to "finance" and "risk": `((dept_id = 1) OR (dept_id = 2)) AND ((report_date >= current_timestamp() - 30))` For your example case, providing that these filter groups were made with the same key (as I understand they should), the following WHERE clause would be generated: `((country='Freedonia' AND item='Apples') OR (country='Ruritania' AND item='Oranges'))`, i.e. the user would *not* see Ruritania Apple exports. In the case of having a default duration of 30 days and specifying a more restrictive filter group for 1 day, the default would not be applied, i.e. the user would only see one day's worth of data. Of course, if the user belonged to *two* restrictive groups, 15 days and 1 days, the more permissive role of 15 days would in practice apply. However, this seems like a logical error in how the roles are assigned to users. The proposal to start by rolling out the backend functionality was merely a proposal to keep the PRs as small as possible and easier to review/develop. However, I'm sure they can be done together, assuming the person working on the PR is proficient in both the frontend and backend aspects of the codebase.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
