justin-barton commented on issue #8699: [SIP-29] Add support for row-level security URL: https://github.com/apache/incubator-superset/pull/8699#issuecomment-561441223 > Thanks for the feedback, very good to have an exhaustive discussion prior to committing to any approach. > > I think there might be a misunderstanding about how the ORing approach should work. The basic idea is this: > > 1. AND across different keys > 2. OR within keys > 3. apply default if user doesn't belong to any roles within a certain key > > In my example, the following WHERE clauses would be generated: > > 1. doesn't belong to any groups: `((false)) AND ((report_date >= current_timestamp() - 1))` > 2. belongs to "finance": `((dept_id = 1)) AND ((report_date >= current_timestamp() - 30))` > 3. belongs to "risk": `((dept_id = 2)) AND ((report_date >= current_timestamp() - 1))` > 4. belongs to "finance" and "risk": `((dept_id = 1) OR (dept_id = 2)) AND ((report_date >= current_timestamp() - 30))` > > For your example case, providing that these filter groups were made with the same key (as I understand they should), the following WHERE clause would be generated: `((country='Freedonia' AND item='Apples') OR (country='Ruritania' AND item='Oranges'))`, i.e. the user would _not_ see Ruritania Apple exports. > > In the case of having a default duration of 30 days and specifying a more restrictive filter group for 1 day, the default would not be applied, i.e. the user would only see one day's worth of data. Of course, if the user belonged to _two_ restrictive groups, 15 days and 1 days, the more permissive role of 15 days would in practice apply. However, this seems like a logical error in how the roles are assigned to users. > > The proposal to start by rolling out the backend functionality was merely a proposal to keep the PRs as small as possible and easier to review/develop. However, I'm sure they can be done together, assuming the person working on the PR is proficient in both the frontend and backend aspects of the codebase. I think that I'm following. So in your framework, my example would look something like: ``` { "somekey": { "default": "false", "roles": { "freedonia-orchards": "country='Freedonia' AND item='Apples'", "ruritania-groves": "country='Ruritania' AND item='Oranges'" } } } ``` I believe that functionally this is very similar to the current PR, with the following difference: - In the current PR, combinations of roles must be created as new roles and the filter clauses explicitly defined - In your proposed setup the logic for how the clauses within roles should be combined is explicitly defined by the user at the time of creation in the AND/OR hierarchy of the JSON structure Is that accurate? How would you envision making this available to end-users in the UI?
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
