metaperl opened a new issue #8864: How to programmatically create and assign a Superset custom role URL: https://github.com/apache/incubator-superset/issues/8864 **Is your feature request related to a problem? Please describe.** Currently no docs exist for creating a role programmatically - only via the UI. Also, no docs exist for programmatically customizing what happens after a database connection is created by a user in the UI. **Describe the solution you'd like** Some docs similar to to what follows should be added and embellished upon. We have, via the UI, created a "Gamma_modified" role. A user with this role can create database connections. And currently, they can then be manually granted access to their created database connection. It is our aim to 1. create the Gamma_modified role programmatically one time, when first building Superset. 1. bind the `Gamma_modified` role to `AUTH_USER_REGISTRATION_ROLE` in our `superset_config.py` so that it is the default role of new users. It is a misfeature of superset that one cannot simply list two roles for the default user registration role - https://github.com/apache/incubator-superset/issues/8861 1. automatically grant access to a newly created database connection by the creator of the connection. # Creating a Gamma_modified Role Programmatically The docs show how to create a role via the UI, but our delivery pipeline demands automatic creation of a role which contains the following properties beyond teh standard gamma role: ``` ['can add', 'DatabaseAsync'] ['can delete', 'DatabaseAsync'] ['can download', 'DatabaseAsync'] ['can edit', 'DatabaseAsync'] ['muldelete', 'DatabaseAsync'] ['yaml export', 'DatabaseAsync'] ['can add', 'DatabaseView'] ['can delete', 'DatabaseView'] ['can download', 'DatabaseView'] ['can edit', 'DatabaseView'] ['muldelete', 'DatabaseView'] ['yaml export', 'DatabaseView'] ['can add', 'SqlMetricInlineView'] ['can delete', 'SqlMetricInlineView'] ['can download', 'SqlMetricInlineView'] ['can edit', 'SqlMetricInlineView'] ['can add', 'TableColumnInlineView'] ['can delete', 'TableColumnInlineView'] ['can download', 'TableColumnInlineView'] ['can edit', 'TableColumnInlineView'] ['can add', 'TableModelView'] ['can delete', 'TableModelView'] ['can download', 'TableModelView'] ['can edit', 'TableModelView'] ['muldelete', 'TableModelView'] ['refresh', 'TableModelView'] ['yaml export', 'TableModelView'] ``` # bind AUTH_USER_REGISTRATION_ROLE to a custom role It is presumed that any defined role can be chosen in our `superset_config.py` just by providing its value to `AUTH_USER_REGISTRATION_ROLE`. # Automatically granting the creator of a role access to it. Presumably a SQLAlchemy post-commit hook can be added to some class to automatically grant access to the creator of a database connection. # Discussion Reflection, and Implementation ## Creating a Gamma_modified Role Programmatically The following code creates and saves a `Gamma_modified` role: ```python from superset import app, appbuilder, db, examples, security_manager import gamma_extra sm = security_manager sm.sync_role_definitions() gamma_modified_role = sm.add_role("gamma_modified") for perm, view in gamma_extra.perm_views: pv = sm.find_permission_view_menu(perm, view) sm.add_permission_role(gamma_modified_role, pv) for role in ["Gamma", "sql_lab"]: for perm in sm.find_role(role).permissions: sm.add_permission_role(gamma_modified_role, perm) sm.get_session.commit() ``` ## (Automatically) granting the creator of a role access to it. The following code assigns `database_access` to the creator of a database: ```python from superset import app, appbuilder, db, examples, security_manager from superset.models import core as models sm = security_manager def self_permit(u, db): pv = sm.add_permission_view_menu("database_access", db.perm) role_name = f"(SP) database_access on {db.perm}" role = sm.add_role(role_name) sm.add_permission_role(role, pv) u.roles.append(role) sm.get_session.commit() for database in db.session.query(models.Database): print(database) # print(database.creator) c = database.created_by print(type(c)) # <class 'flask_appbuilder.security.sqla.models.User'> try: print(c.id) p = database.perm print(type(p)) print(p) u = sm.find_user('user3') self_permit(u, database) except: pass ``` ### Questions Is there a post-commit hook that can run after a user creates a database connection that I can add this code to so that right after a user creates a connection, they receive `database_access` to it?
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
