amitmiran137 commented on a change in pull request #13773:
URL: https://github.com/apache/superset/pull/13773#discussion_r605894672
##########
File path: superset/security/manager.py
##########
@@ -987,15 +989,28 @@ def raise_for_access( # pylint:
disable=too-many-arguments,too-many-branches
)
if datasource or query_context or viz:
+ extra_jwt = None
if query_context:
datasource = query_context.datasource
+ extra_jwt = query_context.extra_jwt
elif viz:
datasource = viz.datasource
+ extra_jwt = viz.extra_jwt
assert datasource
+ ds_allowed_in_dashboard = False
+ if feature_flag_manager.is_feature_enabled("DASHBOARD_RBAC"):
+ dashboard_data_context =
dashboard_jwt_manager.parse_jwt(extra_jwt)
+
+ if dashboard_data_context:
+ ds_allowed_in_dashboard = (
+ datasource.id in dashboard_data_context.dataset_ids
+ )
+
if not (
- self.can_access_schema(datasource)
+ ds_allowed_in_dashboard
Review comment:
in our org every dashboard might serve different set of users which
basically means a separated role per dashboard.
so managing access for every dataset on every dashboard is a cumbersome work.
it will require managing all datasets permissions for every role.
this problem scale when having hundreds of dashboards.
additionally, dataset permission mechanism has a defect , when changing a
virtual dataset name then permission name changes as well but if it is already
associated to a role you'll need to remove it and then remove and re-associate
bc permission is based on the name of the dataset and not by the id
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
