chore(security): Updating assert logic

[john-bodley]

SUMMARY

This PR updates the security manager assertion logic making it more flexible for deployments to configure their security manager. Currently there exists two types of methods:

1. can_access_*, e.g. can_access_datasource, which returns a boolean in response to whether the user can access said resource.
2. assert_*_permission, e.g. assert_datasource_permission, which returns None but raises an exception if the user cannot access said resource.

The issue with this approach is that some methods like access_datasource have all the logic and assert_datasource_permission calls can_access_datasource and raises an exception if the response is False, whereas others like can_access_table have no assert equivalent.

Additional context as to why a user cannot access said resource is lost when the logic resides in the can_access_* and thus the preferred approach is to have the logic in the assert_*_permission method and thus the can_access_* methods (which are mostly just convenience methods) can take the form,

def can_access_datasource(self, datasource) -> bool:
    try:
        self.assert_datasource_permission(datasource)
    except SupersetSecurityException:
        return False

    return True

Note I’ve only translated a few of the can_access_* methods. I think in the future it could make sense that more of these methods could leverage this pattern depending on how deployments with custom security managers would want to proceed.

Secondly the term assert seems strange as one would expect it to raise an AssertionError if the assertion fails, whereas these methods raise a SupersetSecurityException, hence I opted for the requests approach (which uses raise_for_status) to call these methods raise_for_access and thus it seems clearer than an exception may be raised (and thus should be handled if necessary). I used the term access rather than permission for consistency with the can_access_* methods. I also added a wrapper function to various classes so rather than,

query_context = QueryContext(**json.loads(request.form["query_context"]))
security_manager.assert_query_context_permission(query_context)

the logic is now,

query_context = QueryContext(**json.loads(request.form["query_context"]))
query_context.raise_for_access()

Finally rather than having a slew of raise_for_*_access which can add to the confusion (and introduce unnecessary complexity) if a deployment needs to override these, i.e., they intrinsically need to know how these interact, I defined a single raise_for_access method which contains all the logic regardless of the resource type (table, datasource, visualization, etc.). This can be helpful say if a user cannot access to an outright datasource but due to column level security can access the datasource in the context of a visualization (where the columns are defined).

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TEST PLAN

CI and added unit tests.

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Requires DB Migration.
• Confirm DB Migration upgrade and downgrade tested.
• Introduces new feature or API
• Removes existing feature or API

[codecov-commenter]

Codecov Report

Merging #10034 into master will increase coverage by 4.84%.
The diff coverage is 92.15%.

@@            Coverage Diff             @@
##           master   #10034      +/-   ##
==========================================
+ Coverage   64.08%   68.93%   +4.84%     
==========================================
  Files         584      584              
  Lines       31054    31077      +23     
  Branches     3180     3180              
==========================================
+ Hits        19901    21422    +1521     
+ Misses      10975     9546    -1429     
+ Partials      178      109      -69     

Flag	Coverage Δ
#cypress	53.92% <ø> (?)
#javascript	59.48% <ø> (ø)
#python	67.40% <92.15%> (+0.06%)	⬆️

Impacted Files	Coverage Δ
superset/viz_sip38.py	0.00% <0.00%> (ø)
superset/views/api.py	66.66% <50.00%> (ø)
superset/views/core.py	75.39% <75.00%> (ø)
superset/charts/api.py	80.31% <100.00%> (ø)
superset/common/query_context.py	79.62% <100.00%> (+0.25%)	⬆️
superset/connectors/base/models.py	86.57% <100.00%> (+0.14%)	⬆️
superset/security/manager.py	91.17% <100.00%> (+2.13%)	⬆️
superset/viz.py	57.11% <100.00%> (+0.05%)	⬆️
superset/connectors/sqla/models.py	89.10% <0.00%> (+0.14%)	⬆️
...rontend/src/SqlLab/components/AceEditorWrapper.tsx	56.98% <0.00%> (+1.07%)	⬆️
... and 147 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9532bff...06efb7d. Read the comment docs.

[john-bodley]

I wonder if there should be any assertion logic to ensure that the right combination of parameters are defined. Note except for database and table these are all mutually exclusive. I did consider having an argument database_and_table which would be an Optional[Tuple["Database, "Table']] but I wasn't sold on the idea and thus opted for the additional docstring context.

[villebro]

An optional approach here would be to define DatasourceMixin which provides a datasource, and add it to BaseViz, QueryContext and Datasource. in this case we could simplify the signature of this method by combining viz, datasource and query_context into one single datasource: DatasourceMixin. The same could be done to query and database (DatabaseMixin). This could help clarify what the diffefent arguments mean.

[dpgaspar]

It's tempting to think of something like use a **kwargs then use a dict to route the named parameters to smaller methods that would implement the security assertion logic. A bit crazy, but has it's upsides, cleaner signature, forced breaking logic into smaller chunks, easy to extend.

Not 100% sure if it's doable,

[john-bodley]

Annexed self explanatory comment.

[etr2460]

one other question: does this handle queries run within SQL Lab too? I'm assume that's what the "datasource" part does, but wanted to confirm

[etr2460]

If there's a different exception thrown, then this fails open. Is that secure?

[john-bodley]

@etr2460 in theory (by construction) the raise_for_access method should only throw a SupersetSecurityException exception. Generally catching scoped (as opposed to general) exceptions is preferred.

[john-bodley]

@etr2460 SQL Lab uses the rejected_tables method which calls can_access_datasource (renamed to can_access_table in #10031) which leverages this the raise_for_access method.

[john-bodley]

@dpgaspar and @villebro I was wondering whether you had any updated thoughts regarding this approach.

Note I do believe that long term many constructs of the existing security manager (from a data access perspective) will need to change as the constructs of database, schema, datasource access is somewhat regimented especially within the world of row level access (exists within Apache Superset) and column level access (exists at Airbnb in the form of metric level access).

[etr2460]

not changed in this PR, but this try/catch seems kinda weird, I would've expected this api to be wrapped in the handle_api_exception decorator that i believe automatically generates the proper json error response from an exception

[john-bodley]

@etr2460 I think this merely highlights the inconsistencies with how backend errors are handled. This is detailed in SIP-41.

[dpgaspar]

@etr2460 #9529 kind of addresses that, it's a POC for SIP-41, uses flask error handling

[etr2460]

this looks good, although i'm not sure if @villebro or @dpgaspar still needed to take a look

[john-bodley]

I though there was merit in being more explicit about what it means to be able to access a database, schema, etc. It's not overly apparent without the comment.

[villebro]

@john-bodley this needs a rebase

[john-bodley]

@villebro I've rebased. Note in the second commit I also extended the logic to replace the rejected_tables method. I think this provides clarity/simplicity in the views but possibly adds complexity to the raise_for_access method.

[villebro]

LGTM. My only concern is the fairly loaded method raise_for_access method, which in current form feels slightly difficult to approach for first-timers, and was slightly difficult to follow with many branching if-statements. I'm not sure how you feel about the mixin approach, but it could help remove some complexity in this method, although would arguably introduce some bloat elsewhere.

[villebro]

An optional approach here would be to define DatasourceMixin which provides a datasource, and add it to BaseViz, QueryContext and Datasource. in this case we could simplify the signature of this method by combining viz, datasource and query_context into one single datasource: DatasourceMixin. The same could be done to query and database (DatabaseMixin). This could help clarify what the diffefent arguments mean.

[john-bodley]

@villebro I agree that the raise_for_access method is fairly loaded, though in general I like the standardization it has provided in terms of checking for access from the perspective of a query, viz, etc. It also has reduced a significant amount of the spaghetti security logic, i.e., pervious assert_datasource_permission , can_access_datasource, can_access_table, rejected_tables, etc. whereas now there's just the raise_for_access and a convenience method.

The mixin is an interesting idea, though I sense it mightn’t simply the logic in raise_for_access as one would need to do a number of isinstance checks to work out whether the DatasourceMixin is a query context, viz, etc to pull out the appropriate attributes. Also this doesn’t address the issue of the Table argument as there’s no mixin related to that.

[dpgaspar]

@etr2460, @john-bodley

I'm aware of this change, will take a look today

[dpgaspar]

It's tempting to think of something like use a **kwargs then use a dict to route the named parameters to smaller methods that would implement the security assertion logic. A bit crazy, but has it's upsides, cleaner signature, forced breaking logic into smaller chunks, easy to extend.

Not 100% sure if it's doable,

[dpgaspar]

Regarding the from superset import db
We could replace it by self.get_session