feat(dashboard_rbac): dashboard lists

[amitmiran137]

SUMMARY

Role based dashboard level access with focus on dashboard list APIs

credits also goes to @Ofeknielsen who took part in this months ago

resolves #10408

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

Screen.Recording.2021-01-23.at.14.12.29.mov

Design slide;

https://user-images.githubusercontent.com/4025227/105494222-6302e400-5cb2-11eb-8f0d-6a609d73cc6c.png

TEST PLAN

ff:
DASHBOARD_RBAC: True
ENABLE_REACT_CRUD_VIEWS: False

happy path:

1. create a new user X with Gamma role
2. edit a dashboard and add to roles the Gamma role
3. login as X and see the assigned dashboard

backward compatibility:
check backward compatibility by DASHBOARD_RBAC: False
access should be managed by the data level

code test coverage plan

dashboards list page for the following scenarios both for dataset and RBAC levels
To make sure we keep backward compatibility and new feature alignment on capabilities

1. an anonymous user
2. a non-admin (test user: alpha/general)
3. admin
4. owner
5. Published/ non published

Test need to be written in a decoupled approch from existing users/roles/tables/dashboards so other tests suites won't break

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Requires DB Migration.
• Confirm DB Migration upgrade and downgrade tested.
• Introduces new feature or API
• Removes existing feature or API

[codecov-io]

Codecov Report

Merging #12680 (812bb87) into master (017f11f) will increase coverage by 3.85%.
The diff coverage is 60.86%.

@@            Coverage Diff             @@
##           master   #12680      +/-   ##
==========================================
+ Coverage   63.13%   66.98%   +3.85%     
==========================================
  Files        1022     1022              
  Lines       50032    50186     +154     
  Branches     4915     5204     +289     
==========================================
+ Hits        31587    33618    +2031     
+ Misses      18245    16433    -1812     
+ Partials      200      135      -65     

Flag	Coverage Δ
cypress	50.82% <ø> (?)
javascript	61.93% <ø> (+0.25%)	⬆️
python	63.98% <60.86%> (-0.11%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
superset/config.py	90.61% <ø> (ø)
...11ccdd12658_add_roles_relationship_to_dashboard.py	0.00% <0.00%> (ø)
superset/views/dashboard/mixin.py	95.00% <ø> (ø)
superset/dashboards/filters.py	97.61% <100.00%> (+0.64%)	⬆️
superset/models/dashboard.py	75.74% <100.00%> (+0.24%)	⬆️
superset/utils/celery.py	89.65% <0.00%> (-10.35%)	⬇️
superset/utils/cache.py	76.34% <0.00%> (-8.77%)	⬇️
superset/db_engine_specs/presto.py	82.25% <0.00%> (-6.28%)	⬇️
...hboard/components/nativeFilters/CascadePopover.tsx	18.18% <0.00%> (-4.46%)	⬇️
...terControl/AdhocFilterEditPopoverSqlTabContent.jsx	63.33% <0.00%> (-2.19%)	⬇️
... and 217 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 017f11f...812bb87. Read the comment docs.

[ktmud]

Could you add a test plan and maybe some test cases?

I think we should at least test visiting the dashboards list page as each of the following:

1. an anonymous user
2. a non-admin (test user: alpha/general)
3. admin

[dpgaspar]

I like this approach, IMO we should move to include database, datasets and charts to this pattern also. I personally would like to deprecate string based permissions constructed based on the dataset.name and dataset.id for example.

Recalling a diagram

[ktmud]

can you vote please so we can move forward with this in a non-POC approach?

Just saw it has passed. :D Didn't notice you've updated the SIP summary. Thanks for iterating on your proposal and creating this POC!

@dpgaspar's diagram makes perfect sense to me. Looks like things can be even simpler than I original thought. Maybe include the diagram in the SIP as a reference, too?

[villebro]

Small proposal to improve how the feature flag is handled

[villebro]

Code LGTM, tested the following:

• FF enabled: no roles for dashboard works like before
• FF enabled: role specified - only shows up for the roles listed on the dashboard
• FF disabled: roles don't affect dashboard visibility

[ktmud]

Looking great! Thanks for the iterations.

[junlincc]

Settings menu is missing from the page, is it by design?

[junlincc]

Screen.Recording.2021-01-30.at.10.41.59.PM.mov

tested~ for some reason, getting "unexpected errors" on all charts in the dashboard from gamma account. is it something I did wrong? @amitmiran137

[amitmiran137]

Screen.Recording.2021-01-30.at.10.41.59.PM.mov
tested~ for some reason, getting "unexpected errors" on all charts in the dashboard from gamma account. is it something I did wrong? @amitmiran137

thanks for checking this.
this PR focuses on the backend filtering the list of dashboards by the access given to the user.
if a user was given access to the Dashboard, that alone is not enough, and access to the relevant dataset still needs to be provided.
having said that, we plan in a follow-up PR that user will be given temporary read access to all of the datasets within a dashboard as was mentioned in the development milestones in #10408
allow token-based access to /explore_json and API/v1/chart/data to allow reading datasets only by have dashboard access for read-only purpose

[junlincc]

having said that, we plan in a follow-up PR that user will be given temporary read access to all of the datasets within a dashboard as was mentioned in the development milestones in #10408

Got it, thanks for adding test plan, and clarifying your plan going forward. we should expect a follow up PR to address both issues mentioned above.

[junlincc]

Approving as product signoff. thank you so much for your contribution. 🙏