def setUp(self):
session = db.session
security_manager.add_role(SCHEMA_ACCESS_ROLE)
session.commit()
ds = (
db.session.query(SqlaTable)
.filter_by(table_name="wb_health_population")
.first()
)
ds.schema = "temp_schema"
ds.schema_perm = ds.get_schema_perm()
ds_slices = (
session.query(Slice)
.filter_by(datasource_type="table")
.filter_by(datasource_id=ds.id)
.all()
)
for s in ds_slices:
s.schema_perm = ds.schema_perm
create_schema_perm("[examples].[temp_schema]")
gamma_user = security_manager.find_user(username="******")
gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
session.commit()
def setUpClass(cls):
security_manager.add_role('override_me')
security_manager.add_role(TEST_ROLE_1)
security_manager.add_role(TEST_ROLE_2)
security_manager.add_role(DB_ACCESS_ROLE)
security_manager.add_role(SCHEMA_ACCESS_ROLE)
db.session.commit()
def setUpClass(cls):
security_manager.add_role("override_me")
security_manager.add_role(TEST_ROLE_1)
security_manager.add_role(TEST_ROLE_2)
security_manager.add_role(DB_ACCESS_ROLE)
security_manager.add_role(SCHEMA_ACCESS_ROLE)
db.session.commit()
def setUp(self):
session = db.session
# Create roles
security_manager.add_role(self.NAME_AB_ROLE)
security_manager.add_role(self.NAME_Q_ROLE)
gamma_user = security_manager.find_user(username="******")
gamma_user.roles.append(security_manager.find_role(self.NAME_AB_ROLE))
gamma_user.roles.append(security_manager.find_role(self.NAME_Q_ROLE))
self.create_user_with_roles("NoRlsRoleUser", ["Gamma"])
session.commit()
# Create regular RowLevelSecurityFilter (energy_usage, unicode_test)
self.rls_entry1 = RowLevelSecurityFilter()
self.rls_entry1.tables.extend(
session.query(SqlaTable).filter(
SqlaTable.table_name.in_(["energy_usage",
"unicode_test"])).all())
self.rls_entry1.filter_type = "Regular"
self.rls_entry1.clause = "value > {{ cache_key_wrapper(1) }}"
self.rls_entry1.group_key = None
self.rls_entry1.roles.append(security_manager.find_role("Gamma"))
self.rls_entry1.roles.append(security_manager.find_role("Alpha"))
db.session.add(self.rls_entry1)
# Create regular RowLevelSecurityFilter (birth_names name starts with A or B)
self.rls_entry2 = RowLevelSecurityFilter()
self.rls_entry2.tables.extend(
session.query(SqlaTable).filter(
SqlaTable.table_name.in_(["birth_names"])).all())
self.rls_entry2.filter_type = "Regular"
self.rls_entry2.clause = "name like 'A%' or name like 'B%'"
self.rls_entry2.group_key = "name"
self.rls_entry2.roles.append(security_manager.find_role("NameAB"))
db.session.add(self.rls_entry2)
# Create Regular RowLevelSecurityFilter (birth_names name starts with Q)
self.rls_entry3 = RowLevelSecurityFilter()
self.rls_entry3.tables.extend(
session.query(SqlaTable).filter(
SqlaTable.table_name.in_(["birth_names"])).all())
self.rls_entry3.filter_type = "Regular"
self.rls_entry3.clause = "name like 'Q%'"
self.rls_entry3.group_key = "name"
self.rls_entry3.roles.append(security_manager.find_role("NameQ"))
db.session.add(self.rls_entry3)
# Create Base RowLevelSecurityFilter (birth_names boys)
self.rls_entry4 = RowLevelSecurityFilter()
self.rls_entry4.tables.extend(
session.query(SqlaTable).filter(
SqlaTable.table_name.in_(["birth_names"])).all())
self.rls_entry4.filter_type = "Base"
self.rls_entry4.clause = "gender = 'boy'"
self.rls_entry4.group_key = "gender"
self.rls_entry4.roles.append(security_manager.find_role("Admin"))
db.session.add(self.rls_entry4)
db.session.commit()
def setUpClass(cls):
with app.app_context():
cls.create_druid_test_objects()
security_manager.add_role("override_me")
security_manager.add_role(TEST_ROLE_1)
security_manager.add_role(TEST_ROLE_2)
security_manager.add_role(DB_ACCESS_ROLE)
security_manager.add_role(SCHEMA_ACCESS_ROLE)
db.session.commit()
def create_role(self, role_name, datasourceIds, datasourceNames,
isUser) -> None:
pns = []
for idx, id in enumerate(datasourceIds):
pns.append('datasource access on [Tracking].[' +
datasourceNames[idx] + '](id:' + id + ')')
if isUser:
pns.append('can write on Dataset')
pns.append('can read on Dataset')
pns.append('menu access on Dataset')
pns.append('can save on Datasource')
role = sm.add_role(role_name)
pvms = sm.get_session.query(PermissionView).all()
role.permissions = []
for permission_view in pvms:
for perm_name in pns:
if self.custom_pvm_check(permission_view, perm_name):
role.permissions.append(permission_view)
break
sm.get_session.merge(role)
sm.get_session.commit()
def test_sql_json_has_access(self):
main_db = get_main_database(db.session)
security_manager.add_permission_view_menu('database_access',
main_db.perm)
db.session.commit()
main_db_permission_view = (db.session.query(
ab_models.PermissionView).join(ab_models.ViewMenu).join(
ab_models.Permission
).filter(ab_models.ViewMenu.name == '[main].(id:1)').filter(
ab_models.Permission.name == 'database_access').first())
astronaut = security_manager.add_role('Astronaut')
security_manager.add_permission_role(astronaut,
main_db_permission_view)
# Astronaut role is Gamma + sqllab + main db permissions
for perm in security_manager.find_role('Gamma').permissions:
security_manager.add_permission_role(astronaut, perm)
for perm in security_manager.find_role('sql_lab').permissions:
security_manager.add_permission_role(astronaut, perm)
gagarin = security_manager.find_user('gagarin')
if not gagarin:
security_manager.add_user('gagarin',
'Iurii',
'Gagarin',
'*****@*****.**',
astronaut,
password='******')
data = self.run_sql('SELECT * FROM ab_user', '3', user_name='gagarin')
db.session.query(Query).delete()
db.session.commit()
self.assertLess(0, len(data['data']))
def test_sql_json_has_access(self):
examples_db = get_example_database()
examples_db_permission_view = security_manager.add_permission_view_menu(
"database_access", examples_db.perm)
astronaut = security_manager.add_role("Astronaut")
security_manager.add_permission_role(astronaut,
examples_db_permission_view)
# Astronaut role is Gamma + sqllab + db permissions
for perm in security_manager.find_role("Gamma").permissions:
security_manager.add_permission_role(astronaut, perm)
for perm in security_manager.find_role("sql_lab").permissions:
security_manager.add_permission_role(astronaut, perm)
gagarin = security_manager.find_user("gagarin")
if not gagarin:
security_manager.add_user(
"gagarin",
"Iurii",
"Gagarin",
"*****@*****.**",
astronaut,
password="******",
)
data = self.run_sql(QUERY_1, "3", user_name="gagarin")
db.session.query(Query).delete()
db.session.commit()
self.assertLess(0, len(data["data"]))
def test_sql_json_has_access(self):
main_db = self.get_main_database(db.session)
security_manager.add_permission_view_menu('database_access', main_db.perm)
db.session.commit()
main_db_permission_view = (
db.session.query(ab_models.PermissionView)
.join(ab_models.ViewMenu)
.join(ab_models.Permission)
.filter(ab_models.ViewMenu.name == '[main].(id:1)')
.filter(ab_models.Permission.name == 'database_access')
.first()
)
astronaut = security_manager.add_role('Astronaut')
security_manager.add_permission_role(astronaut, main_db_permission_view)
# Astronaut role is Gamma + sqllab + main db permissions
for perm in security_manager.find_role('Gamma').permissions:
security_manager.add_permission_role(astronaut, perm)
for perm in security_manager.find_role('sql_lab').permissions:
security_manager.add_permission_role(astronaut, perm)
gagarin = security_manager.find_user('gagarin')
if not gagarin:
security_manager.add_user(
'gagarin', 'Iurii', 'Gagarin', '*****@*****.**',
astronaut,
password='******')
data = self.run_sql('SELECT * FROM ab_user', '3', user_name='gagarin')
db.session.query(Query).delete()
db.session.commit()
self.assertLess(0, len(data['data']))
def test_sql_json_has_access(self):
main_db = get_main_database()
security_manager.add_permission_view_menu("database_access",
main_db.perm)
db.session.commit()
main_db_permission_view = (db.session.query(
ab_models.PermissionView).join(ab_models.ViewMenu).join(
ab_models.Permission
).filter(ab_models.ViewMenu.name == "[main].(id:1)").filter(
ab_models.Permission.name == "database_access").first())
astronaut = security_manager.add_role("Astronaut")
security_manager.add_permission_role(astronaut,
main_db_permission_view)
# Astronaut role is Gamma + sqllab + main db permissions
for perm in security_manager.find_role("Gamma").permissions:
security_manager.add_permission_role(astronaut, perm)
for perm in security_manager.find_role("sql_lab").permissions:
security_manager.add_permission_role(astronaut, perm)
gagarin = security_manager.find_user("gagarin")
if not gagarin:
security_manager.add_user(
"gagarin",
"Iurii",
"Gagarin",
"*****@*****.**",
astronaut,
password="******",
)
data = self.run_sql("SELECT * FROM ab_user", "3", user_name="gagarin")
db.session.query(Query).delete()
db.session.commit()
self.assertLess(0, len(data["data"]))
def test_slices_V2(self):
# Add explore-v2-beta role to admin user
# Test all slice urls as user with with explore-v2-beta role
security_manager.add_role('explore-v2-beta')
security_manager.add_user(
'explore_beta', 'explore_beta', ' user', '*****@*****.**',
security_manager.find_role('explore-v2-beta'),
password='******')
self.login(username='******', password='******')
Slc = models.Slice
urls = []
for slc in db.session.query(Slc).all():
urls += [
(slc.slice_name, 'slice_url', slc.slice_url),
]
for name, method, url in urls:
print('[{name}]/[{method}]: {url}'.format(**locals()))
response = self.client.get(url)
def load_test_users_run():
"""
Loads admin, alpha, and gamma user for testing purposes
Syncs permissions for those users/roles
"""
if config.get('TESTING'):
security_manager.sync_role_definitions()
gamma_sqllab_role = security_manager.add_role('gamma_sqllab')
for perm in security_manager.find_role('Gamma').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
utils.get_or_create_main_db()
db_perm = utils.get_main_database(security_manager.get_session).perm
security_manager.merge_perm('database_access', db_perm)
db_pvm = security_manager.find_permission_view_menu(
view_menu_name=db_perm, permission_name='database_access')
gamma_sqllab_role.permissions.append(db_pvm)
for perm in security_manager.find_role('sql_lab').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
admin = security_manager.find_user('admin')
if not admin:
security_manager.add_user(
'admin', 'admin', ' user', '*****@*****.**',
security_manager.find_role('Admin'),
password='******')
gamma = security_manager.find_user('gamma')
if not gamma:
security_manager.add_user(
'gamma', 'gamma', 'user', '*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma2 = security_manager.find_user('gamma2')
if not gamma2:
security_manager.add_user(
'gamma2', 'gamma2', 'user', '*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma_sqllab_user = security_manager.find_user('gamma_sqllab')
if not gamma_sqllab_user:
security_manager.add_user(
'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**',
gamma_sqllab_role, password='******')
alpha = security_manager.find_user('alpha')
if not alpha:
security_manager.add_user(
'alpha', 'alpha', 'user', '*****@*****.**',
security_manager.find_role('Alpha'),
password='******')
security_manager.get_session.commit()
def load_test_users_run():
"""
Loads admin, alpha, and gamma user for testing purposes
Syncs permissions for those users/roles
"""
if config.get('TESTING'):
security_manager.sync_role_definitions()
gamma_sqllab_role = security_manager.add_role('gamma_sqllab')
for perm in security_manager.find_role('Gamma').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
utils.get_or_create_main_db()
db_perm = utils.get_main_database(security_manager.get_session).perm
security_manager.merge_perm('database_access', db_perm)
db_pvm = security_manager.find_permission_view_menu(
view_menu_name=db_perm, permission_name='database_access')
gamma_sqllab_role.permissions.append(db_pvm)
for perm in security_manager.find_role('sql_lab').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
admin = security_manager.find_user('admin')
if not admin:
security_manager.add_user(
'admin', 'admin', ' user', '*****@*****.**',
security_manager.find_role('Admin'),
password='******')
gamma = security_manager.find_user('gamma')
if not gamma:
security_manager.add_user(
'gamma', 'gamma', 'user', '*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma2 = security_manager.find_user('gamma2')
if not gamma2:
security_manager.add_user(
'gamma2', 'gamma2', 'user', '*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma_sqllab_user = security_manager.find_user('gamma_sqllab')
if not gamma_sqllab_user:
security_manager.add_user(
'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**',
gamma_sqllab_role, password='******')
alpha = security_manager.find_user('alpha')
if not alpha:
security_manager.add_user(
'alpha', 'alpha', 'user', '*****@*****.**',
security_manager.find_role('Alpha'),
password='******')
security_manager.get_session.commit()
def test_slices_V2(self):
# Add explore-v2-beta role to admin user
# Test all slice urls as user with with explore-v2-beta role
security_manager.add_role('explore-v2-beta')
security_manager.add_user(
'explore_beta', 'explore_beta', ' user', '*****@*****.**',
security_manager.find_role('explore-v2-beta'),
password='******')
self.login(username='******', password='******')
Slc = models.Slice
urls = []
for slc in db.session.query(Slc).all():
urls += [
(slc.slice_name, 'slice_url', slc.slice_url),
]
for name, method, url in urls:
print('[{name}]/[{method}]: {url}'.format(**locals()))
response = self.client.get(url)
def test_sql_json_schema_access(self):
examples_db = get_example_database()
db_backend = examples_db.backend
if db_backend == "sqlite":
# sqlite doesn't support database creation
return
sqllab_test_db_schema_permission_view = (
security_manager.add_permission_view_menu(
"schema_access", f"[{examples_db.name}].[{CTAS_SCHEMA_NAME}]"
)
)
schema_perm_role = security_manager.add_role("SchemaPermission")
security_manager.add_permission_role(
schema_perm_role, sqllab_test_db_schema_permission_view
)
self.create_user_with_roles(
"SchemaUser", ["SchemaPermission", "Gamma", "sql_lab"]
)
examples_db.get_sqla_engine().execute(
f"CREATE TABLE IF NOT EXISTS {CTAS_SCHEMA_NAME}.test_table AS SELECT 1 as c1, 2 as c2"
)
data = self.run_sql(
f"SELECT * FROM {CTAS_SCHEMA_NAME}.test_table", "3", username="******"
)
self.assertEqual(1, len(data["data"]))
data = self.run_sql(
f"SELECT * FROM {CTAS_SCHEMA_NAME}.test_table",
"4",
username="******",
schema=CTAS_SCHEMA_NAME,
)
self.assertEqual(1, len(data["data"]))
# postgres needs a schema as a part of the table name.
if db_backend == "mysql":
data = self.run_sql(
"SELECT * FROM test_table",
"5",
username="******",
schema=CTAS_SCHEMA_NAME,
)
self.assertEqual(1, len(data["data"]))
db.session.query(Query).delete()
get_example_database().get_sqla_engine().execute(
f"DROP TABLE IF EXISTS {CTAS_SCHEMA_NAME}.test_table"
)
db.session.commit()
def test_slices_V2(self):
# Add explore-v2-beta role to admin user
# Test all slice urls as user with with explore-v2-beta role
security_manager.add_role("explore-v2-beta")
security_manager.add_user(
"explore_beta",
"explore_beta",
" user",
"*****@*****.**",
security_manager.find_role("explore-v2-beta"),
password="******",
)
self.login(username="******", password="******")
Slc = Slice
urls = []
for slc in db.session.query(Slc).all():
urls += [(slc.slice_name, "slice_url", slc.slice_url)]
for name, method, url in urls:
print(f"[{name}]/[{method}]: {url}")
self.client.get(url)
def test_sql_json_has_access(self):
examples_db = get_example_database()
examples_db_permission_view = security_manager.add_permission_view_menu(
"database_access", examples_db.perm
)
astronaut = security_manager.add_role("ExampleDBAccess")
security_manager.add_permission_role(astronaut, examples_db_permission_view)
# Gamma user, with sqllab and db permission
self.create_user_with_roles("Gagarin", ["ExampleDBAccess", "Gamma", "sql_lab"])
data = self.run_sql(QUERY_1, "1", user_name="Gagarin")
db.session.query(Query).delete()
db.session.commit()
self.assertLess(0, len(data["data"]))
def test_request_access(self):
if app.config.get('ENABLE_ACCESS_REQUEST'):
session = db.session
self.logout()
self.login(username='******')
gamma_user = security_manager.find_user(username='******')
security_manager.add_role('dummy_role')
gamma_user.roles.append(security_manager.find_role('dummy_role'))
session.commit()
ACCESS_REQUEST = (
'/superset/request_access?'
'datasource_type={}&'
'datasource_id={}&'
'action={}&')
ROLE_GRANT_LINK = (
'<a href="/superset/approve?datasource_type={}&datasource_id={}&'
'created_by={}&role_to_grant={}">Grant {} Role</a>')
# Request table access, there are no roles have this table.
table1 = session.query(SqlaTable).filter_by(
table_name='random_time_series').first()
table_1_id = table1.id
# request access to the table
resp = self.get_resp(
ACCESS_REQUEST.format('table', table_1_id, 'go'))
assert 'Access was requested' in resp
access_request1 = self.get_access_requests('gamma', 'table', table_1_id)
assert access_request1 is not None
# Request access, roles exist that contains the table.
# add table to the existing roles
table3 = session.query(SqlaTable).filter_by(
table_name='energy_usage').first()
table_3_id = table3.id
table3_perm = table3.perm
security_manager.add_role('energy_usage_role')
alpha_role = security_manager.find_role('Alpha')
security_manager.add_permission_role(
alpha_role,
security_manager.find_permission_view_menu(
'datasource_access', table3_perm))
security_manager.add_permission_role(
security_manager.find_role('energy_usage_role'),
security_manager.find_permission_view_menu(
'datasource_access', table3_perm))
session.commit()
self.get_resp(
ACCESS_REQUEST.format('table', table_3_id, 'go'))
access_request3 = self.get_access_requests('gamma', 'table', table_3_id)
approve_link_3 = ROLE_GRANT_LINK.format(
'table', table_3_id, 'gamma', 'energy_usage_role',
'energy_usage_role')
self.assertEqual(access_request3.roles_with_datasource,
'<ul><li>{}</li></ul>'.format(approve_link_3))
# Request druid access, there are no roles have this table.
druid_ds_4 = session.query(DruidDatasource).filter_by(
datasource_name='druid_ds_1').first()
druid_ds_4_id = druid_ds_4.id
# request access to the table
self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id)
self.assertEqual(
access_request4.roles_with_datasource,
'<ul></ul>'.format(access_request4.id))
# Case 5. Roles exist that contains the druid datasource.
# add druid ds to the existing roles
druid_ds_5 = session.query(DruidDatasource).filter_by(
datasource_name='druid_ds_2').first()
druid_ds_5_id = druid_ds_5.id
druid_ds_5_perm = druid_ds_5.perm
druid_ds_2_role = security_manager.add_role('druid_ds_2_role')
admin_role = security_manager.find_role('Admin')
security_manager.add_permission_role(
admin_role,
security_manager.find_permission_view_menu(
'datasource_access', druid_ds_5_perm))
security_manager.add_permission_role(
druid_ds_2_role,
security_manager.find_permission_view_menu(
'datasource_access', druid_ds_5_perm))
session.commit()
self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
access_request5 = self.get_access_requests(
'gamma', 'druid', druid_ds_5_id)
approve_link_5 = ROLE_GRANT_LINK.format(
'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role',
'druid_ds_2_role')
self.assertEqual(access_request5.roles_with_datasource,
'<ul><li>{}</li></ul>'.format(approve_link_5))
# cleanup
gamma_user = security_manager.find_user(username='******')
gamma_user.roles.remove(security_manager.find_role('dummy_role'))
session.commit()
def __init__(self, *args, **kwargs):
if (
self.requires_examples and
not os.environ.get('examples_loaded')
):
logging.info('Loading examples')
cli.load_examples(load_test_data=True)
logging.info('Done loading examples')
security_manager.sync_role_definitions()
os.environ['examples_loaded'] = '1'
else:
security_manager.sync_role_definitions()
super(SupersetTestCase, self).__init__(*args, **kwargs)
self.client = app.test_client()
self.maxDiff = None
gamma_sqllab_role = security_manager.add_role('gamma_sqllab')
for perm in security_manager.find_role('Gamma').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
utils.get_or_create_main_db()
db_perm = self.get_main_database(security_manager.get_session).perm
security_manager.merge_perm('database_access', db_perm)
db_pvm = security_manager.find_permission_view_menu(
view_menu_name=db_perm, permission_name='database_access')
gamma_sqllab_role.permissions.append(db_pvm)
for perm in security_manager.find_role('sql_lab').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
admin = security_manager.find_user('admin')
if not admin:
security_manager.add_user(
'admin', 'admin', ' user', '*****@*****.**',
security_manager.find_role('Admin'),
password='******')
gamma = security_manager.find_user('gamma')
if not gamma:
security_manager.add_user(
'gamma', 'gamma', 'user', '*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma2 = security_manager.find_user('gamma2')
if not gamma2:
security_manager.add_user(
'gamma2', 'gamma2', 'user', '*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma_sqllab_user = security_manager.find_user('gamma_sqllab')
if not gamma_sqllab_user:
security_manager.add_user(
'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**',
gamma_sqllab_role, password='******')
alpha = security_manager.find_user('alpha')
if not alpha:
security_manager.add_user(
'alpha', 'alpha', 'user', '*****@*****.**',
security_manager.find_role('Alpha'),
password='******')
security_manager.get_session.commit()
# create druid cluster and druid datasources
session = db.session
cluster = (
session.query(DruidCluster)
.filter_by(cluster_name='druid_test')
.first()
)
if not cluster:
cluster = DruidCluster(cluster_name='druid_test')
session.add(cluster)
session.commit()
druid_datasource1 = DruidDatasource(
datasource_name='druid_ds_1',
cluster_name='druid_test',
)
session.add(druid_datasource1)
druid_datasource2 = DruidDatasource(
datasource_name='druid_ds_2',
cluster_name='druid_test',
)
session.add(druid_datasource2)
session.commit()
def test_request_access(self):
if app.config.get("ENABLE_ACCESS_REQUEST"):
session = db.session
self.logout()
self.login(username="******")
gamma_user = security_manager.find_user(username="******")
security_manager.add_role("dummy_role")
gamma_user.roles.append(security_manager.find_role("dummy_role"))
session.commit()
ACCESS_REQUEST = (
"/superset/request_access?"
"datasource_type={}&"
"datasource_id={}&"
"action={}&"
)
ROLE_GRANT_LINK = (
'<a href="/superset/approve?datasource_type={}&datasource_id={}&'
'created_by={}&role_to_grant={}">Grant {} Role</a>'
)
# Request table access, there are no roles have this table.
table1 = (
session.query(SqlaTable)
.filter_by(table_name="random_time_series")
.first()
)
table_1_id = table1.id
# request access to the table
resp = self.get_resp(ACCESS_REQUEST.format("table", table_1_id, "go"))
assert "Access was requested" in resp
access_request1 = self.get_access_requests("gamma", "table", table_1_id)
assert access_request1 is not None
# Request access, roles exist that contains the table.
# add table to the existing roles
table3 = (
session.query(SqlaTable).filter_by(table_name="energy_usage").first()
)
table_3_id = table3.id
table3_perm = table3.perm
security_manager.add_role("energy_usage_role")
alpha_role = security_manager.find_role("Alpha")
security_manager.add_permission_role(
alpha_role,
security_manager.find_permission_view_menu(
"datasource_access", table3_perm
),
)
security_manager.add_permission_role(
security_manager.find_role("energy_usage_role"),
security_manager.find_permission_view_menu(
"datasource_access", table3_perm
),
)
session.commit()
self.get_resp(ACCESS_REQUEST.format("table", table_3_id, "go"))
access_request3 = self.get_access_requests("gamma", "table", table_3_id)
approve_link_3 = ROLE_GRANT_LINK.format(
"table", table_3_id, "gamma", "energy_usage_role", "energy_usage_role"
)
self.assertEqual(
access_request3.roles_with_datasource,
"<ul><li>{}</li></ul>".format(approve_link_3),
)
# Request druid access, there are no roles have this table.
druid_ds_4 = (
session.query(DruidDatasource)
.filter_by(datasource_name="druid_ds_1")
.first()
)
druid_ds_4_id = druid_ds_4.id
# request access to the table
self.get_resp(ACCESS_REQUEST.format("druid", druid_ds_4_id, "go"))
access_request4 = self.get_access_requests("gamma", "druid", druid_ds_4_id)
self.assertEqual(
access_request4.roles_with_datasource,
"<ul></ul>".format(access_request4.id),
)
# Case 5. Roles exist that contains the druid datasource.
# add druid ds to the existing roles
druid_ds_5 = (
session.query(DruidDatasource)
.filter_by(datasource_name="druid_ds_2")
.first()
)
druid_ds_5_id = druid_ds_5.id
druid_ds_5_perm = druid_ds_5.perm
druid_ds_2_role = security_manager.add_role("druid_ds_2_role")
admin_role = security_manager.find_role("Admin")
security_manager.add_permission_role(
admin_role,
security_manager.find_permission_view_menu(
"datasource_access", druid_ds_5_perm
),
)
security_manager.add_permission_role(
druid_ds_2_role,
security_manager.find_permission_view_menu(
"datasource_access", druid_ds_5_perm
),
)
session.commit()
self.get_resp(ACCESS_REQUEST.format("druid", druid_ds_5_id, "go"))
access_request5 = self.get_access_requests("gamma", "druid", druid_ds_5_id)
approve_link_5 = ROLE_GRANT_LINK.format(
"druid", druid_ds_5_id, "gamma", "druid_ds_2_role", "druid_ds_2_role"
)
self.assertEqual(
access_request5.roles_with_datasource,
"<ul><li>{}</li></ul>".format(approve_link_5),
)
# cleanup
gamma_user = security_manager.find_user(username="******")
gamma_user.roles.remove(security_manager.find_role("dummy_role"))
session.commit()
def test_approve(self, mock_send_mime):
if app.config.get("ENABLE_ACCESS_REQUEST"):
session = db.session
TEST_ROLE_NAME = "table_role"
security_manager.add_role(TEST_ROLE_NAME)
# Case 1. Grant new role to the user.
access_request1 = create_access_request(
session, "table", "unicode_test", TEST_ROLE_NAME, "gamma"
)
ds_1_id = access_request1.datasource_id
self.get_resp(
GRANT_ROLE_REQUEST.format("table", ds_1_id, "gamma", TEST_ROLE_NAME)
)
# Test email content.
self.assertTrue(mock_send_mime.called)
call_args = mock_send_mime.call_args[0]
self.assertEqual(
[
security_manager.find_user(username="******").email,
security_manager.find_user(username="******").email,
],
call_args[1],
)
self.assertEqual(
"[Superset] Access to the datasource {} was granted".format(
self.get_table(ds_1_id).full_name
),
call_args[2]["Subject"],
)
self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
self.assertIn("unicode_test", call_args[2].as_string())
access_requests = self.get_access_requests("gamma", "table", ds_1_id)
# request was removed
self.assertFalse(access_requests)
# user was granted table_role
user_roles = [r.name for r in security_manager.find_user("gamma").roles]
self.assertIn(TEST_ROLE_NAME, user_roles)
# Case 2. Extend the role to have access to the table
access_request2 = create_access_request(
session, "table", "energy_usage", TEST_ROLE_NAME, "gamma"
)
ds_2_id = access_request2.datasource_id
energy_usage_perm = access_request2.datasource.perm
self.client.get(
EXTEND_ROLE_REQUEST.format(
"table", access_request2.datasource_id, "gamma", TEST_ROLE_NAME
)
)
access_requests = self.get_access_requests("gamma", "table", ds_2_id)
# Test email content.
self.assertTrue(mock_send_mime.called)
call_args = mock_send_mime.call_args[0]
self.assertEqual(
[
security_manager.find_user(username="******").email,
security_manager.find_user(username="******").email,
],
call_args[1],
)
self.assertEqual(
"[Superset] Access to the datasource {} was granted".format(
self.get_table(ds_2_id).full_name
),
call_args[2]["Subject"],
)
self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
self.assertIn("energy_usage", call_args[2].as_string())
# request was removed
self.assertFalse(access_requests)
# table_role was extended to grant access to the energy_usage table/
perm_view = security_manager.find_permission_view_menu(
"datasource_access", energy_usage_perm
)
TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
self.assertIn(perm_view, TEST_ROLE.permissions)
# Case 3. Grant new role to the user to access the druid datasource.
security_manager.add_role("druid_role")
access_request3 = create_access_request(
session, "druid", "druid_ds_1", "druid_role", "gamma"
)
self.get_resp(
GRANT_ROLE_REQUEST.format(
"druid", access_request3.datasource_id, "gamma", "druid_role"
)
)
# user was granted table_role
user_roles = [r.name for r in security_manager.find_user("gamma").roles]
self.assertIn("druid_role", user_roles)
# Case 4. Extend the role to have access to the druid datasource
access_request4 = create_access_request(
session, "druid", "druid_ds_2", "druid_role", "gamma"
)
druid_ds_2_perm = access_request4.datasource.perm
self.client.get(
EXTEND_ROLE_REQUEST.format(
"druid", access_request4.datasource_id, "gamma", "druid_role"
)
)
# druid_role was extended to grant access to the druid_access_ds_2
druid_role = security_manager.find_role("druid_role")
perm_view = security_manager.find_permission_view_menu(
"datasource_access", druid_ds_2_perm
)
self.assertIn(perm_view, druid_role.permissions)
# cleanup
gamma_user = security_manager.find_user(username="******")
gamma_user.roles.remove(security_manager.find_role("druid_role"))
gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
session.delete(security_manager.find_role("druid_role"))
session.delete(security_manager.find_role(TEST_ROLE_NAME))
session.commit()
def test_approve(self, mock_send_mime):
if app.config.get('ENABLE_ACCESS_REQUEST'):
session = db.session
TEST_ROLE_NAME = 'table_role'
security_manager.add_role(TEST_ROLE_NAME)
# Case 1. Grant new role to the user.
access_request1 = create_access_request(
session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma')
ds_1_id = access_request1.datasource_id
self.get_resp(GRANT_ROLE_REQUEST.format(
'table', ds_1_id, 'gamma', TEST_ROLE_NAME))
# Test email content.
self.assertTrue(mock_send_mime.called)
call_args = mock_send_mime.call_args[0]
self.assertEqual([security_manager.find_user(username='******').email,
security_manager.find_user(username='******').email],
call_args[1])
self.assertEqual(
'[Superset] Access to the datasource {} was granted'.format(
self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
self.assertIn('unicode_test', call_args[2].as_string())
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
# request was removed
self.assertFalse(access_requests)
# user was granted table_role
user_roles = [r.name for r in security_manager.find_user('gamma').roles]
self.assertIn(TEST_ROLE_NAME, user_roles)
# Case 2. Extend the role to have access to the table
access_request2 = create_access_request(
session, 'table', 'energy_usage', TEST_ROLE_NAME, 'gamma')
ds_2_id = access_request2.datasource_id
energy_usage_perm = access_request2.datasource.perm
self.client.get(EXTEND_ROLE_REQUEST.format(
'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
access_requests = self.get_access_requests('gamma', 'table', ds_2_id)
# Test email content.
self.assertTrue(mock_send_mime.called)
call_args = mock_send_mime.call_args[0]
self.assertEqual([security_manager.find_user(username='******').email,
security_manager.find_user(username='******').email],
call_args[1])
self.assertEqual(
'[Superset] Access to the datasource {} was granted'.format(
self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
self.assertIn('energy_usage', call_args[2].as_string())
# request was removed
self.assertFalse(access_requests)
# table_role was extended to grant access to the energy_usage table/
perm_view = security_manager.find_permission_view_menu(
'datasource_access', energy_usage_perm)
TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
self.assertIn(perm_view, TEST_ROLE.permissions)
# Case 3. Grant new role to the user to access the druid datasource.
security_manager.add_role('druid_role')
access_request3 = create_access_request(
session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
self.get_resp(GRANT_ROLE_REQUEST.format(
'druid', access_request3.datasource_id, 'gamma', 'druid_role'))
# user was granted table_role
user_roles = [r.name for r in security_manager.find_user('gamma').roles]
self.assertIn('druid_role', user_roles)
# Case 4. Extend the role to have access to the druid datasource
access_request4 = create_access_request(
session, 'druid', 'druid_ds_2', 'druid_role', 'gamma')
druid_ds_2_perm = access_request4.datasource.perm
self.client.get(EXTEND_ROLE_REQUEST.format(
'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
# druid_role was extended to grant access to the druid_access_ds_2
druid_role = security_manager.find_role('druid_role')
perm_view = security_manager.find_permission_view_menu(
'datasource_access', druid_ds_2_perm)
self.assertIn(perm_view, druid_role.permissions)
# cleanup
gamma_user = security_manager.find_user(username='******')
gamma_user.roles.remove(security_manager.find_role('druid_role'))
gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
session.delete(security_manager.find_role('druid_role'))
session.delete(security_manager.find_role(TEST_ROLE_NAME))
session.commit()
def test_request_access(self):
if app.config.get('ENABLE_ACCESS_REQUEST'):
session = db.session
self.logout()
self.login(username='******')
gamma_user = security_manager.find_user(username='******')
security_manager.add_role('dummy_role')
gamma_user.roles.append(security_manager.find_role('dummy_role'))
session.commit()
ACCESS_REQUEST = (
'/superset/request_access?'
'datasource_type={}&'
'datasource_id={}&'
'action={}&')
ROLE_GRANT_LINK = (
'<a href="/superset/approve?datasource_type={}&datasource_id={}&'
'created_by={}&role_to_grant={}">Grant {} Role</a>')
# Request table access, there are no roles have this table.
table1 = session.query(SqlaTable).filter_by(
table_name='random_time_series').first()
table_1_id = table1.id
# request access to the table
resp = self.get_resp(
ACCESS_REQUEST.format('table', table_1_id, 'go'))
assert 'Access was requested' in resp
access_request1 = self.get_access_requests('gamma', 'table', table_1_id)
assert access_request1 is not None
# Request access, roles exist that contains the table.
# add table to the existing roles
table3 = session.query(SqlaTable).filter_by(
table_name='energy_usage').first()
table_3_id = table3.id
table3_perm = table3.perm
security_manager.add_role('energy_usage_role')
alpha_role = security_manager.find_role('Alpha')
security_manager.add_permission_role(
alpha_role,
security_manager.find_permission_view_menu(
'datasource_access', table3_perm))
security_manager.add_permission_role(
security_manager.find_role('energy_usage_role'),
security_manager.find_permission_view_menu(
'datasource_access', table3_perm))
session.commit()
self.get_resp(
ACCESS_REQUEST.format('table', table_3_id, 'go'))
access_request3 = self.get_access_requests('gamma', 'table', table_3_id)
approve_link_3 = ROLE_GRANT_LINK.format(
'table', table_3_id, 'gamma', 'energy_usage_role',
'energy_usage_role')
self.assertEqual(access_request3.roles_with_datasource,
'<ul><li>{}</li></ul>'.format(approve_link_3))
# Request druid access, there are no roles have this table.
druid_ds_4 = session.query(DruidDatasource).filter_by(
datasource_name='druid_ds_1').first()
druid_ds_4_id = druid_ds_4.id
# request access to the table
self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id)
self.assertEqual(
access_request4.roles_with_datasource,
'<ul></ul>'.format(access_request4.id))
# Case 5. Roles exist that contains the druid datasource.
# add druid ds to the existing roles
druid_ds_5 = session.query(DruidDatasource).filter_by(
datasource_name='druid_ds_2').first()
druid_ds_5_id = druid_ds_5.id
druid_ds_5_perm = druid_ds_5.perm
druid_ds_2_role = security_manager.add_role('druid_ds_2_role')
admin_role = security_manager.find_role('Admin')
security_manager.add_permission_role(
admin_role,
security_manager.find_permission_view_menu(
'datasource_access', druid_ds_5_perm))
security_manager.add_permission_role(
druid_ds_2_role,
security_manager.find_permission_view_menu(
'datasource_access', druid_ds_5_perm))
session.commit()
self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
access_request5 = self.get_access_requests(
'gamma', 'druid', druid_ds_5_id)
approve_link_5 = ROLE_GRANT_LINK.format(
'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role',
'druid_ds_2_role')
self.assertEqual(access_request5.roles_with_datasource,
'<ul><li>{}</li></ul>'.format(approve_link_5))
# cleanup
gamma_user = security_manager.find_user(username='******')
gamma_user.roles.remove(security_manager.find_role('dummy_role'))
session.commit()
def __init__(self, *args, **kwargs):
if (self.requires_examples and not os.environ.get('examples_loaded')):
logging.info('Loading examples')
cli.load_examples_run(load_test_data=True)
logging.info('Done loading examples')
security_manager.sync_role_definitions()
os.environ['examples_loaded'] = '1'
else:
security_manager.sync_role_definitions()
super(SupersetTestCase, self).__init__(*args, **kwargs)
self.client = app.test_client()
self.maxDiff = None
gamma_sqllab_role = security_manager.add_role('gamma_sqllab')
for perm in security_manager.find_role('Gamma').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
utils.get_or_create_main_db()
db_perm = self.get_main_database(security_manager.get_session).perm
security_manager.merge_perm('database_access', db_perm)
db_pvm = security_manager.find_permission_view_menu(
view_menu_name=db_perm, permission_name='database_access')
gamma_sqllab_role.permissions.append(db_pvm)
for perm in security_manager.find_role('sql_lab').permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
admin = security_manager.find_user('admin')
if not admin:
security_manager.add_user('admin',
'admin',
' user',
'*****@*****.**',
security_manager.find_role('Admin'),
password='******')
gamma = security_manager.find_user('gamma')
if not gamma:
security_manager.add_user('gamma',
'gamma',
'user',
'*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma2 = security_manager.find_user('gamma2')
if not gamma2:
security_manager.add_user('gamma2',
'gamma2',
'user',
'*****@*****.**',
security_manager.find_role('Gamma'),
password='******')
gamma_sqllab_user = security_manager.find_user('gamma_sqllab')
if not gamma_sqllab_user:
security_manager.add_user('gamma_sqllab',
'gamma_sqllab',
'user',
'*****@*****.**',
gamma_sqllab_role,
password='******')
alpha = security_manager.find_user('alpha')
if not alpha:
security_manager.add_user('alpha',
'alpha',
'user',
'*****@*****.**',
security_manager.find_role('Alpha'),
password='******')
security_manager.get_session.commit()
# create druid cluster and druid datasources
session = db.session
cluster = (session.query(DruidCluster).filter_by(
cluster_name='druid_test').first())
if not cluster:
cluster = DruidCluster(cluster_name='druid_test')
session.add(cluster)
session.commit()
druid_datasource1 = DruidDatasource(
datasource_name='druid_ds_1',
cluster_name='druid_test',
)
session.add(druid_datasource1)
druid_datasource2 = DruidDatasource(
datasource_name='druid_ds_2',
cluster_name='druid_test',
)
session.add(druid_datasource2)
session.commit()
def load_test_users_run():
"""
Loads admin, alpha, and gamma user for testing purposes
Syncs permissions for those users/roles
"""
if config.get("TESTING"):
security_manager.sync_role_definitions()
gamma_sqllab_role = security_manager.add_role("gamma_sqllab")
for perm in security_manager.find_role("Gamma").permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
utils.get_or_create_main_db()
db_perm = utils.get_main_database().perm
security_manager.add_permission_view_menu("database_access", db_perm)
db_pvm = security_manager.find_permission_view_menu(
view_menu_name=db_perm, permission_name="database_access"
)
gamma_sqllab_role.permissions.append(db_pvm)
for perm in security_manager.find_role("sql_lab").permissions:
security_manager.add_permission_role(gamma_sqllab_role, perm)
admin = security_manager.find_user("admin")
if not admin:
security_manager.add_user(
"admin",
"admin",
" user",
"*****@*****.**",
security_manager.find_role("Admin"),
password="******",
)
gamma = security_manager.find_user("gamma")
if not gamma:
security_manager.add_user(
"gamma",
"gamma",
"user",
"*****@*****.**",
security_manager.find_role("Gamma"),
password="******",
)
gamma2 = security_manager.find_user("gamma2")
if not gamma2:
security_manager.add_user(
"gamma2",
"gamma2",
"user",
"*****@*****.**",
security_manager.find_role("Gamma"),
password="******",
)
gamma_sqllab_user = security_manager.find_user("gamma_sqllab")
if not gamma_sqllab_user:
security_manager.add_user(
"gamma_sqllab",
"gamma_sqllab",
"user",
"*****@*****.**",
gamma_sqllab_role,
password="******",
)
alpha = security_manager.find_user("alpha")
if not alpha:
security_manager.add_user(
"alpha",
"alpha",
"user",
"*****@*****.**",
security_manager.find_role("Alpha"),
password="******",
)
security_manager.get_session.commit()
def test_approve(self, mock_send_mime):
if app.config.get('ENABLE_ACCESS_REQUEST'):
session = db.session
TEST_ROLE_NAME = 'table_role'
security_manager.add_role(TEST_ROLE_NAME)
# Case 1. Grant new role to the user.
access_request1 = create_access_request(
session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma')
ds_1_id = access_request1.datasource_id
self.get_resp(GRANT_ROLE_REQUEST.format(
'table', ds_1_id, 'gamma', TEST_ROLE_NAME))
# Test email content.
self.assertTrue(mock_send_mime.called)
call_args = mock_send_mime.call_args[0]
self.assertEqual([security_manager.find_user(username='******').email,
security_manager.find_user(username='******').email],
call_args[1])
self.assertEqual(
'[Superset] Access to the datasource {} was granted'.format(
self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
self.assertIn('unicode_test', call_args[2].as_string())
access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
# request was removed
self.assertFalse(access_requests)
# user was granted table_role
user_roles = [r.name for r in security_manager.find_user('gamma').roles]
self.assertIn(TEST_ROLE_NAME, user_roles)
# Case 2. Extend the role to have access to the table
access_request2 = create_access_request(
session, 'table', 'energy_usage', TEST_ROLE_NAME, 'gamma')
ds_2_id = access_request2.datasource_id
energy_usage_perm = access_request2.datasource.perm
self.client.get(EXTEND_ROLE_REQUEST.format(
'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
access_requests = self.get_access_requests('gamma', 'table', ds_2_id)
# Test email content.
self.assertTrue(mock_send_mime.called)
call_args = mock_send_mime.call_args[0]
self.assertEqual([security_manager.find_user(username='******').email,
security_manager.find_user(username='******').email],
call_args[1])
self.assertEqual(
'[Superset] Access to the datasource {} was granted'.format(
self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
self.assertIn('energy_usage', call_args[2].as_string())
# request was removed
self.assertFalse(access_requests)
# table_role was extended to grant access to the energy_usage table/
perm_view = security_manager.find_permission_view_menu(
'datasource_access', energy_usage_perm)
TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
self.assertIn(perm_view, TEST_ROLE.permissions)
# Case 3. Grant new role to the user to access the druid datasource.
security_manager.add_role('druid_role')
access_request3 = create_access_request(
session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
self.get_resp(GRANT_ROLE_REQUEST.format(
'druid', access_request3.datasource_id, 'gamma', 'druid_role'))
# user was granted table_role
user_roles = [r.name for r in security_manager.find_user('gamma').roles]
self.assertIn('druid_role', user_roles)
# Case 4. Extend the role to have access to the druid datasource
access_request4 = create_access_request(
session, 'druid', 'druid_ds_2', 'druid_role', 'gamma')
druid_ds_2_perm = access_request4.datasource.perm
self.client.get(EXTEND_ROLE_REQUEST.format(
'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
# druid_role was extended to grant access to the druid_access_ds_2
druid_role = security_manager.find_role('druid_role')
perm_view = security_manager.find_permission_view_menu(
'datasource_access', druid_ds_2_perm)
self.assertIn(perm_view, druid_role.permissions)
# cleanup
gamma_user = security_manager.find_user(username='******')
gamma_user.roles.remove(security_manager.find_role('druid_role'))
gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
session.delete(security_manager.find_role('druid_role'))
session.delete(security_manager.find_role(TEST_ROLE_NAME))
session.commit()
