예제 #1
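    def test_update_role(self):
        """Exercise POST /superset/update_role/ with lists of user e-mails.

        A scratch role is created, the endpoint is called once with one
        address and once with two, and after each call the role's ``user``
        list and the HTTP status (201) are checked.  The e-mail literals are
        redacted in this listing, so which accounts they name cannot be read
        from here.
        """
        # NOTE(review): nothing in this method authenticates the client;
        # presumably the test class logs in elsewhere -- confirm.  Only the
        # success path of a membership-changing endpoint is pinned here; a
        # case asserting that an unprivileged caller is refused would cover
        # the access-control side.
        update_role_str = 'update_me'
        sm.add_role(update_role_str)
        db.session.commit()
        try:
            resp = self.client.post(
                '/superset/update_role/',
                data=json.dumps({
                    'user_emails': ['*****@*****.**'],
                    'role_name': update_role_str
                }),
                follow_redirects=True
            )
            update_role = sm.find_role(update_role_str)
            # assertEqual replaces the deprecated assertEquals alias, which
            # newer unittest versions no longer provide.
            self.assertEqual(
                update_role.user, [sm.find_user(email='*****@*****.**')])
            self.assertEqual(resp.status_code, 201)

            resp = self.client.post(
                '/superset/update_role/',
                data=json.dumps({
                    'user_emails': ['*****@*****.**', '*****@*****.**'],
                    'role_name': update_role_str
                }),
                follow_redirects=True
            )
            self.assertEqual(resp.status_code, 201)
            update_role = sm.find_role(update_role_str)
            # Two addresses were posted but a single member is expected, so
            # the endpoint does not simply add one user per address.
            self.assertEqual(
                update_role.user, [sm.find_user(email='*****@*****.**')])
        finally:
            # Drop the scratch role even when an assertion fails, so a role
            # with members is not left behind for later tests.
            leftover = sm.find_role(update_role_str)
            if leftover is not None:
                db.session.delete(leftover)
                db.session.commit()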
예제 #2
 def setUpClass(cls):
     """Create the roles the access tests rely on and commit them."""
     # Order matches the original sequence of add_role calls.
     fixture_roles = (
         'override_me',
         TEST_ROLE_1,
         TEST_ROLE_2,
         DB_ACCESS_ROLE,
         SCHEMA_ACCESS_ROLE,
     )
     for fixture_role in fixture_roles:
         sm.add_role(fixture_role)
     db.session.commit()
예제 #3
 def setUpClass(cls):
     """Register every role name used by this test class, then commit once."""
     role_names = ['override_me']
     role_names += [TEST_ROLE_1, TEST_ROLE_2]
     role_names += [DB_ACCESS_ROLE, SCHEMA_ACCESS_ROLE]
     # add_role is called in the same order as before; only the commit
     # makes the new roles visible to other sessions.
     for name in role_names:
         sm.add_role(name)
     db.session.commit()
예제 #4
    def test_update_role(self):
        """Check POST /superset/update_role/ when members are given by username.

        The endpoint is called with ['gamma'] and then with
        ['alpha', 'unknown']; each time the role's ``user`` list is compared
        with a one-element list and the response must be 201.  The usernames
        passed to ``find_user`` are redacted in this listing.
        """
        update_role_str = 'update_me'
        sm.add_role(update_role_str)
        db.session.commit()

        def post_usernames(usernames):
            # Same request as before: JSON body carrying the usernames and
            # the role to update, redirects followed.
            body = json.dumps({
                'usernames': usernames,
                'role_name': update_role_str
            })
            return self.client.post(
                '/superset/update_role/',
                data=body,
                follow_redirects=True
            )

        resp = post_usernames(['gamma'])
        update_role = sm.find_role(update_role_str)
        self.assertEquals(
            update_role.user, [sm.find_user(username='******')])
        self.assertEquals(resp.status_code, 201)

        resp = post_usernames(['alpha', 'unknown'])
        self.assertEquals(resp.status_code, 201)
        update_role = sm.find_role(update_role_str)
        # Two names were sent and one member is expected: presumably the
        # name without an account is skipped and the earlier member is
        # replaced rather than kept -- confirm against the view.
        self.assertEquals(
            update_role.user, [sm.find_user(username='******')])

        db.session.delete(update_role)
        db.session.commit()
예제 #5
    def test_update_role(self):
        """Check POST /superset/update_role/ when members are full user records.

        The first call sends one user record, the second sends two.  After
        the second call the role is expected to hold two users, and a user
        looked up by (redacted) username must carry the first name, last name
        and e-mail taken from the request body.
        """
        # NOTE(review): nothing here authenticates the client; presumably the
        # test class logs in elsewhere -- confirm.  Because the endpoint both
        # changes role membership and (see below) appears to create accounts,
        # a test that an unprivileged caller is refused would be worth having.
        update_role_str = 'update_me'
        sm.add_role(update_role_str)
        db.session.commit()
        resp = self.client.post(
            '/superset/update_role/',
            data=json.dumps({
                'users': [{
                    'username': '******',
                    'first_name': 'Gamma',
                    'last_name': 'Gamma',
                    'email': '*****@*****.**',
                }],
                'role_name':
                update_role_str,
            }),
            follow_redirects=True,
        )
        update_role = sm.find_role(update_role_str)
        self.assertEquals(update_role.user, [sm.find_user(username='******')])
        self.assertEquals(resp.status_code, 201)

        # Second call: two records, the second one named 'Unknown1 Unknown2'.
        resp = self.client.post(
            '/superset/update_role/',
            data=json.dumps({
                'users': [{
                    'username': '******',
                    'first_name': 'Alpha',
                    'last_name': 'Alpha',
                    'email': '*****@*****.**',
                }, {
                    'username': '******',
                    'first_name': 'Unknown1',
                    'last_name': 'Unknown2',
                    'email': '*****@*****.**',
                }],
                'role_name':
                update_role_str,
            }),
            follow_redirects=True,
        )
        self.assertEquals(resp.status_code, 201)
        update_role = sm.find_role(update_role_str)
        # Exactly the two posted users are expected; the member from the
        # first call is not in the expected list.
        self.assertEquals(update_role.user, [
            sm.find_user(username='******'),
            sm.find_user(username='******'),
        ])
        # The looked-up user carries the names and e-mail from the request
        # body, and is deleted below -- presumably the endpoint created this
        # account because it did not exist before the call (TODO confirm).
        unknown = sm.find_user(username='******')
        self.assertEquals('Unknown2', unknown.last_name)
        self.assertEquals('Unknown1', unknown.first_name)
        self.assertEquals('*****@*****.**', unknown.email)
        # Cleanup is skipped if any assertion above fails.
        db.session.delete(update_role)
        db.session.delete(unknown)
        db.session.commit()
예제 #6
    def test_update_role(self):
        """Drive /superset/update_role/ with full user records and check the result.

        One record is posted first, two afterwards.  The role's ``user`` list
        is compared after each call, and the user looked up at the end must
        carry the names and e-mail from the second request.  Usernames and
        e-mails are redacted in this listing.
        """
        update_role_str = 'update_me'
        sm.add_role(update_role_str)
        db.session.commit()

        endpoint = '/superset/update_role/'
        first_body = {
            'users': [{
                'username': '******',
                'first_name': 'Gamma',
                'last_name': 'Gamma',
                'email': '*****@*****.**'
            }],
            'role_name': update_role_str
        }
        resp = self.client.post(
            endpoint, data=json.dumps(first_body), follow_redirects=True)
        update_role = sm.find_role(update_role_str)
        self.assertEquals(
            update_role.user, [sm.find_user(username='******')])
        self.assertEquals(resp.status_code, 201)

        alpha_record = {
            'username': '******',
            'first_name': 'Alpha',
            'last_name': 'Alpha',
            'email': '*****@*****.**'
        }
        unknown_record = {
            'username': '******',
            'first_name': 'Unknown1',
            'last_name': 'Unknown2',
            'email': '*****@*****.**'
        }
        second_body = {
            'users': [alpha_record, unknown_record],
            'role_name': update_role_str
        }
        resp = self.client.post(
            endpoint, data=json.dumps(second_body), follow_redirects=True)
        self.assertEquals(resp.status_code, 201)
        update_role = sm.find_role(update_role_str)
        self.assertEquals(
            update_role.user, [
                sm.find_user(username='******'),
                sm.find_user(username='******'),
            ])

        # The fetched account must mirror the posted record; it is removed
        # again together with the scratch role.
        unknown = sm.find_user(username='******')
        self.assertEquals('Unknown2', unknown.last_name)
        self.assertEquals('Unknown1', unknown.first_name)
        self.assertEquals('*****@*****.**', unknown.email)
        db.session.delete(update_role)
        db.session.delete(unknown)
        db.session.commit()
예제 #7
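    def test_sql_json_has_access(self):
        """Check that a user holding database_access on main can run SQL.

        Builds an 'Astronaut' role from the main database's access permission
        plus every permission of 'Gamma' and 'sql_lab', makes sure user
        'gagarin' exists with that role, runs a query as that user and
        expects at least one row back.
        """
        main_db = self.get_main_database(db.session)
        sm.add_permission_view_menu('database_access', main_db.perm)
        db.session.commit()
        # Filter on the permission name as well as the view menu: a view
        # menu can be paired with several permissions, and .first() on the
        # view-menu filter alone may hand back a different pairing, so the
        # test would grant something other than database_access.
        # NOTE(review): the view-menu name is hard-coded; presumably it
        # equals main_db.perm -- confirm.
        main_db_permission_view = (
            db.session.query(ab_models.PermissionView)
            .join(ab_models.ViewMenu)
            .join(ab_models.Permission)
            .filter(ab_models.ViewMenu.name == '[main].(id:1)')
            .filter(ab_models.Permission.name == 'database_access')
            .first()
        )
        astronaut = sm.add_role("Astronaut")
        sm.add_permission_role(astronaut, main_db_permission_view)
        # Astronaut role is Gamma + sqllab +  main db permissions
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(astronaut, perm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(astronaut, perm)

        # Only create the fixture user when it is not already present.
        gagarin = appbuilder.sm.find_user('gagarin')
        if not gagarin:
            appbuilder.sm.add_user(
                'gagarin', 'Iurii', 'Gagarin', '*****@*****.**',
                astronaut,
                password='******')
        data = self.run_sql('SELECT * FROM ab_user', "3", user_name='gagarin')
        # Remove the Query rows recorded by the run before asserting.
        db.session.query(models.Query).delete()
        db.session.commit()
        self.assertLess(0, len(data['data']))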
예제 #8
    def test_sql_json_has_access(self):
        """Run SQL as a user whose role carries database_access on main.

        The 'Astronaut' role receives the main database's access permission
        and every permission of 'Gamma' and 'sql_lab'; user 'gagarin' is
        created with it when missing, and the query is expected to return
        at least one row.
        """
        main_db = self.get_main_database(db.session)
        sm.add_permission_view_menu('database_access', main_db.perm)
        db.session.commit()

        # Pick the permission/view pairing by both names, so the grant
        # below is exactly database_access on the main database.
        pvm_query = db.session.query(ab_models.PermissionView)
        pvm_query = pvm_query.join(ab_models.ViewMenu)
        pvm_query = pvm_query.join(ab_models.Permission)
        pvm_query = pvm_query.filter(
            ab_models.ViewMenu.name == '[main].(id:1)')
        pvm_query = pvm_query.filter(
            ab_models.Permission.name == 'database_access')
        main_db_permission_view = pvm_query.first()

        astronaut = sm.add_role('Astronaut')
        sm.add_permission_role(astronaut, main_db_permission_view)
        # Astronaut = Gamma + sql_lab + main db access, copied in that order.
        for source_role in ('Gamma', 'sql_lab'):
            for perm in sm.find_role(source_role).permissions:
                sm.add_permission_role(astronaut, perm)

        existing_user = appbuilder.sm.find_user('gagarin')
        if not existing_user:
            appbuilder.sm.add_user(
                'gagarin', 'Iurii', 'Gagarin', '*****@*****.**',
                astronaut, password='******')

        data = self.run_sql('SELECT * FROM ab_user', '3', user_name='gagarin')
        # Clear the recorded Query rows before checking the result.
        db.session.query(Query).delete()
        db.session.commit()
        self.assertLess(0, len(data['data']))
예제 #9
def set_role(role_name, pvms, pvm_check):
    """Set a role's permissions to the entries of *pvms* accepted by *pvm_check*.

    The role's permission list is assigned, not extended: whatever the role
    held before is replaced by the filtered list, so a grant made outside
    this sync is dropped unless *pvm_check* accepts it.
    """
    logging.info("Syncing {} perms".format(role_name))
    target_role = sm.add_role(role_name)
    target_role.permissions = list(filter(pvm_check, pvms))
    session = sm.get_session()
    session.merge(target_role)
    session.commit()
예제 #10
def set_role(role_name, pvms, pvm_check):
    """Overwrite the permissions of *role_name* with the accepted subset of *pvms*.

    *pvm_check* is called once per entry, in order; entries for which it
    returns a true value become the role's complete permission list.
    """
    logging.info("Syncing {} perms".format(role_name))
    role = sm.add_role(role_name)
    accepted = []
    for candidate in pvms:
        if pvm_check(candidate):
            accepted.append(candidate)
    # Assignment replaces the previous permission list wholesale.
    role.permissions = accepted
    db_session = sm.get_session()
    db_session.merge(role)
    db_session.commit()
예제 #11
def set_role(role_name, pvm_check):
    """Rebuild the permissions of *role_name* from all stored permission views.

    Every PermissionView row is loaded, rows lacking a permission or a view
    menu are discarded, and the rows accepted by *pvm_check* become the
    role's complete permission list (the previous list is replaced).
    """
    logging.info('Syncing {} perms'.format(role_name))
    session = sm.get_session()
    all_pvms = session.query(ab_models.PermissionView).all()
    # Skip rows whose permission or view menu side is missing.
    complete_pvms = [
        pvm for pvm in all_pvms if pvm.permission and pvm.view_menu
    ]
    target_role = sm.add_role(role_name)
    target_role.permissions = list(filter(pvm_check, complete_pvms))
    session.merge(target_role)
    session.commit()
예제 #12
def set_role(role_name, pvm_check):
    """Sync *role_name* so it holds exactly the permission views *pvm_check* accepts.

    Candidates are all PermissionView rows that have both a permission and
    a view menu.  The result is assigned to ``role.permissions``, replacing
    whatever the role held before.
    """
    logging.info("Syncing {} perms".format(role_name))
    db_session = sm.get_session()
    candidates = []
    for row in db_session.query(ab_models.PermissionView).all():
        # Rows with a missing permission or view menu are ignored.
        if row.permission and row.view_menu:
            candidates.append(row)
    role = sm.add_role(role_name)
    granted = [row for row in candidates if pvm_check(row)]
    role.permissions = granted
    db_session.merge(role)
    db_session.commit()
예제 #13
    def test_slices_V2(self):
        """Request every slice URL as a user holding the explore-v2-beta role.

        A dedicated 'explore_beta' user is created with that role and logged
        in; each slice's ``slice_url`` is then fetched.  The responses are
        not inspected.
        """
        sm.add_role('explore-v2-beta')

        beta_role = appbuilder.sm.find_role('explore-v2-beta')
        appbuilder.sm.add_user(
            'explore_beta', 'explore_beta', ' user', '*****@*****.**',
            beta_role,
            password='******')
        self.login(username='******', password='******')

        urls = [
            (slc.slice_name, 'slice_url', slc.slice_url)
            for slc in db.session.query(models.Slice).all()
        ]
        # The names name/method/url are read by format(**locals()) below
        # and must keep these spellings.
        for name, method, url in urls:
            print("[{name}]/[{method}]: {url}".format(**locals()))
            response = self.client.get(url)
예제 #14
    def test_slices_V2(self):
        """Fetch every slice URL while logged in with the explore-v2-beta role."""
        # Create the explore-v2-beta role and a dedicated 'explore_beta'
        # user that holds it (the admin user is not touched here).
        # Then request all slice urls as that user.
        sm.add_role('explore-v2-beta')

        # add_user is called unconditionally; there is no find_user guard,
        # so behaviour on a second run depends on add_user itself.
        appbuilder.sm.add_user(
            'explore_beta', 'explore_beta', ' user', '*****@*****.**',
            appbuilder.sm.find_role('explore-v2-beta'),
            password='******')
        self.login(username='******', password='******')

        Slc = models.Slice
        urls = []
        for slc in db.session.query(Slc).all():
            urls += [
                (slc.slice_name, 'slice_url', slc.slice_url),
            ]
        for name, method, url in urls:
            # format(**locals()) reads the loop variables name/method/url.
            print("[{name}]/[{method}]: {url}".format(**locals()))
            # NOTE(review): the response is never checked, so this test
            # only fails if the request raises; a status-code assertion
            # would be needed to detect a denied or broken slice page.
            response = self.client.get(url)
예제 #15
 def setUpClass(cls):
     """Create the 'override_me' role once for the class and commit it."""
     role_name = 'override_me'
     sm.add_role(role_name)
     db.session.commit()
예제 #16
    def test_approve(self, mock_send_mime):
        """Walk the approve endpoint through grant and extend for tables and druid.

        Four cases: grant a role to the requesting user (table), extend a
        role with a table's datasource_access, then the same two for druid
        datasources.  For the table cases the notification mail captured by
        ``mock_send_mime`` is inspected as well.  ``mock_send_mime`` is
        presumably injected by a patch decorator that is not part of this
        listing.
        """
        # NOTE(review): the approvals below are issued through
        # self.client.get (and get_resp, presumably also a GET) -- i.e. a
        # GET request grants a role or widens a role's permissions.
        # Confirm how the endpoint is protected against forged requests,
        # and that an approver without rights over the datasource is
        # refused; neither is covered by this test.
        session = db.session
        TEST_ROLE_NAME = 'table_role'
        sm.add_role(TEST_ROLE_NAME)

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(session, 'table',
                                                'unicode_test', TEST_ROLE_NAME,
                                                'gamma')
        ds_1_id = access_request1.datasource_id
        resp = self.get_resp(
            GRANT_ROLE_REQUEST.format('table', ds_1_id, 'gamma',
                                      TEST_ROLE_NAME))

        # Test email content.
        self.assertTrue(mock_send_mime.called)
        # Positional arguments of the most recent send call: index 1 is
        # compared with the recipient list, index 2 is the message object.
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([
            sm.find_user(username='******').email,
            sm.find_user(username='******').email
        ], call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('unicode_test', call_args[2].as_string())

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request(session, 'table', 'long_lat',
                                                TEST_ROLE_NAME, 'gamma')
        ds_2_id = access_request2.datasource_id
        long_lat_perm = access_request2.datasource.perm

        self.client.get(
            EXTEND_ROLE_REQUEST.format('table', access_request2.datasource_id,
                                       'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)

        # Test email content.
        # mock_send_mime.called is already true from case 1, so this line
        # does not by itself prove a second mail was sent; the content
        # checks on the latest call below do the real work.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([
            sm.find_user(username='******').email,
            sm.find_user(username='******').email
        ], call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('long_lat', call_args[2].as_string())

        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the long_lat table
        perm_view = sm.find_permission_view_menu('datasource_access',
                                                 long_lat_perm)
        TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        sm.add_role('druid_role')
        access_request3 = create_access_request(session, 'druid', 'druid_ds_1',
                                                'druid_role', 'gamma')
        self.get_resp(
            GRANT_ROLE_REQUEST.format('druid', access_request3.datasource_id,
                                      'gamma', 'druid_role'))

        # user was granted druid_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request(session, 'druid', 'druid_ds_2',
                                                'druid_role', 'gamma')
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(
            EXTEND_ROLE_REQUEST.format('druid', access_request4.datasource_id,
                                       'gamma', 'druid_role'))
        # druid_role was extended to grant access to druid_ds_2
        druid_role = sm.find_role('druid_role')
        perm_view = sm.find_permission_view_menu('datasource_access',
                                                 druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup: detach both roles from the user, then delete the roles.
        # Not reached when an assertion above fails.
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('druid_role'))
        gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
        session.delete(sm.find_role('druid_role'))
        session.delete(sm.find_role(TEST_ROLE_NAME))
        session.commit()
예제 #17
    def test_request_access(self):
        """Check which 'grant role' links an access request offers.

        A user requests access to tables and druid datasources.  When no
        extra role holds the datasource, the stored request lists nothing;
        when a newly created role holds it, the request lists a grant link
        for that role.  The built-in roles that are given the same
        permission ('Alpha', 'Admin') are expected not to appear.
        """
        session = db.session
        self.logout()
        self.login(username='******')
        gamma_user = sm.find_user(username='******')
        sm.add_role('dummy_role')
        gamma_user.roles.append(sm.find_role('dummy_role'))
        session.commit()

        ACCESS_REQUEST = ('/superset/request_access?'
                          'datasource_type={}&'
                          'datasource_id={}&'
                          'action={}&')
        # ROLE_EXTEND_LINK is defined for symmetry but not used below.
        ROLE_EXTEND_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}">Extend {} Role</a>')
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>')

        # Request table access when no role has this table.

        table1 = session.query(models.SqlaTable).filter_by(
            table_name='random_time_series').first()
        table_1_id = table1.id

        # request access to the table
        resp = self.get_resp(ACCESS_REQUEST.format('table', table_1_id, 'go'))
        # Bare assert statements: these two checks disappear when Python
        # runs with -O, unlike the self.assert* calls further down.
        assert "Access was requested" in resp
        access_request1 = self.get_access_requests('gamma', 'table',
                                                   table_1_id)
        assert access_request1 is not None

        # Request access when roles exist that contain the table:
        # add the table's permission to existing roles first.
        table3 = session.query(
            models.SqlaTable).filter_by(table_name='energy_usage').first()
        table_3_id = table3.id
        table3_perm = table3.perm

        sm.add_role('energy_usage_role')
        alpha_role = sm.find_role('Alpha')
        sm.add_permission_role(
            alpha_role,
            sm.find_permission_view_menu('datasource_access', table3_perm))
        sm.add_permission_role(
            sm.find_role("energy_usage_role"),
            sm.find_permission_view_menu('datasource_access', table3_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('table', table_3_id, 'go'))
        access_request3 = self.get_access_requests('gamma', 'table',
                                                   table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format('table', table_3_id, 'gamma',
                                                'energy_usage_role',
                                                'energy_usage_role')
        # Only energy_usage_role is expected in the list, although Alpha
        # was given the same permission above.
        self.assertEqual(access_request3.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_3))

        # Request druid access when no role has this datasource.
        druid_ds_4 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_1').first()
        druid_ds_4_id = druid_ds_4.id

        # request access to the datasource
        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
        access_request4 = self.get_access_requests('gamma', 'druid',
                                                   druid_ds_4_id)

        # The template has no placeholder, so the format() argument is
        # ignored and the expected value is the literal '<ul></ul>'.
        self.assertEqual(access_request4.roles_with_datasource,
                         '<ul></ul>'.format(access_request4.id))

        # Case 5. Roles exist that contain the druid datasource:
        # add the druid datasource's permission to existing roles first.
        druid_ds_5 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_2').first()
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = sm.add_role('druid_ds_2_role')
        admin_role = sm.find_role('Admin')
        sm.add_permission_role(
            admin_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        sm.add_permission_role(
            druid_ds_2_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
        access_request5 = self.get_access_requests('gamma', 'druid',
                                                   druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format('druid', druid_ds_5_id,
                                                'gamma', 'druid_ds_2_role',
                                                'druid_ds_2_role')
        self.assertEqual(access_request5.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_5))

        # cleanup
        # NOTE(review): only dummy_role is detached from the user.  The
        # roles created here (dummy_role, energy_usage_role,
        # druid_ds_2_role) and the datasource_access grants added to Alpha
        # and Admin stay in the database, so later tests run against
        # widened built-in roles.
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('dummy_role'))
        session.commit()
예제 #18
    def __init__(self, *args, **kwargs):
        """Prepare roles, fixture users and druid fixtures, then build the test client.

        Steps, in order: load example data once per process (guarded by the
        ``examples_loaded`` environment variable, skipped when ``SOLO_TEST``
        is set), sync role definitions, create the ``gamma_sqllab`` role,
        create the users admin / gamma / gamma_sqllab / alpha when missing,
        and create the ``druid_test`` cluster with two datasources when
        missing.  All of this runs every time the test case class is
        instantiated.
        """
        if self.requires_examples and not os.environ.get("SOLO_TEST") and not os.environ.get("examples_loaded"):
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
            sync_role_definitions()
            # Marker so later instances in the same process skip the load.
            os.environ["examples_loaded"] = "1"
        else:
            sync_role_definitions()
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        # Show full diffs on assertion failures.
        self.maxDiff = None

        # gamma_sqllab = Gamma permissions + database_access on the main
        # database + sql_lab permissions.
        gamma_sqllab_role = sm.add_role("gamma_sqllab")
        for perm in sm.find_role("Gamma").permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)
        # NOTE(review): sm.get_session is passed and used without being
        # called here and at the commit below -- presumably an attribute or
        # property in this version; confirm.
        db_perm = self.get_main_database(sm.get_session).perm
        security.merge_perm(sm, "database_access", db_perm)
        db_pvm = sm.find_permission_view_menu(view_menu_name=db_perm, permission_name="database_access")
        gamma_sqllab_role.permissions.append(db_pvm)
        for perm in sm.find_role("sql_lab").permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)

        # Fixture accounts, each created only when find_user returns
        # nothing.  E-mail and password literals are redacted in this
        # listing.
        admin = appbuilder.sm.find_user("admin")
        if not admin:
            appbuilder.sm.add_user(
                "admin", "admin", " user", "*****@*****.**", appbuilder.sm.find_role("Admin"), password="******"
            )

        gamma = appbuilder.sm.find_user("gamma")
        if not gamma:
            appbuilder.sm.add_user(
                "gamma", "gamma", "user", "*****@*****.**", appbuilder.sm.find_role("Gamma"), password="******"
            )

        gamma_sqllab_user = appbuilder.sm.find_user("gamma_sqllab")
        if not gamma_sqllab_user:
            appbuilder.sm.add_user(
                "gamma_sqllab", "gamma_sqllab", "user", "*****@*****.**", gamma_sqllab_role, password="******"
            )

        alpha = appbuilder.sm.find_user("alpha")
        if not alpha:
            appbuilder.sm.add_user(
                "alpha", "alpha", "user", "*****@*****.**", appbuilder.sm.find_role("Alpha"), password="******"
            )
        sm.get_session.commit()

        # create druid cluster and druid datasources
        session = db.session
        cluster = session.query(models.DruidCluster).filter_by(cluster_name="druid_test").first()
        if not cluster:
            cluster = models.DruidCluster(cluster_name="druid_test")
            session.add(cluster)
            session.commit()

            # The two datasources are only created together with the
            # cluster; an existing cluster is assumed to have them.
            druid_datasource1 = models.DruidDatasource(datasource_name="druid_ds_1", cluster_name="druid_test")
            session.add(druid_datasource1)
            druid_datasource2 = models.DruidDatasource(datasource_name="druid_ds_2", cluster_name="druid_test")
            session.add(druid_datasource2)
            session.commit()
예제 #19
 def setUpClass(cls):
     """Make sure the 'override_me' role exists before the tests run."""
     override_role_name = 'override_me'
     sm.add_role(override_role_name)
     # Commit so the role is stored before any test method starts.
     db.session.commit()
예제 #20
    def test_approve(self):
        """Walk the approve endpoint through grant and extend for tables and druid.

        Four cases: grant a role to the requesting user (table), extend a
        role with a table's datasource_access, then the same two for druid
        datasources.  Each case first stores an access request through the
        local ``create_access_request`` helper.
        """
        # NOTE(review): approvals are issued through self.client.get (and
        # get_resp, presumably also a GET) -- a GET request grants a role
        # or widens a role's permissions.  Confirm how the endpoint is
        # protected against forged requests and that an approver without
        # rights over the datasource is refused; neither is tested here.
        session = db.session
        TEST_ROLE_NAME = 'table_role'
        sm.add_role(TEST_ROLE_NAME)

        def create_access_request(ds_type, ds_name, role_name):
            # Look up the datasource by name, add its datasource_access
            # permission to role_name, and store an access request for it.
            ds_class = SourceRegistry.sources[ds_type]
            # TODO: generalize datasource names
            if ds_type == 'table':
                ds = session.query(ds_class).filter(
                    ds_class.table_name == ds_name).first()
            else:
                ds = session.query(ds_class).filter(
                    ds_class.datasource_name == ds_name).first()
            ds_perm_view = sm.find_permission_view_menu(
                'datasource_access', ds.perm)
            # The role already receives the permission here, before any
            # approval request is made.
            sm.add_permission_role(sm.find_role(role_name), ds_perm_view)
            access_request = models.DatasourceAccessRequest(
                datasource_id=ds.id,
                datasource_type=ds_type,
                created_by_fk=sm.find_user(username='******').id,
            )
            session.add(access_request)
            session.commit()
            return access_request

        EXTEND_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}')
        GRANT_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}')

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(
            'table', 'unicode_test', TEST_ROLE_NAME)
        ds_1_id = access_request1.datasource_id
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma', TEST_ROLE_NAME))

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request('table', 'long_lat', TEST_ROLE_NAME)
        ds_2_id = access_request2.datasource_id
        long_lat_perm = access_request2.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)
        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the long_lat table
        # NOTE(review): create_access_request has already added this
        # permission to the role, so the assertIn below would hold even if
        # the extend request changed nothing.
        perm_view = sm.find_permission_view_menu(
            'datasource_access', long_lat_perm)
        TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        sm.add_role('druid_role')
        access_request3 = create_access_request('druid', 'druid_ds_1', 'druid_role')
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

        # user was granted druid_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request('druid', 'druid_ds_2', 'druid_role')
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
        # druid_role was extended to grant access to druid_ds_2
        druid_role = sm.find_role('druid_role')
        perm_view = sm.find_permission_view_menu(
            'datasource_access', druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup: detach both roles from the user, then delete the roles.
        # Not reached when an assertion above fails.
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('druid_role'))
        gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
        session.delete(sm.find_role('druid_role'))
        session.delete(sm.find_role(TEST_ROLE_NAME))
        session.commit()
예제 #21
    def test_request_access(self):
        """Check which 'grant role' links an access request offers.

        A user requests access to tables and druid datasources.  When no
        extra role holds the datasource, the stored request lists nothing;
        when a newly created role holds it, the request lists a grant link
        for that role.  The built-in roles given the same permission
        ('Alpha', 'Admin') are expected not to appear in the list.
        """
        session = db.session
        self.logout()
        self.login(username='******')
        gamma_user = sm.find_user(username='******')
        sm.add_role('dummy_role')
        gamma_user.roles.append(sm.find_role('dummy_role'))
        session.commit()

        ACCESS_REQUEST = (
            '/superset/request_access?'
            'datasource_type={}&'
            'datasource_id={}&'
            'action={}&')
        # ROLE_EXTEND_LINK is defined for symmetry but not used below.
        ROLE_EXTEND_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}">Extend {} Role</a>')
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>')

        # Request table access when no role has this table.

        table1 = session.query(models.SqlaTable).filter_by(
            table_name='random_time_series').first()
        table_1_id = table1.id

        # request access to the table
        resp = self.get_resp(
            ACCESS_REQUEST.format('table', table_1_id, 'go'))
        # Bare assert statements: these two checks disappear when Python
        # runs with -O, unlike the self.assert* calls further down.
        assert "Access was requested" in resp
        access_request1 = self.get_access_requests('gamma', 'table', table_1_id)
        assert access_request1 is not None

        # Request access when roles exist that contain the table:
        # add the table's permission to existing roles first.
        table3 = session.query(models.SqlaTable).filter_by(
            table_name='energy_usage').first()
        table_3_id = table3.id
        table3_perm = table3.perm

        sm.add_role('energy_usage_role')
        alpha_role = sm.find_role('Alpha')
        sm.add_permission_role(
            alpha_role,
            sm.find_permission_view_menu('datasource_access', table3_perm))
        sm.add_permission_role(
            sm.find_role("energy_usage_role"),
            sm.find_permission_view_menu('datasource_access', table3_perm))
        session.commit()

        self.get_resp(
            ACCESS_REQUEST.format('table', table_3_id, 'go'))
        access_request3 = self.get_access_requests('gamma', 'table', table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format(
            'table', table_3_id, 'gamma', 'energy_usage_role',
            'energy_usage_role')
        # Only energy_usage_role is expected in the list, although Alpha
        # was given the same permission above.
        self.assertEqual(access_request3.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_3))

        # Request druid access when no role has this datasource.
        druid_ds_4 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_1').first()
        druid_ds_4_id = druid_ds_4.id

        # request access to the datasource
        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
        access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id)

        # The template has no placeholder, so the format() argument is
        # ignored and the expected value is the literal '<ul></ul>'.
        self.assertEqual(
            access_request4.roles_with_datasource,
            '<ul></ul>'.format(access_request4.id))

        # Case 5. Roles exist that contain the druid datasource:
        # add the druid datasource's permission to existing roles first.
        druid_ds_5 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_2').first()
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = sm.add_role('druid_ds_2_role')
        admin_role = sm.find_role('Admin')
        sm.add_permission_role(
            admin_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        sm.add_permission_role(
            druid_ds_2_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
        access_request5 = self.get_access_requests(
            'gamma', 'druid', druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format(
            'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role',
            'druid_ds_2_role')
        self.assertEqual(access_request5.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_5))

        # cleanup
        # NOTE(review): only dummy_role is detached from the user.  The
        # roles created here (dummy_role, energy_usage_role,
        # druid_ds_2_role) and the datasource_access grants added to Alpha
        # and Admin stay in the database, so later tests run against
        # widened built-in roles.
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('dummy_role'))
        session.commit()
예제 #22
    def test_approve(self, mock_send_mime):
        """Exercise the approval side of the access-request flow.

        Covers four success cases for the user 'gamma': granting a role and
        extending a role, each for a table and for a druid datasource.

        The whole body is guarded by the ``ENABLE_ACCESS_REQUEST`` config
        flag: when the flag is falsy nothing is asserted and the test passes
        vacuously.

        ``mock_send_mime`` is the mock whose ``called`` / ``call_args`` are
        inspected below; presumably it is injected by a patch decorator
        outside this excerpt -- confirm.
        """
        if app.config.get('ENABLE_ACCESS_REQUEST'):
            session = db.session
            TEST_ROLE_NAME = 'table_role'
            sm.add_role(TEST_ROLE_NAME)

            # Case 1. Grant new role to the user.

            # create_access_request is defined outside this excerpt; presumably
            # it persists a pending request for 'gamma' on 'unicode_test'.
            access_request1 = create_access_request(
                session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma')
            ds_1_id = access_request1.datasource_id
            # NOTE(review): which user is logged in when the grant URL is hit
            # is not visible here, and only the success path is asserted.
            # A companion test that an account without approval rights is
            # refused would pin the authorization check itself.
            self.get_resp(GRANT_ROLE_REQUEST.format(
                'table', ds_1_id, 'gamma', TEST_ROLE_NAME))
            # Test email content.
            self.assertTrue(mock_send_mime.called)
            call_args = mock_send_mime.call_args[0]
            # Positional arg 1 is compared against two user e-mail addresses;
            # positional arg 2 is used as a MIME message (Subject, as_string).
            self.assertEqual([sm.find_user(username='******').email,
                              sm.find_user(username='******').email],
                             call_args[1])
            self.assertEqual(
                '[Superset] Access to the datasource {} was granted'.format(
                    self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
            self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
            self.assertIn('unicode_test', call_args[2].as_string())

            access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
            # request was removed
            self.assertFalse(access_requests)
            # user was granted table_role
            user_roles = [r.name for r in sm.find_user('gamma').roles]
            self.assertIn(TEST_ROLE_NAME, user_roles)

            # Case 2. Extend the role to have access to the table

            access_request2 = create_access_request(
                session, 'table', 'long_lat', TEST_ROLE_NAME, 'gamma')
            ds_2_id = access_request2.datasource_id
            long_lat_perm = access_request2.datasource.perm

            # NOTE(review): the role extension is triggered with an HTTP GET.
            # State-changing GET endpoints are normally outside form-based
            # CSRF token checks, so confirm the view has equivalent protection
            # and that this is covered by a dedicated test.
            self.client.get(EXTEND_ROLE_REQUEST.format(
                'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
            access_requests = self.get_access_requests('gamma', 'table', ds_2_id)

            # Test email content.
            # mock_send_mime.called is already True from Case 1, so this line
            # alone does not prove a second mail was sent; the Subject check
            # below on the latest call_args is what ties it to Case 2.
            self.assertTrue(mock_send_mime.called)
            call_args = mock_send_mime.call_args[0]
            self.assertEqual([sm.find_user(username='******').email,
                              sm.find_user(username='******').email],
                             call_args[1])
            self.assertEqual(
                '[Superset] Access to the datasource {} was granted'.format(
                    self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
            self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
            self.assertIn('long_lat', call_args[2].as_string())

            # request was removed
            self.assertFalse(access_requests)
            # table_role was extended to grant access to the long_lat table
            perm_view = sm.find_permission_view_menu(
                'datasource_access', long_lat_perm)
            TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
            self.assertIn(perm_view, TEST_ROLE.permissions)

            # Case 3. Grant new role to the user to access the druid datasource.

            sm.add_role('druid_role')
            access_request3 = create_access_request(
                session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
            self.get_resp(GRANT_ROLE_REQUEST.format(
                'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

            # user was granted druid_role
            user_roles = [r.name for r in sm.find_user('gamma').roles]
            self.assertIn('druid_role', user_roles)

            # Case 4. Extend the role to have access to the druid datasource

            access_request4 = create_access_request(
                session, 'druid', 'druid_ds_2', 'druid_role', 'gamma')
            druid_ds_2_perm = access_request4.datasource.perm

            self.client.get(EXTEND_ROLE_REQUEST.format(
                'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
            # druid_role was extended to grant access to the druid_access_ds_2
            druid_role = sm.find_role('druid_role')
            perm_view = sm.find_permission_view_menu(
                'datasource_access', druid_ds_2_perm)
            self.assertIn(perm_view, druid_role.permissions)

            # cleanup
            # NOTE(review): this only runs when every assertion above passed.
            # After a failure 'gamma' keeps the test roles and both roles stay
            # in the database, which can change the outcome of later
            # permission tests; registering the cleanup with addCleanup (or a
            # try/finally) would avoid that.
            gamma_user = sm.find_user(username='******')
            gamma_user.roles.remove(sm.find_role('druid_role'))
            gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
            session.delete(sm.find_role('druid_role'))
            session.delete(sm.find_role(TEST_ROLE_NAME))
            session.commit()
예제 #23
    def __init__(self, *args, **kwargs):
        """Build the shared fixtures every Superset test case relies on.

        Steps, in order: optionally load the example data (once per process,
        tracked through the ``examples_loaded`` environment variable), sync
        the role definitions, create the Flask test client, assemble the
        ``gamma_sqllab`` role from the permissions of ``Gamma`` and
        ``sql_lab``, make sure the fixture users exist, and make sure the
        ``druid_test`` cluster with its two datasources exists.

        The accounts and passwords created here are test fixtures only.
        """
        load_examples_now = (
            self.requires_examples
            and not os.environ.get('SOLO_TEST')
            and not os.environ.get('examples_loaded'))
        if load_examples_now:
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
        # Role definitions are re-synced on every construction, whether or
        # not the examples had to be loaded first.
        sync_role_definitions()
        if load_examples_now:
            os.environ['examples_loaded'] = '1'
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        # gamma_sqllab = everything Gamma has, then everything sql_lab has.
        sqllab_role = sm.add_role("gamma_sqllab")
        for source_role_name in ('Gamma', 'sql_lab'):
            for pvm in sm.find_role(source_role_name).permissions:
                sm.add_permission_role(sqllab_role, pvm)

        # (login, last name, role name); the login doubles as the first name.
        fixture_users = (
            ('admin', ' user', 'Admin'),
            ('gamma', 'user', 'Gamma'),
            ('gamma_sqllab', 'user', 'gamma_sqllab'),
            ('alpha', 'user', 'Alpha'),
        )
        for login, last_name, role_name in fixture_users:
            if appbuilder.sm.find_user(login):
                continue
            appbuilder.sm.add_user(
                login,
                login,
                last_name,
                '*****@*****.**',
                appbuilder.sm.find_role(role_name),
                password='******')

        # create druid cluster and druid datasources
        session = db.session
        existing_cluster = (
            session.query(models.DruidCluster)
            .filter_by(cluster_name="druid_test")
            .first())
        if not existing_cluster:
            session.add(models.DruidCluster(cluster_name="druid_test"))
            session.commit()

            for ds_name in ('druid_ds_1', 'druid_ds_2'):
                session.add(models.DruidDatasource(
                    datasource_name=ds_name, cluster_name='druid_test'))
            session.commit()
예제 #24
def sync_role_definitions():
    """Synchronise the built-in roles with the permission views in the database.

    Each role is obtained through ``sm.add_role``. For every role the full
    list of permission views is then walked and each one is either added to
    or removed from the role according to that role's rule, so a permission
    that does not match the rule is revoked on every run (manual additions
    to these roles do not survive a sync).

    Afterwards the function makes sure that per-datasource, per-schema,
    per-database and per-dashboard permissions exist, and calls
    ``models.init_metrics_perm()``.

    Matching is done on ``p.permission.name`` and ``p.view_menu.name``
    string literals; a name that does not correspond to an existing
    permission or view simply never matches, without any error.
    """
    logging.info("Syncing role definition")

    # Creating default roles
    alpha = sm.add_role("Alpha")
    admin = sm.add_role("Admin")
    gamma = sm.add_role("Gamma")
    public = sm.add_role("Public")
    sql_lab = sm.add_role("sql_lab")
    granter = sm.add_role("granter")
    dashboard_access = sm.add_role("dashboard_access")
    dashboard_edit = sm.add_role("dashboard_edit")
    slice_access = sm.add_role("slice_access")
    slice_edit = sm.add_role("slice_edit")
    datasource_access = sm.add_role("datasource_access")
    datasource_edit = sm.add_role("datasource_edit")
    manage_edit = sm.add_role("manage_edit")
    user_role_edit = sm.add_role("user_role_edit")

    get_or_create_main_db()

    # Global perms
    merge_perm(sm, 'all_datasource_access', 'all_datasource_access')
    merge_perm(sm, 'all_database_access', 'all_database_access')

    # Permission views with a missing permission or view_menu are dropped so
    # the .name lookups in the loops below cannot hit None.
    perms = db.session.query(ab_models.PermissionView).all()
    perms = [p for p in perms if p.permission and p.view_menu]

    logging.info("Syncing admin perms")
    for p in perms:
        # admin has all_database_access and all_datasource_access
        # Everything that is_user_defined_permission() accepts is removed from
        # Admin; every other permission view is granted.
        if is_user_defined_permission(p):
            sm.del_permission_role(admin, p)
        else:
            sm.add_permission_role(admin, p)

    logging.info("Syncing alpha perms")
    for p in perms:
        # alpha has all_database_access and all_datasource_access
        if is_user_defined_permission(p):
            sm.del_permission_role(alpha, p)
        elif ((p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
               and p.permission.name not in ADMIN_ONLY_PERMISSIONS)
              or (p.permission.name, p.view_menu.name) in READ_ONLY_PRODUCT):
            sm.add_permission_role(alpha, p)
        else:
            sm.del_permission_role(alpha, p)

    logging.info("Syncing gamma perms and public if specified")
    # NOTE(review): with PUBLIC_ROLE_LIKE_GAMMA truthy, the Public role gets
    # every permission Gamma gets. Public is presumably the role applied to
    # unauthenticated visitors -- confirm before enabling.
    # When the flag is falsy the add branch leaves Public untouched, so
    # permissions Public received during an earlier run with the flag on are
    # only revoked once Gamma loses them as well.
    PUBLIC_ROLE_LIKE_GAMMA = conf.get('PUBLIC_ROLE_LIKE_GAMMA', False)
    for p in perms:
        if ((p.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
             and p.view_menu.name not in GAMMA_READ_ONLY_MODELVIEWS
             and p.permission.name not in ADMIN_ONLY_PERMISSIONS
             and p.permission.name not in ALPHA_ONLY_PERMISSIONS) or
            (p.permission.name, p.view_menu.name) in GAMMA_READ_ONLY_PRODUCT):
            sm.add_permission_role(gamma, p)
            if PUBLIC_ROLE_LIKE_GAMMA:
                sm.add_permission_role(public, p)
        else:
            sm.del_permission_role(gamma, p)
            sm.del_permission_role(public, p)

    logging.info("Syncing sql_lab perms")
    for p in perms:
        if (p.view_menu.name in {'SQL Lab'} or p.permission.name
                in {'can_sql_json', 'can_csv', 'can_search_queries'}):
            sm.add_permission_role(sql_lab, p)
        else:
            sm.del_permission_role(sql_lab, p)

    logging.info("Syncing granter perms")
    # NOTE(review): 'can_aprove' is spelled with a single 'p'. If the
    # permission is actually registered as 'can_approve', this literal never
    # matches and the granter role silently lacks it -- verify against the
    # registered permission names.
    for p in perms:
        if (p.permission.name
                in {'can_override_role_permissions', 'can_aprove'}):
            sm.add_permission_role(granter, p)
        else:
            sm.del_permission_role(granter, p)

    # The remaining role rules share one shape: an OR of
    #   - view-menu names (grants every permission on that view menu),
    #   - permission names (grants that permission on every view menu),
    #   - (permission names AND one view-menu name) pairs.
    # NOTE(review): the dashboard_*, slice_* and datasource_* rules all list
    # 'all_datasource_access' and 'all_database_access' among the bare
    # permission names, so these narrowly named roles also carry the global
    # data-access permissions created above -- confirm that is intended.
    logging.info("Syncing dashboard_access perms")
    for p in perms:
        if (p.view_menu.name in {'Dashboards'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_dashboards', 'can_fave_dashboards',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {'can_list', 'can_show', 'can_download'}
              and p.view_menu.name in {'DashboardModelView'}) or
            (p.permission.name in {'can_list', 'can_show', 'can_download'}
             and p.view_menu.name in {'DashboardModelViewAsync'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_download', 'can_userinfo',
                    'resetmypassword', 'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(dashboard_access, p)
        else:
            sm.del_permission_role(dashboard_access, p)

    logging.info("Syncing dashboard_edit perms")
    for p in perms:
        if (p.view_menu.name in {'Dashboards'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_dashboards', 'can_fave_dashboards',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download', 'mulexport'
        } and p.view_menu.name in {'DashboardModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download', 'mulexport'
                } and p.view_menu.name in {'DashboardModelViewAsync'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_download', 'can_userinfo',
                    'resetmypassword', 'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(dashboard_edit, p)
        else:
            sm.del_permission_role(dashboard_edit, p)

    logging.info("Syncing slice_access perms")
    for p in perms:
        if (p.view_menu.name in {'Slices'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_slices', 'can_fave_slices',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {'can_list', 'can_show', 'can_download'}
              and p.view_menu.name in {'SliceModelView'}) or
            (p.permission.name in {'can_list', 'can_show', 'can_download'}
             and p.view_menu.name in {'SliceAsync'}) or (p.permission.name in {
                 'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                 'userinfoedit'
             } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(slice_access, p)
        else:
            sm.del_permission_role(slice_access, p)

    logging.info("Syncing slice_edit perms")
    for p in perms:
        if (p.view_menu.name in {'Slices'} or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_slice',
                'can_created_slices', 'can_fave_slices', 'can_add_slices',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'SliceModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'SliceAsync'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'SliceAddView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(slice_edit, p)
        else:
            sm.del_permission_role(slice_edit, p)

    logging.info("Syncing datasource_access perms")
    # NOTE(review): this rule names the view 'DatabaseTableAsync' while the
    # datasource_edit rule below names 'DatabaseTablesAsync'. One of the two
    # spellings presumably matches no view, in which case that role silently
    # misses the permission -- verify against the registered view names.
    for p in perms:
        if (p.view_menu.name in {
                'Sources', 'Databases', 'Tables', 'Druid Clusters',
                'Druid Datasources'
        } or p.permission.name in {
                'can_explore', 'can_explore_json', 'all_datasource_access',
                'all_database_access', 'can_profile'
        } or (p.permission.name in {'can_list', 'can_show'}
              and p.view_menu.name in {'DatabaseView'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DatabaseAsync'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'TableModelView'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DatabaseTableAsync'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DruidDatasourceModelView'})
                or (p.permission.name in {'can_list', 'can_show'}
                    and p.view_menu.name in {'DruidClusterModelView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(datasource_access, p)
        else:
            sm.del_permission_role(datasource_access, p)

    logging.info("Syncing datasource_edit perms")
    for p in perms:
        if (p.view_menu.name in {
                'Sources', 'Databases', 'Tables', 'Druid Clusters',
                'Druid Datasources', 'Refresh Druid Metadata',
                'TableColumnInlineView', 'SqlMetricInlineView'
        } or p.permission.name in {
                'can_explore', 'can_explore_json', 'can_testconn',
                'can_checkbox', 'can_refresh_datasources',
                'all_datasource_access', 'all_database_access', 'can_profile'
        } or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'DatabaseView'}) or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'DatabaseAsync'}) or (p.permission.name in {
                'can_list', 'can_show', 'can_add', 'can_delete', 'muldelete',
                'can_edit', 'can_download'
        } and p.view_menu.name in {'TableModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'DatabaseTablesAsync'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidDatasourceModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidClusterModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'TableColumnInlineView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'SqlMetricInlineView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidColumnInlineView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'DruidMetricInlineView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(datasource_edit, p)
        else:
            sm.del_permission_role(datasource_edit, p)

    logging.info("Syncing manage_edit perms")
    for p in perms:
        if (p.view_menu.name
                in {'Manage', 'Import Dashboards', 'Queries', 'CSS Templates'}
                or p.permission.name in {'can_profile'}
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'QueryView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'CssTemplateModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'CssTemplateAsyncModelView'})
                or (p.permission.name in {'can_add'}
                    and p.view_menu.name in {'DashboardModelView'})
                or (p.permission.name in {'can_add'}
                    and p.view_menu.name in {'SliceAddView'})
                or (p.permission.name in {
                    'can_show', 'can_edit', 'can_userinfo', 'resetmypassword',
                    'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})):
            sm.add_permission_role(manage_edit, p)
        else:
            sm.del_permission_role(manage_edit, p)

    logging.info("Syncing user_role_edit perms")
    # NOTE(review): this role covers user and role management, including
    # 'resetpasswords', 'can_update_role' and 'can_override_role_permissions'
    # on the user/role views. A holder can presumably change what other
    # accounts are allowed to do, so membership should be reviewed like
    # Admin membership -- confirm.
    for p in perms:
        if (p.view_menu.name in {
                'Security', 'List Users', 'List Roles', "User's Statistics",
                'Base Permissions', 'Views/Menus', 'Permission on Views/Menus',
                'Access requests', 'Action Log'
        } or p.permission.name in {'can_recent_activity', 'can_profile'}
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download', 'can_userinfo',
                    'resetmypassword', 'resetpasswords', 'userinfoedit'
                } and p.view_menu.name in {'UserDBModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'muldelete', 'can_edit', 'can_download', 'Copy Role',
                    'can_update_role', 'can_override_role_permissions'
                } and p.view_menu.name in {'RoleModelView'})
                or (p.permission.name in {'can_chart'}
                    and p.view_menu.name in {'UserStatsChartView'})
                or (p.permission.name in {'can_list'}
                    and p.view_menu.name in {'PermissionModelView'})
                or (p.permission.name in {'can_list'}
                    and p.view_menu.name in {'ViewMenuModelView'})
                or (p.permission.name in {'can_list'}
                    and p.view_menu.name in {'PermissionViewModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download', 'muldelete'
                } and p.view_menu.name in {'AccessRequestsModelView'})
                or (p.permission.name in {
                    'can_list', 'can_show', 'can_add', 'can_delete',
                    'can_edit', 'can_download'
                } and p.view_menu.name in {'LogModelView'}) or
            (p.permission.name in {'can_this_form_post', 'can_this_form_get'}
             and p.view_menu.name in {'ResetMyPasswordView'}) or
            (p.permission.name in {'can_this_form_post', 'can_this_form_get'}
             and p.view_menu.name in {'ResetPasswordView'}) or
            (p.permission.name in {'can_this_form_post', 'can_this_form_get'}
             and p.view_menu.name in {'UserInfoEditView'})):
            sm.add_permission_role(user_role_edit, p)
        else:
            sm.del_permission_role(user_role_edit, p)

    logging.info("Making sure all data source perms have been created")
    session = db.session()
    datasources = [o for o in session.query(models.SqlaTable).all()]
    datasources += [o for o in session.query(models.DruidDatasource).all()]
    for datasource in datasources:
        # Recompute the permission string and store it back when the saved
        # value is stale; the change is committed after the database loop.
        perm = datasource.get_perm()
        merge_perm(sm, 'datasource_access', perm)
        if datasource.schema:
            merge_perm(sm, 'schema_access', datasource.schema_perm)
        if perm != datasource.perm:
            datasource.perm = perm

    logging.info("Making sure all database perms have been created")
    databases = [o for o in session.query(models.Database).all()]
    for database in databases:
        perm = database.get_perm()
        if perm != database.perm:
            database.perm = perm
        merge_perm(sm, 'database_access', perm)
    session.commit()

    logging.info("Making sure all dashboard perms have been created")
    # NOTE(review): the 'dashboard_access' permission view is keyed by
    # whatever get_dashboard_title() returns. If titles are editable or not
    # unique, two dashboards with the same title would share one permission
    # and a rename would detach a dashboard from its grant -- confirm how
    # titles are constrained.
    dashboards = [o for o in session.query(models.Dashboard).all()]
    for dashboard in dashboards:
        perm = dashboard.get_dashboard_title()
        sm.add_permission_view_menu('dashboard_access', perm)
    session.commit()

    logging.info("Making sure all metrics perms exist")
    models.init_metrics_perm()
예제 #25
def set_role(role_name, pvms, pvm_check):
    """Set the permissions of ``role_name`` to the ``pvms`` accepted by ``pvm_check``.

    The role is obtained through ``sm.add_role`` and its ``permissions``
    attribute is replaced wholesale, so anything the role held before that
    ``pvm_check`` rejects is dropped. ``pvm_check`` is therefore the only
    gate deciding what the role may do. Nothing is committed here.
    """
    logging.info("Syncing {} perms".format(role_name))
    target_role = sm.add_role(role_name)
    target_role.permissions = list(filter(pvm_check, pvms))
예제 #26
    def __init__(self, *args, **kwargs):
        """Build the shared fixtures every Superset test case relies on.

        Steps, in order: optionally load the example data (once per process,
        tracked through the ``examples_loaded`` environment variable), sync
        the role definitions, create the Flask test client, assemble the
        ``gamma_sqllab`` role (``Gamma`` permissions, ``database_access`` on
        the main database, then ``sql_lab`` permissions), make sure the
        fixture users exist, and make sure the ``druid_test`` cluster with
        its two datasources exists.

        The accounts and passwords created here are test fixtures only.
        """
        first_load = (
            self.requires_examples and
            not os.environ.get('SOLO_TEST') and
            not os.environ.get('examples_loaded')
        )
        if first_load:
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
        # Role definitions are re-synced on every construction, whether or
        # not the examples had to be loaded first.
        sync_role_definitions()
        if first_load:
            os.environ['examples_loaded'] = '1'
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        gamma_sqllab_role = sm.add_role("gamma_sqllab")

        def copy_permissions_from(source_role_name):
            # Grant gamma_sqllab every permission the named role holds.
            for pvm in sm.find_role(source_role_name).permissions:
                sm.add_permission_role(gamma_sqllab_role, pvm)

        copy_permissions_from('Gamma')
        # gamma_sqllab additionally gets database_access on the main
        # database, which plain Gamma does not receive here.
        main_db_perm = self.get_main_database(sm.get_session).perm
        security.merge_perm(sm, 'database_access', main_db_perm)
        gamma_sqllab_role.permissions.append(
            sm.find_permission_view_menu(
                view_menu_name=main_db_perm,
                permission_name='database_access'))
        copy_permissions_from('sql_lab')

        def ensure_user(login, last_name, role_name):
            # Create the account only when it is missing; the role is looked
            # up by name at creation time.
            if appbuilder.sm.find_user(login):
                return
            appbuilder.sm.add_user(
                login, login, last_name, '*****@*****.**',
                appbuilder.sm.find_role(role_name),
                password='******')

        ensure_user('admin', ' user', 'Admin')
        ensure_user('gamma', 'user', 'Gamma')
        ensure_user('gamma2', 'user', 'Gamma')

        # gamma_sqllab is bound to the role object built above rather than
        # to a role looked up by name.
        if not appbuilder.sm.find_user('gamma_sqllab'):
            appbuilder.sm.add_user(
                'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**',
                gamma_sqllab_role, password='******')

        ensure_user('alpha', 'user', 'Alpha')
        sm.get_session.commit()
        # create druid cluster and druid datasources
        session = db.session
        existing_cluster = session.query(DruidCluster).filter_by(
            cluster_name="druid_test").first()
        if not existing_cluster:
            session.add(DruidCluster(cluster_name="druid_test"))
            session.commit()

            for ds_name in ('druid_ds_1', 'druid_ds_2'):
                session.add(DruidDatasource(
                    datasource_name=ds_name, cluster_name='druid_test'))
            session.commit()
예제 #27
def sync_role_definitions():
    """Inits the Superset application with security roles and such.

    Creates the roles Alpha, Admin, Gamma, Public, sql_lab and granter via
    ``sm.add_role``, registers the two global permissions, then walks every
    complete permission/view pair and adds it to or removes it from each
    role. Afterwards a ``datasource_access`` permission is registered for
    each table and Druid datasource and a ``database_access`` permission for
    each database, the session is committed, and
    ``models.init_metrics_perm()`` is called.

    Security-relevant design point: Alpha and Gamma are derived from
    exclusion lists (``ADMIN_ONLY_VIEW_MENUES``, ``ADMIN_ONLY_PERMISSIONS``,
    ``ALPHA_ONLY_PERMISSIONS``). A pair that appears in none of them is
    granted, so a newly introduced sensitive view stays open to these roles
    until it is added to the relevant list.
    """
    logging.info("Syncing role definition")

    # Built-in roles (same creation order as before).
    alpha = sm.add_role("Alpha")
    admin = sm.add_role("Admin")
    gamma = sm.add_role("Gamma")
    public = sm.add_role("Public")
    sql_lab = sm.add_role("sql_lab")
    granter = sm.add_role("granter")

    get_or_create_main_db()

    # Global permissions covering all datasources / all databases.
    sm.add_permission_view_menu(
        'all_datasource_access', 'all_datasource_access')
    sm.add_permission_view_menu('all_database_access', 'all_database_access')

    # Keep only pairs that have both a permission and a view menu attached.
    all_pvms = [
        pvm for pvm in db.session.query(ab_models.PermissionView).all()
        if pvm.permission and pvm.view_menu
    ]

    logging.info("Syncing admin perms")
    for pvm in all_pvms:
        # Admin gets every pair except those is_user_defined_permission()
        # flags; per the original comment it relies on all_database_access
        # and all_datasource_access instead.
        if not is_user_defined_permission(pvm):
            sm.add_permission_role(admin, pvm)
        else:
            sm.del_permission_role(admin, pvm)

    logging.info("Syncing alpha perms")
    for pvm in all_pvms:
        # Same treatment of user-defined pairs as for Admin.
        if is_user_defined_permission(pvm):
            sm.del_permission_role(alpha, pvm)
            continue
        view_name = pvm.view_menu.name
        perm_name = pvm.permission.name
        outside_admin_only = (
            view_name not in ADMIN_ONLY_VIEW_MENUES and
            perm_name not in ADMIN_ONLY_PERMISSIONS
        )
        if outside_admin_only or (perm_name, view_name) in READ_ONLY_PRODUCT:
            sm.add_permission_role(alpha, pvm)
        else:
            sm.del_permission_role(alpha, pvm)

    logging.info("Syncing gamma perms and public if specified")
    mirror_gamma_to_public = conf.get('PUBLIC_ROLE_LIKE_GAMMA', False)
    for pvm in all_pvms:
        view_name = pvm.view_menu.name
        perm_name = pvm.permission.name
        gamma_allowed = (
            (
                view_name not in ADMIN_ONLY_VIEW_MENUES and
                perm_name not in ADMIN_ONLY_PERMISSIONS and
                perm_name not in ALPHA_ONLY_PERMISSIONS
            ) or
            (perm_name, view_name) in READ_ONLY_PRODUCT
        )
        if not gamma_allowed:
            sm.del_permission_role(gamma, pvm)
            sm.del_permission_role(public, pvm)
            continue
        sm.add_permission_role(gamma, pvm)
        # NOTE(review): when PUBLIC_ROLE_LIKE_GAMMA is falsy nothing is
        # removed from Public on this path, so grants mirrored while the
        # flag was on appear to survive turning it off. Confirm whether
        # Public should be revoked here or is meant to be hand-managed.
        if mirror_gamma_to_public:
            sm.add_permission_role(public, pvm)

    logging.info("Syncing sql_lab perms")
    sql_lab_views = {'SQL Lab'}
    sql_lab_perms = {'can_sql_json', 'can_csv', 'can_search_queries'}
    for pvm in all_pvms:
        wanted = (
            pvm.view_menu.name in sql_lab_views or
            pvm.permission.name in sql_lab_perms
        )
        if wanted:
            sm.add_permission_role(sql_lab, pvm)
        else:
            sm.del_permission_role(sql_lab, pvm)

    logging.info("Syncing granter perms")
    # NOTE(review): 'can_aprove' is spelled with a single 'p'. If the
    # registered permission for the approve view is 'can_approve', this set
    # never matches it and granter is left without it -- confirm against
    # the permission names actually registered.
    granter_perms = {'can_override_role_permissions', 'can_aprove'}
    for pvm in all_pvms:
        if pvm.permission.name in granter_perms:
            sm.add_permission_role(granter, pvm)
        else:
            sm.del_permission_role(granter, pvm)

    logging.info("Making sure all data source perms have been created")
    session = db.session()
    datasources = list(session.query(models.SqlaTable).all())
    datasources.extend(session.query(models.DruidDatasource).all())
    for datasource in datasources:
        current_perm = datasource.get_perm()
        sm.add_permission_view_menu('datasource_access', current_perm)
        # Refresh the stored perm string when it no longer matches.
        if current_perm != datasource.perm:
            datasource.perm = current_perm

    logging.info("Making sure all database perms have been created")
    for database in list(session.query(models.Database).all()):
        current_perm = database.get_perm()
        if current_perm != database.perm:
            database.perm = current_perm
        sm.add_permission_view_menu('database_access', current_perm)
    session.commit()

    logging.info("Making sure all metrics perms exist")
    models.init_metrics_perm()
예제 #28
    def test_approve(self):
        """Exercise /superset/approve for tables and Druid datasources.

        Four cases are covered: granting a role to the requesting user and
        extending an existing role with a datasource permission, each for a
        'table' datasource and for a 'druid' datasource. The roles created
        along the way are deleted at the end.

        NOTE(review): cases 2 and 4 call the endpoint with ``self.client.get``
        and never look at the response, and case 4 does not check that the
        access request was removed. The cleanup is not in a ``finally``, so a
        failing assertion leaves the test roles in the database.

        NOTE(review): the approve endpoint changes role membership and role
        permissions but is driven here by a GET with query parameters. GET
        requests are normally not covered by CSRF token checks, so confirm
        the view has another safeguard against cross-site requests.
        """
        session = db.session
        TEST_ROLE_NAME = 'table_role'
        sm.add_role(TEST_ROLE_NAME)

        def create_access_request(ds_type, ds_name, role_name):
            """Grant role_name access to the datasource and file a request.

            Looks the datasource up by table_name ('table') or
            datasource_name (anything else), adds its 'datasource_access'
            permission to the role, then stores and returns a
            DatasourceAccessRequest for it.
            """
            ds_class = SourceRegistry.sources[ds_type]
            # TODO: generalize datasource names
            if ds_type == 'table':
                ds = session.query(ds_class).filter(
                    ds_class.table_name == ds_name).first()
            else:
                ds = session.query(ds_class).filter(
                    ds_class.datasource_name == ds_name).first()
            ds_perm_view = sm.find_permission_view_menu(
                'datasource_access', ds.perm)
            sm.add_permission_role(sm.find_role(role_name), ds_perm_view)
            # The username literal is masked in this listing; presumably the
            # request is filed as the 'gamma' test user -- confirm.
            access_request = models.DatasourceAccessRequest(
                datasource_id=ds.id,
                datasource_type=ds_type,
                created_by_fk=sm.find_user(username='******').id,
            )
            session.add(access_request)
            session.commit()
            return access_request

        # URL templates: datasource type, datasource id, requesting user,
        # and the role to extend / to grant.
        EXTEND_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}')
        GRANT_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}')

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(
            'table', 'unicode_test', TEST_ROLE_NAME)
        ds_1_id = access_request1.datasource_id
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma', TEST_ROLE_NAME))

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request('table', 'long_lat', TEST_ROLE_NAME)
        ds_2_id = access_request2.datasource_id
        long_lat_perm = access_request2.datasource.perm

        # Response is discarded; only the resulting database state is checked.
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)
        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the long_lat table
        perm_view = sm.find_permission_view_menu(
            'datasource_access', long_lat_perm)
        TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        sm.add_role('druid_role')
        access_request3 = create_access_request('druid', 'druid_ds_1', 'druid_role')
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

        # user was granted druid_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request('druid', 'druid_ds_2', 'druid_role')
        druid_ds_2_perm = access_request4.datasource.perm

        # Response is discarded; only the resulting database state is checked.
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
        # druid_role was extended to grant access to druid_ds_2
        druid_role = sm.find_role('druid_role')
        perm_view = sm.find_permission_view_menu(
            'datasource_access', druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup: detach both roles from the user, then delete them
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('druid_role'))
        gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
        session.delete(sm.find_role('druid_role'))
        session.delete(sm.find_role(TEST_ROLE_NAME))
        session.commit()
예제 #29
파일: security.py 프로젝트: haotaolv/pilot
def set_role(role_name, pvms, pvm_check):
    """Set the permissions of ``role_name`` to the pvms that pass a check.

    Args:
        role_name: name handed to ``sm.add_role``.
        pvms: iterable of permission/view objects to choose from.
        pvm_check: predicate; a pvm is kept when it returns a truthy value.

    The role's ``permissions`` attribute is replaced wholesale, so anything
    previously on the role that ``pvm_check`` rejects (or that is absent
    from ``pvms``) is dropped. This function itself does not commit.
    """
    logging.info("Syncing {} perms".format(role_name))
    target_role = sm.add_role(role_name)
    target_role.permissions = list(filter(pvm_check, pvms))
예제 #30
def sync_role_definitions():
    """Inits the Superset application with security roles and such.

    Creates the roles Alpha, Admin, Gamma, Public, sql_lab and granter,
    registers the global permissions through ``merge_perm``, and then adds
    or removes every complete permission/view pair on each role. After that
    it registers ``datasource_access`` (and, when a datasource has a schema,
    ``schema_access``) and ``database_access`` permissions, commits, and
    calls ``models.init_metrics_perm()``.

    Security-relevant design point: Alpha and Gamma are computed from
    exclusion lists, so a pair listed in none of ``ADMIN_ONLY_VIEW_MENUES``,
    ``ADMIN_ONLY_PERMISSIONS``, ``ALPHA_ONLY_PERMISSIONS`` or
    ``GAMMA_READ_ONLY_MODELVIEWS`` is granted by default.
    """
    logging.info("Syncing role definition")

    def grant_or_revoke(role, pvm, allowed):
        # Every role ends up with an explicit add or delete for each pair.
        if allowed:
            sm.add_permission_role(role, pvm)
        else:
            sm.del_permission_role(role, pvm)

    def alpha_may_have(pvm):
        # Outside the admin-only lists, or explicitly read-only.
        return (
            (pvm.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
             and pvm.permission.name not in ADMIN_ONLY_PERMISSIONS)
            or (pvm.permission.name, pvm.view_menu.name) in READ_ONLY_PRODUCT)

    def gamma_may_have(pvm):
        # Outside every restricted list, or an allowed read-only pair.
        return (
            (pvm.view_menu.name not in ADMIN_ONLY_VIEW_MENUES
             and pvm.view_menu.name not in GAMMA_READ_ONLY_MODELVIEWS
             and pvm.permission.name not in ADMIN_ONLY_PERMISSIONS
             and pvm.permission.name not in ALPHA_ONLY_PERMISSIONS)
            or (pvm.permission.name, pvm.view_menu.name)
            in GAMMA_READ_ONLY_PRODUCT)

    # Built-in roles (same creation order as before).
    alpha = sm.add_role("Alpha")
    admin = sm.add_role("Admin")
    gamma = sm.add_role("Gamma")
    public = sm.add_role("Public")
    sql_lab = sm.add_role("sql_lab")
    granter = sm.add_role("granter")

    get_or_create_main_db()

    # Global permissions covering all datasources / all databases.
    merge_perm(sm, 'all_datasource_access', 'all_datasource_access')
    merge_perm(sm, 'all_database_access', 'all_database_access')

    # Keep only pairs that have both a permission and a view menu attached.
    pvms = [
        pvm for pvm in db.session.query(ab_models.PermissionView).all()
        if pvm.permission and pvm.view_menu
    ]

    logging.info("Syncing admin perms")
    for pvm in pvms:
        # Admin gets every pair except those is_user_defined_permission()
        # flags; per the original comment it relies on all_database_access
        # and all_datasource_access instead.
        grant_or_revoke(admin, pvm, not is_user_defined_permission(pvm))

    logging.info("Syncing alpha perms")
    for pvm in pvms:
        # User-defined pairs are always removed; the rest follow the lists.
        grant_or_revoke(
            alpha, pvm,
            not is_user_defined_permission(pvm) and alpha_may_have(pvm))

    logging.info("Syncing gamma perms and public if specified")
    public_like_gamma = conf.get('PUBLIC_ROLE_LIKE_GAMMA', False)
    for pvm in pvms:
        if gamma_may_have(pvm):
            sm.add_permission_role(gamma, pvm)
            # NOTE(review): with PUBLIC_ROLE_LIKE_GAMMA falsy nothing is
            # removed from Public on this path, so grants mirrored while the
            # flag was on appear to survive turning it off. Confirm whether
            # Public should be revoked here or is meant to be hand-managed.
            if public_like_gamma:
                sm.add_permission_role(public, pvm)
        else:
            sm.del_permission_role(gamma, pvm)
            sm.del_permission_role(public, pvm)

    logging.info("Syncing sql_lab perms")
    sql_lab_views = {'SQL Lab'}
    sql_lab_perms = {'can_sql_json', 'can_csv', 'can_search_queries'}
    for pvm in pvms:
        grant_or_revoke(
            sql_lab, pvm,
            pvm.view_menu.name in sql_lab_views
            or pvm.permission.name in sql_lab_perms)

    logging.info("Syncing granter perms")
    # NOTE(review): 'can_aprove' is spelled with a single 'p'. If the
    # registered permission for the approve view is 'can_approve', this set
    # never matches it and granter is left without it -- confirm against
    # the permission names actually registered.
    granter_perms = {'can_override_role_permissions', 'can_aprove'}
    for pvm in pvms:
        grant_or_revoke(granter, pvm, pvm.permission.name in granter_perms)

    logging.info("Making sure all data source perms have been created")
    session = db.session()
    datasources = list(session.query(models.SqlaTable).all())
    datasources.extend(session.query(models.DruidDatasource).all())
    for datasource in datasources:
        current_perm = datasource.get_perm()
        merge_perm(sm, 'datasource_access', current_perm)
        if datasource.schema:
            merge_perm(sm, 'schema_access', datasource.schema_perm)
        # Refresh the stored perm string when it no longer matches.
        if current_perm != datasource.perm:
            datasource.perm = current_perm

    logging.info("Making sure all database perms have been created")
    for database in list(session.query(models.Database).all()):
        current_perm = database.get_perm()
        if current_perm != database.perm:
            database.perm = current_perm
        merge_perm(sm, 'database_access', current_perm)
    session.commit()

    logging.info("Making sure all metrics perms exist")
    models.init_metrics_perm()
예제 #31
    def __init__(self, *args, **kwargs):
        """Seed roles, test accounts and Druid fixtures for the test case.

        Example data is loaded at most once per process: the
        'examples_loaded' environment variable records that it was done, and
        a set 'SOLO_TEST' variable skips the load. Role definitions are
        synced on every instantiation. A 'gamma_sqllab' role is then built
        from the permissions of 'Gamma' and 'sql_lab', the accounts admin,
        gamma, gamma_sqllab and alpha are created when missing, and a
        'druid_test' cluster with two datasources is created when missing.

        NOTE(review): the accounts are created with a fixed literal password
        (masked in this listing). That is fine for a throwaway test
        database; make sure this seeding can never run against a shared or
        production metadata database.
        """
        must_load_examples = (
            self.requires_examples and
            not os.environ.get('SOLO_TEST') and
            not os.environ.get('examples_loaded')
        )
        if must_load_examples:
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
        # Roles are synced whether or not examples were just loaded.
        sync_role_definitions()
        if must_load_examples:
            os.environ['examples_loaded'] = '1'
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        # gamma_sqllab = everything Gamma has plus everything sql_lab has.
        sqllab_role = sm.add_role("gamma_sqllab")
        for source_role in ('Gamma', 'sql_lab'):
            for perm in sm.find_role(source_role).permissions:
                sm.add_permission_role(sqllab_role, perm)

        # (username, first name, last name, role name); existing accounts
        # are left untouched, including their current roles and password.
        accounts = (
            ('admin', 'admin', ' user', 'Admin'),
            ('gamma', 'gamma', 'user', 'Gamma'),
            ('gamma_sqllab', 'gamma_sqllab', 'user', 'gamma_sqllab'),
            ('alpha', 'alpha', 'user', 'Alpha'),
        )
        for username, first_name, last_name, role_name in accounts:
            if appbuilder.sm.find_user(username):
                continue
            appbuilder.sm.add_user(
                username, first_name, last_name, '*****@*****.**',
                appbuilder.sm.find_role(role_name),
                password='******')

        # create druid cluster and druid datasources
        session = db.session
        cluster = session.query(models.DruidCluster).filter_by(
            cluster_name="druid_test").first()
        if not cluster:
            cluster = models.DruidCluster(cluster_name="druid_test")
            session.add(cluster)
            session.commit()

            for ds_name in ('druid_ds_1', 'druid_ds_2'):
                session.add(models.DruidDatasource(
                    datasource_name=ds_name,
                    cluster_name='druid_test'
                ))
            session.commit()
예제 #32
    def __init__(self, *args, **kwargs):
        """Seed roles, test accounts and Druid fixtures for the test case.

        Example data is loaded at most once per process ('examples_loaded'
        in the environment marks it done; a set 'SOLO_TEST' skips it), and
        role definitions are synced every time. The 'gamma_sqllab' role gets
        the permissions of 'Gamma', 'database_access' on the main database,
        and the permissions of 'sql_lab'. The accounts admin, gamma, gamma2,
        gamma_sqllab and alpha are created when missing, followed by a
        'druid_test' cluster with two datasources when missing.

        NOTE(review): the accounts are created with a fixed literal password
        (masked in this listing). That is fine for a throwaway test
        database; make sure this seeding can never run against a shared or
        production metadata database.
        """
        first_load = (
            self.requires_examples and
            not os.environ.get('SOLO_TEST') and
            not os.environ.get('examples_loaded')
        )
        if first_load:
            logging.info('Loading examples')
            cli.load_examples(load_test_data=True)
            logging.info('Done loading examples')
        # Roles are synced whether or not examples were just loaded.
        sync_role_definitions()
        if first_load:
            os.environ['examples_loaded'] = '1'
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        gamma_sqllab_role = sm.add_role('gamma_sqllab')
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)
        # Give the role access to the main database on top of Gamma.
        main_db_perm = self.get_main_database(sm.get_session).perm
        security.merge_perm(sm, 'database_access', main_db_perm)
        main_db_pvm = sm.find_permission_view_menu(
            view_menu_name=main_db_perm, permission_name='database_access')
        gamma_sqllab_role.permissions.append(main_db_pvm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)

        def ensure_user(username, first_name, last_name, resolve_role):
            # Existing accounts are left untouched; the role is only looked
            # up when the account actually has to be created.
            if appbuilder.sm.find_user(username):
                return
            appbuilder.sm.add_user(username,
                                   first_name,
                                   last_name,
                                   '*****@*****.**',
                                   resolve_role(),
                                   password='******')

        ensure_user('admin', 'admin', ' user',
                    lambda: appbuilder.sm.find_role('Admin'))
        ensure_user('gamma', 'gamma', 'user',
                    lambda: appbuilder.sm.find_role('Gamma'))
        ensure_user('gamma2', 'gamma2', 'user',
                    lambda: appbuilder.sm.find_role('Gamma'))
        ensure_user('gamma_sqllab', 'gamma_sqllab', 'user',
                    lambda: gamma_sqllab_role)
        ensure_user('alpha', 'alpha', 'user',
                    lambda: appbuilder.sm.find_role('Alpha'))
        sm.get_session.commit()

        # create druid cluster and druid datasources
        session = db.session
        cluster = (session.query(DruidCluster).filter_by(
            cluster_name='druid_test').first())
        if not cluster:
            cluster = DruidCluster(cluster_name='druid_test')
            session.add(cluster)
            session.commit()

            for ds_name in ('druid_ds_1', 'druid_ds_2'):
                session.add(DruidDatasource(
                    datasource_name=ds_name,
                    cluster_name='druid_test',
                ))
            session.commit()