[SIP-137] Can we limit a user to only read certain tables in the database connection? about superset HOT 10 OPEN

Delegating permissions to users who can read specific tables in the database is quite important. I've worked at 3 companies that use superset for data mining, and all have raised the same issue.
I believe this improvement will make Superset a much more powerful data mining tool.

from superset.

I think my point still applies then - if you are letting people query production databases, they should be trusted with that data (to the extent of what that particular db user allows them to access). If this doesn't fit, I think you are stuck using data sources as your control layer in some way, and SQLlab access is off-limits.

from superset.

This is something that should be managed at the db level (using different users), which I know you said was something you didn't want to do. Otherwise data source permissions is the only thing that remotely fits.

Overall I think if you are going to give people permission to use sqllab, they need to be trusted with whatever data that user can access in the database. There's really no difference between sqllab and any other SQL IDE/workbench.

from superset.

I think it's safe to say we need more detail in the proposal... we need to better understand the exact implementation here... how it's manifested in the UI, the default access, how it interacts with datasource permissions, etc. If this happens to be something you already have working on a fork, a Draft PR might help move the conversation forward as well.

from superset.

It might be worth filling out the other parts of the SIP template that are missing here. Otherwise, let me know if you need any help kicking off the [DISCUSS] thread on the Superset dev mailing list to move it forward.

from superset.

@rusackas as I read in 5602, I'm missing descriptions of New or Changed Public Interfaces, New dependencies, Migration Plan and Compatibility and Rejected Alternatives. However, I find these descriptions unnecessary. Could you tell me what information we should add to make it clearer?

from superset.

CC @dpgaspar @yousoph for comments/consideration.

from superset.

Hi there!

If you take a look at the List Roles page, you should be able to set up data permissions for schemas and datasources:

There's some additional information here and here as well - does that address what you're looking to achieve?

from superset.

@yousoph I'm aware of that feature, but it is not useful for determining which tables a user can access when querying in SQL Lab

from superset.

@andy-clapson This is not quite right. For querying on the IDE, we use personal accounts to query the database.

But on Superset, we query the database and create datasets to draw dashboards. Therefore, we cannot use personal-account for each dashboard when querying the database. We need to use a service account to represent Superset in querying the database.

And I also believe that the dashboards on Superset are a production environment. We are not allowed to use personal-account for the dashboards, and we cannot rely on the assumption that people never make mistakes. We need to avoid situations of human error.

from superset.