superset icon indicating copy to clipboard operation
superset copied to clipboard
verified publisher icon apache

fix(sqllab): sqllab/execute returns 500 when user only has schema access

Open toniphan21 opened this issue 1 year ago • 4 comments

SUMMARY

When a user has no admin access and is trying to run a query in SQL Lab, Superset needs to check:

  • Database access
  • Schema access
  • Data source access

To be able to check schema access, Superset needs to know which table the user is trying to execute on and use extract_tables_from_jinja_sql() to get it. The function extract tables in both ways:

  • Extract any tables referenced within the confines of specific Jinja macros.
  • Parse SQL and get tables.

In the line I changed, there is simply a bug that uses template which has type Template. The correct one should be sql, which is a string sent by the user.

TESTING INSTRUCTIONS

Reproduce steps:

  1. Create a new user
  2. Create a role with permission: "schema access on [examples].[main]"
  3. Assign the user to the role and "sql_lab" role
  4. Log in with the new user and go to SQL Lab.
  5. Write a simple query and execute it. You will see that the /api/v1/sqllab/execute/ endpoint returns 500

Impact

  • Fixes: https://github.com/apache/superset/issues/28145

toniphan21 avatar May 06 '24 15:05 toniphan21

If this does indeed resolve https://github.com/apache/superset/issues/28145 then please feel free to add "Fixes: #28145" do your description block and it'll auto-close that issue when merged.

Meanwhile, running CI 🤞

rusackas avatar May 14 '24 22:05 rusackas

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 77.56%. Comparing base (76d897e) to head (e85728a). Report is 823 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff             @@
##           master   #28357       +/-   ##
===========================================
+ Coverage   60.48%   77.56%   +17.07%     
===========================================
  Files        1931      521     -1410     
  Lines       76236    37570    -38666     
  Branches     8568        0     -8568     
===========================================
- Hits        46114    29140    -16974     
+ Misses      28017     8430    -19587     
+ Partials     2105        0     -2105
Flag Coverage Δ
hive 49.03% <ø> (-0.13%) :arrow_down:
javascript ?
mysql 77.03% <ø> (?)
postgres 77.12% <ø> (?)
presto 53.64% <ø> (-0.16%) :arrow_down:
python 77.56% <ø> (+14.07%) :arrow_up:
sqlite 76.59% <ø> (?)
unit ?

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar May 14 '24 22:05 codecov[bot]

Relevant to this issue as well: https://github.com/apache/superset/issues/28218

tseruga avatar May 21 '24 16:05 tseruga

Looks like there are some failing unit tests. Do you have time to take a look, @toniphan21 ?

rusackas avatar Jul 03 '24 16:07 rusackas