feat: add support for extra rlsf

[Ian2012]

Description

This PR allows importing extra row-level security filters, which in combination with #123 will allow users to have granular control over what users can see.

Use cases:

• Bootstrap a new dev environment with custom filters
• Call an external API, perform validations, and verify user permissions
• Use data from some external DB to control which data a user has access to.
• Among others

[openedx-webhooks]

Thanks for the pull request, @Ian2012! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

• supporting documentation
• Open edX discussion forum threads
• timeline information ("this must be merged by XX date", and why that is)
• partner information ("this is a course on edx.org")
• any other information that can help Product understand the context for the PR

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

[bmtcril]

This seems ok to me, but @pomegranited knows a lot more about it than I do

[pomegranited]

@Ian2012 This is working fine, and a good addition to the config.

But I have some questions about the documentation, and a suggestion for the implementation. What do you think?

[pomegranited]

I see we actually do have a new datasources for transcript_usage and video_plays now.. don't we need RLSFs for them too?

And so maybe the details for these filters should all live in the tutor config, so here we can iterate over SUPERSET_ROW_LEVEL_SECURITY_FILTERS + SUPERSET_EXTRA_ROW_LEVEL_SECURITY_FILTERS?

[Ian2012]

Thanks for the review, I agree in all points

[Ian2012]

@pomegranited it seems like tutor doesn't render nested fields, so this:

"SUPERSET_BASE_ROW_LEVEL_SECURITY_FILTERS", {
  "schema": "{{ ASPECTS_XAPI_DATABASE }}",
  "table_name": "{{ ASPECTS_XAPI_TABLE }}",
  "role_name": "{{ SUPERSET_OPENEDX_ROLE_NAME }}",
  "group_key": "{{ SUPERSET_ROW_LEVEL_SECURITY_XAPI_GROUP_KEY }}",
  "clause": "{{can_view_courses(current_username(),"
  "\"splitByChar(\"/\", course_id)[-1]\")}}",
  "filter_type": "Regular",
},

Is rendered as raw strings.

BASE_SECURITY_FILTERS = [
    (
        "{{ ASPECTS_XAPI_DATABASE }}",
        "{{ ASPECTS_XAPI_TABLE }}",
        "{{ SUPERSET_OPENEDX_ROLE_NAME }}",
        "{{ SUPERSET_ROW_LEVEL_SECURITY_XAPI_GROUP_KEY }}",
        '{{can_view_courses(current_username(),"splitByChar("/", course_id)[-1]")}}',
        "Regular",
    ),
]

This should be refactored, but I will go back to the old approach. And mark it for improvement.

[Ian2012]

@pomegranited @bmtcril I've used a patch to add base security filters that will support interpolation, so I guess the setting SUPERSET_EXTRA_ROW_LEVEL_SECURITY_FILTERS is not needed anymore, because one can use the tutor patch to accomplish the same result and use the same "api" to define rlsf

[pomegranited]

@Ian2012 I started reviewing this too but ran out of time.. I'd specifically like to test the SUPERSET_EXTRA_JINJA_FEATURES patch you've documented to make sure it actually works.

But here's some comments, thanks for this!

[pomegranited]

Don't we need to provide yaml here?

Suggested change

	.. code-block:: python
	def can_view_courses(username, field_name="course_id"):
	.. code-block:: python
	SUPERSET_EXTRA_JINJA_FILTERS:
	custom_can_view_courses: |
	def can_view_courses(username, field_name="course_id"):

And so I think the rest of this code block needs to be indented too?

[Ian2012]

I was not clear with this documentation, I corrected and added a missing step for register the jinja filter using SUPERSET_EXTRA_JINJA_FILTERS

[Ian2012]

@pomegranited This is ready for review, I will assign proper rlsf to the other datasets in another PR with some changes to the permissions

[bmtcril]

Just a couple of documentation nits. I tested this by creating a plugin with both patches, installing it, init-ing superset, and confirming that the sql was appended to the queries appropriately by both seeing the data change and by viewing the chart SQL.

[bmtcril]

nit: "to restrict access to that data based on things like course roles, or organization"

Since you can use these on any column.

[bmtcril]

We should be really clear that the schema / table need to exist in the assets.yaml, so they can't filter on upstream tables that don't end up getting imported to Superset. I just fought with this for 30 mins trying to figure out why it thought a table didn't exist. Maybe a note about when you see AssertionError: {schema.table} table doesn't exist yet? to make sure it's exported to Superset.

[bmtcril]

Just a heads up on this: #153 I think it's probably a more general issue of "how do we deal with deleted assets" but I wanted to track it.

[Ian2012]

@bmtcril ready, I cannot merge it

[openedx-webhooks]

@Ian2012 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future.