Updating manager, leaving todos

Author: Maleware

superset-opa-integration/superset-custom-opa.yaml

@@ -8,34 +8,38 @@ metadata:
   }
 spec:
   image:
-    custom: docker.stackable.tech/stackable/superset:4.0.2-stackable0.0.0-dev-opaV6
+    custom: docker.stackable.tech/sandbox/superset:4.0.2-stackable0.0.0-dev-opaV7
     productVersion: 4.0.2
     pullPolicy: Never
   clusterConfig:
     credentialsSecret: simple-superset-credentials
     listenerClass: external-unstable
+    authorization:
+      opa:
+        configMapName: simple-opa
+        package: superset
   nodes:
     roleGroups:
       default:
         config:
           rowLimit: 10000
           webserverTimeout: 300
-    podOverrides:
-      spec:
-        containers:
-        - name: superset
-          env:
-          - name: STACKABLE_OPA_ENDPOINT
-            valueFrom:
-              configMapKeyRef:
-                key: OPA
-                name: simple-opa
-    envOverrides:         
-      AUTH_USER_REGISTRATION_ROLE: Gamma
+    # podOverrides:
+      # spec:
+        # containers:
+        # - name: superset
+          # env:
+          # - name: STACKABLE_OPA_ENDPOINT
+            # valueFrom:
+              # configMapKeyRef:
+                # key: OPA
+                # name: simple-opa
+                #envOverrides:         
+                #AUTH_USER_REGISTRATION_ROLE: Gamma
     configOverrides:
       superset_config.py:
-        EXPERIMENTAL_FILE_HEADER: |
-          from superset.security.manager import OpaSupersetSecurityManager
+        # EXPERIMENTAL_FILE_HEADER: |
+        #  from superset.security.manager import OpaSupersetSecurityManager
         # Maybe also ENABLE_TEMPLATE_PROCESSING
         FEATURE_FLAGS: |-
           {
@@ -69,9 +73,9 @@ spec:
             False
           }
         # TODO: Add these line with superset operator
-        CUSTOM_SECURITY_MANAGER: OpaSupersetSecurityManager
-        AUTH_USER_REGISTRATION_ROLE: os.getenv('AUTH_USER_REGISTRATION_ROLE', 'Public')
-        STACKABLE_OPA_ENDPOINT: os.getenv('STACKABLE_OPA_ENDPOINT')
-        STACKABLE_OPA_PACKAGE: |-
-          "superset"
-        STACKABLE_OPA_RULE: os.getenv('STACKABLE_OPA_RULE', 'user_roles')
+        # CUSTOM_SECURITY_MANAGER: OpaSupersetSecurityManager
+        # AUTH_USER_REGISTRATION_ROLE: os.getenv('AUTH_USER_REGISTRATION_ROLE', 'Public')
+        # STACKABLE_OPA_ENDPOINT: os.getenv('STACKABLE_OPA_ENDPOINT')
+        # STACKABLE_OPA_PACKAGE: |-
+          # "superset"
+        # STACKABLE_OPA_RULE: os.getenv('STACKABLE_OPA_RULE', 'user_roles')

superset/stackable/patches/4.0.2/001-opa-integration.patch

@@ -27,7 +27,8 @@ index 0000000000..56fe61c917
 +        logging.info(f'OPA returned roles: {opa_role_names}')
 +
 +        opa_roles = set(map(self.resolve_role, opa_role_names))
-+        # Ensure that in case of a bad or no reponse from OPA each user will have at least one role.
++        # Ensure that in case of a bad or no response from OPA each user will have at least one role.
++        # I'm not toooo happy with that. Everybody get's public, even administrators. We should change that.
 +        opa_roles.add(default_role)
 +        
 +        if set(user.roles) != opa_roles: