do not default to the Public role

razvan · razvan · commit 81b783ae5a5e · 2025-02-19T16:13:36.000+01:00
diff --git a/superset/stackable/opa-authorizer/opa_authorizer/opa_manager.py b/superset/stackable/opa-authorizer/opa_authorizer/opa_manager.py
@@ -26,7 +26,6 @@ class OpaSupersetSecurityManager(SupersetSecurityManager):
     AUTH_OPA_REQUEST_TIMEOUT_DEFAULT = 10
     AUTH_OPA_PACKAGE_DEFAULT = "superset"
     AUTH_OPA_RULE_DEFAULT = "user_roles"
-    AUTH_USER_REGISTRATION_ROLE_DEFAULT = "Public"
 
     def __init__(self, appbuilder):
         super().__init__(appbuilder)
@@ -54,10 +53,6 @@ def __init__(self, appbuilder):
         self.auth_opa_request_timeout: int = current_app.config.get(
             "AUTH_OPA_REQUEST_TIMEOUT", self.AUTH_OPA_REQUEST_TIMEOUT_DEFAULT
         )
-        # Cannot name this "auth_auth_user_registration_role" because it clashes with some super() property constraints
-        self.user_registration_role: str = config.get(
-            "AUTH_USER_REGISTRATION_ROLE", self.AUTH_USER_REGISTRATION_ROLE_DEFAULT
-        )
         self.opa_session = requests.Session()
 
     @override
@@ -77,17 +72,7 @@ def get_user_roles(self, user: Optional[User] = None) -> list[Role]:
             log.error(
                 f"No OPA roles for user [{user.username}], defaulting to role AUTH_USER_REGISTRATION_ROLE"
             )
-            default_role = self.resolve_role(self.user_registration_role)
-            if not default_role:
-                log.error(
-                    f"Failed to resolve default role name {self.user_registration_role} for user [{user.username}]. User will have no roles."
-                )
-                return []
-            else:
-                log.info(
-                    f"User [{user.username}] will only have default role [{self.user_registration_role}]"
-                )
-                return [default_role]
+            return []
 
         user_role_set = set(user.roles)
         log.debug(f"Superset roles for user [{user.username}]: {user_role_set}")
diff --git a/superset/stackable/opa-authorizer/tests/opa_manager_test.py b/superset/stackable/opa-authorizer/tests/opa_manager_test.py
@@ -145,9 +145,7 @@ def test_no_roles(
             wraps=mock_resolve_role,
         )
 
-        assert set(
-            map(lambda r: r.name, opa_security_manager.get_user_roles(user))
-        ) == {"Public"}
+        assert opa_security_manager.get_user_roles(user) == []
 
 
 def test_get_opa_roles(

Original file line number	Diff line number	Diff line change
`@@ -145,9 +145,7 @@ def test_no_roles(`
`145`	`145`	`wraps=mock_resolve_role,`
`146`	`146`	`)`
`147`	`147`
`148`		`- assert set(`
`149`		`- map(lambda r: r.name, opa_security_manager.get_user_roles(user))`
`150`		`- ) == {"Public"}`
	`148`	`+ assert opa_security_manager.get_user_roles(user) == []`
`151`	`149`
`152`	`150`
`153`	`151`	`def test_get_opa_roles(`