feat: introduce Subject model and entity editors/viewers#38831
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #38831 +/- ##
==========================================
+ Coverage 64.10% 64.70% +0.59%
==========================================
Files 2702 2717 +15
Lines 150219 151718 +1499
Branches 34591 34751 +160
==========================================
+ Hits 96303 98170 +1867
+ Misses 52130 51722 -408
- Partials 1786 1826 +40
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
✅ Deploy Preview for superset-docs-preview ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
9f26ac3 to
5ddcf81
Compare
5ddcf81 to
bd3f3e1
Compare
EnxDev
left a comment
There was a problem hiding this comment.
A few non-blocking follow-ups that might be worth considering:
superset/subjects/utils.py:101— The embedded guest branch inget_current_user_subject_idsdoesn't seem to be covered by tests. It might be worth adding one to avoid regressions.- Migration UUID backfill — The backfill performs one
UPDATEper subject. Would batching these updates improve performance on larger installations? UPDATING.md— Since viewers are now always seeded fromdashboard_roles, it may be worth documenting the upgrade impact for installations with staledashboard_rolesdata.superset/dashboards/schemas.py:590— Old dashboard bundles silently droproleson import. Would it make sense to map them to viewers or at least emit a warning?
Nits
- Remove
_apply_legacyif it's no longer used. - The
ENABLE_VIEWERSbranches inreports/filters.pyappear identical—could they be simplified? _get_user_subject_idswallows all exceptions. Would logging a warning help with debugging?ReportModal.userIdappears unused and could potentially be removed.
Thanks for the new review pass! I addressed the other bits, but I'd like to push back on 4: imports/exports are not expected to be compatible across major versions, and when this feature ships in 7.0, exports will not contain dashboard roles, making the role-to-viewer compatibility mapping a no-op. |
|
Bito Automatic Review Skipped – PR Already Merged |

SUMMARY
This PR introduces a new Subject model, which can represent a User, Group, or Role, and replaces owner-based access management with subject-based editors. Dashboards, charts, datasets, and alerts/reports now use
editorsinstead ofowners.In addition, a new feature flag
ENABLE_VIEWERSintroduces subject-based viewers for dashboards and charts. Viewers replace the previousDASHBOARD_RBACmodel. For backwards compatibility, dashboards and charts with no assigned viewers keep the existing implicit dataset-permission visibility model. This means existing resources do not need viewer backfills immediately: users who can access the underlying datasets can continue to see published dashboards that use those datasets and charts backed by those datasets. Explicit Viewers are the intended access model going forward, and the implicit fallback can be considered for deprecation and removal in a later major version. A new config flag,VIEWER_PROMISCUOUS_MODE, controls whether assigned viewers can bypass regular datasource RBAC when rendering data, matching the behavior previously provided byDASHBOARD_RBAC.RLS rules now use Subjects instead of Roles, and the RLS list view can be filtered by Subject. Subject picker normalization is centralized so resource APIs can keep returning API-shaped Subjects while form controls consistently work with picker-shaped values and submit numeric subject IDs.
This is a breaking change. The legacy
owners, dashboardroles, RLSroles, andDASHBOARD_RBACAPI/config semantics are removed in favor ofeditors,viewers, andsubjects.Motivation
The previous access model tied ownership and edit permissions directly to individual users via
owners.DASHBOARD_RBACwas a step in the right direction because it recognized that dashboard visibility needs to be assignable to more than individual users, but it was implemented before Groups were available in Superset. As a result, it used Roles as the assignment target and lived as a separate, dashboard-only access system.The better abstraction is to model resource assignments as Subjects. For new assignments, the intended default is Users and Groups: Users cover direct exceptions, and Groups cover organizational membership. Roles should stay focused on capability grants (for example, which API actions or permissions a principal has), not resource membership. This keeps permission bundles separate from data-access assignments.
For backwards compatibility, Roles are still supported as a Subject type. This preserves migration paths for existing RLS role assignments and
DASHBOARD_RBACdeployments: persisted Role subject assignments continue to work even though Roles are no longer shown by default as selectable values when updating subject lists. Operators can expose Roles in subject pickers globally or per entity when needed. We may reconsider fully removing Role subjects in a later major version, but removing that compatibility layer is outside the scope of this PR.This PR unifies the legacy concepts into a single subject model where editors can modify resources and viewers can access dashboards/charts. Subjects can be users, groups, or compatibility role subjects.
Data Model
A new
subjectstable stores unified references to FAB users, roles, and groups:uuidlabelAlice Smith,Alpha, orData Engineeringsecondary_labelactiveextra_searchtype1=User,2=Role,3=Groupuser_id/role_id/group_idJunction tables link subjects to resources:
dashboard_editorsdashboard_viewerschart_editorschart_viewerssqlatable_editorsreport_schedule_editorsrls_filter_subjectsAn explicit
subjectstable is used to keep related-object queries fast and avoid repeatedly querying across user, role, and group tables.Legacy Table Removal
The migration drops the following legacy junction tables after seeding the new subject-based tables:
dashboard_userdashboard_editorsas user-type subjectsslice_userchart_editorsas user-type subjectssqlatable_usersqlatable_editorsas user-type subjectsreport_schedule_userreport_schedule_editorsas user-type subjectsdashboard_rolesdashboard_viewersas role-type subjectsrls_filter_rolesrls_filter_subjectsas role-type subjectsThe migration also renames owner tags from
owner:*/ownertoeditor:*/editor.On downgrade, the legacy tables are recreated and repopulated from user-type editors and role-type viewers/subjects.
Breaking API and Behavior Changes
editorsinstead ofowners.viewerswhenENABLE_VIEWERSis enabled. Dashboards/charts with no viewers continue to use the implicit dataset-access visibility model for backwards compatibility.subjectsinstead ofroles.DASHBOARD_RBACis replaced: Viewer-based dashboard/chart access is controlled byENABLE_VIEWERSandVIEWER_PROMISCUOUS_MODE.EXTRA_OWNERS_RESOLVERis replaced: Custom dynamic ownership hooks should migrate toEXTRA_EDITORS_RESOLVER, returning editor Subjects, subject IDs, or dicts with anidkey. API responses expose these dynamic assignments asextra_editorsinstead ofextra_owners.CREATOR_OWNER,MODIFIER_OWNER, andOWNERare replaced byCREATOR_EDITOR,MODIFIER_EDITOR, andEDITOR.Feature Flags
ENABLE_VIEWERSNew config flags
VIEWER_PROMISCUOUS_MODEENABLE_VIEWERS, viewers can access dashboards/charts without explicit datasource permissions, mirroring the previousDASHBOARD_RBACbehaviorSUBJECTS_RELATED_TYPESSUBJECTS_RELATED_TYPES_DASHBOARDSSUBJECTS_RELATED_TYPES_CHARTSSUBJECTS_RELATED_TYPES_RLSSUBJECTS_RELATED_TYPES_ALERT_REPORTSEXTRA_RELATED_QUERY_FILTERSgroupsupport alongside existing user/role filtering hooksEXTRA_EDITORS_RESOLVEREXTRA_OWNERS_RESOLVERfor dynamic editor subject assignments and editorship checksSubject pickers default to Users + Groups so roles can remain focused on capability grants, while resource-specific assignments use identity and organizational membership. Roles are still supported for backwards compatibility with existing RLS and
DASHBOARD_RBACusage. Existing Role subject assignments remain effective, but Roles are hidden from dropdown values unless they are re-enabled globally or per entity. Removing Role subjects entirely can be considered in a later major version.Viewer adoption is also intentionally incremental. Enabling
ENABLE_VIEWERSdoes not require backfilling viewers onto every existing dashboard or chart: resources with an empty viewer list keep the existing implicit dataset-access visibility behavior. Assigning at least one viewer subject opts that resource into explicit viewer access for non-editors. UnlessVIEWER_PROMISCUOUS_MODEis enabled, assigned viewers still need normal datasource permissions to render the underlying data. The long-term direction is to use explicit Viewers for resource visibility; deprecating and removing the implicit fallback can be considered in a later major version.Documentation
ExecutorType.EDITOR.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
With this change, the dashboard, chart, and dataset list views have Editors instead of Owners. The new
SubjectPilecomponent displays user, role, and group subjects with distinct avatar shapes (round for Users, rounded square for Groups, octagon for Roles):When the feature flag
ENABLE_VIEWERSis enabled, a Viewers column appears on Dashboard and Chart list views:The Editors and Viewers sections appear on the Access tab in dashboard/chart properties:
The Subject dropdown supports Users and Groups by default, and can also expose Roles when configured for backwards-compatible workflows:
When a user has viewer access to a dashboard, directly or through a Role/Group, but
VIEWER_PROMISCUOUS_MODEis not enabled and they do not have datasource access, they will still see the datasource access error:When
VIEWER_PROMISCUOUS_MODE = True, the same viewer can render all charts on the dashboard, even without separate datasource permissions:Row Level Security now uses Subjects, so filters can be assigned to Users, Roles, or Groups (notice that even if by default we don't expose Roles in Subject selectors, the Roles that were assigned to a RLS filter before this feature still appear in the dropdown):
Alerts & Reports also use subject-based Editors:
TESTING INSTRUCTIONS
superset db upgradeSELECT type, COUNT(*) FROM subjects GROUP BY typeENABLE_VIEWERSis enabledENABLE_VIEWERS-> viewer-only users can see published dashboards/charts but cannot edit themVIEWER_PROMISCUOUS_MODE = False, verify viewer access still requires datasource permissionsVIEWER_PROMISCUOUS_MODE = True, verify viewer access can render dashboards/charts without separate datasource permissionsENABLE_VIEWERS = True, verify dashboards/charts with no viewers still fall back to dataset-based visibilitysubjectssubjectsrelationEDITOR,CREATOR_EDITOR, andMODIFIER_EDITOREXTRA_EDITORS_RESOLVERextra_editorsSUBJECTS_RELATED_TYPES = [SubjectType.USER]andSUBJECTS_RELATED_TYPES_RLS = [SubjectType.USER, SubjectType.GROUP, SubjectType.ROLE]SUBJECTS_RELATED_TYPES = [SubjectType.USER, SubjectType.ROLE, SubjectType.GROUP]-> all subject types appear everywheresuperset db downgradeand verify legacy tables are recreated from editor/viewer/subject dataADDITIONAL INFORMATION
ENABLE_VIEWERSfor viewer UI/access behavior