feat(mcp): add list and get tools for row level security and plugins #13
Open
hbrooks wants to merge 9 commits into
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…er roles to be returned
RLS filter `roles` (which roles a filter applies to) are core RLS data, not user-directory metadata. Including 'roles' in USER_DIRECTORY_FIELDS caused filter_user_directory_columns() to strip it from any requested select_columns list, making it impossible to retrieve via list_rls_filters. No dashboard/chart/dataset schema defines a 'roles' field, so removing it from the block set has no privacy impact on other tools.
Fixes test_list_rls_filters_returns_tables_and_roles.

…in RLS list tool
'roles' on a dashboard/chart exposes who has access to the resource and should be stripped by the USER_DIRECTORY_FIELDS privacy filter. 'roles' in an RLS filter is which roles the filter applies to — it is core filter data, not user-directory metadata.
The RLS list tool now derives its column selection directly from ALL_RLS_COLUMNS (bypassing ModelListCore's USER_DIRECTORY_FIELDS filtering) so that RLS roles are selectable while dashboard roles remain hidden.
Fixes three failing unit tests:
- test_list_dashboards_omits_requested_user_directory_fields
- test_get_allowed_fields_always_denies_user_directory_fields
- test_filter_sensitive_data_strips_user_directory_fields_even_if_allowed
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Fix _serialize cols parameter type from list[str] | None to list[str] in both list_plugins.py and list_rls_filters.py to match ModelListCore Callable[[T, List[str]], S | None] callback signature
- Update filter_user_directory_fields docstring to mention roles
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…IRECTORY_FIELDS in list_rls_filters
When the caller passes select_columns that consists entirely of USER_DIRECTORY_FIELDS columns (e.g. ["roles"]), ModelListCore raises ValueError because its privacy filter strips all columns, leaving an empty list.
Strip USER_DIRECTORY_FIELDS from select_columns before passing to run_tool (falling back to None/defaults when the filtered list is empty). The existing bypass mechanism already restores these fields in the final serialized output using ALL_RLS_COLUMNS.
Adds a regression test for the ["roles"]-only select_columns edge case.

…plugin for consistency
Align with the naming convention used by all other list tools (list_charts, list_dashboards, list_databases, list_datasets), which use _serialize_<resource> for the item serializer closure.
Addresses bito additional suggestion: serializer naming inconsistency.

…umnFilter to RlsFilter
- Add `description` field to `RlsFilterInfo`, `ALL_RLS_COLUMNS`, and `serialize_rls_filter_object` (maps to `RowLevelSecurityFilter.description`)
- Add `created_on` field alongside existing `changed_on` for consistency with all sibling schemas in the MCP service suite
- Rename `RlsColumnFilter` → `RlsFilter` to follow the `<Resource>Filter` naming convention used by every other filter class in the suite
- Update test mock and test class name accordingly
Mirror of apache/superset#40347 by @aminghadersohi
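
The column-selection behaviour the commit messages above describe, as an added example that is not code from this pull request or from Superset: a shared privacy deny-list that still hides `roles` on dashboards, an RLS-only allow-list that keeps `roles` selectable, and the `["roles"]`-only request that would otherwise empty the list. The function names, the deny-list members other than `roles`, and all column lists are assumptions made for illustration.

```python
# Added illustration; a simplified model, not Superset's code.
# Set members other than "roles" and all column lists are constructed.
USER_DIRECTORY_FIELDS = frozenset({"owners", "created_by", "changed_by", "roles"})
ALL_RLS_COLUMNS = ["id", "name", "filter_type", "clause", "tables", "roles"]
DEFAULT_RLS_COLUMNS = ["id", "name", "filter_type"]
DEFAULT_DASHBOARD_COLUMNS = ["id", "dashboard_title"]


def shared_list_core(select_columns, default_columns):
    """Stand-in for the shared list core: the privacy filter always runs."""
    requested = default_columns if select_columns is None else select_columns
    kept = [c for c in requested if c not in USER_DIRECTORY_FIELDS]
    if not kept:
        # The failure mode from the commit message: everything was stripped.
        raise ValueError("no columns left after privacy filtering")
    return kept


def dashboard_columns(select_columns=None):
    """Dashboards go straight through the core, so 'roles' stays hidden."""
    return shared_list_core(select_columns, DEFAULT_DASHBOARD_COLUMNS)


def rls_columns(select_columns=None):
    """RLS list tool: 'roles' is filter data here, so it stays selectable."""
    # The exemption is an allow-list: only names in ALL_RLS_COLUMNS survive,
    # so "owners" is still unavailable through this tool.
    wanted = [c for c in (select_columns or []) if c in ALL_RLS_COLUMNS]
    # Strip deny-listed names before the core sees them; None means defaults.
    safe = [c for c in wanted if c not in USER_DIRECTORY_FIELDS] or None
    core_cols = shared_list_core(safe, DEFAULT_RLS_COLUMNS)
    # Final selection comes from the RLS allow-list, restoring 'roles'.
    return wanted or core_cols


def serialize_rls(row, columns):
    """Project a row dict onto the selected columns."""
    return {c: row[c] for c in columns if c in row}


if __name__ == "__main__":
    # Constructed sample row.
    row = {"id": 7, "name": "emea_only", "filter_type": "Regular",
           "clause": "region = 'EMEA'", "tables": ["sales"], "roles": ["Gamma"]}
    print(serialize_rls(row, rls_columns(["roles"])))
    print(dashboard_columns(["id", "roles"]))
```
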