chore: Remove deprecated ENABLE_ACCESS_REQUEST workflow (#24266)

RESOURCES/STANDARD_ROLES.md

@@ -191,12 +191,6 @@
 |can show on AlertLogModelView|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
 |can list on AlertObservationModelView|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
 |can show on AlertObservationModelView|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-|can edit on AccessRequestsModelView|:heavy_check_mark:|O|O|O|
-|can list on AccessRequestsModelView|:heavy_check_mark:|O|O|O|
-|can show on AccessRequestsModelView|:heavy_check_mark:|O|O|O|
-|can add on AccessRequestsModelView|:heavy_check_mark:|O|O|O|
-|can delete on AccessRequestsModelView|:heavy_check_mark:|O|O|O|
-|muldelete on AccessRequestsModelView|:heavy_check_mark:|O|O|O|
 |menu access on Row Level Security|:heavy_check_mark:|O|O|O|
 |menu access on Access requests|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
 |menu access on Home|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|

UPDATING.md

@@ -33,6 +33,7 @@ assists people when migrating to a new version.
 
 ### Breaking Changes
 
+- [24266](https://github.com/apache/superset/pull/24266) Remove the `ENABLE_ACCESS_REQUEST` config parameter and the associated request/approval workflows.
 - [24330](https://github.com/apache/superset/pull/24330) Removes `getUiOverrideRegistry` from `ExtensionsRegistry`.
 - [23933](https://github.com/apache/superset/pull/23933) Removes the deprecated Multiple Line Charts.
 - [23741](https://github.com/apache/superset/pull/23741) Migrates the TreeMap chart and removes the legacy Treemap code.

superset-frontend/src/dashboard/components/PropertiesModal/PropertiesModal.test.tsx

@@ -58,11 +58,6 @@ fetchMock.get(
           value: 4,
           extra: {},
         },
-        {
-          text: 'granter',
-          value: 5,
-          extra: {},
-        },
         {
           text: 'Public',
           value: 2,
@@ -393,7 +388,7 @@ test('should show all roles', async () => {
 
   const options = await findAllSelectOptions();
 
-  expect(options).toHaveLength(6);
+  expect(options).toHaveLength(5);
   expect(options[0]).toHaveTextContent('Admin');
 });
 

superset-frontend/src/pages/RowLevelSecurityList/RowLevelSecurityList.test.tsx

@@ -50,7 +50,7 @@ const mockRules = [
       },
       {
         id: 5,
-        name: 'granter',
+        name: 'Gamma',
       },
     ],
     tables: [
@@ -79,7 +79,7 @@ const mockRules = [
       },
       {
         id: 5,
-        name: 'granter',
+        name: 'Gamma',
       },
     ],
     tables: [

superset/config.py

@@ -1071,10 +1071,6 @@ def CSV_TO_HIVE_UPLOAD_DIRECTORY_FUNC(  # pylint: disable=invalid-name
 # example: FLASK_APP_MUTATOR = lambda x: x.before_request = f
 FLASK_APP_MUTATOR = None
 
-# Set this to false if you don't want users to be able to request/grant
-# datasource access requests from/to other users.
-ENABLE_ACCESS_REQUEST = False
-
 # smtp server configuration
 EMAIL_NOTIFICATIONS = False  # all the emails are sent using dryrun
 SMTP_HOST = "localhost"

superset/explore/commands/get.py

@@ -19,19 +19,19 @@
 from typing import Any, cast, Optional
 
 import simplejson as json
-from flask import current_app, request
-from flask_babel import gettext as __, lazy_gettext as _
+from flask import request
+from flask_babel import lazy_gettext as _
 from sqlalchemy.exc import SQLAlchemyError
 
-from superset import db, security_manager
+from superset import db
 from superset.commands.base import BaseCommand
 from superset.connectors.base.models import BaseDatasource
 from superset.connectors.sqla.models import SqlaTable
 from superset.dao.exceptions import DatasourceNotFound
 from superset.datasource.dao import DatasourceDAO
 from superset.exceptions import SupersetException
 from superset.explore.commands.parameters import CommandParameters
-from superset.explore.exceptions import DatasetAccessDeniedError, WrongEndpointError
+from superset.explore.exceptions import WrongEndpointError
 from superset.explore.form_data.commands.get import GetFormDataCommand
 from superset.explore.form_data.commands.parameters import (
     CommandParameters as FormDataCommandParameters,
@@ -119,20 +119,6 @@ def run(self) -> Optional[dict[str, Any]]:
             except DatasourceNotFound:
                 pass
         datasource_name = datasource.name if datasource else _("[Missing Dataset]")
-
-        if datasource:
-            if current_app.config["ENABLE_ACCESS_REQUEST"] and (
-                not security_manager.can_access_datasource(datasource)
-            ):
-                message = __(
-                    security_manager.get_datasource_access_error_msg(datasource)
-                )
-                raise DatasetAccessDeniedError(
-                    message=message,
-                    datasource_type=self._datasource_type,
-                    datasource_id=self._datasource_id,
-                )
-
         viz_type = form_data.get("viz_type")
         if not viz_type and datasource and datasource.default_endpoint:
             raise WrongEndpointError(redirect=datasource.default_endpoint)

superset/initialization/__init__.py

@@ -154,7 +154,6 @@ def init_views(self) -> None:
         from superset.security.api import SecurityRestApi
         from superset.sqllab.api import SqlLabRestApi
         from superset.tags.api import TagRestApi
-        from superset.views.access_requests import AccessRequestsModelView
         from superset.views.alerts import AlertView, ReportView
         from superset.views.all_entities import TaggedObjectsModelView, TaggedObjectView
         from superset.views.annotations import AnnotationLayerView
@@ -419,16 +418,6 @@ def init_views(self) -> None:
             category_label=__("Manage"),
         )
 
-        appbuilder.add_view(
-            AccessRequestsModelView,
-            "Access requests",
-            label=__("Access requests"),
-            category="Security",
-            category_label=__("Security"),
-            icon="fa-table",
-            menu_cond=lambda: bool(self.config["ENABLE_ACCESS_REQUEST"]),
-        )
-
         appbuilder.add_view(
             RowLevelSecurityView,
             "Row Level Security",

superset/migrations/versions/2023-06-01_13-13_83e1abbe777f_drop_access_request.py

@@ -0,0 +1,50 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""drop access_request
+
+Revision ID: 83e1abbe777f
+Revises: ae58e1e58e5c
+Create Date: 2023-06-01 13:13:18.147362
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = "83e1abbe777f"
+down_revision = "ae58e1e58e5c"
+
+import sqlalchemy as sa
+from alembic import op
+
+
+def upgrade():
+    op.drop_table("access_request")
+
+
+def downgrade():
+    op.create_table(
+        "access_request",
+        sa.Column("created_on", sa.DateTime(), nullable=True),
+        sa.Column("changed_on", sa.DateTime(), nullable=True),
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("datasource_type", sa.String(length=200), nullable=True),
+        sa.Column("datasource_id", sa.Integer(), nullable=True),
+        sa.Column("changed_by_fk", sa.Integer(), nullable=True),
+        sa.Column("created_by_fk", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(["changed_by_fk"], ["ab_user.id"]),
+        sa.ForeignKeyConstraint(["created_by_fk"], ["ab_user.id"]),
+        sa.PrimaryKeyConstraint("id"),
+    )

superset/models/__init__.py

@@ -14,4 +14,4 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-from . import core, datasource_access_request, dynamic_plugins, sql_lab, user_attributes
+from . import core, dynamic_plugins, sql_lab, user_attributes

superset/security/manager.py

@@ -164,7 +164,6 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
 
     ADMIN_ONLY_VIEW_MENUS = {
         "Access Requests",
-        "AccessRequestsModelView",
         "Action Log",
         "Log",
         "List Users",
@@ -195,8 +194,6 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
     }
 
     ADMIN_ONLY_PERMISSIONS = {
-        "can_override_role_permissions",
-        "can_approve",
         "can_update_role",
         "all_query_access",
         "can_grant_guest_token",
@@ -767,7 +764,6 @@ def sync_role_definitions(self) -> None:
         self.set_role("Admin", self._is_admin_pvm)
         self.set_role("Alpha", self._is_alpha_pvm)
         self.set_role("Gamma", self._is_gamma_pvm)
-        self.set_role("granter", self._is_granter_pvm)
         self.set_role("sql_lab", self._is_sql_lab_pvm)
 
         # Configure public role
@@ -981,19 +977,6 @@ def _is_sql_lab_pvm(self, pvm: PermissionView) -> bool:
             in self.SQLLAB_EXTRA_PERMISSION_VIEWS
         )
 
-    def _is_granter_pvm(  # pylint: disable=no-self-use
-        self, pvm: PermissionView
-    ) -> bool:
-        """
-        Return True if the user can grant the FAB permission/view, False
-        otherwise.
-
-        :param pvm: The FAB permission/view
-        :returns: Whether the user can grant the FAB permission/view
-        """
-
-        return pvm.permission.name in {"can_override_role_permissions", "can_approve"}
-
     def database_after_insert(
         self,
         mapper: Mapper,