Hide SQL query while using RLS

[casmoir]

Hi all,

I'm using RLS to maintain data access within one table: there are multiple rows in the same table that should be filtered by username for each user (so each user can see only his/her own subset of rows from table)
If I go to Developer tools -> Network -> Preview ->result -> query I can see the query. This makes vulnerability because user can copy query and run it in postman without filters and get access to the all data.

Is there any solutions of this problem?

Thanks!

[dosubot[bot]]

I found a similar discussion regarding SQL query visibility and Row Level Security (RLS) in Apache Superset. In the thread Does SQLLab / Query Editor support Row Level Security?, it was noted that RLS does not affect SQL Lab currently, and RLS is typically used for users who are primarily dashboard viewers or dataset explorers, rather than SQL Lab analysts or virtual table authors ^[1].

Regarding your concern about users being able to see and potentially misuse SQL queries, Apache Superset's frontend displays SQL queries using the ResultSet component. You can control the visibility of SQL queries by adjusting the showSql property in the ResultSet component. Setting showSql to false will prevent the SQL query from being displayed in the UI ^[2].

Additionally, consider using the SQL_QUERY_MUTATOR configuration parameter to define a function that can mutate SQL queries before execution, which might help in customizing or restricting SQL query behavior further ^[3]. However, these solutions primarily affect the UI and may not fully prevent users from accessing queries through developer tools or network requests.

To continue talking to Dosu, mention @dosu.