
The DASHBOARD_RBAC feature flag doesn't seem to work as intended, even with the example dataset #31938

Open
3 tasks done
Mayeu opened this issue Jan 21, 2025 · 8 comments · May be fixed by #32289
Assignees
Labels
authentication:access-control Related to access control

Comments

@Mayeu

Mayeu commented Jan 21, 2025

Bug description

Hello 👋,

Activating the DASHBOARD_RBAC feature flag doesn't work as intended: we can't share access to our dashboard that way on our production instance, and it doesn't work locally either with the example dataset.

  1. Check out master (currently 63843c568255d5f1302815ed7614e93d7febadae)
  2. Activate the DASHBOARD_RBAC feature flag in docker/pythonpath_dev/superset_config.py:
     FEATURE_FLAGS = {"ALERT_REPORTS": True, "DASHBOARD_RBAC": True}
  3. Start the non-dev compose with: docker compose -f docker-compose-non-dev.yml up --build
  4. Create a user and assign it the Gamma role (screenshot)
  5. Open a dashboard, assign it the gamma role, save the dashboard (screenshot)
  6. Open a private browser instance, log in as the gamma user, open the dashboard, and get an error (screenshot: left gamma user, right admin user)

Exception in the log:

superset_app          | 2025-01-21 09:05:48,960:WARNING:superset.views.error_handling:SupersetErrorException
superset_app          | Traceback (most recent call last):
superset_app          |   File "/app/.venv/lib/python3.11/site-packages/flask/app.py", line 1484, in full_dispatch_request
superset_app          |     rv = self.dispatch_request()
superset_app          |          ^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/.venv/lib/python3.11/site-packages/flask/app.py", line 1469, in dispatch_request
superset_app          |     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
superset_app          |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/.venv/lib/python3.11/site-packages/flask_appbuilder/security/decorators.py", line 109, in wraps
superset_app          |     return f(self, *args, **kwargs)
superset_app          |            ^^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/views/base_api.py", line 120, in wraps
superset_app          |     duration, response = time_function(f, self, *args, **kwargs)
superset_app          |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/utils/core.py", line 1363, in time_function
superset_app          |     response = func(*args, **kwargs)
superset_app          |                ^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/utils/log.py", line 303, in wrapper
superset_app          |     value = f(*args, **kwargs)
superset_app          |             ^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/charts/data/api.py", line 239, in data
superset_app          |     command.validate()
superset_app          |   File "/app/superset/commands/chart/data/get_data_command.py", line 67, in validate
superset_app          |     self._query_context.raise_for_access()
superset_app          |   File "/app/superset/common/query_context.py", line 139, in raise_for_access
superset_app          |     self._processor.raise_for_access()
superset_app          |   File "/app/superset/common/query_context_processor.py", line 892, in raise_for_access
superset_app          |     security_manager.raise_for_access(query_context=self._query_context)
superset_app          |   File "/app/superset/security/manager.py", line 2350, in raise_for_access
superset_app          |     raise SupersetSecurityException(
superset_app          | superset.exceptions.SupersetSecurityException: This endpoint requires the datasource 20, database or `all_datasource_access` permission

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.11

Node version

16

Browser

Chrome

Additional context

  • I don't know which Node version is used in the docker image.
  • I used Brave to test this, but I don't think the browser is relevant here.

I have read through various tickets that seem to also encounter this bug, but no solution described there solved the issue, and most seem to only be for older versions of Superset (and most were riddled with misleading AI slop).

So I decided to open this ticket to show that even with the example data this feature flag doesn't seem to work. Or maybe there are missing steps in the documentation for activating it?

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
@dosubot dosubot bot added the authentication:access-control Related to access control label Jan 21, 2025

dosubot bot commented Jan 21, 2025

Hey @Mayeu! 👋

There are a few similar discussions related to issues with the DASHBOARD_RBAC feature in Apache Superset:

  1. Issue with Dashboard Access for Role-Based Permissions (DASHBOARD_RBAC=True) - This discussion is unsolved and might provide insights into similar problems [1].

  2. Non-admin user cannot see Edit Dashboard button, even on dashboards they own - This is another unsolved discussion that might be related to role-based access issues [2].

  3. A closed issue, RBAC not Working, was resolved by a pull request that fixed the use of normal RBAC when no roles were chosen [3].

Regarding your specific issue, the error message indicates that the user lacks the necessary datasource or all_datasource_access permission. When DASHBOARD_RBAC is enabled, users with the Gamma role need explicit datasource_access permissions for the datasets associated with the dashboard. You can add this permission by modifying the role's permissions in the security manager [4].

Additionally, ensure that the DASHBOARD_RBAC feature is correctly configured in your superset_config.py file, and that the roles are properly assigned to both the user and the dashboard [5].


@Mayeu Mayeu changed the title DASHBOARD_RBAC doesn't work as intended, even with the example dataset DASHBOARD_RBAC doesn't seems work as intended, even with the example dataset Jan 21, 2025
@Mayeu
Author

Mayeu commented Jan 21, 2025

Allowing myself to poke direct members of this repository (@villebro, @amitmiran137, @geido), because this bot answer is not useful. I know all those tickets, I have read them, and one of them is just a poor user fighting against that bot.

Please deactivate issue responses from that bot. Auto-labelling is fine, but on most issues I saw here the bot seems to just add noise and confuse users.

@Mayeu Mayeu changed the title DASHBOARD_RBAC doesn't seems work as intended, even with the example dataset The DASHBOARD_RBAC feature flag doesn't seem to work as intended, even with the example dataset Jan 21, 2025
@LevisNgigi
Contributor

From the error it seems the gamma user does not have access to the data source the dashboard is deriving its data from? Have you given the gamma user permission to access the data source as well, or only assigned the dashboard to the gamma role?

@vhf
Contributor

vhf commented Jan 21, 2025

From the error it seems the gamma user does not have access to the data source the dashboard is deriving its data from?

Correct, that's what DASHBOARD_RBAC is for, see the documentation: https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards

  • Granting a role access to a dashboard will bypass dataset level checks. Having dashboard access implicitly grants read access to all the featured charts in the dashboard, and thereby also all the associated datasets.

As this issue demonstrates, enabling DASHBOARD_RBAC and granting a role access to a dashboard does not bypass dataset level checks, so that's a bug.

@rusackas
Member

I always CC @dpgaspar when RBAC bugs come up 🤞

@u35253

u35253 commented Feb 4, 2025

DASHBOARD_RBAC may not work for datasets included via dataset() Jinja template macro

If anyone works on this one, I kindly request please making sure that the case is tested too in which the dataset needed by the dashboard contains a Jinja snippet that includes another dataset as a subquery using the dataset() macro (e.g., SELECT * FROM {{ dataset(42) }}) [0].

  • To be clear, this Jinja dataset inclusion is a feature fairly separate from DASHBOARD_RBAC and does work fine to nest/generate queries.
  • However the point of this comment is that it is important to make sure that DASHBOARD_RBAC does let the users (given role based dashboard access) to access the dataset expanded by the Jinja dataset() macro as well; the "nested" dataset(s) need to be accessible, too.

The reason for this comment is that, while the dataset() macro expands successfully, I have recently had to specifically grant dataset access to a Role that was getting denied on the nested/Jinja-included dataset used within the dataset of a chart, even though DASHBOARD_RBAC was enabled and was anticipated to have allowed access already, according to the docs, since "Granting a role access to a dashboard will bypass dataset level checks."

I'm not 100% sure if it's the same bug tracked in this Issue, but it seems like it could be, so I point it out in case there is something there to be included in testing/bugfixing, please.

Thank you for the great Superset dashboarding software.

[0] https://superset.apache.org/docs/configuration/sql-templating/

@jeremiebedjai

jeremiebedjai commented Feb 5, 2025

I ran into the same problem. In my case, the code in the security manager expects a field named dashboardId, which was missing in the formData object.

Instead, the dashboards field is both included in the schema and actually sent by the frontend, making it more relevant to me. As a result, the check:

and (dashboard_id := form_data.get("dashboardId"))

always evaluated to False—so the logic for DASHBOARD_RBAC never got a chance to run. Patching the code to handle the actual field name (or list of IDs) fixed the issue.

Hope this can help.
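The two failure modes described in this thread (the security check reading a request field the frontend never sends, as in jeremiebedjai's comment above, and datasets pulled in transitively through the Jinja dataset() macro, as in u35253's comment) can be modelled in a few lines. The code below is an added example written for this page; it is not Superset's security manager, and the dataset ids, SQL, dashboard mapping, role shape and the legacy_key_only switch are all constructed for illustration. It shows why a branch that only looks at "dashboardId" never grants anything when the payload carries "dashboards", and why a dashboard grant has to cover the closure of nested datasets for the documented "bypass dataset level checks" behaviour to hold.

```python
import re
from dataclasses import dataclass, field

# Matches the Jinja macro form {{ dataset(42) }} (whitespace tolerant).
DATASET_MACRO = re.compile(r"\{\{\s*dataset\(\s*(\d+)\s*\)\s*\}\}")

# Constructed virtual datasets, id -> SQL; 20 nests 42, which nests 7.
DATASETS = {
    20: "SELECT region, SUM(sales) AS sales FROM {{ dataset(42) }} GROUP BY region",
    42: "SELECT s.*, r.name FROM raw_sales s JOIN {{ dataset(7) }} r USING (region)",
    7: "SELECT region, name FROM regions",
    9: "SELECT * FROM {{dataset(9)}}",  # self-reference: expansion must terminate
}

# Constructed mapping: dashboard id -> datasets its charts use directly.
DASHBOARD_DATASETS = {5: {20}, 6: {9}}


def expand_datasets(dataset_ids, datasets=DATASETS):
    """Transitive closure of dataset ids reachable via {{ dataset(N) }}."""
    seen, stack = set(), list(dataset_ids)
    while stack:
        ds_id = stack.pop()
        if ds_id in seen:
            continue  # already expanded; also breaks reference cycles
        seen.add(ds_id)
        stack.extend(int(ref) for ref in DATASET_MACRO.findall(datasets.get(ds_id, "")))
    return seen


@dataclass
class Role:
    name: str
    dashboards: set = field(default_factory=set)  # dashboard ids granted to the role
    datasets: set = field(default_factory=set)    # dataset ids granted directly


class AccessDenied(Exception):
    pass


def dashboard_ids_from_form_data(form_data, legacy_key_only=False):
    """Collect dashboard ids from the request payload.

    legacy_key_only=True reproduces the reported bug: only a scalar
    "dashboardId" is consulted, so the "dashboards" list the frontend
    actually sends is ignored and the RBAC branch never fires.
    """
    ids = set()
    if (single := form_data.get("dashboardId")) is not None:
        ids.add(int(single))
    if not legacy_key_only:
        ids.update(int(d) for d in form_data.get("dashboards") or [])
    return ids


def raise_for_access(form_data, role, dataset_id, *, legacy_key_only=False):
    """Return every dataset the query touches, or raise AccessDenied.

    A dataset is covered either by a dashboard the role holds (which, per the
    docs quoted in this thread, implicitly grants every dataset its charts use,
    nested ones included) or by a direct dataset grant on the role.
    """
    needed = expand_datasets({dataset_id})
    covered = set(role.datasets)
    for dash_id in dashboard_ids_from_form_data(form_data, legacy_key_only) & role.dashboards:
        covered |= expand_datasets(DASHBOARD_DATASETS.get(dash_id, set()))
    missing = needed - covered
    if missing:
        raise AccessDenied(
            f"role {role.name!r} needs dataset(s) {sorted(missing)} "
            "or a dashboard that contains them"
        )
    return needed


def allowed(form_data, role, dataset_id, **kw):
    """Boolean wrapper around raise_for_access for quick checks."""
    try:
        raise_for_access(form_data, role, dataset_id, **kw)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    gamma = Role("Gamma", dashboards={5})
    payload = {"dashboards": [5], "datasource": "20__table"}  # shape the frontend sends
    print("fixed :", allowed(payload, gamma, 20))                        # True
    print("buggy :", allowed(payload, gamma, 20, legacy_key_only=True))  # False
```

The useful defensive habit this illustrates is that an authorization branch keyed on an optional request field fails silently: when the key is absent the branch simply never runs, and the only symptom is a denial that looks like a missing dataset grant. A regression test that feeds the exact payload shape the frontend emits (here the "dashboards" list) and asserts the grant path is taken would have caught it.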

@mfreyre-smo

Seems like there was something removed that handled casing differences between the row level security config and the security check on charts in the dashboard. We discovered that if we changed the casing of the table, view, or virtual dataset in the query that the charts were built upon (such that the casing matched the RBAC entry), then it would work.
