RBAC not Working
Problem: Role Based Access Control is not enabling users to view Dashboards correctly.
Feature flag enabled: RBAC
Browser: Firefox
Superset Version 1.4
Background: I have assigned a user a role AlphaDG (essentially Gamma) and have assigned this role to a dashboard.
Expected outcome: Even though the user has not been assigned access to the underlying dataset(s), this user should be able to see the dashboard.
Actual outcome: The user is not able to see the dashboard (whether published or not)


Perhaps I have not included a necessary permissions flag?
That being said, I have tested user roles who are given all permissions (except datasource access obviously, as this is why I am using RBAC.....)
DASHBOARD_RBAC is the feature flag you enabled, right?
I had a similar issue:
User 1 - has access to a dataset via role AlphaCopy (all datasource access is removed)
User 2 - has access to same dataset via role GammaCopy
Dashboard 1 and Dashboard 2 - defined on dataset
Now feature flag is enabled and access is set as follows:
Dashboard 1 - No specific user set, so all users with access to dataset should have access
Dashboard 2 - Only Role AlphaCopy has access to it
Outcome expected: User 1 will have access to Dashboard 1 and Dashboard 2, User 2 will have access to only Dashboard 1
Actual Result: User 1 and User 2 didn't have access to any dashboards
I then gave specific access to Dashboard 1 to role AlphaCopy and GammaCopy. Same result
How exactly is the feature DASHBOARD_RBAC supposed to work?
I can confirm @srinisubramanian's observation. Same for me. I also pulled a fresh image without any modification (apart from the FF) to double check. The FF is not stable! Please investigate.
Ping @amitmiran137 , have you run into this? We're hoping to push out 1.5.1 in 1-2 weeks, so if this feature is currently broken it would be nice to get a fix for this in.
Are you using the DASHBOARD_RBAC ff?
Why not use the new UI for editing a dashboard?
We use it as one of the core features we use and it does work
Please answer those questions so we can proceed
I just tested this again with 1.5.0 and it works. Maybe it was an older version issue?
Thanks @amitmiran137 and @srinisubramanian ! so we're ok closing this with the assumption that upgrading to 1.5 should fix the problem?
I guess so @villebro as of now the feature flag works after the upgrade to 1.5.0 that I did.
Alright, this has become a bit unstructured. I was just picking up on parts of https://github.com/apache/superset/issues/18634#issuecomment-1073508833 but actually my problem is described in #17227 So you might as well close this issue and continue discussion in the other one ;) Sorry for the mess
I have issue with Superset v1.5.0, I'm unable to Assign Roles for users in Dashboard Properties (Option is not showing). I have enabled DASHBOARD_RBAC=True in config.py. Can anyone help me?
Did you set the feature flag or just a variable?
As mentioned elsewhere it's working good for me. The only catch is I had to give access to users on each dashboard. Default access didn't work.
Did you also run superset init? If not please try that.
could be a duplicate ticket to https://github.com/apache/superset/issues/19988 (happens also on V2.0.0)
The error is in the has_rbac_access function:

    def has_rbac_access() -> bool:
        return (not is_feature_enabled("DASHBOARD_RBAC")) or any(
            dashboard_role.id
            in [user_role.id for user_role in self.get_user_roles()]
            for dashboard_role in dashboard.roles
        )

Delete the "not" and everything works as expected. Sorry, first post here, have to read up on how to officially post such things.
Sorry @benjamin-mueller, that doesn't make sense. Your solution would completely bypass any role management introduced with the feature flag and grant all access, only because the FF is enabled.
The role management is done somewhere else, as mentioned in the parent function
    def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
        """
        Raise an exception if the user cannot access the dashboard.
        This does not check for the required role/permission pairs,
        it only concerns itself with entity relationships.

        :param dashboard: Dashboard the user wants access to
        :raises DashboardAccessDeniedError: If the user cannot access the resource
        """
https://github.com/apache/superset/blob/2d16100dbcc1d12d4c077b109f80ade53785077e/superset/security/manager.py#L1916
We tested it on our systems with roles assigned and it worked as expected, sorry.
FYI I believe I've hit this issue, and I'm working on a fix for it
I can confirm that DASHBOARD_RBAC works on 1.5.1. We want to upgrade to 2.0.1 but fear that it will impact our production users if this is broken in 2.0.0. A fix will be really appreciated.
Agreed that there is a gap in user access, we're on 2.0.0, with DASHBOARD_RBAC enabled. Our ideal use case is
- All users who login get a custom role, something like dashboard_viewer
- We use dashboard RBAC to grant access to the full dashboard (view dashboard, see underlying datasets, and see filter datasets)
- We apply RLS rule that limits user based on templated {{ current_username }}

This way all users can login, see the dashboard, but only see rows they are associated with.
The issue now is we are getting the You don't have access to this dashboard - seems like the only workaround is the snippet Benjamin shared, it would not be scalable to add access for the 100+ users through dashboard ownership, sounds like this may have a fix on the way.
The other issue is datasets associated with native filters, when working around the above issue by adding my test user as an owner so it can hit the dashboard I'm getting permission errors on all native filters that utilize datasets NOT used by the dashboard. I believe the root of this is that hitting the dashboard/ID/datasets endpoint only returns chart datasets and not filters.
Hey guys,
I also had the same issue in both versions 1.5.1 and 2.0.0.
BUT after inspecting the code (specifically func raise_for_dashboard_access in branch 2.0 and line 1268) I figured out that you need your dashboards to be Published, but my dashboards were Draft
    ...
    can_access = (
        is_user_admin()
        or is_owner(dashboard, g.user)
        or (dashboard.published and has_rbac_access())  # <<HERE<<: dashboard.published
        or (not dashboard.published and not dashboard.roles)
    )
    ...
If I set the dashboard status to Published everything works like a charm in both v1.5.1 and v2.0.0
I don't know if this solves your issues, but I hope it helps :)
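The two snippets quoted in this thread (`has_rbac_access` and the `can_access` expression) can be combined into a small model to see which dashboards a non-owner, non-admin role member is allowed to open. This is an added example, not Superset code: the `Dashboard` class, the `can_access` signature and the role names are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class Dashboard:
    """Hypothetical stand-in for a dashboard; not Superset's model class."""
    published: bool
    roles: frozenset = frozenset()
    owners: frozenset = frozenset()


def can_access(dash, user, user_roles, is_admin=False, rbac_enabled=True):
    """Re-statement of the can_access expression quoted in the thread."""

    def has_rbac_access():
        # Same shape as the quoted helper: True when the flag is off,
        # otherwise True only if a dashboard role is also a user role.
        return (not rbac_enabled) or bool(dash.roles & frozenset(user_roles))

    return (
        is_admin
        or user in dash.owners
        or (dash.published and has_rbac_access())
        or (not dash.published and not dash.roles)
    )


def decision_table(user="viewer", user_roles=("AlphaDG",)):
    """Evaluate every published/roles combination for a non-owner, non-admin."""
    role_sets = {
        "none": frozenset(),
        "match": frozenset({"AlphaDG"}),
        "other": frozenset({"SomeOtherRole"}),
    }
    table = {}
    for published, (label, roles) in product((False, True), role_sets.items()):
        dash = Dashboard(published=published, roles=roles)
        state = "published" if published else "draft"
        table[(state, label)] = can_access(dash, user, user_roles)
    return table


if __name__ == "__main__":
    for (state, roles), allowed in decision_table().items():
        print(f"{state:9} roles={roles:5} -> {'allow' if allowed else 'deny'}")
```

In this model a draft dashboard with a matching role is denied while the same dashboard published is allowed, and a published dashboard with no roles assigned is denied by this expression alone.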
I have issue with Superset v1.5.0, I'm unable to Assign Roles for users in Dashboard Properties (Option is not showing). I have enabled DASHBOARD_RBAC=True in config.py. Can anyone help me?
I've same issue here with superset 2.0.0

What I've done is adding this on config.py

    #to Enabling DASHBOARD_RBAC (Role-Based Access Control) in Apache Superset - 2023-01-14
    ENABLE_DASHBOARD_RBAC = True

then reinitialize superset with

    superset init

So I open the dashboard, make it published and choose edit (shown in the image above). How can I handle this?
Which version should I use ? Feature flags still not working
@lazuardi21 correct way to enable dashboard rbac is to add following to superset_config.py

    FEATURE_FLAGS = {"DASHBOARD_RBAC": True}
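A quick way to catch the misconfiguration discussed above (the flag written as a top-level variable instead of a `FEATURE_FLAGS` entry) is to inspect the config file's syntax tree. This is an added example, not part of Superset: `dashboard_rbac_status` and the sample snippets are constructed for illustration, and it only understands a literal `FEATURE_FLAGS = {...}` assignment.

```python
import ast

FLAG = "DASHBOARD_RBAC"

# Constructed config snippets, one per form that appears in the thread.
SAMPLES = {
    "plain_variable": "DASHBOARD_RBAC = True\n",
    "enable_prefix": "# enable dashboard RBAC\nENABLE_DASHBOARD_RBAC = True\n",
    "feature_flags": 'FEATURE_FLAGS = {"DASHBOARD_RBAC": True}\n',
    "flag_off": 'FEATURE_FLAGS = {"DASHBOARD_RBAC": False}\n',
}


def dashboard_rbac_status(config_source):
    """Return (enabled, findings) for the text of a superset_config.py."""
    enabled = False
    findings = []
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if target.id == "FEATURE_FLAGS" and isinstance(node.value, ast.Dict):
                # Look for a literal "DASHBOARD_RBAC": True entry.
                for key, value in zip(node.value.keys, node.value.values):
                    if isinstance(key, ast.Constant) and key.value == FLAG:
                        enabled = (
                            isinstance(value, ast.Constant) and value.value is True
                        )
            elif FLAG in target.id:
                # A look-alike variable that is not a FEATURE_FLAGS entry.
                findings.append(
                    f"line {node.lineno}: {target.id} is a plain variable, "
                    "not a FEATURE_FLAGS entry"
                )
    return enabled, findings


if __name__ == "__main__":
    for name, source in SAMPLES.items():
        enabled, findings = dashboard_rbac_status(source)
        print(f"{name}: enabled={enabled} findings={findings}")
```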
@mdeshmu thank u a lot, it worked
Hi @mdeshmu thank u a lot, it worked.
I hope for this issue can be closed since it worked on my local. Thank you!!
@villebro can we close this issue?
Please take a look at #23586
It works for me and my superset version is 2.1.0. It's interesting the dashboard rbac works on development like run it on PyCharm even though the status is draft, but on live you need to change it to Published.
May I ask how did you resolve this RBAC issue? After publishing my dashboard, I still don't see the role-based access drop-down menu, mine just looks similar to this using v2.1.0
Did you change anything in .py files other than adding FEATURE_FLAGS = {"DASHBOARD_RBAC": True} to superset_config.py?