
[dashboard-rbac] Support Fallback to dataset permissions even when ff is on

Open kamalkeshavani-aiinside opened this issue 3 years ago • 12 comments

Is your feature request related to a problem? Please describe.
With 'DASHBOARD_RBAC' ff on, when I don’t assign any role in dashboard props but the role has access to the required dataset, I still get this error: You don't have access to this dashboard.

Describe the solution you'd like
As the documentation mentions here, the fallback to dataset permission should work with ff enabled.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
I confirmed the same behavior in 1.3.2. https://apache-superset.slack.com/archives/C01B6H6U8S2/p1625000708004100

kamalkeshavani-aiinside avatar Oct 26 '21 02:10 kamalkeshavani-aiinside

Hello @kamalkeshavani-aiinside I am marking this as a bug as you pointed out that should be the default behavior. I am also marking the issue as requiring validation from a committer. Thank you!

geido avatar Jan 26 '22 08:01 geido

I can confirm this bug in 1.4.1. The dashboard_rbac feature, although being 'stable', does not work for me in this context.

MM-Lehmann avatar Mar 10 '22 13:03 MM-Lehmann

I understand this and tested it in my forked repo.

  • DASHBOARD_RBAC : True
  • User has access to datasets or an alpha-type role.
  • If an admin has published the dashboard, an alpha-role user can see the dashboard in the dashboard list view page but is not able to view the dashboard at /dashboard/
  • Only if the alpha role is assigned to the dashboard is the user able to view the dashboard at dashboard/<idorslug>

This is my understanding. I hope others are seeing this too and that it is not caused by the custom changes in my fork (which did not touch the dashboard code much).

nikhil-kuyya-talentas avatar Mar 17 '22 05:03 nikhil-kuyya-talentas

Is there any acknowledgement by the dev team of this issue? At the very least, the FF should be marked testing or even dev. Everything else is misleading IMHO.
PS: still buggy in 1.5.0 (fresh, unmodified image)
PPS: potential dupe: #18634

MM-Lehmann avatar May 04 '22 11:05 MM-Lehmann

> Is there any acknowledgement by the dev team of this issue? At the very least, the FF should be marked testing or even dev. Everything else is misleading IMHO. PS: still buggy in 1.5.0 (fresh, unmodified image) PPS: potential dupe: #18634

@MM-Lehmann it should be assumed that any feature flag that's disabled by default is considered experimental. Having said that we do appreciate that the issue has been raised, and I can take a look at fixing this if I can repro it.

villebro avatar May 05 '22 06:05 villebro

Hello,

I'm experiencing the same issue in version 1.4.2.

  • DASHBOARD_RBAC is enabled
  • Dashboard has empty roles setting in dashboard properties
  • User has access to underlying datasets (verified since the user can access the dashboard if the FF is disabled and also can see the dashboard in dashboard list)
  • Getting an error when I click on the dashboard in the list of dashboards (please check image); if I reload (URL pointing directly to the dashboard) I get the "You don't have access to this dashboard." message.
  • I can see the following in the log:
2022-06-02 17:01:31,696:ERROR:root:You don't have access to this dashboard.
Traceback (most recent call last):
  File "/app/superset/utils/cache.py", line 157, in wrapper 
    raise_for_access(*args, **kwargs)    
  File "/app/superset/dashboards/api.py", line 352, in <lambda>     
    raise_for_access=lambda _self, id_or_slug: DashboardDAO.get_by_id_or_slug(    
  File "/app/superset/dashboards/dao.py", line 46, in get_by_id_or_slug    
    security_manager.raise_for_dashboard_access(dashboard)  
  File "/app/superset/security/manager.py", line 1189, in raise_for_dashboard_access      
    raise DashboardAccessDeniedError()   
superset.dashboards.commands.exceptions.DashboardAccessDeniedError: You don't have access to this dashboard.    
    
During handling of the above exception, another exception occurred: 
    
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask_appbuilder/api/__init__.py", line 85, in wraps     
    return f(self, *args, **kwargs)      
  File "/app/superset/views/base_api.py", line 85, in wraps 
    raise ex
  File "/app/superset/views/base_api.py", line 82, in wraps 
    duration, response = time_function(f, self, *args, **kwargs)    
  File "/app/superset/utils/core.py", line 1471, in time_function   
    response = func(*args, **kwargs)     
  File "/app/superset/utils/log.py", line 242, in wrapper   
    value = f(*args, **kwargs)    
  File "/app/superset/dashboards/api.py", line 398, in get_charts   
    charts = DashboardDAO.get_charts_for_dashboard(id_or_slug)      
  File "/app/superset/dashboards/dao.py", line 56, in get_charts_for_dashboard    
    return DashboardDAO.get_by_id_or_slug(id_or_slug).slices
  File "/app/superset/dashboards/dao.py", line 46, in get_by_id_or_slug    
    security_manager.raise_for_dashboard_access(dashboard)
  File "/app/superset/security/manager.py", line 1189, in raise_for_dashboard_access
    raise DashboardAccessDeniedError()
superset.dashboards.commands.exceptions.DashboardAccessDeniedError: You don't have access to this dashboard. 


akotuc avatar Jun 02 '22 17:06 akotuc

Same problem. Version: 1.5.0. No roles assigned in dashboard but nobody with alpha role and access to all databases can open it.

sadovinma avatar Jun 07 '22 17:06 sadovinma

Does anyone have an update on this issue, please? E.g. has anyone tested this in v2? Thanks

akotuc avatar Jul 25 '22 08:07 akotuc

This still exists in 1.5.1. The dashboard is shown in the "Dashboard Overview", but a user cannot open the dashboard when no role is assigned, even though he/she has access to the underlying datasource. All the charts in the Dashboard can be opened and viewed. But the dashboard shows the above error.

mattitoo avatar Aug 04 '22 09:08 mattitoo

I can also confirm the bug exists on 2.0.0 (tested locally with Docker Image)

mattitoo avatar Aug 04 '22 10:08 mattitoo

This is not a bug from my point of view. I think there should be multiple options for handling access:

  1. Dataset permissions only
  2. Dashboard rbac only
  3. Dashboard rbac + fallback to dataset permissions

Anyone at this point can go ahead and implement option #3 by adding a MODE config flag to support each of the options instead of a ff that can only be addressed with 2 viable options.

Ff is meant for testing features and I think this feature is already mature enough and it should be converted into a mode config.

amitmiran137 avatar Aug 04 '22 10:08 amitmiran137
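
The three options listed in the comment above, written out as one decision function and run against the scenario reported in this issue. This is an added example, not Superset code: `AccessMode`, `can_view`, `evaluate` and the rule that dataset access means access to every underlying dataset are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class AccessMode(Enum):  # hypothetical names for the three proposed options
    DATASET_ONLY = 1
    RBAC_ONLY = 2
    RBAC_WITH_FALLBACK = 3


@dataclass(frozen=True)
class Dashboard:
    roles: frozenset      # roles assigned in dashboard properties
    datasets: frozenset   # datasets behind the dashboard's charts


@dataclass(frozen=True)
class User:
    roles: frozenset
    datasets: frozenset   # datasets the user's roles may read


def can_view(mode, user, dash):
    # Assumption: dataset access means access to every underlying dataset;
    # a dashboard with no datasets is denied rather than opened to everyone.
    by_dataset = bool(dash.datasets) and dash.datasets <= user.datasets
    by_role = bool(dash.roles & user.roles)
    if mode is AccessMode.DATASET_ONLY:
        return by_dataset
    if mode is AccessMode.RBAC_ONLY:
        return by_role
    # Fallback applies only when no role is assigned; once roles are set
    # they alone decide, so the fallback never widens a restricted dashboard.
    return by_role if dash.roles else by_dataset


def evaluate(user, dash):
    return {mode.name: can_view(mode, user, dash) for mode in AccessMode}


# Constructed sample data mirroring the report: no dashboard roles,
# user holds Alpha and can read the underlying dataset.
alpha = User(frozenset({"Alpha"}), frozenset({"sales"}))
no_roles = Dashboard(frozenset(), frozenset({"sales"}))
restricted = Dashboard(frozenset({"Finance"}), frozenset({"sales"}))

if __name__ == "__main__":
    print("no roles assigned:", evaluate(alpha, no_roles))
    print("Finance only:     ", evaluate(alpha, restricted))
```

Under `RBAC_ONLY` the dashboard with no roles is denied, which matches the denial reported in this thread; `RBAC_WITH_FALLBACK` grants it while still denying the dashboard restricted to another role.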

I agree that there are several possibilities, but an "Unexpected error" is raised directly in the frontend for the end user. That definitely should not be the case.

mattitoo avatar Aug 04 '22 11:08 mattitoo

Hi, https://github.com/apache/superset/pull/22642 should fix the issue.

giovannipapini-agilelab avatar Feb 06 '23 11:02 giovannipapini-agilelab

Closing this issue in favor of the newer one, https://github.com/apache/superset/issues/22640.

rusackas avatar Feb 15 '24 23:02 rusackas