Metabase Users Changing to Default Permissions

Open vmoores-ds opened this issue 1 year ago • 1 comments

Describe the bug

We have certain users whose MB permissions are changed to default when they log in.

This creates issues viewing certain MB queries and tables. As a result, the MB admin team have had to set up certain users' permissions from default back to their required role multiple times. This has been occurring across multiple MB instances / environments.

We thought there may be an issue with LDAP that would be causing this, so we removed the users from the lists and it hasn't helped.

To Reproduce

This is happening for certain users only, at least once a week across multiple MB instances.

  1. Log in to MB using username and password.
  2. Unable to access query
  3. MB Admin team change permissions to default
  4. User can then view query
  5. I believe the next time the user logs in on a new session it then causes an issue

Expected behavior

The queries should be visible

Logs

No response

Information about your Metabase installation

{
  "browser-info": {
    "language": "en-US",
    "platform": "Win32",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
    "vendor": "Google Inc."
  },
  "metabase-info": {
    "databases": [
      "postgres",
      "sqlserver",
      "athena",
      "redshift"
    ],
    "run-mode": "prod",
    "plan-alias": "",
    "version": {
      "date": "2024-08-21",
      "tag": "v0.50.21",
      "hash": "ec9f5d7"
    },
    "settings": {
      "report-timezone": "Europe/London"
    },
    "hosting-env": "unknown",
    "application-database": "postgres",
    "application-database-details": {
      "database": {
        "name": "PostgreSQL",
        "version": "14.10"
      },
      "jdbc-driver": {
        "name": "PostgreSQL JDBC Driver",
        "version": "42.7.3"
      }
    }
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "OpenJDK Runtime Environment",
    "java.runtime.version": "11.0.24+8",
    "java.vendor": "Eclipse Adoptium",
    "java.vendor.url": "https://adoptium.net/",
    "java.version": "11.0.24",
    "java.vm.name": "OpenJDK 64-Bit Server VM",
    "java.vm.version": "11.0.24+8",
    "os.name": "Linux",
    "os.version": "6.5.0-1024-aws",
    "user.language": "en",
    "user.timezone": "GMT"
  }
}

Severity

Medium

Additional context

No response

vmoores-ds, Aug 28 '24 10:08

Hi @vmoores-ds, thanks for the report. Could you clarify what you mean by "permissions are changed to default"? Are the permissions in /admin/permissions being changed for specific groups or databases? Or are users being removed from the groups that they're expected to be in?

If you're using LDAP with group sync, this does sound like an issue there. What do you mean by "we removed the users from the lists"?

noahmoss, Aug 28 '24 10:08

Hey, thanks for getting back to me so quickly.

Yes, so to clarify, they had an existing group set up called 'Customer Success' assigned to them. When they log in on the next session, that group is dropped, so when I go to check on their user in Admin > People, the user will have 'Default' as the group next to their name. I will reassign 'Customer Success', which works until the next login session. I just tested this again with the user affected.

I don't think it's an issue with the MB group itself, as there are only a couple of users who have 'Customer Success' as their group who have this issue. There's a number of others who have never experienced this.

For the LDAP group sync, the users who were affected by this issue have been removed from LDAP. We wanted to confirm it was not related to LDAP before reaching out.

vmoores-ds, Aug 28 '24 14:08

@vmoores-ds Is there a 'Customer Success' group in LDAP, and was this mapped properly to the corresponding Metabase group in the LDAP settings?

This definitely sounds like an LDAP group sync issue. Group sync runs only when a user logs in, and it updates the user's groups to match the groups returned from the LDAP server according to the predefined mappings. If something is configured slightly wrong it can lead to users being removed from groups unexpectedly. (Or there may be a bug, but I don't know where yet.)

What do you mean exactly by "the users have been removed from LDAP"?

noahmoss, Aug 28 '24 15:08
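
As an added illustration of the login-time sync described in the comment above (not Metabase's code and not part of the original thread): a simplified Python model that predicts which users would lose a mapped group at their next login. The function names, the rule that only mapped groups are managed, the case-insensitive DN matching, and all sample data are assumptions constructed for this example.

```python
# Added example: a simplified model of login-time LDAP group sync,
# not Metabase's implementation. All names and data are constructed.

def plan_group_sync(ldap_groups, current_groups, mappings):
    """Return (to_add, to_remove) for one user at login.

    ldap_groups    -- group DNs the directory returned for the user
    current_groups -- application groups the user holds right now
    mappings       -- {ldap group DN: [application group, ...]}
    Assumption: only groups that appear in `mappings` are managed by sync;
    groups assigned by hand and absent from the mappings are left alone.
    """
    # Assumption of this model: DNs are matched case-insensitively, so a
    # casing difference alone does not drop a membership.
    norm = {dn.lower(): groups for dn, groups in mappings.items()}
    managed = {g for groups in norm.values() for g in groups}
    desired = {g for dn in ldap_groups for g in norm.get(dn.lower(), [])}
    current = set(current_groups)
    to_add = desired - current
    to_remove = (current & managed) - desired
    return to_add, to_remove


def users_losing_groups(directory, memberships, mappings):
    """List users whose next login would drop at least one group."""
    report = {}
    for user, ldap_groups in directory.items():
        _, to_remove = plan_group_sync(ldap_groups, memberships.get(user, []), mappings)
        if to_remove:
            report[user] = sorted(to_remove)
    return report


# Constructed sample data.
MAPPINGS = {"cn=customer-success,ou=groups,dc=example,dc=com": ["Customer Success"]}
DIRECTORY = {
    "alice": ["CN=Customer-Success,OU=Groups,DC=example,DC=com"],  # healthy entry
    "bob": [],  # directory entry lost its group membership
}
MEMBERSHIPS = {
    "alice": ["Customer Success"],
    "bob": ["Customer Success"],  # re-assigned by hand by an admin
}

if __name__ == "__main__":
    print(users_losing_groups(DIRECTORY, MEMBERSHIPS, MAPPINGS))
```

In this model a group re-assigned by hand is dropped again at the next login whenever the directory does not return the mapped LDAP group for that user, while users whose directory entries are intact keep it.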

We can close this ticket. There was an issue with the Active Directory and therefore the LDAP list which was causing this. We removed and re-added the user and this is now resolved. Thank you for your help!

vmoores-ds, Aug 29 '24 09:08