The DASHBOARD_RBAC feature flag doesn't seem to work as intended, even with the example dataset #31938

Open
3 tasks done
Mayeu opened this issue Jan 21, 2025 · 5 comments
Labels: authentication:access-control (Related to access control)

Mayeu commented Jan 21, 2025

Bug description

Hello 👋,

Activating the DASHBOARD_RBAC feature flag doesn't work as intended, we can't share access to our dashboard that way on our production instance, and it doesn't work locally either with the example dataset.

  1. Checkout master (currently 63843c568255d5f1302815ed7614e93d7febadae)
  2. Activate the DASHBOARD_RBAC feature flag in docker/pythonpath_dev/superset_config.py
    FEATURE_FLAGS = {"ALERT_REPORTS": True, "DASHBOARD_RBAC": True}
  3. Start the non-dev compose with: docker compose -f docker-compose-non-dev.yml up --build
  4. Create a user, assign it the Gamma role
  5. Open a dashboard, assign it the gamma role, save the dashboard
  6. Open a private browser instance, log in as the gamma user, open the dashboard, get an error (left gamma user, right admin user)

Exception in the log:

superset_app          | 2025-01-21 09:05:48,960:WARNING:superset.views.error_handling:SupersetErrorException
superset_app          | Traceback (most recent call last):
superset_app          |   File "/app/.venv/lib/python3.11/site-packages/flask/app.py", line 1484, in full_dispatch_request
superset_app          |     rv = self.dispatch_request()
superset_app          |          ^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/.venv/lib/python3.11/site-packages/flask/app.py", line 1469, in dispatch_request
superset_app          |     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
superset_app          |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/.venv/lib/python3.11/site-packages/flask_appbuilder/security/decorators.py", line 109, in wraps
superset_app          |     return f(self, *args, **kwargs)
superset_app          |            ^^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/views/base_api.py", line 120, in wraps
superset_app          |     duration, response = time_function(f, self, *args, **kwargs)
superset_app          |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/utils/core.py", line 1363, in time_function
superset_app          |     response = func(*args, **kwargs)
superset_app          |                ^^^^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/utils/log.py", line 303, in wrapper
superset_app          |     value = f(*args, **kwargs)
superset_app          |             ^^^^^^^^^^^^^^^^^^
superset_app          |   File "/app/superset/charts/data/api.py", line 239, in data
superset_app          |     command.validate()
superset_app          |   File "/app/superset/commands/chart/data/get_data_command.py", line 67, in validate
superset_app          |     self._query_context.raise_for_access()
superset_app          |   File "/app/superset/common/query_context.py", line 139, in raise_for_access
superset_app          |     self._processor.raise_for_access()
superset_app          |   File "/app/superset/common/query_context_processor.py", line 892, in raise_for_access
superset_app          |     security_manager.raise_for_access(query_context=self._query_context)
superset_app          |   File "/app/superset/security/manager.py", line 2350, in raise_for_access
superset_app          |     raise SupersetSecurityException(
superset_app          | superset.exceptions.SupersetSecurityException: This endpoint requires the datasource 20, database or `all_datasource_access` permission

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.11

Node version

16

Browser

Chrome

Additional context

  • I don't know which node version is used in the docker image.
  • I used Brave to test this, but I don't think the browser is relevant here.

I have read through various tickets that seem to also encounter this bug, but no solution described there solved the issue, and most seem to only be for older versions of Superset (and most were riddled with misleading AI slop).

So I decided to open this ticket to show that even with the example data this feature flag doesn't seem to work. Or maybe there are missing steps in the documentation for activating this?

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
dosubot bot added the authentication:access-control (Related to access control) label Jan 21, 2025

dosubot bot commented Jan 21, 2025

Hey @Mayeu! 👋

There are a few similar discussions related to issues with the DASHBOARD_RBAC feature in Apache Superset:

  1. Issue with Dashboard Access for Role-Based Permissions (DASHBOARD_RBAC=True) - This discussion is unsolved and might provide insights into similar problems [1].

  2. Non-admin user cannot see Edit Dashboard button, even on dashboards they own - This is another unsolved discussion that might be related to role-based access issues [2].

  3. A closed issue, RBAC not Working, was resolved by a pull request that fixed the use of normal RBAC when no roles were chosen [3].

Regarding your specific issue, the error message indicates that the user lacks the necessary datasource or all_datasource_access permission. When DASHBOARD_RBAC is enabled, users with the Gamma role need explicit datasource_access permissions for the datasets associated with the dashboard. You can add this permission by modifying the role's permissions in the security manager [4].

Additionally, ensure that the DASHBOARD_RBAC feature is correctly configured in your superset_config.py file, and that the roles are properly assigned to both the user and the dashboard [5].

Mayeu changed the title from "DASHBOARD_RBAC doesn't work as intended, even with the example dataset" to "DASHBOARD_RBAC doesn't seems work as intended, even with the example dataset" on Jan 21, 2025
Mayeu (Author) commented Jan 21, 2025

Allowing myself to poke direct members of this repository (@villebro, @amitmiran137, @geido), because this bot answer is not useful. I know all those tickets, I have read them, and one of them is just a poor user fighting against that bot.

Please deactivate issue responses from that bot. Auto-labelling is fine, but on most issues I saw here the bot seems to just add noise and confuse users.

Mayeu changed the title from "DASHBOARD_RBAC doesn't seems work as intended, even with the example dataset" to "The DASHBOARD_RBAC feature flag doesn't seem to work as intended, even with the example dataset" on Jan 21, 2025
LevisNgigi (Contributor) commented

From the error it seems the gamma user does not have access to the data source the dashboard is deriving its data from? Have you given the gamma user permission to access the data source as well? Or only assigned the dashboard to the gamma role?

vhf (Contributor) commented Jan 21, 2025

From the error it seems the gamma user does not have access to the data source the dashboard is deriving its data from?

Correct, that's what DASHBOARD_RBAC is for, see the documentation: https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards

  • Granting a role access to a dashboard will bypass dataset level checks. Having dashboard access implicitly grants read access to all the featured charts in the dashboard, and thereby also all the associated datasets.

As this issue demonstrates, enabling DASHBOARD_RBAC and granting a role access to a dashboard does not bypass dataset level checks, so that's a bug.
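
A small model of the decision the documentation quoted above describes, set against the behaviour reported in this issue, as an added example (not Superset's code and not part of the thread). The class and function names are hypothetical, and falling back to dataset-level checks when the dashboard has no roles or the dataset is not featured is an assumption.

```python
from dataclasses import dataclass, field

# Constructed model; every name below is hypothetical, not a Superset internal.
@dataclass
class Dashboard:
    roles: set = field(default_factory=set)        # roles granted on the dashboard
    dataset_ids: set = field(default_factory=set)  # datasets behind its charts

@dataclass
class User:
    roles: set
    dataset_perms: set = field(default_factory=set)  # explicit datasource grants
    all_datasource_access: bool = False

def dataset_level_allows(user, dataset_id):
    """Plain dataset-level check, the one named in the error message."""
    return user.all_datasource_access or dataset_id in user.dataset_perms

def documented_allows(user, dashboard, dataset_id, rbac_enabled=True):
    """Decision the documentation describes for a chart-data read from a dashboard."""
    if rbac_enabled and dashboard.roles:
        if user.roles & dashboard.roles and dataset_id in dashboard.dataset_ids:
            return True  # a dashboard role grants read access to featured datasets
    # Assumption: flag off, no roles on the dashboard, or dataset not featured
    # means the normal dataset-level check applies.
    return dataset_level_allows(user, dataset_id)

def observed_allows(user, dashboard, dataset_id):
    """Behaviour reported in this issue: only the dataset-level check is applied."""
    return dataset_level_allows(user, dataset_id)

def regressions(cases):
    """Labels of the cases where observed behaviour differs from the documented one."""
    return [label for label, user, dash, ds in cases
            if observed_allows(user, dash, ds) != documented_allows(user, dash, ds)]

gamma = User(roles={"Gamma"})
dash = Dashboard(roles={"Gamma"}, dataset_ids={20})
CASES = [  # constructed cases; datasource 20 is the id from the traceback
    ("role on dashboard, featured dataset 20", gamma, dash, 20),
    ("role on dashboard, dataset not featured", gamma, dash, 99),
    ("dashboard without roles", gamma, Dashboard(dataset_ids={20}), 20),
    ("user lacks the dashboard role", User(roles={"Alpha"}), dash, 20),
]

if __name__ == "__main__":
    print(regressions(CASES))
```

Only the first case diverges, which is the reproduction in this issue; the other three are the deny cases a fix should leave unchanged.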

rusackas (Member) commented

I always CC @dpgaspar when RBAC bugs come up 🤞
