You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/03/29 08:33:57 UTC

[GitHub] [superset] xneg opened a new issue #19405: DASHBOARD_RBAC and ENABLE_ACCESS_REQUEST are incompatible

xneg opened a new issue #19405:
URL: https://github.com/apache/superset/issues/19405


   **Is your feature request related to a problem? Please describe.**
   We want to use role based access for our dashboards but also we want to use granter role so that some group of user (dashboard creators) could give access to their dashboards to other users.
   Now it is impossible cause [endpoint `dashboard`](https://github.com/apache/superset/blob/d304849b46b39bb6a261b735b7ca658962bc31e0/superset/views/core.py#L1942) where a check for `ENABLE_ACCESS_REQUEST` parameter is made has also check decorator `@check_dashboard_access`.
   Inside this decorator there is a check for `DASHBOARD_RBAC`:
   
   ```
   if is_feature_enabled("DASHBOARD_RBAC"):
       try:
           current_app.appbuilder.sm.raise_for_dashboard_access(dashboard)
       except DashboardAccessDeniedError as ex:
           return on_error(self, ex)
       except Exception as exception:
           raise exception
   ```
   So the user's request simply doesn't make it to `ENABLE_ACCESS_REQUEST` and returned with excpetion `You don't have access to this dashboard.`
   
   **Describe the solution you'd like**
   I'm not sure if it will help but maybe we can add additional condition in `check_dashboard_access` [decorator](https://github.com/apache/superset/blob/d304849b46b39bb6a261b735b7ca658962bc31e0/superset/utils/decorators.py#L88) like this
   ```
   if is_feature_enabled("DASHBOARD_RBAC") and not is_feature_enabled("ENABLE_ACCESS_REQUEST"):
   ```
   
   **Describe alternatives you've considered**
   Maybe I didn't understand how RBAC works and if it is compatible with requesting access. But still we need for dashboard creators to grant access to their dashboards to definite group of users and somehow manage this group.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org