You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/02/28 10:31:15 UTC

[GitHub] [superset] rafalpas opened a new issue #18959: DASHBOARD_RBAC does not provide access to datasources used in DARSHBOARD_NATIVE_FILTERS

rafalpas opened a new issue #18959:
URL: https://github.com/apache/superset/issues/18959


   The Dashboard RBAC functionality provides implicit access to datasources used for all charts on a dashboard, so that charts can retrieve underlying data even if user does not have explicit access to datasources. This does not cover Dashboard Native Filters correctly - in case native filter uses a datasource **which is not used by any chart on the dashboard**, the implicit access is not granted and the filter fails to load data.
   
   #### How to reproduce the bug
   1. Create two datasources (A and B) that share a column name ("x") and type, so that it is possible to use filter created on A to filter the B
   2. Create a chart using datasource B
   3. Create a dashboard and add the chart to it
   4. Add a native filter using datasource A and column "x"
   5. Save the dashboard and make it public
   6. Create a role with access rights enough to view dashboards, but with **NO** explicit access to datasources A and B, e.g.
   ![image](https://user-images.githubusercontent.com/2510246/155964913-1bb8a2c9-60a1-46aa-b12c-0b7cd5a6c3d6.png)
   7. Assign this role to the dashboard:
   ![image](https://user-images.githubusercontent.com/2510246/155964957-43b6595a-b1e7-4a91-a2e9-772f0d3946a5.png)
   8. Create a new user account and grant the role to it
   9. Log in using this user account and access the dashboard
   
   ### Expected results
   The native filter is filled with data from datasource A.
   
   ### Actual results
   The native filter is stuck at "No data / Loading..."
   ![image](https://user-images.githubusercontent.com/2510246/155966024-6f81bced-d890-4faa-b9f9-eaa4b5e7dd50.png)
   
   #### Screenshots
   Included in reproduction procedure
   
   ### Environment
   - browser type and version: Microsoft Edge 97.0.1072.69
   - superset version: 1.4.1
   - python version: `python --version`
   - node.js version: `node -v`
   - any feature flags active: DASHBOARD_RBAC, DASHBOARD_NATIVE_FILTERS (both are important for this bug)
   
   ### Checklist
   Make sure to follow these steps before submitting your issue - thank you!
   - [ ] I have checked the superset logs for python stacktraces and included it here as text if there are any.
   - [x] I have reproduced the issue with at least the latest released version of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar.
   
   ### Additional context
   A HTTP403 response to "/api/v1/chart/data" is visible in network logs with the following content
   `{"errors": [{"message": "This endpoint requires the datasource ..., database or\n            `all_datasource_access` permission", "error_type": "DATASOURCE_SECURITY_ACCESS_ERROR", "level": "error", "extra": {"link": "", "datasource": "..."}}]}`
   There is no problem if datasource A is used by any chart on dashboard, only if it is not used by any chart (used solely by the filter).
   There is no problem when using legacy filterboxes (because they are "charts" and thus the implicit access is granted?)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [superset] villebro commented on issue #18959: DASHBOARD_RBAC does not provide access to datasources used in DARSHBOARD_NATIVE_FILTERS

Posted by GitBox <gi...@apache.org>.
villebro commented on issue #18959:
URL: https://github.com/apache/superset/issues/18959#issuecomment-1057940991


   Thanks for reporting @rafalpas ! @amitmiran137 have you run into this problem?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [superset] amitmiran137 commented on issue #18959: DASHBOARD_RBAC does not provide access to datasources used in DARSHBOARD_NATIVE_FILTERS

Posted by GitBox <gi...@apache.org>.
amitmiran137 commented on issue #18959:
URL: https://github.com/apache/superset/issues/18959#issuecomment-1057959447


   we have not turned on native filters yet so no
   but surely we would investigate and see if we can fix the issue 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org