Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2023/01/09 09:44:06 UTC

[GitHub] [superset] giovannipapini-agilelab opened a new issue, #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

giovannipapini-agilelab opened a new issue, #22640:
URL: https://github.com/apache/superset/issues/22640

   `DASHBOARD_RBAC` does not behave as explained in the documentation: it says 'Roles is a list which defines access to the dashboard. Granting a role access to a dashboard will bypass dataset level checks. **If no roles are defined, then the dashboard is available to all roles.**', but instead when I do not assign any role to the dashboard only admins and owners can access it.
   
   #### How to reproduce the bug
   
   1. Feature flag `DASHBOARD_RBAC` set to `True`
   2. Open a published dashboard that has no role assigned as an Alpha-role-assigned user
   
   ### Expected results
   
   The dashboard
   
   ### Actual results
   
   A permission error
   
   #### Screenshots
   
   ![image](https://user-images.githubusercontent.com/98460193/211276806-ac3eb874-f611-4266-9dac-10db9e29e783.png)
   
   
   ### Environment
   
   (please complete the following information):
   
   - browser type and version: both Edge and Firefox
   - superset version: both `1.5` and `2.0`
   - python version: `python --version 3.9`
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
   - [x] I have reproduced the issue with at least the latest released version of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar.
   
   ### Additional context
   
   While investigating the problem I found out that it is possible to access any dashboard with status DRAFT from any user (when the dashboard has no RBAC role assigned).
   
   The problem could probably be here: https://github.com/apache/superset/blob/001100ddf02db7be1ea94a1cac16475d00436b78/superset/security/manager.py#L1994
   
   Indeed, I cannot figure out why the condition should be `or (not dashboard.published and not dashboard.roles)` and not `or (dashboard.published and not dashboard.roles)`.
   
   Is there a case in which a non-admin and non-owner user should view a (not even menu-listed) draft dashboard?
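A constructed Python model of the two conditions discussed in this issue (the one at the linked `manager.py` line and the one the issue proposes), added here as an example and not Superset's own code: it shows which role-less dashboards a user with no matching role can open under each, including the Public-role case raised later in the thread. The `Dashboard`/`User` classes, the `exposed_to` audit helper and all sample names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dashboard:
    # Constructed model, not Superset's ORM object.
    name: str
    published: bool
    roles: frozenset = frozenset()   # roles granted via DASHBOARD_RBAC
    owners: frozenset = frozenset()  # usernames of dashboard owners


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    is_admin: bool = False


def _owner_or_admin(user, dashboard):
    return user.is_admin or user.name in dashboard.owners


def can_access_reported(user, dashboard):
    """Condition as reported at the linked manager.py line:
    ... or (not dashboard.published and not dashboard.roles)."""
    if _owner_or_admin(user, dashboard):
        return True
    if dashboard.roles & user.roles:
        return True  # a role grant bypasses dataset checks, per the docs
    # Bug: a draft with no roles is open to every user, even Public.
    return not dashboard.published and not dashboard.roles


def can_access_proposed(user, dashboard):
    """Condition proposed in the issue (PR #22642):
    ... or (dashboard.published and not dashboard.roles)."""
    if _owner_or_admin(user, dashboard):
        return True
    if dashboard.roles & user.roles:
        return True
    # Drafts stay owner/admin-only; role-less published dashboards open up.
    return dashboard.published and not dashboard.roles


def exposed_to(user, dashboards, check):
    """Audit helper (assumption): dashboards `user` can open under `check`."""
    return sorted(d.name for d in dashboards if check(user, d))


# Constructed sample data.
DASHBOARDS = [
    Dashboard("draft-no-roles", False, owners=frozenset({"giovanni"})),
    Dashboard("published-no-roles", True, owners=frozenset({"giovanni"})),
    Dashboard("published-finance", True, roles=frozenset({"Finance"})),
]
PUBLIC = User("anon", frozenset({"Public"}))
ALPHA = User("alice", frozenset({"Alpha"}))
OWNER = User("giovanni", frozenset({"Alpha"}))
```

Running `exposed_to(PUBLIC, DASHBOARDS, can_access_reported)` lists the role-less draft, which is the exposure the issue describes; under the proposed condition the same audit lists the role-less published dashboard instead, which is the trade-off the thread goes on to debate.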


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] frabenetti commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "frabenetti (via GitHub)" <gi...@apache.org>.
frabenetti commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1427727800

   > @giovannipapini-agilelab Your changes still would not be working. I applied your changes but am still getting no access on the dashboard on the Alpha role without RBAC
   
   I am working with Giovanni; actually, it seems strange since it works for us. Did you change the status of the dashboard to "published", since RBAC, according to the documentation, applies to published dashboards?




[GitHub] [superset] giovannipapini-agilelab commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by GitBox <gi...@apache.org>.
giovannipapini-agilelab commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1375526958

   Just opened a PR to propose a fix: https://github.com/apache/superset/pull/22642




[GitHub] [superset] drummerwolli commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "drummerwolli (via GitHub)" <gi...@apache.org>.
drummerwolli commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1418917227

   possible duplicate of https://github.com/apache/superset/issues/17227 ?




[GitHub] [superset] nicolas-gaillard commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "nicolas-gaillard (via GitHub)" <gi...@apache.org>.
nicolas-gaillard commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1584626387

   Oh awesome, thank you for your quick reply :) 




[GitHub] [superset] giovannipapini-agilelab commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "giovannipapini-agilelab (via GitHub)" <gi...@apache.org>.
giovannipapini-agilelab commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1418941757

   Hi @drummerwolli, yes indeed, but https://github.com/apache/superset/pull/22642 should fix the problem.




[GitHub] [superset] giovannipapini-agilelab commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "giovannipapini-agilelab (via GitHub)" <gi...@apache.org>.
giovannipapini-agilelab commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1584618923

   @nicolas-gaillard it was solved in 2.1




[GitHub] [superset] Rohit-pawar902 commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "Rohit-pawar902 (via GitHub)" <gi...@apache.org>.
Rohit-pawar902 commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1427468440

   @giovannipapini-agilelab Your changes still would not be working. I applied your changes but am still getting no access on the dashboard on the Alpha role without RBAC.




Re: [I] Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk) [superset]

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1947490217

   By most accounts, it sounds like this is closed. Can anyone confirm/deny whether this is still an issue in the currently supported versions (3.x)?




[GitHub] [superset] ivan-price-acted commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "ivan-price-acted (via GitHub)" <gi...@apache.org>.
ivan-price-acted commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1510822601

   Hi there,
   
   100% agree with @sfirke, I'm wondering what the use-case is for allowing global access to datasets (through dashboards) that would otherwise not be visible, just because a dashboard is in draft?
   
   It's certain that our users will occasionally forget to publish dashboards, which leaves us wide open to leaking data, especially because dashboard URLs are so easy to guess!
   
   I feel like I must be missing something somewhere because this seems to be a serious potential security hole for any org using superset for sensitive data, between disparate teams?




[GitHub] [superset] nicolas-gaillard commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "nicolas-gaillard (via GitHub)" <gi...@apache.org>.
nicolas-gaillard commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1584616148

   Hi, is there any new information on this issue? (Whether it's the feature flag not working as expected, or the fact that with the RBAC flag, an unpublished dashboard without a role is accessible using the "Public" role.)
   
   Totally agree with @ivan-price-acted, it looks like a serious potential security issue...




[GitHub] [superset] sfirke commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by "sfirke (via GitHub)" <gi...@apache.org>.
sfirke commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1454061742

   Right now if a dashboard is "draft" status and has no roles, any role can access it, even Public. But if it's published, then Public cannot access it. It looks like PR #22642 would switch this. Would the Public role then be able to access a Published dashboard with no role assigned? Or would it fall back to dataset access?
   
   Falling back to dataset access would be the desirable behavior for me. Otherwise there's always the risk that someone forgets to assign any role to a dashboard and then it's publicly accessible by default. Right now that's the case and it's very sketchy: all Draft-status dashboards with no role assigned are publicly accessible.




[GitHub] [superset] frabenetti commented on issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

Posted by GitBox <gi...@apache.org>.
frabenetti commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1375355087

   I do have the very same issue in version 2.0.1: the RBAC feature flag is enabled and the dashboard is in status "published"; if no role is specified, then when you try to open the dashboard (and you are not the owner or an admin), Superset gives an error message "Unexpected Error: Forbidden".




Re: [I] Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk) [superset]

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas closed issue #22640: Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)
URL: https://github.com/apache/superset/issues/22640




Re: [I] Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk) [superset]

Posted by "ivan-price-acted (via GitHub)" <gi...@apache.org>.
ivan-price-acted commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1948301758

   @rusackas for us this is ok since the 2.1 fix.




Re: [I] Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk) [superset]

Posted by "giacomochiarella (via GitHub)" <gi...@apache.org>.
giacomochiarella commented on issue #22640:
URL: https://github.com/apache/superset/issues/22640#issuecomment-1894468285

   It seems it is still not working on the latest tag Docker image.

