RBAC not working as expected #29823

Open
3 tasks done
Arcelone opened this issue Aug 1, 2024 · 1 comment
Labels
authentication:access-control (Related to access control)

Comments

Arcelone commented Aug 1, 2024

Bug description

RBAC on dashboard is not working as expected.

How to reproduce the bug

  1. Enable the RBAC feature
  2. Create a dashboard (add charts with some data) and keep it as a draft
  3. Add the role "Public" in the role section of the dashboard
  4. Add permissions to the Public role
     (I tried first with this set of perms:
       can dashboard permalink on Superset
       can read on Chart
       can read on Dashboard
       can dashboard on Superset
       can explore json on Superset
       can read on DashboardPermalinkRestApi
       can time range on Api
       can read on CSS template
     and then with all the Gamma permissions)
  5. Copy the permalink
  6. Open a private web browser window
  7. Paste the link

Screenshots/recordings

No response

Superset version

4.0.2

Python version

Not applicable

Node version

Not applicable

Browser

Safari

Additional context

Working with the official prebuilt docker image from tag.

If you don't enable the RBAC feature and add "all datasource access on all_datasource_access" to the Public role, together with the first minimal set of permissions mentioned above, and then try to access the dashboard with the permalink, it works.

So if the RBAC feature works as described and "bypasses dataset level checks", normally the first minimal set of permissions (i.e. without "all datasource access on all_datasource_access", because the objective of enabling the RBAC feature is to avoid granting this perm) is supposed to work.

Logs from the superset_app container:

2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /superset/dashboard/p/olQD6DWLE8k/ HTTP/1.1" 302 219 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /dashboard/list/ HTTP/1.1" 200 50989 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:10 2024-08-01 09:07:10,812:DEBUG:superset.stats_logger:[stats_logger] (incr) DashboardRestApi.info.success
2024-08-01 11:07:10 2024-08-01 09:07:10,812:DEBUG:superset.stats_logger:[stats_logger] (timing) DashboardRestApi.info.time | 39.185575999908906
2024-08-01 11:07:10 2024-08-01 09:07:10,812:WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped
2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /api/v1/dashboard/_info?q=(keys:!(permissions)) HTTP/1.1" 200 42 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:10 2024-08-01 09:07:10,849:DEBUG:superset.stats_logger:[stats_logger] (incr) DashboardRestApi.get_list.success
2024-08-01 11:07:10 2024-08-01 09:07:10,849:DEBUG:superset.stats_logger:[stats_logger] (timing) DashboardRestApi.get_list.time | 82.61035699979402
2024-08-01 11:07:10 2024-08-01 09:07:10,850:WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped
2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /api/v1/dashboard/?q=(order_column:changed_on_delta_humanized,order_direction:desc,page:0,page_size:25) HTTP/1.1" 200 576 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:11 192.168.65.1 - - [01/Aug/2024:09:07:11 +0000] "POST /superset/log/?explode=events HTTP/1.1" 302 317 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:11 192.168.65.1 - - [01/Aug/2024:09:07:11 +0000] "GET /login/?next=http://localhost:8088/superset/log/?explode=events HTTP/1.1" 200 51619 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
dosubot bot added the authentication:access-control (Related to access control) label Aug 1, 2024

dosubot bot commented Aug 1, 2024

The issue you're encountering with RBAC on the Superset dashboard might be due to several factors related to the DASHBOARD_RBAC feature and its configuration. Here are some key points to consider:

  1. Feature Flag: Ensure that the DASHBOARD_RBAC feature flag is enabled. This flag is crucial for the RBAC rules to be enforced correctly.

    DEFAULT_FEATURE_FLAGS = {
        "DASHBOARD_RBAC": True,
        # other feature flags
    }
  2. Dashboard Roles: The DASHBOARD_RBAC logic manages dashboard access through roles and is only applicable if the dashboard has roles set. Ensure that the dashboard has the appropriate roles assigned.

  3. Draft Dashboards: Users with dashboard permissions cannot access draft dashboards even if they have the necessary roles. Ensure that the dashboard is published.

  4. Permissions: The permissions you have set for the "Public" role seem comprehensive. However, ensure that the role has the necessary permissions to view the dashboard and its components. The following permissions are essential:

    • can read on Dashboard
    • can read on Chart
    • can dashboard permalink on Superset
    • can read on DashboardPermalinkRestApi
  5. Public Access: Public users without explicit permissions cannot access dashboards, even if they are published. Ensure that the "Public" role has the necessary permissions.

  6. Logs and Debugging: Utilize Superset's specific error types related to security access to diagnose issues. Look for DASHBOARD_SECURITY_ACCESS_ERROR in the logs to understand why access might be denied.

Here is a sample configuration for superset_config.py:

AUTH_ROLE_PUBLIC = 'Public'
PUBLIC_ROLE_LIKE = "Guest"  # Create a guest role for anonymous view dashboards

DEFAULT_FEATURE_FLAGS = {
    "DASHBOARD_RBAC": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "DASHBOARD_NATIVE_FILTERS": True,
    "DASHBOARD_CROSS_FILTERS": True
}

Ensure that the "Public" role has the following permissions:

  • can read on Dashboard
  • can read on Chart
  • can dashboard permalink on Superset
  • can read on DashboardPermalinkRestApi

If the issue persists, you might want to check the detailed error objects returned by the SupersetSecurityManager class for more insights [1][2].

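As an added example (not Superset's own code), the rules the bot lists in points 1 to 5 written out as one access decision that also reports the reason for a denial; `Dashboard`, `Principal`, `REQUIRED_PERMS` and `dashboard_access` are assumptions of this model, not Superset APIs. Run against the reporter's scenario, the draft state from step 2 is what these rules deny on, before any permission check is reached.

```python
"""Simplified model of the DASHBOARD_RBAC access decision described in the
thread. Added example, not Superset's own code: the dataclasses and the
rule order are assumptions made to illustrate the stated rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dashboard:
    slug: str
    published: bool                 # draft dashboards are not viewable via RBAC
    roles: frozenset = frozenset()  # roles set in the dashboard's "Roles" field


@dataclass(frozen=True)
class Principal:
    roles: frozenset        # e.g. {"Public"} for an anonymous visitor
    permissions: frozenset  # (permission, view_menu) pairs as shown in the UI


# The four permissions the bot calls essential for viewing a dashboard.
REQUIRED_PERMS = frozenset({
    ("can read", "Dashboard"),
    ("can read", "Chart"),
    ("can dashboard permalink", "Superset"),
    ("can read", "DashboardPermalinkRestApi"),
})


def dashboard_access(feature_flags, dashboard, principal):
    """Return (allowed, reason) for a dashboard view under the thread's rules."""
    if not feature_flags.get("DASHBOARD_RBAC", False):
        # Without the flag, dataset-level checks (all_datasource_access etc.)
        # decide; this model does not cover that path.
        return False, "DASHBOARD_RBAC disabled: dataset-level checks apply"
    if not dashboard.roles:
        return False, "dashboard has no roles set: RBAC does not apply"
    if not dashboard.roles & principal.roles:
        return False, "principal holds none of the dashboard's roles"
    if not dashboard.published:
        return False, "dashboard is a draft"
    missing = REQUIRED_PERMS - principal.permissions
    if missing:
        return False, f"role lacks permissions: {sorted(missing)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario mirroring the report: Public role, all perms, draft.
    public = Principal(frozenset({"Public"}), REQUIRED_PERMS)
    draft = Dashboard("sales", published=False, roles=frozenset({"Public"}))
    print(dashboard_access({"DASHBOARD_RBAC": True}, draft, public))
```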