apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

RBAC not working as expected #29823

Open Arcelone opened 3 months ago

Arcelone commented 3 months ago

Bug description

RBAC on dashboard is not working as expected.

How to reproduce the bug

  1. Enable the RBAC feature
  2. Create a dashboard (add charts with some data) and keep it as a draft
  3. Add the role "Public" in the role section of the dashboard
  4. Add permissions to the Public role (I tried first with this set of perms:
    can dashboard permalink on Superset
    can read on Chart
    can read on Dashboard
    can dashboard on Superset
    can explore json on Superset
    can read on DashboardPermalinkRestApi
    can time range on Api
    can read on CSS template

    And then with all the Gamma permissions)

  5. Copy the permalink
  6. Open a private web browser window
  7. Paste the link

Screenshots/recordings

No response

Superset version

4.0.2

Python version

Not applicable

Node version

Not applicable

Browser

Safari

Additional context

Working with the official prebuilt docker image from tag.

If you don't enable the RBAC feature and add "all datasource access on all_datasource_access" to the Public role together with the first minimal set of permissions mentioned above, then try to access it with the permalink, it works.

So if the RBAC feature works as described and "bypasses dataset level checks", normally the 1st minimal set of permissions (so without "all datasource access on all_datasource_access", because the objective of enabling the RBAC feature is to avoid granting this perm) is supposed to work.

Logs from the superset_app container:

2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /superset/dashboard/p/olQD6DWLE8k/ HTTP/1.1" 302 219 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /dashboard/list/ HTTP/1.1" 200 50989 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:10 2024-08-01 09:07:10,812:DEBUG:superset.stats_logger:[stats_logger] (incr) DashboardRestApi.info.success
2024-08-01 11:07:10 2024-08-01 09:07:10,812:DEBUG:superset.stats_logger:[stats_logger] (timing) DashboardRestApi.info.time | 39.185575999908906 
2024-08-01 11:07:10 2024-08-01 09:07:10,812:WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped
2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /api/v1/dashboard/_info?q=(keys:!(permissions)) HTTP/1.1" 200 42 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:10 2024-08-01 09:07:10,849:DEBUG:superset.stats_logger:[stats_logger] (incr) DashboardRestApi.get_list.success
2024-08-01 11:07:10 2024-08-01 09:07:10,849:DEBUG:superset.stats_logger:[stats_logger] (timing) DashboardRestApi.get_list.time | 82.61035699979402 
2024-08-01 11:07:10 2024-08-01 09:07:10,850:WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped
2024-08-01 11:07:10 192.168.65.1 - - [01/Aug/2024:09:07:10 +0000] "GET /api/v1/dashboard/?q=(order_column:changed_on_delta_humanized,order_direction:desc,page:0,page_size:25) HTTP/1.1" 200 576 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:11 192.168.65.1 - - [01/Aug/2024:09:07:11 +0000] "POST /superset/log/?explode=events HTTP/1.1" 302 317 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
2024-08-01 11:07:11 192.168.65.1 - - [01/Aug/2024:09:07:11 +0000] "GET /login/?next=http://localhost:8088/superset/log/?explode%3Devents HTTP/1.1" 200 51619 "http://localhost:8088/dashboard/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"

dosubot[bot] commented 3 months ago

The issue you're encountering with RBAC on the Superset dashboard might be due to several factors related to the DASHBOARD_RBAC feature and its configuration. Here are some key points to consider:

  1. Feature Flag: Ensure that the DASHBOARD_RBAC feature flag is enabled. This flag is crucial for the RBAC rules to be enforced correctly.

    DEFAULT_FEATURE_FLAGS = {
        "DASHBOARD_RBAC": True,
        # other feature flags
    }
  2. Dashboard Roles: The DASHBOARD_RBAC logic manages dashboard access through roles and is only applicable if the dashboard has roles set. Ensure that the dashboard has the appropriate roles assigned.

  3. Draft Dashboards: Users with dashboard permissions cannot access draft dashboards even if they have the necessary roles. Ensure that the dashboard is published.

  4. Permissions: The permissions you have set for the "Public" role seem comprehensive. However, ensure that the role has the necessary permissions to view the dashboard and its components. The following permissions are essential:

    • can read on Dashboard
    • can read on Chart
    • can dashboard permalink on Superset
    • can read on DashboardPermalinkRestApi
  5. Public Access: Public users without explicit permissions cannot access dashboards, even if they are published. Ensure that the "Public" role has the necessary permissions.

  6. Logs and Debugging: Utilize Superset's specific error types related to security access to diagnose issues. Look for DASHBOARD_SECURITY_ACCESS_ERROR in the logs to understand why access might be denied.

Here is a sample configuration for superset_config.py:

AUTH_ROLE_PUBLIC = 'Public'
PUBLIC_ROLE_LIKE = "Guest"  # Create a guest role for anonymous view dashboards

DEFAULT_FEATURE_FLAGS = {
    "DASHBOARD_RBAC": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "DASHBOARD_NATIVE_FILTERS": True,
    "DASHBOARD_CROSS_FILTERS": True
}

Ensure that the "Public" role has the following permissions:

If the issue persists, you might want to check the detailed error objects returned by the SupersetSecurityManager class for more insights [1][2].

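Added example, not code from this issue or from Superset itself: a small Python model of the access rules the two comments above describe (with DASHBOARD_RBAC on, a matching dashboard role grants access only to a published dashboard; otherwise dataset-level permissions decide), replayed over the reporter's steps with constructed users and dashboards. The rule set, class names and sample data are assumptions for illustration; Superset's own SupersetSecurityManager remains the authority on the real decision.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dashboard:
    published: bool                       # a draft dashboard has published=False
    roles: frozenset = frozenset()        # roles set in the dashboard's "Roles" field
    owners: frozenset = frozenset()       # usernames listed as owners
    datasources: frozenset = frozenset()  # datasources behind the dashboard's charts

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()
    # datasource permissions carried by the user's roles, e.g. "all_datasource_access"
    datasource_access: frozenset = frozenset()

def can_access_datasource(user, datasource):
    return ("all_datasource_access" in user.datasource_access
            or datasource in user.datasource_access)

def can_access_dashboard(user, dash, dashboard_rbac):
    """Model of the rules stated in the thread (assumption, not Superset's code)."""
    if "Admin" in user.roles or user.name in dash.owners:
        return True
    if dashboard_rbac and dash.roles:
        # RBAC path: a matching dashboard role bypasses dataset-level checks,
        # but only once the dashboard is published (draft -> no access)
        return dash.published and bool(dash.roles & user.roles)
    # Without RBAC (or with no dashboard roles) every datasource must be granted
    return all(can_access_datasource(user, ds) for ds in dash.datasources)

def replay_report():
    """Replay the cases from the report over constructed sample data."""
    public = User("anonymous", roles=frozenset({"Public"}))
    public_all_ds = User("anonymous", roles=frozenset({"Public"}),
                         datasource_access=frozenset({"all_datasource_access"}))
    draft = Dashboard(published=False, roles=frozenset({"Public"}),
                      datasources=frozenset({"sales"}))
    live = Dashboard(published=True, roles=frozenset({"Public"}),
                     datasources=frozenset({"sales"}))
    return {
        "rbac_draft_public_role": can_access_dashboard(public, draft, True),
        "rbac_published_public_role": can_access_dashboard(public, live, True),
        "no_rbac_all_datasource_access": can_access_dashboard(public_all_ds, draft, False),
        "no_rbac_minimal_perms": can_access_dashboard(public, draft, False),
    }
```

The first case is the report's exact setup and is denied in this model, matching the 302 to the login page in the logs; publishing the dashboard is what flips it to allowed without granting all_datasource_access.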