Cannot use drill-by/drill-to in embedded mode without can explore on Superset permission #25630

Closed
3 tasks done
Truffula opened this issue Oct 13, 2023 · 10 comments · Fixed by #27029

@Truffula
When a dashboard is accessed using the embedding UI, the Drill By/Drill to Detail functions in the right click menu and chart menu are only available if the guest user Role has the can explore on Superset permission. However, this permission also enables heading links to the Explore screen, along with other chart menu options which are not desirable in an embedded chart, e.g.:

  • View Query
  • Edit Chart

If the user does have can explore on Superset but lacks the can samples on Datasource permission, the Drill to detail [by] menu items appear but the data cannot be loaded.

How to reproduce the bug

  1. Set up an embedded dashboard, with a chart such as a Pie Chart that has drill functionality.
  2. Give the guest user Role can explore on Superset permission.
  3. Load the embedded dashboard.
  4. Right click on the chart.

Expected results

Given some other permission applied to the guest user (I'm unsure which one is appropriate, or if a new one is needed), and given they don't have can explore on Superset:

  • You can use the drill functions in the right click and chart menu. If the user does not have can samples on Datasource permission, Drill to detail and Drill to detail by will not appear in the menu.
  • You cannot click on the header of the chart (it's not a link).
  • Edit Chart and View Query will not appear in the menu.

Actual results

  • You can use the drill functions in the menu. If the user does not have can samples on Datasource permission, opening Drill to detail or Drill to detail by will display the error "Error: Access is Denied".
  • You can click on the header of the chart, which will take you to a blank page
  • You can open the chart menu and Edit Chart, which will take you to a blank page
  • You can open the chart menu and View Query successfully


Environment


  • browser type and version: Google Chrome Version 117.0.5938.149 (Official Build) (x86_64)
  • superset version: 3.0.0
  • python version: 3.9.1
  • node.js version: v16.9.1
  • any feature flags active:
    • ALERT_REPORTS
    • EMBEDDED_SUPERSET
    • HORIZONTAL_FILTER_BAR
    • DASHBOARD_CROSS_FILTERS
    • DRILL_TO_DETAIL
    • DRILL_BY
    • ENABLE_TEMPLATE_PROCESSING

Checklist


  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

The files in which the permissions are checked and need updating are:

  • ChartContextMenu.tsx
  • SliceHeaderControls/index.tsx
  • SliceHeader/index.tsx
@Truffula (Author)

I've seen a suggestion in Slack that can explore on Superset is the appropriate permission — that doesn't fix it (that permission isn't referenced in the relevant files) and I'm not sure whether it is the right permission to check.

@cwegener (Contributor)

I may have mentioned the incorrect permission in that old Slack thread. Link

What is actually needed is:

  • can read on Explore
  • can samples on Datasource
  • can explore json on Superset (I'm not 100% sure if that one is actually needed for drill by)

can explore on Superset is not needed at all and it does have the unintended side-effects you describe.

@ggam commented Oct 20, 2023

Getting the correct permissions for using embedded is indeed very difficult and hard to maintain. As of now, not even the Gamma role contains all the needed permissions.

The best solution would probably be to have a new standard "Embedded" role that one can use as a base.

@Truffula (Author)

As best I can work out, this is the bare minimum list for an embedded dashboard with Drill By (currently), which I've applied to my Guest user:

can read on Dashboard
can read on Chart
can read on DashboardFilterStateRestApi
can write on DashboardFilterStateRestApi
can time range on Api
can samples on Datasource
all datasource access on all_datasource_access*
can explore on Superset**
can fetch datasource metadata on Superset
can read on Dataset

*I think this needs a fix, should work with specified datasets, though I'm not sure if guest tokens restrict the datasets or leave it open to all
**to address under this bug, should work with can read on Explore

@cwegener you're right, can explore Json on Superset doesn't seem to be needed.
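The permission labels in lists like the one above are how the Superset UI renders Flask-AppBuilder (permission, view menu) pairs, and typing them into a role by hand is where most of the "I added everything and it still fails" reports in this thread come from. The following is an added example, not code from the Superset project or from anyone in this thread: it parses such a list, reports which pairs a role lacks, and grants the gap through the FAB security-manager methods find_role, find_permission_view_menu and add_permission_role, which Superset's security manager inherits (run apply_missing from `superset shell` with `from superset import security_manager`). The guest role, the stand-in security manager and the choice of can_samples on Datasource as a pair the instance does not define are constructed for the offline demo.

```python
"""Check a Superset role against a required-permission list.

Added example, not code from the Superset project or from this thread.
Parses permission labels in the "<permission> on <view menu>" form shown
in the Superset UI, reports which pairs a role lacks, and grants the gap
through the Flask-AppBuilder security-manager methods find_role,
find_permission_view_menu and add_permission_role (inherited by Superset's
security manager). Everything under "stand-ins" below is constructed.
"""
from __future__ import annotations

from types import SimpleNamespace

# Truffula's list from the thread, as the UI prints it.
EMBEDDED_DRILL_BY_PERMISSIONS = """
can read on Dashboard
can read on Chart
can read on DashboardFilterStateRestApi
can write on DashboardFilterStateRestApi
can time range on Api
can samples on Datasource
all datasource access on all_datasource_access
can explore on Superset
can fetch datasource metadata on Superset
can read on Dataset
"""


def parse_permission(label: str) -> tuple[str, str]:
    """'can samples on Datasource' -> ('can_samples', 'Datasource').

    FAB stores the permission name with underscores and the view menu
    verbatim; the UI shows the permission with spaces. Split on the last
    ' on ' so a permission phrase containing ' on ' still parses.
    """
    label = " ".join(label.split())
    if " on " not in label:
        raise ValueError(f"not a '<permission> on <view menu>' label: {label!r}")
    perm, view = label.rsplit(" on ", 1)
    return perm.replace(" ", "_"), view


def parse_permission_list(text: str) -> list[tuple[str, str]]:
    return [parse_permission(line) for line in text.splitlines() if line.strip()]


def missing_permissions(role, required) -> list[tuple[str, str]]:
    """Pairs in `required` absent from a FAB Role's PermissionView rows."""
    have = {(pv.permission.name, pv.view_menu.name) for pv in role.permissions}
    return [pair for pair in required if pair not in have]


def apply_missing(security_manager, role_name: str, required) -> list[tuple[str, str]]:
    """Grant each missing pair to the role. Returns the pairs this instance
    does not define at all (a typo, or a permission your version lacks), so
    they are reported instead of silently staying ungranted."""
    role = security_manager.find_role(role_name)
    if role is None:
        raise LookupError(f"role {role_name!r} not found")
    not_defined = []
    for perm, view in missing_permissions(role, required):
        pvm = security_manager.find_permission_view_menu(perm, view)
        if pvm is None:
            not_defined.append((perm, view))
            continue
        security_manager.add_permission_role(role, pvm)
    return not_defined


# --- stand-ins so the demo runs offline; shaped like FAB's Role/PermissionView ---

def _pvm(perm: str, view: str) -> SimpleNamespace:
    return SimpleNamespace(permission=SimpleNamespace(name=perm),
                           view_menu=SimpleNamespace(name=view))


class _FakeSecurityManager:
    """Only the three FAB methods apply_missing relies on."""
    def __init__(self, roles, defined_pairs):
        self._roles = {r.name: r for r in roles}
        self._pvms = {pair: _pvm(*pair) for pair in defined_pairs}
    def find_role(self, name):
        return self._roles.get(name)
    def find_permission_view_menu(self, perm, view):
        return self._pvms.get((perm, view))
    def add_permission_role(self, role, pvm):
        if pvm not in role.permissions:
            role.permissions.append(pvm)


def demo_role_gap():
    """Constructed guest role holding only the two read permissions, on an
    instance that defines every required pair except can_samples on Datasource."""
    required = parse_permission_list(EMBEDDED_DRILL_BY_PERMISSIONS)
    guest = SimpleNamespace(name="EmbeddedGuest",
                            permissions=[_pvm("can_read", "Dashboard"), _pvm("can_read", "Chart")])
    sm = _FakeSecurityManager([guest], [p for p in required if p != ("can_samples", "Datasource")])
    before = missing_permissions(guest, required)
    not_defined = apply_missing(sm, "EmbeddedGuest", required)
    after = missing_permissions(guest, required)
    return before, not_defined, after
```

Against a real instance, replace the stand-in with `security_manager` from `superset shell` and commit the session afterwards as you normally would; a non-empty return from apply_missing is the list to double-check for typos or version differences before assuming the role is complete.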

@justin-tomlinson

I'm still struggling with the above as well. Our primary use case is embedded and we want to enable the Drill By and Drill to Detail options, as it changes the way we design dashboards. We are still back on v2.1.1 but assume things haven't changed on 3.x. I've also noticed the cross filter scoping option is available with the above permissions. The user cannot change them, but it's confusing as an option that seems available to the end user.

@Purush0th

I've added all these permissions along with Public + Gamma.

can read on Dashboard
can read on Chart
can read on DashboardFilterStateRestApi
can write on DashboardFilterStateRestApi
can time range on Api
can samples on Datasource
all datasource access on all_datasource_access
can explore on Superset
can fetch datasource metadata on Superset
can read on Dataset

But drill-down is not working with embedded.


Request:

POST https://example.com/datasource/samples?force=false&datasource_type=table&datasource_id=31&per_page=50&page=1 HTTP/1.1
Host: example.com
Content-Type: application/json
Accept: application/json
X-GuestToken: XXXXX
X-CSRFToken: XXXX
sec-ch-ua-platform: "Windows"

Response:

HTTP/1.1 400 BAD REQUEST
Set-Cookie: session=eyJsb2NhbGUiOiJlbiJ9.ZYO_Zg.bTH-mcPMi1WMQbBfkCGF8AyJMJI; HttpOnly; Path=/; SameSite=Lax
{"errors": [{"message": "400 Bad Request: The CSRF session token is missing.", "error_type": "GENERIC_BACKEND_ERROR", "level": "error", "extra": {"issue_codes": [{"code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error."}]}}]}

Could you tell what went wrong?

@cwegener (Contributor)

Response:

HTTP/1.1 400 BAD REQUEST
Set-Cookie: session=eyJsb2NhbGUiOiJlbiJ9.ZYO_Zg.bTH-mcPMi1WMQbBfkCGF8AyJMJI; HttpOnly; Path=/; SameSite=Lax
{"errors": [{"message": "400 Bad Request: The CSRF session token is missing.", "error_type": "GENERIC_BACKEND_ERROR", "level": "error", "extra": {"issue_codes": [{"code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error."}]}}]}

That might be some new regression. At first glance your request should be allowed...

@Purush0th commented Dec 21, 2023

Hi @cwegener
We are using 3.0.2. Also, to generate the guest token from the backend I'm creating a CSRF token, which returns a Set-Cookie response. But I'm not returning the CSRF token to the embedded SDK, only the guest token.

Could that be problem?

const axios = require('axios');

// Assumed to be defined elsewhere in the original snippet. For the URLs below to
// resolve it has to end in /api/v1 (e.g. https://superset.example/api/v1).
const supersetBaseUrl = process.env.SUPERSET_BASE_URL;

async function getCsrfToken() {
  const response = await axios.request({
    method: 'get',
    url: `${supersetBaseUrl}/security/csrf_token/`
  });
  console.log(response.headers);

  // Flask-WTF validates the X-CSRFToken header against the token stored in the
  // session that issued it, so the session cookie from this response has to
  // travel with the token on the next request; without it the server answers
  // "The CSRF session token is missing".
  const cookieName = 'session';
  const sessionCookie = (response.headers['set-cookie'] || [])
    .find(cookie => cookie.startsWith(`${cookieName}=`))
    ?.match(new RegExp(`^${cookieName}=(.+?);`))
    ?.[1];

  // FAB wraps the token as {"result": "<token>"}; return the token itself.
  return [response.data.result, sessionCookie];
}

async function getGuestToken(user, dashboardId, appToken, csrfToken, sessionCookie) {
  console.log(sessionCookie, csrfToken);
  const data = JSON.stringify({
    user: user,
    resources: [
      {
        type: 'dashboard',
        id: dashboardId
      }
    ],
    rls: []
  });

  const config = {
    method: 'post',
    url: `${supersetBaseUrl}/security/guest_token/`,
    headers: {
      'X-CSRFToken': csrfToken,
      'Authorization': 'Bearer ' + appToken,
      'Content-Type': 'application/json',
      'Cookie': 'session=' + sessionCookie
    },
    withCredentials: true,
    data: data
  };

  try {
    const response = await axios.request(config);
    return response.data;
  } catch (error) {
    // Returning "" here hid every failure; surface the status and body and rethrow.
    console.error('guest_token request failed:', error.response?.status, error.response?.data);
    throw error;
  }
}
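What the guest token handed to the embedded SDK actually carries can be checked offline, which is useful both for the question raised earlier in the thread about whether guest tokens restrict datasets and for confirming the backend above is minting what you expect. The following is an added example, neither Superset's own code nor Purush0th's: it mints a token of the same shape with the standard library, verifies the HS256 signature, expiry, audience and type the way a consumer should, and summarises the grant. Superset signs guest tokens with GUEST_TOKEN_JWT_SECRET (HS256 unless GUEST_TOKEN_JWT_ALGO says otherwise); the claim layout used here (user, resources, rls_rules, iat, exp, aud, type="guest") and the audience string are my understanding of the 3.x token and an assumption to check against your version. The secret, username and dashboard UUID are constructed.

```python
"""Mint, verify and summarize a Superset-style guest token offline.

Added example, not code from Superset or from this thread. The claim names
(user, resources, rls_rules, iat, exp, aud, type="guest") and AUDIENCE are
assumptions about the 3.x token layout; secret, user and dashboard UUID in
demo_guest_token() are constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed; Superset derives the real value from GUEST_TOKEN_JWT_AUDIENCE (assumption).
AUDIENCE = "superset"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return _b64url(mac.digest())


def mint_guest_token(secret, user, dashboard_uuids, rls_rules, now, exp_seconds=300):
    """Build a token of the shape the backend hands to the embedded SDK."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "user": user,
        "resources": [{"type": "dashboard", "id": u} for u in dashboard_uuids],
        "rls_rules": rls_rules,
        "iat": now,
        "exp": now + exp_seconds,
        "aud": AUDIENCE,
        "type": "guest",
    }
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return f"{signing_input}.{_sign(signing_input, secret)}"


def verify_guest_token(token, secret, now):
    """Return the claims, or raise ValueError on the first failing check."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a three-part JWT") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not hmac.compare_digest(_sign(f"{h}.{p}", secret), s):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("type") != "guest":
        raise ValueError("not a guest token")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def is_valid(token, secret, now) -> bool:
    try:
        verify_guest_token(token, secret, now)
        return True
    except ValueError:
        return False


def summarize(claims, now):
    """What the token grants: dashboards by embedded UUID, plus RLS rules.
    It names no datasets, so which datasets a guest may query is not something
    the token itself answers."""
    return {
        "username": claims["user"].get("username"),
        "dashboards": [r["id"] for r in claims["resources"] if r["type"] == "dashboard"],
        "rls_rule_count": len(claims.get("rls_rules", [])),
        "seconds_left": claims["exp"] - now,
    }


def demo_guest_token():
    """Constructed secret, user and embedded-dashboard UUID; returns the summary
    plus whether a tampered signature and an expired token are accepted."""
    secret = "constructed-demo-secret-do-not-reuse"
    now = 1_700_000_000
    token = mint_guest_token(secret, {"username": "guest-42"},
                             ["e9f3c2b1-0000-4000-8000-000000000001"], [], now)
    summary = summarize(verify_guest_token(token, secret, now + 10), now + 10)
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")
    return summary, is_valid(tampered, secret, now + 10), is_valid(token, secret, now + 600)
```

To inspect a token your own backend produced, pass it and your GUEST_TOKEN_JWT_SECRET to verify_guest_token; a "bad signature" on a token that Superset accepts means the algorithm or claim layout differs from the assumptions above and the check needs adjusting for your version.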

@Purush0th

Any fix for this?

@gpchandran commented Jan 19, 2024

update:
Hi All, I'm using Superset 3.1.0. From the embedded dashboard, both Drill By and Drill to Detail are not working. Is any workaround or fix available for this issue?

Seems not related to a role/permission issue; for debugging I tried the Admin role for the embed guest user, and it didn't work. This requires a fix.

@Purush0th @ggam @Truffula - did you get this working? please advise if any workaround or fixes?
