fix: Dashboard aware RBAC dataset permission #24789
Conversation
Codecov Report
@@ Coverage Diff @@
## master #24789 +/- ##
==========================================
- Coverage 68.99% 68.99% -0.01%
==========================================
Files 1906 1906
Lines 74133 74122 -11
Branches 8208 8208
==========================================
- Hits 51151 51140 -11
Misses 20859 20859
Partials 2123 2123
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 1 file with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
john-bodley
force-pushed
the
john-bodley--fix-24782-raise-for-access
branch
2 times, most recently
from
3c93b96
to
a1f351f
Compare
| mock_can_access.return_value = False | ||
| mock_can_access_schema.return_value = False | ||
| mock_is_owner.return_value = False | ||
|
|
||
| with self.assertRaises(SupersetSecurityException): | ||
| security_manager.raise_for_access(viz=test_viz) | ||
|
|
||
| @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices") |
There was a problem hiding this comment.
I'm not sure this is needed, i.e., test_get_dashboard_view__user_access_with_dashboard_permission might be suffice.
| @@ -191,7 +190,7 @@ def test_get_dashboard_view__user_access_with_dashboard_permission(self): | |||
|
|
|||
| request_payload = get_query_context("birth_names") | |||
| rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data") | |||
| self.assertEqual(rv.status_code, 200) | |||
| self.assertEqual(rv.status_code, 403) | |||
There was a problem hiding this comment.
This test (alongside others) was failing after the change which likely indicates that either i) RBAC was supposed to expand beyond the scope/context of the dashboard (and thus my understanding of said issue was misconstrued), or ii) was a mistake.
john-bodley
added
the
v3.0
john-bodley
force-pushed
the
john-bodley--fix-24782-raise-for-access
branch
from
a1f351f
to
71366fa
Compare
| @@ -159,41 +159,6 @@ def test_has_guest_access__unauthorized_guest_user__different_resource_type(self | |||
| has_guest_access = security_manager.has_guest_access(self.dash) | |||
| self.assertFalse(has_guest_access) | |||
|
|
|||
| def test_chart_raise_for_access_as_guest(self): | |||
There was a problem hiding this comment.
Conditional on my logic being correct, these tests are now superfluous as the irrespective of whether a guest is authorized or not, they don't have access to the chart, dataset, etc. unless it's in the context of RBAC. The logic previously outlined here condenses to the same logic which is defined in the security_tests.py.
john-bodley
changed the title
john-bodley
changed the title
john-bodley
force-pushed
the
john-bodley--fix-24782-raise-for-access
branch
from
71366fa
to
95356d1
Compare
|
@john-bodley @Vitor-Avila did a fix in #24808 giving access to datasets that power native filters, when using Dashboard RBAC. Can we include his changes here, or would that use case already work with your changes? |
|
Thanks @betodealmeida for sharing @Vitor-Avila's PR. Initially I can't say whether this change will resolve said issue as it's not apparent where (and with what arguments) the @Vitor-Avila would you mind using my branch to test your issue? Note assuming the approach outlined in this PR is correct (@villebro it's probably the definitive expert on this) and it doesn't address @Vitor-Avila's issue, I do sense the right solution there is make sure that the access for native filters is akin to that of dashboard charts. Personally I'm a tad worried about the Additionally at Airbnb we use a completely different security model—access is purely defined at the dataset level—and thus I struggle to grok what the logic should be, i.e., I likely lack the necessary context. |
|
hey @john-bodley, thanks for the quick response! My PR was actually not created with the I'll test if my issue is also addressed with your branch and report back -- thank you! 🙏 |
|
Thanks @Vitor-Avila for confirming. I thought that might be the case as the dashboard information is likely lacking from the form-data when the native dashboard filter datasource check is happening. #24804 is simply a refactor and thus wouldn't change anything. The challenge with the RBAC feature is opening up access only in the context of a dashboard. Furthermore I sense there's could be flaw with the model, i.e., a Gamma user (who has been granted access to a dashboard) could likely have broader access than an owner as it pertains to how access is determined for the datasets within the dashboard which are driving the native filters and charts. Again I need to provide a caveat with everything I say as I'm not overly familiar with how chart etc. access is defined. |
|
@john-bodley sorry I mis-read #24804 and thought you were re-adding the logic for In my previous test, I had only checked the issue I'm trying to fix for embedded users, but I just tried with the Not sure if we can keep the |
|
@Vitor-Avila I think we likely need to take a pause on this for now until collectively the community can agree on how the dashboard RBAC are supposed to work. Hopefully this can happen sometime next week once some of the Apache Superset committers who are well versed in this space are back online. The challenge otherwise is we could find ourselves playing whack-a-mole with trying to fix issues whilst simultaneously creating other ones. Taking a more holistic (30,000') view of problem will likely help everyone better grok the intention and thus what access controls are required. |
|
sure, that makes sense! It could also be a good opportunity to revisit if both flows ( |
| form_data | ||
| and (dashboard_id := form_data.get("dashboardId")) | ||
| and (dashboard := DashboardDAO.find_by_id(dashboard_id)) | ||
| and self.can_access_dashboard(dashboard) |
There was a problem hiding this comment.
I'm not too familiar with this feature either, but just noticed that the previous version checks for datasource access and the new one checks for dashboard access only. Is that what we want?
There was a problem hiding this comment.
@eschutho the logic is as follows. If you don't have explicit access to dataset you then fallback to the form-data of either the visualization or query-context to try to decipher the context. If it's in the context of a dashboard, i.e., you're viewing a chart in a dashboard, one checks whether you have access to the dashboard—per the can_access_dashboard method.
There was a problem hiding this comment.
Do we need to check that the purported chart whose data is being loaded actually exists on the dashboard?
|
@john-bodley are you ok with us merging #24808 while we wait for more feedback on RBAC for this PR? @Vitor-Avila's PR isn't for the DASHBOARD_RBAC flag specifically. |
john-bodley
force-pushed
the
john-bodley--fix-24782-raise-for-access
branch
from
0ce3494
to
c1f8acb
Compare
john-bodley
force-pushed
the
john-bodley--fix-24782-raise-for-access
branch
from
c1f8acb
to
a80cced
Compare
john-bodley
added
the
v3.0
(cherry picked from commit 7397ab3)
This reverts commit 7397ab3.
|
@john-bodley I discovered that this PR introduces a security issue that can allow any user to get data from any datasource. I've opened #24996 to revert this, see the PR description there for more details |
This reverts commit 7397ab3.
mistercrunch
added
🍒 3.0.0
🍒 3.0.1
🍒 3.0.2
🍒 3.0.3
🍒 3.0.4
🏷️ bot
SUMMARY
This PR (alongside #24806) fixes #24782.
Previously users were granted access to a dataset/chart associated with a dashboard (per the RBAC dashboard roles) however it wasn't context aware, i.e., access was granted irrespective of the context of the request. Specifically this PR ensures that role based dashboard access only occurs within the confines of a dashboard.
TESTING INSTRUCTIONS
Added unit tests.
BEFORE
AFTER
ADDITIONAL INFORMATION
cc: @mdeshmu @sfirke