Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk) #22640
Comments
I do have the very same issue in version 2.0.1: if RBAC is enabled and the dashboard is in status "published", and no role is specified, then when you try to open the dashboard (and you are not the owner or an admin), Superset gives an error message "Unexpected Error: Forbidden".
Just opened a PR to propose a fix: #22642
Possible duplicate of #17227?
Hi @drummerwolli, yes indeed, but #22642 should fix the problem.
@giovannipapini-agilelab Your changes still would not be working. I applied your changes but am still getting no access on the dashboard.
I am working with Giovanni; actually it seems strange, since it works for us. Did you change the status of the dashboard to "published"? RBAC, according to the documentation, applies to published dashboards.
Right now if a dashboard is in "draft" status and has no roles, any role can access it, even Public. But if it's published, then Public cannot access it. It looks like PR #22642 would reverse this. Would the Public role then be able to access a published dashboard with no role assigned? Or would it fall back to dataset access? Falling back to dataset access would be the desirable behavior for me. Otherwise there's always the risk that someone forgets to assign any role to a dashboard and then it's publicly accessible by default. Right now that's the case and it's very sketchy: all draft-status dashboards with no role assigned are publicly accessible.
Hi there, 100% agree with @sfirke. I'm wondering what the use case is for allowing global access to datasets (through dashboards) that would otherwise not be visible, just because a dashboard is in draft? It's certain that our users will occasionally forget to publish dashboards, which leaves us wide open to leaking data, especially because dashboard URLs are so easy to guess! I feel like I must be missing something somewhere, because this seems to be a serious potential security hole for any org using Superset for sensitive data between disparate teams?
Hi, is there any new information on this issue? (Whether it's the feature flag not working as expected, or the fact that with the RBAC flag, an unpublished dashboard without a role is accessible using the "Public" role.) Totally agree with @ivan-price-acted, it looks like a serious potential security issue...
@nicolas-gaillard it was solved in 2.1 |
Oh awesome, thank you for your quick reply! But if it's the PR #23586 it doesn't seem to be available yet, right? |
It seems it is still not working on the latest tag Docker image.
By most accounts, it sounds like this is closed. Can anyone confirm/deny whether this is still an issue in the currently supported versions (3.x)?
@rusackas for us this is OK since the 2.1 fix... many thanks!
DASHBOARD_RBAC does not behave as explained in the documentation. It says: 'Roles is a list which defines access to the dashboard. Granting a role access to a dashboard will bypass dataset level checks. If no roles are defined, then the dashboard is available to all roles.' Instead, when I do not assign any role to the dashboard, only admins and owners can access it.
How to reproduce the bug
Set DASHBOARD_RBAC to True
Expected results
The dashboard
Actual results
A permission error
Screenshots
Environment (please complete the following information):
superset version: 1.5 and 2.0
python version (python --version): 3.9
Additional context
While investigating the problem I found out that it is possible to access any dashboard with status DRAFT from any user (when the dashboard has no RBAC role assigned).
The problem could probably be here:
superset/superset/security/manager.py
Line 1994 in 001100d
Indeed, I cannot figure out why the condition should be
or (not dashboard.published and not dashboard.roles)
and not
or (dashboard.published and not dashboard.roles)
Is there a case in which a non-admin and non-owner user should view a (not even menu-listed) draft dashboard?
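As an added illustration (not Superset's own code, nor the code from the linked PR), here is a simplified Python model of the access decision that the quoted condition encodes, plus an audit helper that lists which dashboards a given role can open under the current condition and under the swapped condition discussed above. The Dashboard and User classes and the sample dashboards are constructed for the example.

```python
# Added example, not Superset's code: simplified model of the dashboard access
# decision from this issue, to show what the Public role can reach in each variant.
from dataclasses import dataclass, field


@dataclass
class Dashboard:
    title: str
    published: bool
    roles: set[str] = field(default_factory=set)   # RBAC roles granted access
    owners: set[str] = field(default_factory=set)  # user names who own it


@dataclass
class User:
    name: str
    roles: set[str]


def can_access(dash: Dashboard, user: User, rbac: bool = True, fixed: bool = False) -> bool:
    """Mirror the structure of the condition quoted in the issue (simplified).

    fixed=False: current behaviour, a draft dashboard with no roles is open to everyone.
    fixed=True:  the swapped condition, only published no-role dashboards are open.
    """
    if "Admin" in user.roles or user.name in dash.owners:
        return True
    role_match = (not rbac) or bool(dash.roles & user.roles)
    if dash.published and role_match:
        return True
    if fixed:
        return dash.published and not dash.roles
    return (not dash.published) and not dash.roles


def exposed_to(user: User, dashboards: list[Dashboard], fixed: bool = False) -> list[str]:
    """Audit helper: titles of the dashboards the given user can open."""
    return [d.title for d in dashboards if can_access(d, user, fixed=fixed)]


# Constructed sample data: an anonymous visitor holding only the Public role.
PUBLIC = User("anonymous", {"Public"})
DASHBOARDS = [
    Dashboard("Sales (draft, no roles)", published=False),
    Dashboard("HR (published, no roles)", published=True),
    Dashboard("Finance (published, Finance role)", published=True, roles={"Finance"}),
]
```

Calling exposed_to(PUBLIC, DASHBOARDS) returns only the draft dashboard under the current condition, and only the published no-role dashboard with fixed=True.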