-
Notifications
You must be signed in to change notification settings - Fork 13.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(dashboard-rbac): use normal rbac when no roles chosen #23586
Conversation
Codecov Report
@@ Coverage Diff @@
## master #23586 +/- ##
==========================================
+ Coverage 67.72% 67.73% +0.01%
==========================================
Files 1916 1918 +2
Lines 74029 74067 +38
Branches 8040 8040
==========================================
+ Hits 50135 50172 +37
- Misses 21846 21847 +1
Partials 2048 2048
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
datasource_type=DatasourceType(datasource.type), | ||
datasource_id=datasource.id, | ||
session=db.session(), | ||
has_access_ = False |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@villebro can all this logic reside in the security manager? The issue is having security logic outside of the security manager adds complexity if you have custom logic in your security manager which grants everyone access to view the dashboard but block at the chart level if you don't have access to the underlying dataset.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, it would probably make sense to have this in the security manager. However, in the scope of this PR I decided not to change the existing logic.
f"/superset/request_access/?dashboard_id={dashboard.id}" | ||
) | ||
|
||
if has_access_: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we break after confirming that they have access to at least one as opposed to all datasets?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Answering both this and the previous question here:
- The logic for reloading the datasets is to check if the user has access to at least one dataset on the dashboard. AFAIK, this is how regular dashboard RBAC (not the feature flag!) works - if you have access to at least one dataset on the dashboard, you are permitted to view the dashboard. Therefore, we break after confirming that the user is able to access at least one dataset. If we want to change this logic we need to also change the base filter that chooses which dashboards to display on the list view.
- The datasets are reloaded in the block above to check individually if the user has access to them or not. This check was previously only done if
ENABLE_ACCESS_REQUEST
was enabled - if not, the user would get an obscure React error (when linking from the dashboard page) or a while page with some unformatted text indicating that the user doesn't have access to the dashboard (direct link). Now the user is redirected to the list view with a toast, like we do for other similar access denied errors.
session=db.session(), | ||
has_access_ = False | ||
for datasource in dashboard.datasources: | ||
datasource = DatasourceDAO.get_datasource( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are the datasets reloaded?
…ache#23586)" This reverts commit a823033.
(cherry picked from commit a823033)
(cherry picked from commit a823033)
(cherry picked from commit a823033)
(cherry picked from commit a823033)
SUMMARY
Currently it's impossible to use the normal RBAC model when the Dashboard RBAC feature flag is enabled. This is contrary to the description, which on one hand states that when the FF is enabled and no roles are chosen, ALL datasets are accessible, and on the other hand states that regular dataset perms apply.
With these changes, the logic is as follows:
In addition, tests are added, and the documentation is aligned with how the feature actually works.
In addition, when trying to access a dashboard the user didn't have access to, they would either be greeted by one of the following:
Regular RBAC:
Dashboard RBAC:
Now they get redirected to the main page with the following toast:
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION