[dashboard-rbac] Support Fallback to dataset permissions even when ff is on #17227

Closed
kamalkeshavani-aiinside opened this issue Oct 26, 2021 · 14 comments
Labels
#bug Bug report v1.5 validation:required A committer should validate the issue

Comments

@kamalkeshavani-aiinside
Contributor

Is your feature request related to a problem? Please describe.
With the 'DASHBOARD_RBAC' ff on, when I don’t assign any role in the dashboard props but the role has access to the required dataset, I still get this error: You don't have access to this dashboard.

Describe the solution you'd like
As the documentation mentions here, the fallback to dataset permission should work with ff enabled.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
I confirmed the same behavior in 1.3.2.
https://apache-superset.slack.com/archives/C01B6H6U8S2/p1625000708004100

@geido geido added #bug Bug report validation:required A committer should validate the issue labels Jan 26, 2022
@geido
Member

geido commented Jan 26, 2022

Hello @kamalkeshavani-aiinside I am marking this as a bug as you pointed out that should be the default behavior. I am also marking the issue as requiring validation from a committer. Thank you!

@MM-Lehmann

I can confirm this bug in 1.4.1. The dashboard_rbac feature, although being 'stable', does not work for me in this context.

@nikhil-kuyya-talentas

nikhil-kuyya-talentas commented Mar 17, 2022

I understand this and tested it in my forked repo.

  • DASHBOARD_RBAC : True
  • User has access to datasets or an alpha-kind role.
  • If the admin published the dashboard, the alpha role user can see the dashboard in the dashboard list view page but is not able to view the dashboard in /dashboard/
  • Only if the role for the alpha user is given to the dashboard is the user able to view the dashboard in dashboard/<idorslug>

This is what my understanding is. Hope others are seeing this and it is not my custom changes in my fork (which hadn't done much to dashboard stuff).

@MM-Lehmann

MM-Lehmann commented May 4, 2022

Is there any acknowledgement by the dev team of this issue? At the very least, the FF should be marked testing or even dev. Everything else is misleading IMHO.
PS: still buggy in 1.5.0 (fresh, unmodified image)
PPS: potential dupe: #18634

@villebro
Member

villebro commented May 5, 2022

> Is there any acknowledgement by the dev team of this issue? At the very least, the FF should be marked testing or even dev. Everything else is misleading IMHO.
> PS: still buggy in 1.5.0 (fresh, unmodified image)
> PPS: potential dupe: #18634

@MM-Lehmann it should be assumed that any feature flag that's disabled by default is considered experimental. Having said that we do appreciate that the issue has been raised, and I can take a look at fixing this if I can repro it.

@akotuc

akotuc commented Jun 2, 2022

Hello,

I'm experiencing the same issue in 1.4.2 version.

  • DASHBOARD_RBAC is enabled
  • Dashboard has empty roles setting in dashboard properties
  • User has access to underlying datasets (verified since the user can access the dashboard if the FF is disabled and also can see the dashboard in dashboard list)
  • Getting an error when I click on the dashboard in the list of dashboards (please check image); if I reload (URL pointing directly to the dashboard) I get the message: You don't have access to this dashboard.
  • I can see the following in the log:
2022-06-02 17:01:31,696:ERROR:root:You don't have access to this dashboard.
Traceback (most recent call last):
  File "/app/superset/utils/cache.py", line 157, in wrapper 
    raise_for_access(*args, **kwargs)    
  File "/app/superset/dashboards/api.py", line 352, in <lambda>     
    raise_for_access=lambda _self, id_or_slug: DashboardDAO.get_by_id_or_slug(    
  File "/app/superset/dashboards/dao.py", line 46, in get_by_id_or_slug    
    security_manager.raise_for_dashboard_access(dashboard)  
  File "/app/superset/security/manager.py", line 1189, in raise_for_dashboard_access      
    raise DashboardAccessDeniedError()   
superset.dashboards.commands.exceptions.DashboardAccessDeniedError: You don't have access to this dashboard.    
    
During handling of the above exception, another exception occurred: 
    
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask_appbuilder/api/__init__.py", line 85, in wraps     
    return f(self, *args, **kwargs)      
  File "/app/superset/views/base_api.py", line 85, in wraps 
    raise ex
  File "/app/superset/views/base_api.py", line 82, in wraps 
    duration, response = time_function(f, self, *args, **kwargs)    
  File "/app/superset/utils/core.py", line 1471, in time_function   
    response = func(*args, **kwargs)     
  File "/app/superset/utils/log.py", line 242, in wrapper   
    value = f(*args, **kwargs)    
  File "/app/superset/dashboards/api.py", line 398, in get_charts   
    charts = DashboardDAO.get_charts_for_dashboard(id_or_slug)      
  File "/app/superset/dashboards/dao.py", line 56, in get_charts_for_dashboard    
    return DashboardDAO.get_by_id_or_slug(id_or_slug).slices
  File "/app/superset/dashboards/dao.py", line 46, in get_by_id_or_slug    
    security_manager.raise_for_dashboard_access(dashboard)
  File "/app/superset/security/manager.py", line 1189, in raise_for_dashboard_access
    raise DashboardAccessDeniedError()
superset.dashboards.commands.exceptions.DashboardAccessDeniedError: You don't have access to this dashboard. 

image

@sadovinma

Same problem.
Version: 1.5.0
No roles assigned in dashboard but nobody with alpha role and access to all databases can open it.

@akotuc

akotuc commented Jul 25, 2022

Does anyone have an update on this issue please? E.g. has anyone tested this in v2?
Thanks

@mattitoo
Contributor

mattitoo commented Aug 4, 2022

This still exists in 1.5.1
The dashboard is shown in the "Dashboard Overview", but a user can not open the dashboard when no role is assigned, but he/she has access to the underlying datasource.
All the charts in the Dashboard can be opened and viewed. But the dashboard shows the above error.

@mattitoo
Contributor

mattitoo commented Aug 4, 2022

I can also confirm the bug exists on 2.0.0 (tested locally with Docker Image)

@amitmiran137
Member

This is not a bug from my point of view
I think there should be multiple options for handling access:
1. Dataset permissions only
2. Dashboard rbac only
3. Dashboard rbac + fallback to dataset permissions

Anyone at this point can go ahead and implement option #3 by adding a MODE config flag to support each of the options instead of a ff that can only be addressed with 2 viable options

Ff is meant for testing features and I think this feature is already mature enough and it should be converted into a mode config
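
The three access modes proposed in the comment above, sketched as a standalone decision function. This is an added example, not Superset code and not part of the original comment; `AccessMode`, the two data classes and the "every dataset must be readable" rule are assumptions made for illustration.

```python
from enum import Enum
from dataclasses import dataclass

class AccessMode(Enum):
    """Hypothetical mode setting; not an existing Superset config key."""
    DATASET_ONLY = 1
    RBAC_ONLY = 2
    RBAC_WITH_FALLBACK = 3

@dataclass
class Dashboard:
    datasets: frozenset
    roles: frozenset = frozenset()  # empty = no roles assigned in properties

@dataclass
class User:
    roles: frozenset
    datasets: frozenset  # datasets the user's roles grant access to

def has_dataset_access(user, dash):
    # Assumption of this sketch: every dataset behind the dashboard must be
    # readable, and a dashboard with no datasets grants nothing.
    return bool(dash.datasets) and dash.datasets <= user.datasets

def has_role_access(user, dash):
    return bool(dash.roles & user.roles)

def can_access(user, dash, mode):
    if mode is AccessMode.DATASET_ONLY:
        return has_dataset_access(user, dash)
    if mode is AccessMode.RBAC_ONLY:
        return has_role_access(user, dash)
    # RBAC_WITH_FALLBACK: assigned roles are authoritative; dataset
    # permissions decide only when the dashboard has no roles at all.
    if dash.roles:
        return has_role_access(user, dash)
    return has_dataset_access(user, dash)

def access_matrix(user, dash):
    return {mode.name: can_access(user, dash, mode) for mode in AccessMode}

# Constructed sample data reproducing the report: no roles on the dashboard,
# user holds a role with access to the underlying dataset.
alpha = User(roles=frozenset({"Alpha"}), datasets=frozenset({"sales"}))
unassigned = Dashboard(datasets=frozenset({"sales"}))
restricted = Dashboard(datasets=frozenset({"sales"}), roles=frozenset({"Finance"}))
print(access_matrix(alpha, unassigned))
print(access_matrix(alpha, restricted))
```

The first matrix shows the behaviour reported in this issue (`RBAC_ONLY` denies, `RBAC_WITH_FALLBACK` allows); the second shows that once a role is assigned, dataset access alone no longer opens the dashboard under the fallback mode.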

@mattitoo
Contributor

mattitoo commented Aug 4, 2022

I agree that there are several possibilities, but an "Unexpected error" is raised directly in the frontend for the end user.
That definitely should not be the case.

@giovannipapini-agilelab

Hi, #22642 should fix the issue.

@rusackas
Member

Closing this issue in favor of the newer one, #22640.
