
RBAC not Working #18634

Closed
LalaGabor opened this issue Feb 9, 2022 · 33 comments · Fixed by #23586
@LalaGabor

LalaGabor commented Feb 9, 2022

Problem: Role Based Access Control is not enabling users to view Dashboards correctly.

Feature flag enabled: RBAC
Browser: Firefox
Superset Version 1.4

Background: I have assigned a user a role AlphaDG (essentially Gamma) and have assigned this role to a dashboard.

Expected outcome: Even though the user has not been assigned access to the underlying dataset(s), this user should be able to see the dashboard.

Actual outcome: The user is not able to see the dashboard (whether published or not)


@LalaGabor LalaGabor added the #bug Bug report label Feb 9, 2022
@LalaGabor
Author

Perhaps I have not included a necessary permissions flag?

That being said, I have tested user roles who are given all permissions (except datasource access obviously, as this is why I am using RBAC...)

@nikhil-kuyya-talentas

DASHBOARD_RBAC is the feature flag you enabled, right?

@srinisubramanian
Contributor

I had a similar issue:

User 1 - has access to a dataset via role AlphaCopy (all datasource access is removed)
User 2 - has access to same dataset via role GammaCopy
Dashboard 1 and Dashboard 2 - defined on dataset

Now feature flag is enabled and access is set as follows:
Dashboard 1 - No specific user set, so all users with access to dataset should have access
Dashboard 2 - Only Role AlphaCopy has access to it

Outcome expected: User 1 will have access to Dashboard 1 and Dashboard 2, User 2 will have access to only Dashboard 1
Actual Result: User 1 and User 2 didn't have access to any dashboards

I then gave specific access to Dashboard 1 to role AlphaCopy and GammaCopy. Same result

How exactly is the feature DASHBOARD_RBAC supposed to work?

@MM-Lehmann

I can confirm @srinisubramanian's observation. Same for me. I also pulled a fresh image without any modification (apart from the FF) to double check. The FF is not stable! Please investigate.

@villebro
Member

villebro commented May 4, 2022

Ping @amitmiran137 , have you run into this? We're hoping to push out 1.5.1 in 1-2 weeks, so if this feature is currently broken it would be nice to get a fix for this in.

@amitmiran137
Member

Are you using the DASHBOARD_RBAC ff?

Why not use the new UI for editing a dashboard?

We use it as one of our core features and it does work.

Please answer those questions so we can proceed.

@srinisubramanian
Contributor

I just tested this again with 1.5.0 and it works. Maybe it was an older version issue?

@villebro
Member

villebro commented May 4, 2022

Thanks @amitmiran137 and @srinisubramanian ! so we're ok closing this with the assumption that upgrading to 1.5 should fix the problem?

@srinisubramanian
Contributor

I guess so @villebro, as of now the feature flag works after the upgrade to 1.5.0 that I did.

@MM-Lehmann

Alright, this has become a bit unstructured. I was just picking up on parts of #18634 (comment) but actually my problem is described in #17227
So you might as well close this issue and continue discussion in the other one ;)
Sorry for the mess

@AkshayKumarC132

I have an issue with Superset v1.5.0, I'm unable to assign roles for users in Dashboard Properties (the option is not showing). I have enabled DASHBOARD_RBAC=True in config.py. Can anyone help me?

(screenshot: Roles Option disabled)

@MM-Lehmann

Did you set the feature flag or just a variable?

@srinisubramanian
Contributor

As mentioned elsewhere, it's working well for me. The only catch is I had to give access to users on each dashboard. Default access didn't work.

Did you also run superset init? If not please try that.

@nigzak
Contributor

nigzak commented Sep 15, 2022

could be a duplicate ticket to #19988 (happens also on V2.0.0)

@benjamin-mueller

The error is in

superset/security/manager.py

in the has_rbac_access function

def has_rbac_access() -> bool:
    return (not is_feature_enabled("DASHBOARD_RBAC")) or any(
        dashboard_role.id
        in [user_role.id for user_role in self.get_user_roles()]
        for dashboard_role in dashboard.roles
    )

Delete the "not" and everything works as expected. Sorry, first post here, have to read up on how to officially post such things.

@MM-Lehmann

Sorry @benjamin-mueller, that doesn't make sense. Your solution would completely bypass any role management introduced with the feature flag and grant all access, only because the FF is enabled.

@benjamin-mueller

The role management is done somewhere else, as mentioned in the parent function

def raise_for_dashboard_access(self, dashboard: "Dashboard") -> None:
    """
    Raise an exception if the user cannot access the dashboard.
    This does not check for the required role/permission pairs,
    it only concerns itself with entity relationships.
    :param dashboard: Dashboard the user wants access to
    :raises DashboardAccessDeniedError: If the user cannot access the resource
    """

This does not check for the required role/permission pairs,

We tested it on our systems with roles assigned and it worked as expected, sorry.

@villebro
Member

FYI I believe I've hit this issue, and I'm working on a fix for it

@villebro villebro self-assigned this Sep 16, 2022
@mdeshmu
Contributor

mdeshmu commented Sep 22, 2022

I can confirm that DASHBOARD_RBAC works on 1.5.1. We want to upgrade to 2.0.1 but fear that it will impact our production users if this is broken in 2.0.0. A fix will be really appreciated.

@wulfuric

Agreed that there is a gap in user access, we're on 2.0.0, with DASHBOARD_RBAC enabled. Our ideal use case is

  • All users who login get a custom role, something like dashboard_viewer
  • We use dashboard RBAC to grant access to the full dashboard (view dashboard, see underlying datasets, and see filter datasets)
  • We apply RLS rule that limits user based on templated {{ current_username }}

This way all users can login, see the dashboard, but only see rows they are associated with.

The issue now is we are getting the You don't have access to this dashboard - seems like the only workaround is the snippet Benjamin shared, it would not be scalable to add access for the 100+ users through dashboard ownership, sounds like this may have a fix on the way.

The other issue is datasets associated with native filters, when working around the above issue by adding my test user as an owner so it can hit the dashboard I'm getting permission errors on all native filters that utilize datasets NOT used by the dashboard. I believe the root of this is that hitting the dashboard/ID/datasets endpoint only returns chart datasets and not filters.

@TheofilosBel

Hey guys,

I also had the same issue in both versions 1.5.1 and 2.0.0.

BUT after inspecting the code (specifically func raise_for_dashboard_access in branch 2.0 and line 1268) I figured out that you need your dashboards to be Published, but my dashboards were Draft.

...
can_access = (
    is_user_admin()
    or is_owner(dashboard, g.user)
    or (dashboard.published and has_rbac_access())  # <<HERE<<: dashboard.published
    or (not dashboard.published and not dashboard.roles)
)
...

If I set the dashboard status to Published everything works like a charm in both v1.5.1 and v2.0.0

I don't know if this solves your issues, but I hope it helps :)
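A stand-alone model of the check quoted above, added here as an example and not Superset's own code (the Dashboard/User classes and the drop_not switch are assumptions for illustration): it shows why a Draft dashboard with roles assigned denies non-owners, and why the "delete the not" change suggested earlier in the thread would pass the check for anyone as soon as the flag is on.

```python
# Added example, not Superset's own code: a stand-alone model of the access
# decision quoted above (raise_for_dashboard_access with its nested
# has_rbac_access helper, Superset 1.5/2.0). The Dashboard/User classes and the
# drop_not switch are assumptions made for illustration.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Dashboard:
    published: bool
    roles: set[str] = field(default_factory=set)   # roles granted in Dashboard Properties
    owners: set[str] = field(default_factory=set)  # owner usernames


@dataclass
class User:
    name: str
    roles: set[str]
    is_admin: bool = False


def has_rbac_access(flags: dict, dash: Dashboard, user: User, drop_not: bool = False) -> bool:
    """Mirror of the nested has_rbac_access() helper.

    Shipped logic (drop_not=False): with DASHBOARD_RBAC off the clause is always
    True and RBAC never restricts anything; with it on, the user needs at least
    one of the dashboard's roles.
    drop_not=True is the "delete the not" change proposed in the thread: the
    clause becomes "flag on OR role match", so merely enabling the flag passes
    the check, which is the bypass objected to above.
    """
    enabled = bool(flags.get("DASHBOARD_RBAC", False))  # only FEATURE_FLAGS counts
    role_match = any(role in user.roles for role in dash.roles)
    return (enabled if drop_not else not enabled) or role_match


def can_access(flags: dict, dash: Dashboard, user: User, drop_not: bool = False) -> bool:
    """Mirror of the can_access expression quoted in the thread (dataset-level
    permissions are checked elsewhere in Superset and are not modelled here)."""
    return (
        user.is_admin
        or user.name in dash.owners
        or (dash.published and has_rbac_access(flags, dash, user, drop_not))
        or (not dash.published and not dash.roles)
    )


FLAGS_ON = {"DASHBOARD_RBAC": True}
NO_FLAGS: dict = {}  # what a bare ENABLE_DASHBOARD_RBAC = True amounts to: nothing
gamma = User("gamma_user", roles={"AlphaDG"})  # constructed sample user

if __name__ == "__main__":
    cases = {
        "draft + role AlphaDG, flag on": (FLAGS_ON, Dashboard(False, {"AlphaDG"}), gamma, False),
        "published + role AlphaDG, flag on": (FLAGS_ON, Dashboard(True, {"AlphaDG"}), gamma, False),
        "published + other role, flag on": (FLAGS_ON, Dashboard(True, {"Other"}), gamma, False),
        "published + other role, flag on, 'not' removed": (FLAGS_ON, Dashboard(True, {"Other"}), gamma, True),
        "published + other role, flag missing": (NO_FLAGS, Dashboard(True, {"Other"}), gamma, False),
    }
    for label, args in cases.items():
        print(f"{label:48s} -> {can_access(*args)}")
```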

@lazuardi21

lazuardi21 commented Jan 14, 2023


I've the same issue here with Superset 2.0.0.

What I've done is add this to config.py:

#to Enabling DASHBOARD_RBAC (Role-Based Access Control) in Apache Superset - 2023-01-14
ENABLE_DASHBOARD_RBAC = True

then re-initialize superset with
superset init

So I open the dashboard, make it published and choose edit. It shows the image above.
How can I handle this?

@vlad-lits

Which version should I use? Feature flags are still not working.

@mdeshmu
Contributor

mdeshmu commented Feb 24, 2023

@lazuardi21

The correct way to enable dashboard RBAC is to add the following to superset_config.py:

FEATURE_FLAGS = {
    "DASHBOARD_RBAC": True
}

@vlad-lits

@mdeshmu thank you a lot, it worked

@lazuardi21

Hi @mdeshmu thank you a lot, it worked.

I hope this issue can be closed since it worked on my local.
Thank you!!

@mdeshmu
Contributor

mdeshmu commented Mar 31, 2023

@villebro can we close this issue?

@villebro
Member

villebro commented Apr 6, 2023

Please take a look at #23586

@xiaotiao

It works for me and my Superset version is 2.1.0. It's interesting that dashboard RBAC works in development, like running it on PyCharm, even though the status is draft, but on live you need to change it to Published.

@ProjectsOfMLee

ProjectsOfMLee commented Aug 2, 2023


May I ask how did you resolve this RBAC issue? After publishing my dashboard, I still don't see the role-based access drop-down menu, mine just looks similar to this using v2.1.0

Did you change anything in .py files other than adding FEATURE_FLAGS = {"DASHBOARD_RBAC": True} to superset_config.py?

@oguzhanyediel

May I ask how did you resolve this RBAC issue? After publishing my dashboard, I still don't see the role-based access drop-down menu, mine just looks similar to this using v2.1.0 image

Did you change anything in .py files other than adding FEATURE_FLAGS = {"DASHBOARD_RBAC": True} to superset_config.py?

+++

@alexusbbb

alexusbbb commented Mar 14, 2024

Version 3.1.0
Docker Swarm installation
Enable feature in /app/docker/pythonpath_dev/superset_config.py

1. like this:

FEATURE_FLAGS = {"DASHBOARD_RBAC": True}

2. and like this:

#to Enabling DASHBOARD_RBAC (Role-Based Access Control) in Apache Superset - 2024-03-13
ENABLE_DASHBOARD_RBAC = True


What am I doing wrong?

!!!Update!!!
I did an update of the service in Docker Swarm (restart container) and... Victory! ))

superset_config.py
import logging
import os

from celery.schedules import crontab
from flask_caching.backends.filesystemcache import FileSystemCache

logger = logging.getLogger()

DATABASE_DIALECT = os.getenv("DATABASE_DIALECT")
DATABASE_USER = os.getenv("DATABASE_USER")
DATABASE_PASSWORD = os.getenv("DATABASE_PASSWORD")
DATABASE_HOST = os.getenv("DATABASE_HOST")
DATABASE_PORT = os.getenv("DATABASE_PORT")
DATABASE_DB = os.getenv("DATABASE_DB")

EXAMPLES_USER = os.getenv("EXAMPLES_USER")
EXAMPLES_PASSWORD = os.getenv("EXAMPLES_PASSWORD")
EXAMPLES_HOST = os.getenv("EXAMPLES_HOST")
EXAMPLES_PORT = os.getenv("EXAMPLES_PORT")
EXAMPLES_DB = os.getenv("EXAMPLES_DB")

# The SQLAlchemy connection string.
SQLALCHEMY_DATABASE_URI = (
    f"{DATABASE_DIALECT}://"
    f"{DATABASE_USER}:{DATABASE_PASSWORD}@"
    f"{DATABASE_HOST}:{DATABASE_PORT}/{DATABASE_DB}"
)

SQLALCHEMY_EXAMPLES_URI = (
    f"{DATABASE_DIALECT}://"
    f"{EXAMPLES_USER}:{EXAMPLES_PASSWORD}@"
    f"{EXAMPLES_HOST}:{EXAMPLES_PORT}/{EXAMPLES_DB}"
)

REDIS_HOST = os.getenv("REDIS_HOST", "redis")
REDIS_PORT = os.getenv("REDIS_PORT", "6379")
REDIS_CELERY_DB = os.getenv("REDIS_CELERY_DB", "0")
REDIS_RESULTS_DB = os.getenv("REDIS_RESULTS_DB", "1")

RESULTS_BACKEND = FileSystemCache("/app/superset_home/sqllab")

CACHE_CONFIG = {
    "CACHE_TYPE": "RedisCache",
    "CACHE_DEFAULT_TIMEOUT": 300,
    "CACHE_KEY_PREFIX": "superset_",
    "CACHE_REDIS_HOST": REDIS_HOST,
    "CACHE_REDIS_PORT": REDIS_PORT,
    "CACHE_REDIS_DB": REDIS_RESULTS_DB,
}
DATA_CACHE_CONFIG = CACHE_CONFIG

class CeleryConfig:
    broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"
    imports = ("superset.sql_lab",)
    result_backend = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_RESULTS_DB}"
    worker_prefetch_multiplier = 1
    task_acks_late = False
    beat_schedule = {
        "reports.scheduler": {
            "task": "reports.scheduler",
            "schedule": crontab(minute="*", hour="*"),
        },
        "reports.prune_log": {
            "task": "reports.prune_log",
            "schedule": crontab(minute=10, hour=0),
        },
    }


CELERY_CONFIG = CeleryConfig

FEATURE_FLAGS = {
    "ALERT_REPORTS": True,
    "DASHBOARD_RBAC": True
}
ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
WEBDRIVER_BASEURL = "http://superset:8088/"
# The base URL for the email report hyperlinks.
WEBDRIVER_BASEURL_USER_FRIENDLY = WEBDRIVER_BASEURL

SQLLAB_CTAS_NO_LIMIT = True

#to Enabling DASHBOARD_RBAC (Role-Based Access Control) in Apache Superset - 2024-03-13
ENABLE_DASHBOARD_RBAC = True


#
# Optionally import superset_config_docker.py (which will have been included on
# the PYTHONPATH) in order to allow for local settings to be overridden
#
try:
    import superset_config_docker
    from superset_config_docker import *  # noqa

    logger.info(
        f"Loaded your Docker configuration at " f"[{superset_config_docker.__file__}]"
    )
except ImportError:
    logger.info("Using default Docker config...")

superset init log

root@f16611d5216d:/app# superset init
Loaded your LOCAL configuration at [/app/docker/pythonpath_dev/superset_config.py]
logging was configured successfully
2024-03-14 09:14:49,198:INFO:superset.utils.logging_configurator:logging was configured successfully
2024-03-14 09:14:49,205:INFO:root:Configured event logger of type <class 'superset.utils.log.DBEventLogger'>
/usr/local/lib/python3.9/site-packages/flask_limiter/extension.py:293: UserWarning: Using the in-memory storage for tracking rate limits as no storage was explicitly specified. This is not recommended for production use. See: https://flask-limiter.readthedocs.io#configuring-a-storage-backend for documentation about configuring the storage backend.
  warnings.warn(
Syncing role definition
2024-03-14 09:14:53,741:INFO:superset.security.manager:Syncing role definition
Syncing Admin perms
2024-03-14 09:14:53,786:INFO:superset.security.manager:Syncing Admin perms
Syncing Alpha perms
2024-03-14 09:14:53,809:INFO:superset.security.manager:Syncing Alpha perms
Syncing Gamma perms
2024-03-14 09:14:54,340:INFO:superset.security.manager:Syncing Gamma perms
Syncing sql_lab perms
2024-03-14 09:14:54,870:INFO:superset.security.manager:Syncing sql_lab perms
Fetching a set of all perms to lookup which ones are missing
2024-03-14 09:14:55,371:INFO:superset.security.manager:Fetching a set of all perms to lookup which ones are missing
Creating missing datasource permissions.
2024-03-14 09:14:55,388:INFO:superset.security.manager:Creating missing datasource permissions.
Creating missing database permissions.
2024-03-14 09:14:55,418:INFO:superset.security.manager:Creating missing database permissions.
Cleaning faulty perms
2024-03-14 09:14:55,433:INFO:superset.security.manager:Cleaning faulty perms

@mtthsbrr

@wulfuric
Was there a fix for missing filter datasets (datasets only serving for a filter but not for any chart in the dashboard) permissions when utilizing dashboard RBAC?

Our current workaround is to create a dummy chart from the filter dataset and hide it somewhere in the dashboard but that does not feel like a proper solution. :-/
