
fix: Allow embedded guest user datasource access with dashboard context #25081

Conversation

jfrag1
Member

@jfrag1 jfrag1 commented Aug 25, 2023

BACKGROUND

Recently, #24789 changed the way that datasource access is granted, specifically in the case that a user should have access to a datasource because they have access to a dashboard. Before #24789, datasource access was only granted as a result of dashboard access when DASHBOARD_RBAC was enabled, or when a guest user viewed an embedded dashboard while EMBEDDED_SUPERSET was enabled.

The PR made this process more secure, but only enabled it for DASHBOARD_RBAC, not embedded.

This PR is a follow-up that enables this for embedded. Without this PR, charts on embedded dashboards cannot load because guest users have no way to get access to the datasources.

Fixes #25006

cc @john-bodley

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

GIFs below are of a simple host app which renders an embedded superset dashboard

Before:
embedded_perms_before

After:
embedded_perms_after

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

"superset.extensions.feature_flag_manager._feature_flags",
EMBEDDED_SUPERSET=True,
)
@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices_class_scope")
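Review bot: both `load_birth_names_dashboard_with_slices` and its `_class_scope` variant appear on this test class; a class-scoped fixture loads the birth names dashboard once and shares it across every test in the class, so any test that mutates or commits changes to that dashboard will leak state into the others. If both decorators survive the change, a short comment on the class stating that the shared dashboard must be treated as read-only (or dropping the per-test fixture where it is now redundant) would make the speed-up safe to keep.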
Member Author

This change speeds these tests up significantly

@@ -1653,6 +1653,7 @@ def run_extra_queries(self) -> None:
query_obj["orderby"] = [(metric, asc)]
self.get_query_context_factory().create(
datasource={"id": self.datasource.id, "type": self.datasource.type},
form_data=self.form_data,
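Review bot: the `form_data=self.form_data` keyword in this hunk is what carries the dashboard context into `create(...)`, and the guest user's datasource access is derived from the dashboard referenced there, so dropping it again would silently reintroduce the failing access check. A regression test that runs `run_extra_queries` as a guest user whose only grant is the embedded dashboard would pin this behaviour.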
Member Author

This fixes #25006, form data wasn't being passed through to raise_for_access

@john-bodley john-bodley self-requested a review August 25, 2023 16:50
},
)
}
)
Member

nice tests!

Member

@eschutho eschutho left a comment

This lgtm. Not sure if @john-bodley or @Vitor-Avila wanted to look before we merge it.

)
session = db.session
session.add(dataset)
session.commit()
Member

I suspect the commit is unnecessary. This would mean that lines 240 and 241 become:

db.session.rollback()

Member Author

Yeah I guess it's unnecessary for these and we could instead just run these tests within an uncommitted transaction. Do you feel that's preferable? Here I pretty much just copied the pattern from existing fixtures I saw which all committed their changes.
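The two fixture styles discussed in the thread above (add + commit with explicit cleanup, versus an uncommitted transaction that is rolled back on teardown), as an added example that is not Superset's own test code. It uses the standard-library `sqlite3` module as a stand-in for Superset's `db.session` and a constructed `tables` table in place of the real metadata schema; the fixture names and the `run_test_with_fixture` driver are hypothetical. It also shows the edge case the rollback style does not cover on its own: a test body that commits mid-way.

```python
import sqlite3
from contextlib import contextmanager


def make_metadata_db() -> sqlite3.Connection:
    """Constructed stand-in for the metadata database: one table of datasets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tables (id INTEGER PRIMARY KEY, table_name TEXT UNIQUE)")
    conn.commit()
    return conn


def dataset_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM tables WHERE table_name = ?", (name,)).fetchone()
    return row is not None


@contextmanager
def dataset_fixture_committed(conn: sqlite3.Connection, name: str, cleanup: bool = True):
    """The pattern copied from existing fixtures: add + commit, then delete + commit on teardown.
    Forgetting the teardown (cleanup=False) leaves the row behind for later tests."""
    conn.execute("INSERT INTO tables (table_name) VALUES (?)", (name,))
    conn.commit()
    try:
        yield name
    finally:
        if cleanup:
            conn.execute("DELETE FROM tables WHERE table_name = ?", (name,))
            conn.commit()


@contextmanager
def dataset_fixture_transactional(conn: sqlite3.Connection, name: str):
    """The alternative raised in review: never commit; a single rollback undoes the setup."""
    conn.execute("INSERT INTO tables (table_name) VALUES (?)", (name,))
    try:
        yield name
    finally:
        conn.rollback()


def body_that_commits(conn: sqlite3.Connection, name: str) -> None:
    """A test body that commits defeats a rollback-based teardown: the INSERT is now durable."""
    conn.execute("UPDATE tables SET table_name = table_name WHERE table_name = ?", (name,))
    conn.commit()


def run_test_with_fixture(fixture_factory, test_body=None):
    """Run one test against a fresh database.

    Returns (visible_during_test, still_present_after_teardown) so the isolation
    of each fixture style can be checked directly."""
    conn = make_metadata_db()
    with fixture_factory(conn) as name:
        if test_body is not None:
            test_body(conn, name)
        during = dataset_exists(conn, name)
    after = dataset_exists(conn, name)
    conn.close()
    return during, after


if __name__ == "__main__":
    print("committed + cleanup      ", run_test_with_fixture(lambda c: dataset_fixture_committed(c, "birth_names")))
    print("committed, no cleanup    ", run_test_with_fixture(lambda c: dataset_fixture_committed(c, "birth_names", cleanup=False)))
    print("transactional            ", run_test_with_fixture(lambda c: dataset_fixture_transactional(c, "birth_names")))
    print("transactional + commit   ", run_test_with_fixture(lambda c: dataset_fixture_transactional(c, "birth_names"), body_that_commits))
```

The rollback style needs no hand-written cleanup and cannot leave half-deleted state behind if the test fails, but it only holds as long as nothing inside the test commits; with SQLAlchemy the usual way to enforce that is to bind the session to a connection that already has an outer transaction open, so that a `commit()` in the code under test does not end it.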

@Vitor-Avila
Contributor

Thanks for working on this PR! 🙏

@eschutho eschutho merged commit 2b8d8da into apache:master Aug 28, 2023
@eschutho eschutho deleted the jack/embedded-guest-user-datasource-permissions branch August 28, 2023 16:48
@michael-s-molina michael-s-molina added the v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch label Aug 29, 2023
michael-s-molina pushed a commit that referenced this pull request Aug 30, 2023
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
@mistercrunch mistercrunch added 🍒 3.0.0 🍒 3.0.1 🍒 3.0.2 🍒 3.0.3 🍒 3.0.4 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 3.1.0 labels Mar 8, 2024
@talk2morris

talk2morris commented Mar 13, 2024

Hello, how/when can we get this update in production?

@rusackas
Member

> hello, how/when can we get this update in production?

If you're running any of the versions tagged right above your comment, you should already have it :)

@talk2morris

Thanks @rusackas, I just upgraded to the latest release; however, all my embedded charts stopped working. I am getting this error: 400 Bad Request: The CSRF session token is missing. Any thoughts on this?

@rusackas
Member

Sorry, not sure what the cause of that would be.

@talk2morris

Okay, I was able to resolve that, but now I have a new problem; the error is: Guest user cannot modify chart payload. Do you know how I can downgrade Superset from 3.1.1 to 3.1.0?

@rusackas
Member

@talk2morris that's being tracked here, you might want to ask on that thread if it's not already covered: #27177 (comment)

vinothkumar66 pushed a commit to vinothkumar66/superset that referenced this pull request Nov 11, 2024
Successfully merging this pull request may close these issues.

Filter box chart elements are returning an error asking for more permissions when embedded