Incubator-superset: Slice and Dashboard lists don't respect `database` and `schema`-related perms
Make sure these boxes are checked before submitting your issue - thank you!
- [x] I have checked the superset logs for python stacktraces and included it here as text if any
- [x] I have reproduced the issue with at least the latest released version of superset
- [x] I have checked the issue tracker for the same issue and I haven't found one similar
Superset version
Latest
Expected results
When database access on [db].(id:#) is granted to a role, it should have the effect of also granting datasource access on all data sources in the DB. Per https://superset.incubator.apache.org/security.html - "Database: Granting access to a database allows for the user to access all data sources within that database"
Actual results
It does not grant data source access. In order to grant data source access, the datasource_access permission has to be granted for each table in the DB.
Steps to reproduce
- Fresh install the current version of Superset
- Create new role, "Main", add
database_access on [main].(id:1) - Create new user with "Gamma" and "Main" roles
- Log in as new user
Notes
This is similar to #3085 but that issue was closed, and this issue is reproducible from a fresh install. The tables are accessible if datasource access is granted for each table, but in my DB, there are hundreds of tables and I'd prefer to not have to manually add each one as a permission. I'd be happy to investigate too if someone pointed me in the right direction.
awu
All 7 comments
It's not the way this works. When querying a specific datasource, it will confirm that you have either:
- all_access
- access to database
- access to datasource
mistercrunch
on 16 Oct 2018
@mistercrunch I don't understand. If I give a role the permission database_access on [db].(id#), and assign a user that role, then shouldn't they be able to view all charts/dashboards and query in SQL Lab on all data sources in that database according to point 2 in your comment? In my steps in the post, this isn't possible.
awu
on 16 Oct 2018
Database access should do that as you described. You're saying that's not the case? In both SQL Lab and explore view?
mistercrunch
on 16 Oct 2018
@mistercrunch so it seems that it does halfway work as described actually. Granting database access allows the user to build charts/dashboards/sql on data sources within the database, but upon saving charts/dashboards, the user cannot see them in "List Charts" or "List Dashboards"
awu
on 16 Oct 2018
Gotcha, let me point to the code that should handle this:
For charts: https://github.com/apache/incubator-superset/blob/master/superset/views/core.py#L95
For dashboards: https://github.com/apache/incubator-superset/blob/master/superset/views/core.py#L112
It's a matter of adding logic that add a logical OR on database or datasources, and it should be done in a single phase (subquery).
mistercrunch
on 16 Oct 2018
@mistercrunch: It seems that this issue is still present, at least in Superset 0.34.1. I also do not see why this issue had been closed, as there is no link to any PR or any stale-bot interaction.
Would you mind reopening it?
rumbin
on 7 Nov 2019
I'm seeing the same behaviour with the latest image from https://hub.docker.com/r/preset/superset/
grbinho
on 20 May 2020
Related issues
vylc
路
3Comments
joshuacano
路
3Comments
gbrian
路
3Comments
lenguyenthedat
路
3Comments
thoralf-gutierrez
路
3Comments
Most helpful comment
@mistercrunch: It seems that this issue is still present, at least in Superset 0.34.1. I also do not see why this issue had been closed, as there is no link to any PR or any stale-bot interaction.
Would you mind reopening it?