Dashboard RBAC access doesn't conform to documentation (and access permission exposes a possible security risk)

[giovannipapini-agilelab]

DASHBOARD_RBAC does not behave as explained in documentation: it says 'Roles is a list which defines access to the dashboard. Granting a role access to a dashboard will bypass dataset level checks. If no roles are defined, then the dashboard is available to all roles.', but instead when I do not assign any role to the dashboard only admin and owners can access to it.

How to reproduce the bug

1. Feature flag DASHBOARD_RBAC set to True
2. Open a published dashboard that has no role assigned as a Alpha-role-assigned user

Expected results

The dashboard

Actual results

A permission error

Screenshots

Environment

(please complete the following information):

• browser type and version: both Edge and Firefox
• superset version: both 1.5 and 2.0
• python version: python --version 3.9

Checklist

Make sure to follow these steps before submitting your issue - thank you!

• I have checked the superset logs for python stacktraces and included it here as text if there are any.
• I have reproduced the issue with at least the latest released version of superset.
• I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

While investigating in the problem I found out that it is possible to access any dashboard with status DRAFT from any user (when dashboard has no RBAC role assigned).

The problem could probably be here:

superset/superset/security/manager.py

Line 1994 in 001100d

or (not dashboard.published and not dashboard.roles)

Indeed, I cannot figure out why the condition should be or (not dashboard.published and not dashboard.roles) and not or (dashboard.published and not dashboard.roles).

Is there a case in which a non-admin and non-owner user should view a (not even menu-listed) draft dashboard?

[frabenetti]

I do have the very same issue in version 2.0.1, ff RBAC enblad and the dashboard is in status "published", if no role is specified then when you try to open the dashboard (and you are not the owner or an admin), Superset gives an error message "Unxpected Error: Forbidden"

[giovannipapini-agilelab]

Just opened a PR to propose a fix: #22642

[drummerwolli]

possible duplicate of #17227 ?

[giovannipapini-agilelab]

Hi @drummerwolli, yes indeed, but #22642 should fix the problem.

[rohitpawar2811]

@giovannipapini-agilelab Your changes still would not be working I applied your changes but still getting no access on dashboard
on alpha role without RBAC

[frabenetti]

@giovannipapini-agilelab Your changes still would not be working I applied your changes but still getting no access on dashboard on alpha role without RBAC

I am working with Giovanni, actually it seems strange since it works for us. Did you change the status of the dashboard to "published", since RBAC, according to the documentation, applies to published dashboards.

[sfirke]

Right now if a dashboard is "draft" status and has no roles, any role can access it, even Public. But if it's published, then Public cannot access it. It looks like PR #22642 would reverse this. Would Public role then be able to access a Published dashboard with no role assigned? Or would it fall back to dataset access?

Falling back to dataset access would be the desirable behavior for me. Otherwise there's always the risk that someone forgets to assign any role to a dashboard and then it's publicly-accessible by default. Right now that's the case and it's very sketchy: all Draft-status dashboards with no role assigned are publicly accessible.

[ivan-price-acted]

Hi there,

100% agree with @sfirke , i'm wondering what the use-case is for allowing global access to datasets (through dashboards) that would otherwise not be visible, just because a dashboard is in draft ?

It's certain that our users will occasionally forget to publish dashboards, which leaves us wide open to leaking data, especially because dashboard URLs are so easy to guess !

I feel like I must be missing something somewhere because this seems to be a serious potential security hole for any org using superset for sensitive data, between disparate teams ?

[nicolas-gaillard]

hi, is there any new information on this issue? (whether it's the feature flag not working as expected, or the fact that with the RBAC flag, an unpublished dashboard without a role is accessible using the "Public" role).

Totally agree with @ivan-price-acted, it looks like a serious potential security issue...

[giovannipapini-agilelab]

@nicolas-gaillard it was solved in 2.1

[nicolas-gaillard]

Oh awesome, thank you for your quick reply! But if it's the PR #23586 it doesn't seem to be available yet, right?

[giacomochiarella]

it seems still not working on the latest tag docker image