-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Dashboard access when DASHBOARD_RBAC is disabled #17511
fix: Dashboard access when DASHBOARD_RBAC is disabled #17511
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great, thanks for fixing!
@villebro @amitmiran137 these tests in
I added the following line giving access to any user if the dashboard is not published and has no roles. superset/superset/security/manager.py Line 1189 in 893595e
Can you confirm that this is the expected behavior? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original intention here was to keep the old behaviour before DASHBOARD_RBAC era where there was no enforcement to dashboard access at all
But I agree that access should be enforced.
There was another idea by @dpgaspar
That We might want to consider switching to 404 this would prevent malicious API calls from finding out which dashboard IDs exist and which are not.
Altough personaly I prefer 403
Right, I remember we were pretty prudent during review in making sure the behavior was unchanged when the feature flag was disabled. Regarding 403/404 , I'm also more a 403 type of guy for this sort of stuff, but I'm ok with 404 if that's the security pattern we've chosen. |
I tagged @john-bodley and @etr2460 for reviews - can you think of a reason why dashboard access should not be enforced? The |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, personally I think that this is getting hard to follow, security filters set here: https://github.com/apache/superset/blob/master/superset/dashboards/filters.py#L72 should probably use the same code path for raise_for_dashboard_access
@@ -327,6 +332,8 @@ def get_datasets(self, id_or_slug: str) -> Response: | |||
$ref: '#/components/responses/400' | |||
401: | |||
$ref: '#/components/responses/401' | |||
403: | |||
$ref: '#/components/responses/403' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with returning 403, although it's more coherent with the current setup that we return 404, note that the dashboard filter is serving has security so we only "show" resources that are available to the user. Also, exposing less detailed info about why a resource is not available for access to a user the better.
RFC is not 100% clear regarding this:
https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.3
https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.4
it's acceptable to return 404 if we don't want to disclose that the dashboard exists but it's access is forbidden to the user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dpgaspar We have other endpoints also returning 403. I'll bring this discussion to our meeting today and if we decide to return 404 I'll open another PR fixing all endpoints.
Codecov Report
@@ Coverage Diff @@
## master #17511 +/- ##
==========================================
- Coverage 76.99% 76.77% -0.22%
==========================================
Files 1046 1047 +1
Lines 56491 56505 +14
Branches 7798 7798
==========================================
- Hits 43494 43384 -110
- Misses 12741 12865 +124
Partials 256 256
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
* fix: Dashboard access when RBAC is disabled * Sends 403 when forbidden * Fixes issort * Changes assertion * Allow access to unpublished dashboards that don't have roles * Fixes the test_get_dashboard_changed_on test
SUMMARY
This PR fixes the security manager to also check for dashboard access when
DASHBOARD_RBAC
is disabled. Previously, ifDASHBOARD_RBAC
was disabled, this piece of code was skipped:I also changed some endpoints to emit a 403 when an access error occurs.
ADDITIONAL INFORMATION