fix: Revert "fix: Dashboard aware RBAC dataset permission (#24789)" #24996
Conversation
This reverts commit 7397ab3.
|
Thanks @jfrag1 for raising this. I did wonder if the form-data was trustworthy, but had assumed (wrongfully) that it was given it came from either the query-context or visualization. In #24804 I refactored the |
I see what you're saying, but in the case of the chart data endpoint, I simply don't see a way to determine the dashboard to pass. The only way we can determine a dashboard context is via the request payload, which is forgeable |
|
I spent a while trying to untangle this feature a while back and found there was a lot of undefined behavior or the logic broke superset's original security model. I think the previous PR was missing a check to ensure the Actually, it might even make sense to check the datasets being queried by the chart are a subset of the datasets of the dashboard. That would change the security model to "DASHBOARD_RBAC grants a user access to the dashboard and all datasets contained in the dashboard" which is closer to superset's original data access model. The only other way I can think this could be more fine-grained, and secure, would be to enumerate all the dimensions and metrics in the dashboard and ensure the chart's formData isn't querying anything outside of that set. But that would probably be far too expensive. |
|
@jfrag1 let me look into an alternative formulation. The issue with reverting this PR is it reopens a previous security vulnerability. |
@john-bodley as you are looking into a fix forward, not sure if this issue I reported may be related to the original PR that this is reverting. Looks like it has a similar error message from the screenshot in your original PR. |
|
/testenv up |
|
@jinghua-qa Ephemeral environment spinning up at http://34.210.72.178:8080. Credentials are |
|
Closing in favor of the fix forward #25008 |
|
Ephemeral environment shutdown and build artifacts deleted. |
SUMMARY
This reverts #24789 due to a security issue that could allow any user to retrieve data from any datasource.
The issue is that the dashboard id being checked here for the dashboard context comes from the request payload from the client, not a trusted backend source. Therefore a user can copy a valid request for a datasource they shouldn't have access to and simply change the dashboard id in the form data to a dashboard they have access to, bypassing this security check.
I can't think of a secure way to assert the presence of a dashboard context on the backend when retrieving chart data; the old approach may be the best we can do
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION