DASHBOARD_RBAC does not provide access to datasources used in DASHBOARD_NATIVE_FILTERS #18959

Closed
2 of 3 tasks
rafalpas opened this issue Feb 28, 2022 · 8 comments
Labels
authentication:RBAC Related to RBAC #bug Bug report dashboard:native-filters Related to the native filters of the Dashboard dashboard Namespace | Anything related to the Dashboard v1.5

Comments

@rafalpas

The Dashboard RBAC functionality provides implicit access to datasources used for all charts on a dashboard, so that charts can retrieve underlying data even if the user does not have explicit access to the datasources. This does not cover Dashboard Native Filters correctly - when a native filter uses a datasource which is not used by any chart on the dashboard, the implicit access is not granted and the filter fails to load data.

How to reproduce the bug

  1. Create two datasources (A and B) that share a column name ("x") and type, so that it is possible to use a filter created on A to filter B
  2. Create a chart using datasource B
  3. Create a dashboard and add the chart to it
  4. Add a native filter using datasource A and column "x"
  5. Save the dashboard and make it public
  6. Create a role with access rights enough to view dashboards, but with NO explicit access to datasources A and B, e.g.
    image
  7. Assign this role to the dashboard:
    image
  8. Create a new user account and grant the role to it
  9. Log in using this user account and access the dashboard

Expected results

The native filter is filled with data from datasource A.

Actual results

The native filter is stuck at "No data / Loading..."
image

Screenshots

Included in reproduction procedure

Environment

  • browser type and version: Microsoft Edge 97.0.1072.69
  • superset version: 1.4.1
  • python version: python --version
  • node.js version: node -v
  • any feature flags active: DASHBOARD_RBAC, DASHBOARD_NATIVE_FILTERS (both are important for this bug)

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

An HTTP 403 response to "/api/v1/chart/data" is visible in the network logs with the following content:
{"errors": [{"message": "This endpoint requires the datasource ..., database or\n all_datasource_access permission", "error_type": "DATASOURCE_SECURITY_ACCESS_ERROR", "level": "error", "extra": {"link": "", "datasource": "..."}}]}
There is no problem if datasource A is used by any chart on dashboard, only if it is not used by any chart (used solely by the filter).
There is no problem when using legacy filterboxes (because they are "charts" and thus the implicit access is granted?)
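
The access decision described in this report, as an added example that is not part of the original issue and is not Superset's code: a simplified Python model in which the implicit grant is computed either from chart datasources only or from chart plus native-filter datasources. The `Dashboard` class, the function names and the sample data are hypothetical and constructed to mirror the reproduction steps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dashboard:
    """Server-side dashboard record (hypothetical model, not Superset's schema)."""
    roles: frozenset                # roles assigned to the dashboard
    chart_datasources: frozenset    # datasources behind the dashboard's charts
    filter_datasources: frozenset   # datasources behind its saved native filters

def chart_only_scope(dash):
    """Implicit grant as the report describes it: chart datasources only."""
    return set(dash.chart_datasources)

def chart_and_filter_scope(dash):
    """Grant that also covers datasources referenced by saved native filters."""
    return set(dash.chart_datasources) | set(dash.filter_datasources)

def can_query(user_roles, explicit, dash, datasource, scope):
    """Decide a data request made in the context of `dash`."""
    if datasource in explicit:
        return True                 # ordinary datasource permission
    if not set(user_roles) & dash.roles:
        return False                # no dashboard role, so no implicit grant
    # The scope is derived from the stored dashboard, never from the request
    # body, so a request cannot widen its own access by naming a datasource.
    return datasource in scope(dash)

# Constructed data mirroring the reproduction steps: chart on B, filter on A.
# Datasource C is not referenced by the dashboard at all.
DASH = Dashboard(frozenset({"viewer"}), frozenset({"B"}), frozenset({"A"}))

def evaluate(scope):
    """Outcome per datasource for a user holding only the dashboard role."""
    return {ds: can_query({"viewer"}, set(), DASH, ds, scope) for ds in "ABC"}

if __name__ == "__main__":
    print("charts only:     ", evaluate(chart_only_scope))
    print("charts + filters:", evaluate(chart_and_filter_scope))
```

With the chart-only scope, datasource A is denied, which corresponds to the 403 above; with the wider scope A is allowed while C, which the dashboard does not reference, stays denied.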

@rafalpas rafalpas added the #bug Bug report label Feb 28, 2022
@villebro villebro added authentication:RBAC Related to RBAC dashboard Namespace | Anything related to the Dashboard dashboard:native-filters Related to the native filters of the Dashboard labels Mar 3, 2022
@villebro
Member

villebro commented Mar 3, 2022

Thanks for reporting @rafalpas ! @amitmiran137 have you run into this problem?

@amitmiran137
Member

we have not turned on native filters yet so no
but surely we would investigate and see if we can fix the issue

@amitmiran137 amitmiran137 self-assigned this Mar 3, 2022
@villebro villebro added the v1.5 label Apr 6, 2022
@MM-Lehmann

Also, may or may not be related: There is still a problem with dashboard_rbac when using a public dashboard for unauthenticated users. When logging in (oauth), no dashboards can be seen, that have not set their "dashboard roles" (rely on dataset access).

@isabellalacerda

Hi @MM-Lehmann did you find any solution to your problem? Is there a specific permission that allows public users to access native filters? I can only grant public access to dashboards where there's no native filter

@michael-hoffman-26
Contributor

Hi @rafalpas I tried to reproduce the bug.
But no bug was found, and everything works as expected.
The user with permission to read the dashboard can load all the native filters, although they are not used inside the charts.
Using a different "datasource" B for the native filter.
And I checked that "datasource" B does not appear inside the charts of the dashboard.

@MM-Lehmann

look at #16718. related?

@michalgala

Check the all_datasource_access in the user roles

@rusackas
Member

rusackas commented Feb 23, 2024

I'm not sure if this is still an issue in current versions of Superset (3.x). If it is, we can re-open this, or feel free to open a new issue with updated context. We're no longer supporting Superset 2.x or prior, and it's been a while since this thread saw any activity, so I'm closing this as stale.
