Public role is too strong by default #29709
Comments
This is a good catch - I agree that Gamma permissions are too powerful for most people who want a Public viewer role. The set of permissions I've given to people is:
I shared that list with someone on Slack and they said that they also had to add these: I would be interested in blending it with yours to get the narrowest set possible, then recommending that to people -- or simply adding it as a default role in Superset. It's been a couple of years since I refined this list. I see a couple of mine that I think are clearly missing from yours, e.g., getting CSS templates and annotations. Are there any on my list that seem problematic to you in terms of giving the user too much power?
Maybe it's time to add a new built-in public role (Delta?) for this purpose, but just not wire it up to anything by default? Curious also to hear if/how @dpgaspar would like to weigh in on the above.
I agree with @rusackas. I have been struggling for approximately 3 weeks to configure a proper "Public" role, mixed or not with the RBAC feature. A proper minimal Public role should be included or at least documented. In addition, I didn't find any documentation of permissions. Is there one somewhere I have missed? If not, it's important to write one.
@xavier-GitHub76 what is the "can write to DashboardPermalinkRestApi" permission for?
@Arcelone I'm guessing it's so that dashboard permalinks can be accessed. E.g., accessing the dashboard at https://data.yourdomain.com/superset/dashboard/your-dashboard instead of https://data.yourdomain.com/superset/dashboard/101. Did you try that?
@sfirke I didn't get what you said. When you share the dashboard permalink it looks like: https://data.yourdomain.com/superset/dashboard/aiiduzgxykrofbzh The receiver pastes it in his browser and here you go.
Related discussion: #25938
I will detail each permission (and the related issue, if one is missing)
Without "can write to DashboardPermalinkRestApi": Issue #30004
Without "can time range on Api": #30005
The display of a dashboard is impossible (redirection to the login page) without one of
To download a chart as CSV/Excel/Image --> permission "can csv on Superset" (label not precise) #30317
Bug description
Hello,
To implement the 'public' role, the documentation (https://superset.apache.org/docs/security/#public) indicates that the PUBLIC_ROLE_LIKE variable must be updated and gives the example of using the GAMMA role.
It is also specified that the GAMMA role provides access for consultation.
By applying these recommendations and defining a "datasource access on" permission, an anonymous user can consult:
(by accessing the various main menus)
Visible elements are related to the "datasource access on" permission, but the gamma permissions used as a template are too strong.
An anonymous user can start creating a diagram and freely query a dataset via the diagram editing screen.
It can also export all diagram data.
However, it cannot save the diagram.
In order to achieve "read only" behavior, you should set up a role limited to the strict minimum and use it as a reference for the "public" role.
Here are the permissions I've identified as mandatory for this role:
Of course, these permissions must be supplemented with the "datasource access on" permission.
With these permissions, an anonymous user will only be able to:
Best regards
How to reproduce the bug
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
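As an added example (not code from the Superset project or from anyone in this thread), here is a small Python audit that compares the permissions a template role grants against a view-only allow-list, which is the check this report calls for before pointing PUBLIC_ROLE_LIKE at a role. Both permission lists in it are constructed samples: the minimal lists mentioned in the thread are not reproduced on this page, so PUBLIC_ALLOWLIST is an assumption rather than the reporter's list. The load_role_labels helper assumes a running Superset app context and the Flask-AppBuilder security manager API (find_role, role.permissions); it is not needed to run the offline part.

```python
"""Least-privilege audit for a Superset "Public" role.

Added example, not code from Superset or from the issue. Permissions are
modelled as "<permission> on <view menu>" labels, the form shown in the
role editor and used in the thread above. Both sample lists below are
constructed for illustration; PUBLIC_ALLOWLIST is an assumption, not the
reporter's minimal list (which the page does not reproduce).
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Verbs grouped by what they let an anonymous user do beyond viewing.
# "can explore"/"can explore json" back the chart editor and ad-hoc
# dataset queries (the behaviour the report objects to); "can csv" backs
# data export. Everything else (can read, menu access, ...) is treated
# as plain read access.
WRITE_VERBS = {"can write", "can add", "can edit", "can delete"}
QUERY_VERBS = {"can explore", "can explore json", "can sql json"}
EXPORT_VERBS = {"can csv", "can export"}

# Constructed sample: a slice of what a Gamma-like template grants.
GAMMA_LIKE_SAMPLE = [
    "can read on Dashboard",
    "can read on Chart",
    "can read on Dataset",
    "can explore on Superset",
    "can explore_json on Superset",
    "can write on Chart",
    "can csv on Superset",
    "menu access on Dashboards",
    "menu access on Charts",
]

# Constructed allow-list for a view-only Public role (assumption). The
# permalink and time-range entries are the ones the comments above report
# as required for a dashboard to load at all.
PUBLIC_ALLOWLIST = [
    "can read on Dashboard",
    "can read on Chart",
    "can read on Dataset",
    "can write on DashboardPermalinkRestApi",
    "can time range on Api",
    "menu access on Dashboards",
]


def parse_label(label: str) -> Tuple[str, str]:
    """Split 'can read on Dashboard' into ('can read', 'Dashboard').

    Only the first ' on ' separates verb from target, so a label like
    'datasource access on [db].[table](id:1)' keeps its full target.
    Underscores in the verb are normalised to spaces, so the raw FAB
    permission name 'can_explore_json' and the UI label agree.
    """
    verb, sep, target = label.strip().partition(" on ")
    if not sep:
        raise ValueError(f"not a '<permission> on <view>' label: {label!r}")
    return verb.strip().replace("_", " "), target.strip()


def category(verb: str) -> str:
    """Classify a (normalised) permission verb by the capability it grants."""
    if verb in WRITE_VERBS:
        return "write"
    if verb in QUERY_VERBS:
        return "query"
    if verb in EXPORT_VERBS:
        return "export"
    if verb == "datasource access":
        return "data"
    return "read"


def audit(role_labels: List[str], allowlist: List[str]) -> Dict[str, List[str]]:
    """Compare a template role against a view-only allow-list.

    excess  : labels the template grants that the allow-list does not
    flagged : the subset of excess that is not plain read access
    review  : allow-list entries that are not plain read access and so
              need an explicit justification (e.g. the permalink write)
    """
    wanted = {parse_label(lbl) for lbl in allowlist}
    granted = {parse_label(lbl) for lbl in role_labels}
    excess = sorted(granted - wanted)
    fmt = lambda v, t: f"{v} on {t}"
    return {
        "excess": [fmt(v, t) for v, t in excess],
        "flagged": [fmt(v, t) for v, t in excess if category(v) != "read"],
        "review": [fmt(v, t) for v, t in sorted(wanted) if category(v) != "read"],
    }


def load_role_labels(role_name: str) -> List[str]:
    """Read a role's permissions from a live Superset instance.

    Assumes a Superset app context (e.g. `superset shell`) and the
    Flask-AppBuilder security manager; deliberately imported lazily so the
    offline audit above runs without Superset installed.
    """
    from superset import security_manager  # requires app context

    role = security_manager.find_role(role_name)
    if role is None:
        raise LookupError(f"role {role_name!r} not found")
    return [f"{pv.permission.name} on {pv.view_menu.name}" for pv in role.permissions]


if __name__ == "__main__":
    for key, labels in audit(GAMMA_LIKE_SAMPLE, PUBLIC_ALLOWLIST).items():
        print(f"{key}:")
        for lbl in labels:
            print(f"  {lbl}")
```

Run offline, the audit flags the explore, explore_json, write and csv grants as the ones that turn a "viewer" into someone who can build charts, query datasets and export data, and lists the permalink write as the one allow-list entry that needs a recorded justification. Inside a Superset shell, pass load_role_labels("Gamma") and the candidate role's labels instead of the samples; once the candidate role audits clean, point PUBLIC_ROLE_LIKE in superset_config.py at that role rather than "Gamma" and re-run `superset init` so the Public role is re-synced.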