/api/v1/chart/{pk}/data does not respect Guest Token resource limitations

[lindenh]

When creating a guest token with resources to allow access to (namely dashboards), access to charts should be limited to those on that dashboard.

How to reproduce the bug

1. Create a guest token using the /api/v1/security/guest_token endpoint, giving it some dashboard:

{
    "user": {},
    "resources": [
        {
            "type": "dashboard",
            "id": "user-dash"
        }
    ],
    "rls": []
}

2. Use this guest token with the header X-Guesttoken (or whatever the config is set to for guest token headers) to grab a chart at /api/v1/chart/{pk}/data with a chart NOT on the above given dashboard
3. See data is pulled back

Expected results

Some unauthorized error.

Actual results

Data is correctly pulled back from any chart.

Screenshots

If applicable, add screenshots to help explain your problem.

Environment

(please complete the following information):

• browser type and version:
• superset version: superset version
• python version: python --version
• node.js version: node -v
• any feature flags active: EMBEDDED_SUPERSET

Checklist

Make sure to follow these steps before submitting your issue - thank you!

• I have checked the superset logs for python stacktraces and included it here as text if there are any.
• I have reproduced the issue with at least the latest released version of superset.
• I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

This could also be considered a security issue, since RLS is also applied to guest tokens. In our case, we have some dashboards that do not need RLS and some that absolutely need them. The only way (without changing the dataset) to disable RLS for embedded dashboards is by creating a guest token without them, there are no settings on dashboards/charts to ignore it.

The workaround we're doing is to add false as rls_required to our datasets, and either having RLS clauses per user or having the clause "rls_required=false" which will error out charts without that column. This isn't a desirable workaround.

[jfrag1]

What version of Superset are you using? There's been some work done on this area recently (#24789, #25081), and I'd be surprised to learn this is happening on 3.x.

[lindenh]

This is on 3.0.1. We'll be upgrading over to 3.0.2 and I'm willing to try to test it off of master at some point in the current/next week, but I didn't see anything in the recent changelogs that would indicate this would be fixed

[hash-data]

same issue is faced by me @jfrag1 and I don't think their is fix for it. It is serious vulnerability

[jfrag1]

I'm not able to reproduce this issue, requesting the /api/v1/chart/{pk}/data endpoint with a guest token always returns a 404 for me, regardless of whether the chart is on the dashboard or not.

One thing to note is I have gamma permissions for the GUEST_ROLE_NAME, if you gave the guest role admin permissions, I could see this happening though.

[hash-data]

Ideally the guest role (in your case Gamma) can have any permission but based on the resource it got generated on, it should only access those datasets which were used in that particular resource.

[jfrag1]

It does do that for the most part, but the admin role includes the all_datasource_access perm, which will give access to all datasources, and therefore all charts. It shouldn't be unexpected that making the guest role admin gives guest tokens admin access to all resources

[hash-data]

Hi @jfrag1 let me simplify this :
-> We have created a role for embed_dashboard, which is assigned to the user who creates the guest token.
-> Now embed_dashboard role has all dataset access
-> User-created guest token with dashboard_id 1
-> dashboard_id 1 uses two datasets which are dataset_1 and dataset_2.
-> Now when the user creates a guest token with resource_id (dashboard in this case) can get all datasets data by hitting the above-mentioned API.
Ideally, user should be able to access the dataset which is used in that resource only(In this case dataset_1 and dataset_2).
(Mapping of permission in guest token about which dataset to show and which dataset not, also have to consider the resource it is being created on.)*

[hash-data]

@jfrag1 have you checked it?

[cw1427]

I used access-token to fetch the chart data but no matter which pk for the chart I changed, the api always response 404
api/v1/chart/{pk}/data/

[hash-data]

@cw1427 hi, I don't think this is related to the opened issue. We are still waiting for the community to take action on it. I don't know if @jfrag1 has any update on it.

[jfrag1]

-> We have created a role for embed_dashboard, which is assigned to the user who creates the guest token.
-> Now embed_dashboard role has all dataset access

You shouldn’t grant the embed_dashboard role all dataset access, it doesn’t need it. Guest tokens are granted access to all charts on the dashboard it’s created on. It works similar to how the DASHBOARD_RBAC feature flag works. A limited role like gamma is ideal since it gives the guest user enough base permissions to view the dashboard/charts in general but doesn’t grant access to any resources.

You could make an argument that a guest user should never be granted any admin-like/global resource access like all_dataset_access even if their role includes it, as I’m not sure of any use cases for having such a powerful guest user. That guardrail wouldn’t necessarily be trivial to implement, though.

@hash-data

[hash-data]

hi @jfrag1 that is just an example, we can give 5 dataset access let us say which include dataset_1 and dataset_2.
But here in this case if guest token is generated for dashboard 1 which uses dataset_1 and dataset_2 why guest token can access other 3 as well with that guest token?

In above answer I think you are saying just like dashboard_rbac the guest user have automatically dataset access of those dataset which are being used in dashboard.

[hash-data]

@jfrag1 thanks for the help I got your point

Summary on conversation

Just like dashboard_rbac the guest user have automatically dataset access of those dataset which are being used in dashboard. No need to provide dataset access explicitly. 

which is correct

I think we can close this issue as well (For resourse access we can raise a new issue)

[jfrag1]

@lindenh I'm going to close this issue. I hope the conversation here can help with resolving any issues you may still have. Please leave a comment here if you feel the issue hasn't been properly addressed.