Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sandboxing on linked table column with multiple dimensions and remapping, then "dirty" query fails #15106

Closed
flamber opened this issue Mar 9, 2021 · 0 comments · Fixed by #25012
Closed

Sandboxing on linked table column with multiple dimensions and remapping, then "dirty" query fails #15106

flamber opened this issue Mar 9, 2021 · 0 comments · Fixed by #25012
Assignees
@noahmoss
Labels
Administration/Data Sandboxes Enterprise Sandboxing Administration/Table Metadata Priority:P2 Average run of the mill bug Querying/Nested Queries Questions based on other saved questions Querying/Remapping Remapped display values, whether human-readable values or Field->Field remappings .Reproduced Issues reproduced in test (usually Cypress) Type:Bug Product defects
Projects
Cypress Testing
Milestone
0.44.2

Comments

@flamber
Copy link
Contributor

flamber commented Mar 9, 2021

Describe the bug
When having multiple dimensions and remapping on one of them, and sandboxing a linked table column, then "dirty" queries fail.

To Reproduce

  1. Admin > People > create user "U1" with attribute user_id=1
  2. Admin > Data Model > Sample Dataset
    a. Order > User ID > "Display values" = "Use foreign key" (Name)
    b. Reviews > Product ID > change foreign key reference from "Products.ID" to "Orders.ID"
    image
  3. Admin > Permissions > Data > Sample Dataset
    a. Sandbox Orders with column "Orders.User_ID" = attribute user_id
    b. Sandbox People with column "People.ID" = attribute user_id
    c. Sandbox Reviews with column "Order.User_ID" (yes, linked column) = attribute user_id
    image
  4. Login as "U1" and go to Reviews table - it will fail with You do not have permissions to run this query.
Full stacktrace 
2021-03-09 19:07:12,693 ERROR middleware.catch-exceptions :: Error processing query: null
{:database_id 1,
 :started_at #t "2021-03-09T19:07:12.102471+01:00[Europe/Copenhagen]",
 :error_type :missing-required-permissions,
 :json_query
 {:database 1,
  :query {:source-table 4},
  :type "query",
  :parameters [],
  :middleware {:js-int-to-string? true, :add-default-userland-constraints? true}},
 :native nil,
 :status :failed,
 :class clojure.lang.ExceptionInfo,
 :stacktrace
 ["--> query_processor.middleware.permissions$perms_exception.invokeStatic(permissions.clj:34)"
  "query_processor.middleware.permissions$perms_exception.invoke(permissions.clj:33)"
  "query_processor.middleware.permissions$fn__46263$check_ad_hoc_query_perms__46268$fn__46272.invoke(permissions.clj:54)"
  "query_processor.middleware.permissions$fn__46263$check_ad_hoc_query_perms__46268.invoke(permissions.clj:43)"
  "query_processor.middleware.permissions$fn__46300$check_query_permissions_STAR___46305$fn__46306.invoke(permissions.clj:65)"
  "query_processor.middleware.permissions$fn__46300$check_query_permissions_STAR___46305.invoke(permissions.clj:58)"
  "query_processor.middleware.permissions$check_query_permissions$fn__46319.invoke(permissions.clj:74)"
  "query_processor.middleware.pre_alias_aggregations$pre_alias_aggregations$fn__47880.invoke(pre_alias_aggregations.clj:40)"
  "query_processor.middleware.cumulative_aggregations$handle_cumulative_aggregations$fn__46517.invoke(cumulative_aggregations.clj:60)"
  "metabase_enterprise.sandbox.query_processor.middleware.row_level_restrictions$apply_row_level_permissions$fn__49452.invoke(row_level_restrictions.clj:326)"
  "query_processor.middleware.resolve_joined_fields$resolve_joined_fields$fn__48193.invoke(resolve_joined_fields.clj:94)"
  "query_processor.middleware.resolve_joins$resolve_joins$fn__48498.invoke(resolve_joins.clj:178)"
  "query_processor.middleware.add_implicit_joins$add_implicit_joins$fn__44842.invoke(add_implicit_joins.clj:181)"
  "query_processor.middleware.large_int_id$convert_id_to_string$fn__47153.invoke(large_int_id.clj:44)"
  "query_processor.middleware.format_rows$format_rows$fn__47133.invoke(format_rows.clj:74)"
  "query_processor.middleware.desugar$desugar$fn__46583.invoke(desugar.clj:21)"
  "query_processor.middleware.binning$update_binning_strategy$fn__45608.invoke(binning.clj:228)"
  "query_processor.middleware.resolve_fields$resolve_fields$fn__46126.invoke(resolve_fields.clj:24)"
  "query_processor.middleware.add_dimension_projections$add_remapping$fn__44472.invoke(add_dimension_projections.clj:316)"
  "query_processor.middleware.add_implicit_clauses$add_implicit_clauses$fn__44703.invoke(add_implicit_clauses.clj:146)"
  "metabase_enterprise.sandbox.query_processor.middleware.row_level_restrictions$apply_row_level_permissions$fn__49452.invoke(row_level_restrictions.clj:326)"
  "query_processor.middleware.upgrade_field_literals$upgrade_field_literals$fn__48928.invoke(upgrade_field_literals.clj:45)"
  "query_processor.middleware.add_source_metadata$add_source_metadata_for_source_queries$fn__44995.invoke(add_source_metadata.clj:122)"
  "metabase_enterprise.sandbox.query_processor.middleware.column_level_perms_check$maybe_apply_column_level_perms_check$fn__48969.invoke(column_level_perms_check.clj:25)"
  "query_processor.middleware.reconcile_breakout_and_order_by_bucketing$reconcile_breakout_and_order_by_bucketing$fn__48077.invoke(reconcile_breakout_and_order_by_bucketing.clj:97)"
  "query_processor.middleware.auto_bucket_datetimes$auto_bucket_datetimes$fn__45195.invoke(auto_bucket_datetimes.clj:139)"
  "query_processor.middleware.resolve_source_table$resolve_source_tables$fn__46173.invoke(resolve_source_table.clj:45)"
  "query_processor.middleware.parameters$substitute_parameters$fn__47862.invoke(parameters.clj:111)"
  "query_processor.middleware.resolve_referenced$resolve_referenced_card_resources$fn__46225.invoke(resolve_referenced.clj:79)"
  "query_processor.middleware.expand_macros$expand_macros$fn__46839.invoke(expand_macros.clj:155)"
  "query_processor.middleware.add_timezone_info$add_timezone_info$fn__45004.invoke(add_timezone_info.clj:15)"
  "query_processor.middleware.splice_params_in_response$splice_params_in_response$fn__48864.invoke(splice_params_in_response.clj:32)"
  "query_processor.middleware.resolve_database_and_driver$resolve_database_and_driver$fn__48088$fn__48092.invoke(resolve_database_and_driver.clj:31)"
  "driver$do_with_driver.invokeStatic(driver.clj:60)"
  "driver$do_with_driver.invoke(driver.clj:56)"
  "query_processor.middleware.resolve_database_and_driver$resolve_database_and_driver$fn__48088.invoke(resolve_database_and_driver.clj:25)"
  "query_processor.middleware.fetch_source_query$resolve_card_id_source_tables$fn__47079.invoke(fetch_source_query.clj:274)"
  "query_processor.middleware.store$initialize_store$fn__48873$fn__48874.invoke(store.clj:11)"
  "query_processor.store$do_with_store.invokeStatic(store.clj:44)"
  "query_processor.store$do_with_store.invoke(store.clj:38)"
  "query_processor.middleware.store$initialize_store$fn__48873.invoke(store.clj:10)"
  "query_processor.middleware.validate$validate_query$fn__48935.invoke(validate.clj:10)"
  "query_processor.middleware.normalize_query$normalize$fn__47205.invoke(normalize_query.clj:22)"
  "query_processor.middleware.add_rows_truncated$add_rows_truncated$fn__44860.invoke(add_rows_truncated.clj:35)"
  "metabase_enterprise.audit.query_processor.middleware.handle_audit_queries$handle_internal_queries$fn__31308.invoke(handle_audit_queries.clj:162)"
  "query_processor.middleware.results_metadata$record_and_return_metadata_BANG_$fn__48849.invoke(results_metadata.clj:147)"
  "query_processor.middleware.constraints$add_default_userland_constraints$fn__46460.invoke(constraints.clj:42)"
  "query_processor.middleware.process_userland_query$process_userland_query$fn__47951.invoke(process_userland_query.clj:135)"
  "query_processor.middleware.catch_exceptions$catch_exceptions$fn__46403.invoke(catch_exceptions.clj:173)"
  "query_processor.reducible$async_qp$qp_STAR___33116$thunk__33117.invoke(reducible.clj:103)"
  "query_processor.reducible$async_qp$qp_STAR___33116.invoke(reducible.clj:109)"
  "query_processor.reducible$sync_qp$qp_STAR___33125$fn__33128.invoke(reducible.clj:135)"
  "query_processor.reducible$sync_qp$qp_STAR___33125.invoke(reducible.clj:134)"
  "query_processor$process_userland_query.invokeStatic(query_processor.clj:237)"
  "query_processor$process_userland_query.doInvoke(query_processor.clj:233)"
  "query_processor$fn__49498$process_query_and_save_execution_BANG___49507$fn__49510.invoke(query_processor.clj:249)"
  "query_processor$fn__49498$process_query_and_save_execution_BANG___49507.invoke(query_processor.clj:241)"
  "query_processor$fn__49542$process_query_and_save_with_max_results_constraints_BANG___49551$fn__49554.invoke(query_processor.clj:261)"
  "query_processor$fn__49542$process_query_and_save_with_max_results_constraints_BANG___49551.invoke(query_processor.clj:254)"
  "api.dataset$run_query_async$fn__63828.invoke(dataset.clj:56)"
  "query_processor.streaming$streaming_response_STAR_$fn__63807$fn__63808.invoke(streaming.clj:72)"
  "query_processor.streaming$streaming_response_STAR_$fn__63807.invoke(streaming.clj:71)"
  "async.streaming_response$do_f_STAR_.invokeStatic(streaming_response.clj:65)"
  "async.streaming_response$do_f_STAR_.invoke(streaming_response.clj:63)"
  "async.streaming_response$do_f_async$fn__17489.invoke(streaming_response.clj:84)"],
 :context :ad-hoc,
 :error "You do not have permissions to run this query.",
 :row_count 0,
 :running_time 0,
 :preprocessed nil,
 :ex-data
 {:type :missing-required-permissions,
  :required-permissions #{"/db/1/schema/PUBLIC/table/3/query/"},
  :actual-permissions
  #{"/db/1/schema/PUBLIC/table/2/read/" "/collection/2/" "/db/1/schema/PUBLIC/table/4/read/"
    "/db/1/schema/PUBLIC/table/3/read/" "/collection/root/" "/collection/6/read/"
    "/db/1/schema/PUBLIC/table/3/query/segmented/" "/db/1/schema/PUBLIC/table/2/query/segmented/"
    "/db/1/schema/PUBLIC/table/4/query/segmented/" "/collection/8/"},
  :card-id nil,
  :permissions-error? true},
 :data {:rows [], :cols []}}
  1. While on the error, then save the question and refresh the browser, then it's possible to view the results. Until the saved question is "dirty" again (change filter/summarize).
    Alternatively, remove the remapping in step 2a, then the query works (even "dirty").

Information about your Metabase Installation:
Tested 1.36.8 thru 1.38.1

Additional context
Related to #15105
@flamber flamber added Type:Bug Product defects Priority:P2 Average run of the mill bug Administration/Table Metadata Administration/Data Sandboxes Enterprise Sandboxing labels Mar 9, 2021
@nemanjaglumac nemanjaglumac added this to Backlog in Cypress Testing Mar 11, 2021
nemanjaglumac added a commit that referenced this issue Mar 12, 2021
@nemanjaglumac
Add repro for #15106
e9f41b2
nemanjaglumac added a commit that referenced this issue Mar 13, 2021
@nemanjaglumac
#15106 Repro: "Dirty" query fails when sandboxing on linked table col…
bdb688a 
…umn with multiple dimensions and remapping (#15141)
@nemanjaglumac nemanjaglumac mentioned this issue Mar 13, 2021
Merged
@nemanjaglumac nemanjaglumac added the .Reproduced Issues reproduced in test (usually Cypress) label Mar 13, 2021
@flamber flamber added the Querying/Nested Queries Questions based on other saved questions label Nov 2, 2021
@flamber flamber added the Querying/Remapping Remapped display values, whether human-readable values or Field->Field remappings label Mar 3, 2022
@camsaul camsaul removed their assignment Mar 25, 2022
@noahmoss noahmoss assigned noahmoss and unassigned dpsutton Aug 22, 2022
@noahmoss noahmoss mentioned this issue Aug 25, 2022
Merged
@flamber flamber added this to the 0.44.2 milestone Aug 29, 2022
@deploysentinel deploysentinel bot mentioned this issue Dec 28, 2022
Merged
@deploysentinel deploysentinel bot mentioned this issue Jan 11, 2023
Merged
@deploysentinel deploysentinel bot mentioned this issue Feb 14, 2023
Merged
@deploysentinel deploysentinel bot mentioned this issue Jul 6, 2023
Merged
@deploysentinel deploysentinel bot mentioned this issue Jul 18, 2023
Merged
@deploysentinel deploysentinel bot mentioned this issue Aug 23, 2023
Merged
@deploysentinel deploysentinel bot mentioned this issue Oct 18, 2023
Merged
This was referenced Jan 11, 2024
Merged
Merged
Merged
This was referenced Feb 6, 2024
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Open
Merged
Merged
Merged
Merged
Merged
@replay-io replay-io bot mentioned this issue Feb 13, 2024
Merged
@replay-io replay-io bot mentioned this issue Mar 1, 2024
Merged
This was referenced Mar 26, 2024
Merged
Merged
Merged
This was referenced Apr 9, 2024
Merged
Merged
Merged
Merged
Merged
This was referenced Apr 23, 2024
Merged
Merged
Merged
@replay-io replay-io bot mentioned this issue May 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@noahmoss noahmoss

Labels
Administration/Data Sandboxes Enterprise Sandboxing Administration/Table Metadata Priority:P2 Average run of the mill bug Querying/Nested Queries Questions based on other saved questions Querying/Remapping Remapped display values, whether human-readable values or Field->Field remappings .Reproduced Issues reproduced in test (usually Cypress) Type:Bug Product defects
Projects
Cypress Testing
Backlog
Milestone
0.44.2
Development

Successfully merging a pull request may close this issue.

Make sandboxing middleware recursive metabase/metabase
5 participants
@flamber @camsaul @dpsutton @nemanjaglumac @noahmoss