berlicon opened a new issue, #36019: URL: https://github.com/apache/superset/issues/36019
### Bug description Steps to reproduce: 1. We have User1 and User2 in Superset. 2. We have ClickHouse DB connected to Superset. 3. User1 has access to table1 in ClickHouse DB. User2 does not. 4. If User1 opens SQLLab and executes query: select * from table1 - he will get data from table1. 5. if User2 opens SQLLab and executes query: select * from table1 - he will give ClickHouse error "Code: 497. DB::Exception: User2: Not enough privileges.(ACCESS_DENIED)" 6. User1 creates dataset1 for table1. 7. User1 creates dashboard/chart for dataset1. 8. User1 opens dashboard and clicks Share/Copy permalink to clipboard. 9. User2 opens Superset and pastes permalink to browser. 10. User2 gets an error: "This endpoint requires the datasource table1, database or all_datasource_access permission". It is OK. 11. User1 adds User2 as coowner of dataset1 12. User2 clicks "Force refresh" on shared dashboard. 13. User2 can see data in dashboard. It is a BUG. User2 should not see any data in dashboard because he does not have access to table1 in Clickhouse. I investigated that query to database was executed under User1 even though User2 is actually watching the dashboard. I run the query: select * from system.processes -- in ClickHouse it shows which user really made the query and it was User1. See: https://clickhouse.com/docs/operations/system-tables/processes How/where I should change the Superset code in order to shared dashboard will be executed under shared user access rights? Or maybe I did that wrong way? ### Screenshots/recordings _No response_ ### Superset version 4.1.3 ### Python version 3.11 ### Node version 18 or greater ### Browser Chrome ### Additional context Actually it is the duplicate of this bug: https://github.com/apache/superset/issues/28214 I want to reopen that issue as far as no answer I have got there. ### Checklist - [x] I have searched Superset docs and Slack and didn't find a solution to my problem. - [x] I have searched the GitHub issue tracker and didn't find a similar bug report. - [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
