Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hiding Force refresh in Dashboard #28249

Open
3 tasks done
abhishekindigg opened this issue Apr 28, 2024 · 6 comments
Open
3 tasks done

Hiding Force refresh in Dashboard #28249

abhishekindigg opened this issue Apr 28, 2024 · 6 comments

Comments

@abhishekindigg
Copy link

Bug description

Hello,

I want to disable Force Refresh in Dashboard for users. It should only be accessed by the admins.

I created a new role and given only read only permissions, still users are able to do force refresh.

Which permission should I revoke for Gamma users to hide this option ?

How to reproduce the bug

Go to the dashboard.
In menu, use Force refresh.

Screenshots/recordings

image

Superset version

3.1.2

Python version

3.11

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
@abhishekindigg
Copy link
Author

Can someone help ?

@rusackas
Copy link
Member

I'm not sure if there is such a granular permission for that. I'm curious the use case and why you wouldn't want users to refresh... maybe for embedded purposes?

Maybe @eschutho or @dpgaspar know a permission that can address this.

@abhishekindigg
Copy link
Author

@rusackas Frequent refresh causes a lot of query to Athena which also increases our Athena cost.

@rusackas
Copy link
Member

Sounds reasonable, but just to play devil's advocate here... are you sure you have a lot of users doing "force refresh" or is the dashboard's cache timeout too short? Also maybe worth noting that people can still run these queries via the chart builder or SQL lab views as frequently as they want.

Another solution would be to put a tool in the middle that queries athena on a schedule (or provides an additional layer of caching, at least), keeping the resulting data in a more cost-effective warehouse/lake/db/etc. which you'd connect Superset to.

@dpgaspar
Copy link
Member

I'm not sure if there is such a granular permission for that. I'm curious the use case and why you wouldn't want users to refresh... maybe for embedded purposes?

Maybe @eschutho or @dpgaspar know a permission that can address this.

No specific permission for it. As you said, user's can always hit the endpoint explore_json or chart/data`, rate limit could be a solution also

@mistercrunch
Copy link
Member

I'm adding a note here as I'm thinking about evolving the security model, and going with a hierarchical action model. I want to make sure that the model we'll come up with will work to support the perm requests across the community.

Here the resource would be Dashboard and action would be read.refresh.force, where composing a role you could specify you give read.* minus !read.refresh.force. Clearly will require work to attach perms to actions across the frontend/backend, but seems the model I have in mind (and will publish soon) should support this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mistercrunch @rusackas @dpgaspar @abhishekindigg