dosubot[bot] commented on issue #36484: URL: https://github.com/apache/superset/issues/36484#issuecomment-3632352887
Hi @Flvn! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

This behavior in Superset 5.0.0 is due to how permissions are enforced for drill data versus dataset metadata. Drill data access can be granted via dashboard RBAC roles and the "can drill on dashboards" permission, so users can see the underlying data when drilling—even if they don't have explicit dataset permissions. However, loading dataset metadata (like column info) uses a different backend endpoint that always checks for explicit dataset access. If the user doesn't have the "datasource_access" permission on the dataset, Superset returns the "There was an error loading the dataset metadata" message, even though the data itself is visible via the drill feature.

This is not a configuration issue but a result of the permission model in 5.0.0, which distinguishes between data access (dashboard-level permissions) and metadata access (dataset-level permissions). There is no feature flag or setting in 5.0.0 to allow dashboard-level permissions to grant metadata access; explicit dataset access is required for metadata loading to succeed. This means that, as of 5.0.0, managing drill access without also managing dataset permissions for metadata is not possible without code changes or future updates to the permission model.

[Reference: code and permission checks](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L453-L2456)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
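The split described in the comment above means a role can reach dataset rows through drill without holding any dataset grant. The following audit sketch is an added example, not part of the comment and not Superset code: it lists every role, dashboard and dataset combination where that happens. The data model, the role names and the permission strings (taken from the comment's wording) are assumptions; a real audit would load them from the deployment's role and dashboard configuration.

```python
from dataclasses import dataclass

# Permission names follow the wording of the comment above (assumption);
# take the exact strings from the deployment's role editor.
DRILL = ("can drill", "Dashboard")
DATASET_ACCESS = "datasource_access"


@dataclass
class Dashboard:
    title: str
    rbac_roles: set[str]  # roles attached to the dashboard (dashboard RBAC)
    datasets: set[str]    # datasets behind the dashboard's charts


def drill_without_dataset_grant(role_perms, dashboards):
    """Return sorted (role, dashboard, dataset) triples where the role can
    read rows through drill but holds no explicit datasource_access on the
    dataset, so the metadata endpoint would refuse the same user."""
    findings = []
    for dash in dashboards:
        for role in dash.rbac_roles:
            perms = role_perms.get(role, set())
            if DRILL not in perms:
                continue  # no drill permission, so no drill data path
            for ds in dash.datasets:
                if (DATASET_ACCESS, ds) not in perms:
                    findings.append((role, dash.title, ds))
    return sorted(findings)


# Constructed sample data: role -> set of (permission, object) pairs.
ROLE_PERMS = {
    "SalesViewer": {DRILL},
    "Analyst": {DRILL, (DATASET_ACCESS, "orders"), (DATASET_ACCESS, "customers")},
    "Kiosk": set(),
}
DASHBOARDS = [
    Dashboard("Sales", {"SalesViewer", "Analyst", "Kiosk"}, {"orders", "customers"}),
    Dashboard("Ops", {"Analyst"}, {"tickets"}),
]

if __name__ == "__main__":
    for role, dash, ds in drill_without_dataset_grant(ROLE_PERMS, DASHBOARDS):
        print(f"{role}: drill on '{dash}' exposes '{ds}' without {DATASET_ACCESS}")
```

Each finding is a place to decide deliberately: either grant the dataset permission so metadata loads, or remove the drill path if the rows should not be visible to that role.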
