dosubot[bot] commented on issue #38185: URL: https://github.com/apache/superset/issues/38185#issuecomment-3943624892
Hi @anuragKss! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

The most likely cause of your 403 error is a **missing "can log on Superset" permission** on your `read_only` role. Superset v6 introduced [stricter permission enforcement](https://github.com/apache/superset/discussions/37781#discussioncomment-15727259) compared to v4.

Your `read_only` guest role needs **all five** of these permissions:

- Can read on Dashboard
- Can read on Chart
- Can read on Dataset
- Can read on Embedded Dashboard
- **Can log on Superset** (critical - without this, `/superset/log` redirects to `/login` causing 403)

The `datasource_access` permissions you've configured are actually not needed here—[once a guest user has access to a dashboard via guest token, they automatically have access to all associated datasets](https://github.com/apache/superset/issues/33698#issuecomment-2944183351).

**To fix:**

1. Go to Security > List Roles > find "read_only"
2. Add the "can log on Superset" permission (and verify the other four are present)
3. Restart Superset after changing role permissions

Also note that [Superset ignores any roles specified in the guest_token payload and always assigns the role from GUEST_ROLE_NAME](https://github.com/apache/superset/discussions/35670#discussioncomment-14695540), so the `read_only` role configuration is the key.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
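An offline check for the role configuration described in the comment above, added here as an example (it is not code from Superset or from the comment): it compares a role's permission labels against the five the comment lists and separately reports grants outside that list, such as the `datasource_access` entries. The label format, the function names and the sample role are assumptions constructed for illustration.

```python
import re

# The five permissions the comment lists for the guest role, as UI labels.
REQUIRED_LABELS = [
    "can read on Dashboard",
    "can read on Chart",
    "can read on Dataset",
    "can read on Embedded Dashboard",
    "can log on Superset",
]

_LABEL = re.compile(r"^\s*(.+?)\s+on\s+(.+?)\s*$", re.IGNORECASE)


def normalize(label):
    """Map '<action> on <resource>' to a case- and spacing-insensitive key."""
    match = _LABEL.match(label)
    if match is None:
        raise ValueError(f"not a permission label: {label!r}")
    action = re.sub(r"[\s_]+", " ", match.group(1)).lower()
    resource = re.sub(r"[\s_]+", "", match.group(2)).lower()
    return action, resource


def audit_guest_role(granted_labels):
    """Report required permissions that are missing and grants outside the list."""
    required = {normalize(label): label for label in REQUIRED_LABELS}
    granted = {normalize(label): label.strip() for label in granted_labels}
    missing = [required[key] for key in required if key not in granted]
    extra = [granted[key] for key in granted if key not in required]
    return {"ok": not missing, "missing": missing, "extra": extra}


# Constructed sample: a read_only role as it might look before the fix.
SAMPLE_ROLE = [
    "can read on Dashboard",
    "Can Read on Chart",
    "can_read on Dataset",
    "can read on EmbeddedDashboard",
    "datasource access on [examples].[sales](id:1)",  # constructed dataset name
]

if __name__ == "__main__":
    report = audit_guest_role(SAMPLE_ROLE)
    for label in report["missing"]:
        print("MISSING:", label)
    for label in report["extra"]:
        print("not in the required list:", label)
```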
