Bug description
Trying to apply a different RLS clause to different datasets by passing the dataset ID, but every time Superset applies each clause to all charts/datasets, which ends in errors: Error: column "businessowner" does not exist.
Code
```csharp
public async Task<string> GenerateUserSpecificGuestTokenAsync(string dashboardId, string email, List<string> roles)
{
    string adminToken = await GetAdminAccessTokenAsync();
    _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", adminToken);

    // ✅ Correct RLS rules with dataset-specific bindings
    var rlsRules = new List<object>
    {
        new {
            datasource = new { id = 41, type = "table" },
            clause = $"'{email}' = ANY(capabilityowner)"
        },
        new {
            datasource = new { id = 42, type = "table" },
            clause = $"'{email}' = ANY(businessowner) OR '{email}' = ANY(technicalowner)"
        },
        new {
            datasource = new { id = 43, type = "table" },
            clause = $"'{email}' = ANY(businessowner) OR '{email}' = ANY(technicalowner)"
        }
    };

    var guestTokenRequest = new
    {
        user = new
        {
            username = _guestUserName,
        },
        resources = new List<object>
        {
            new { type = "dashboard", id = dashboardId }
        },
        rls = rlsRules, // ✅ Pass under "rls", not "rls_rules"
        duration = 600
    };

    var guestTokenUrl = $"{_supersetUrl}/api/v1/security/guest_token/";
    var response = await _httpClient.PostAsync(
        guestTokenUrl,
        new StringContent(JsonSerializer.Serialize(guestTokenRequest), Encoding.UTF8, "application/json")
    );
    response.EnsureSuccessStatusCode();

    var responseData = JsonSerializer.Deserialize<JsonElement>(await response.Content.ReadAsStringAsync());
    return responseData.GetProperty("token").GetString();
}
```
The JSON guest token when decoded does not contain details of DataSource which is being passed while generating it. Is that the problem?
Screenshots/recordings
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hi @saadmuqtadeer! I'm Dosu and I’m helping the superset team.
Superset expects each RLS rule in the guest token payload to use the key dataset (an integer dataset ID), not datasource. If you use datasource, Superset treats the rule as global and applies it to all datasets, which causes errors when columns referenced in the clause don't exist in every dataset (see code logic).
Here's how your rlsRules should look:
```csharp
var rlsRules = new List<object>
{
    new {
        dataset = 41,
        clause = $"'{email}' = ANY(capabilityowner)"
    },
    new {
        dataset = 42,
        clause = $"'{email}' = ANY(businessowner) OR '{email}' = ANY(technicalowner)"
    },
    new {
        dataset = 43,
        clause = $"'{email}' = ANY(businessowner) OR '{email}' = ANY(technicalowner)"
    }
};
```
Make sure the dataset field is an integer and matches the dataset's actual ID in Superset. This will ensure each RLS clause is only applied to the intended dataset. If you want a global RLS rule, omit the dataset field entirely in that rule.
The generated guest token itself won't show datasource details in the JWT payload, but Superset will apply the rules correctly if the payload structure is right (reference).
If you still see errors, double-check that the dataset IDs are correct and that the referenced columns exist in those datasets.
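Added example (not part of the issue or the reply above, and not Superset's own code): the guest token request body in Python with one `dataset`-keyed rule per dataset, as the reply describes, plus a check that flags any rule that would apply globally. The function names, the `guest` username and dashboard ID in the demo, and the quote-doubling of the e-mail value before it is embedded in the clause are assumptions of this example.

```python
import json

# Constructed sample: dataset IDs and clause columns copied from the issue above.
CLAUSES = {
    41: "{email} = ANY(capabilityowner)",
    42: "{email} = ANY(businessowner) OR {email} = ANY(technicalowner)",
    43: "{email} = ANY(businessowner) OR {email} = ANY(technicalowner)",
}


def sql_literal(value):
    """Quote a string as a SQL literal by doubling embedded single quotes.

    Backslashes and control characters are rejected (assumption of this example)
    so the result does not depend on the database's backslash-escape setting.
    """
    if "\\" in value or any(ord(ch) < 0x20 for ch in value):
        raise ValueError("unsupported character in value")
    return "'" + value.replace("'", "''") + "'"


def build_rls_rules(email, clauses):
    """Build one rule per dataset, each keyed by the integer `dataset` field."""
    lit = sql_literal(email)
    return [{"dataset": ds_id, "clause": tmpl.format(email=lit)}
            for ds_id, tmpl in clauses.items()]


def global_rules(rules):
    """Return rules without an integer `dataset`; per the reply, those hit every dataset."""
    return [r for r in rules
            if not isinstance(r.get("dataset"), int) or isinstance(r.get("dataset"), bool)]


def build_guest_token_request(dashboard_id, username, email, clauses):
    """Assemble the JSON body for POST /api/v1/security/guest_token/."""
    rules = build_rls_rules(email, clauses)
    if global_rules(rules):
        raise ValueError("every rule must carry an integer dataset ID")
    return {
        "user": {"username": username},
        "resources": [{"type": "dashboard", "id": dashboard_id}],
        "rls": rules,
    }


if __name__ == "__main__":
    # Constructed inputs: placeholder dashboard ID and e-mail address.
    body = build_guest_token_request("DASHBOARD_ID", "guest", "o'brien@example.com", CLAUSES)
    print(json.dumps(body, indent=2))
```

Running `global_rules` over a rule list before sending it catches the `datasource`-shaped rules from the issue, which carry no `dataset` key.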