When a dashboard is accessed using the embedding UI, the Drill By/Drill to Detail functions in the right click menu and chart menu are only available if the guest user Role has the can explore on Superset permission. However, this permission also enables heading links to the Explore screen, along with other chart menu options which are not desirable in an embedded chart, e.g.:

  • View Query
  • Edit Chart

If the user does have the can explore on Superset but lacks the can samples on Datasource permission, the Drill to detail [by] menu items appear but the data cannot be loaded.

How to reproduce the bug

  1. Set up an embedded dashboard, with a chart such as a Pie Chart that has drill functionality.
  2. Give the guest user Role can explore on Superset permission.
  3. Load the embedded dashboard.
  4. Right click on the chart.

Expected results

Given some other permission applied to the guest user (I'm unsure which one is appropriate, or if a new one is needed), and given they don't have can explore on Superset:

  • You can use the drill functions in the right click and chart menu. If the user does not have can samples on Datasource permission, Drill to detail and Drill to detail by will not appear in the menu.
  • You cannot click on the header of the chart (it's not a link).
  • Edit Chart and View Query will not appear in the menu.

Actual results

  • You can use the drill functions in the menu. If the user does not have can samples on Datasource permission, opening Drill to detail or Drill to detail by will display an error Error: Access is Denied.
  • You can click on the header of the chart, which will take you to a blank page
  • You can open the chart menu and Edit Chart, which will take you to a blank page
  • You can open the chart menu and View Query successfully

Environment

  • browser type and version: Google Chrome Version 117.0.5938.149 (Official Build) (x86_64)
  • superset version: 3.0.0
  • python version: 3.9.1
  • node.js version: v16.9.1
  • any feature flags active:
      • ALERT_REPORTS
      • EMBEDDED_SUPERSET
      • HORIZONTAL_FILTER_BAR
      • DASHBOARD_CROSS_FILTERS
      • DRILL_TO_DETAIL
      • DRILL_BY
      • ENABLE_TEMPLATE_PROCESSING

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • [x] I have reproduced the issue with at least the latest released version of superset.
  • [x] I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

The files in which the permissions are checked and need updating are:

  • ChartContextMenu.tsx
  • SliceHeaderControls/index.tsx
  • SliceHeader/index.tsx

Comment From: Truffula

I've seen a suggestion in Slack that can explore on Superset is the appropriate permission — that doesn't fix it (that permission isn't referenced in the relevant files) and I'm not sure whether it is the right permission to check.

Comment From: cwegener

I may have mentioned the incorrect permission in that old Slack thread. Link

What is actually needed is:

  • can read on Explore
  • can samples on Datasource
  • can explore json on Superset (I'm not 100% sure if that one is actually needed for drill by)

can explore on Superset is not needed at all and it does have the unintended side-effects you describe.

Comment From: ggam

Getting the correct permissions for using embedded is indeed very difficult and hard to maintain. As of now, not even the Gamma role contains all the needed permissions.

The best solution would probably be to have a new standard "Embedded" role that one can use as a base.

Comment From: Truffula

As best as I can work out, this is the bare minimum list for an embedded dashboard with Drill By (currently) which I've applied to my Guest user:

can read on Dashboard
can read on Chart
can read on DashboardFilterStateRestApi
can write on DashboardFilterStateRestApi
can time range on Api
can samples on Datasource
all datasource access on all_datasource_access*
can explore on Superset**
can fetch datasource metadata on Superset
can read on Dataset

* I think this needs a fix, should work with specified datasets, though I'm not sure if guest tokens restrict the datasets or leave it open to all

** to address under this bug, should work with can read on Explore

@cwegener you're right, can explore Json on Superset doesn't seem to be needed.

Comment From: justin-tomlinson

I'm still struggling with the above as well. Our primary use case is embedded and we want to enable the drill by and drill to detail options as it changes the way we design dashboards. We are still back on v2.1.1 but assume things haven't changed on 3.x. I've also noticed the cross filter scoping option is available with the above permissions. The user cannot change them but it's confusing as an option that seems available to the end user.

Comment From: Purush0th

I've added all these permissions along with Public + Gamma.

can read on Dashboard
can read on Chart
can read on DashboardFilterStateRestApi
can write on DashboardFilterStateRestApi
can time range on Api
can samples on Datasource
all datasource access on all_datasource_access
can explore on Superset
can fetch datasource metadata on Superset
can read on Dataset

But drilldown not working with embedded.

Request:

POST https://example.com/datasource/samples?force=false&datasource_type=table&datasource_id=31&per_page=50&page=1 HTTP/1.1
Host: example.com
Content-Type: application/json
Accept: application/json
X-GuestToken: XXXXX
X-CSRFToken: XXXX
sec-ch-ua-platform: "Windows"

Response:

HTTP/1.1 400 BAD REQUEST
Set-Cookie: session=eyJsb2NhbGUiOiJlbiJ9.ZYO_Zg.bTH-mcPMi1WMQbBfkCGF8AyJMJI; HttpOnly; Path=/; SameSite=Lax
{"errors": [{"message": "400 Bad Request: The CSRF session token is missing.", "error_type": "GENERIC_BACKEND_ERROR", "level": "error", "extra": {"issue_codes": [{"code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error."}]}}]}

Could you tell what went wrong?

Comment From: cwegener

That might be some new regression .. at first glance your request should be allowed ...

Comment From: Purush0th

Hi @cwegener we are using 3.0.2. Also, to generate guest token from the backend I'm creating a CSRF token which returns set-cookie response. But I'm not returning the CSRF to the embedded SDK, only the guest token.

Could that be the problem?

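const axios = require('axios');

// Assumption: supersetBaseUrl is defined elsewhere in the backend (not shown in the post).
const supersetBaseUrl = process.env.SUPERSET_BASE_URL;

// Fetch a CSRF token together with the session cookie it is bound to.
async function getCsrfToken() {
  const config = {
    method: 'get',
    url: `${supersetBaseUrl}/security/csrf_token/`
  };

  const response = await axios.request(config);
  // The response headers carry the session cookie, so they are not logged here.
  const cookieName = "session";
  // set-cookie may be absent; fall back to an empty list instead of throwing.
  const sessionCookie = (response.headers['set-cookie'] ?? [])
    .find(cookie => cookie.includes(cookieName))
    ?.match(new RegExp(`^${cookieName}=(.+?);`))
    ?.[1];

  return [response.data, sessionCookie];
}

// Request a guest token for one dashboard, sending the CSRF token and its session cookie.
async function getGuestToken(user, dashboardId, appToken, csrfToken, sessionCookie) {
  try {
    const data = JSON.stringify({
      "user": user,
      "resources": [
        {
          "type": "dashboard",
          "id": dashboardId
        }
      ],
      "rls": []
    });

    const config = {
      method: 'post',
      url: `${supersetBaseUrl}/security/guest_token/`,
      headers: {
        'X-CSRFToken': csrfToken,
        'Authorization': 'Bearer ' + appToken,
        'Content-Type': 'application/json',
        'Cookie': 'session=' + sessionCookie
      },
      withCredentials: true,
      data: data
    };

    const response = await axios.request(config);
    return response.data;
  } catch (error) {
    // Report the failure without printing tokens or cookies.
    console.error('Guest token request failed:', error.message);
    return "";
  }
}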

Comment From: Purush0th

Any fix for this?

Comment From: gpchandran

Update: Hi all, I'm using Superset 3.1.0. From the embedded dashboard, both Drill By and Drill to detail are not working. Is any workaround or fix available for this issue?

Seems not related to a Role/Permission issue; for debugging I tried the Admin role for the embed guest user, and it didn't work. This requires a fix.

@Purush0th @ggam @Truffula - did you get this working? please advise if any workaround or fixes?

Comment From: k-ayrault

Hi @gpchandran,

I’m experiencing the same issue with Superset 3.1.0 where both “Drill By” and “Drill to Detail” are not working in the Embedded Dashboard. I’ve also tested with an Admin role for the embed guest user, and it didn’t resolve the problem.

Has anyone managed to find a workaround or a fix for this issue? Any guidance would be greatly appreciated! 🙏

Comment From: rusackas

@k-ayrault we're no longer actively supporting 3.x versions. Can you check in 4.1.1?

Comment From: gpchandran

@k-ayrault what is in your config for below?

GUEST_ROLE_NAME = "Gamma"

This env config should have all Drill to and Drill By permissions, try something like this

GUEST_ROLE_NAME = "Admin" and change to granular role # not recommended for Prod

Comment From: mohitgullani9

Hey did you find any solution, I'm trying to achieve the same functionality.

Comment From: gpchandran

Hi @mohitgullani9 - It's working for me and my current Superset version (4.1.1) (it used to work for me in 3.1.0 but I can't go back and test now). Please upgrade to the latest 4.1.1 and try. Can you share your superset config.py? In your config you need to add the parameter GUEST_ROLE_NAME = "Admin" and try (you need to have this at config level irrespective of user role).

After upgrading and adding this ENV parameter, if there is still an issue, open a new issue with more details.

Comment From: ArvindKand

@gpchandran sorry, not clear, which ENV parameter? I am on 4.1.1 and I have GUEST_ROLE_NAME='Gamma' in my config. I have a user created for the embedded dashboard, can I add this user for GUEST_ROLE_NAME?

Comment From: gpchandran

GUEST_ROLE_NAME='Admin'

Change like this and test. Once it's working change back to

GUEST_ROLE_NAME='Gamma'

Add the required embedded permissions to this role and test (mainly Guest Api token permissions)

Comment From: ArvindKand

got it, thank you. Tried it and it worked.
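
Added example (not part of the thread and not Superset's own code): a Python check of a guest role against the permission lists posted earlier in the thread and the GUEST_ROLE_NAME switch described in the comments above. The baseline list, the wording of the flag reasons and the function names are assumptions assembled from the comments, not verified against any Superset release.

```python
# Added example: least-privilege check for the role behind GUEST_ROLE_NAME.
# BASELINE is an assumption assembled from this thread (Truffula's list minus the
# two footnoted entries, plus cwegener's "can read on Explore"); it is not
# verified against any Superset release.
BASELINE = [
    "can read on Dashboard",
    "can read on Chart",
    "can read on DashboardFilterStateRestApi",
    "can write on DashboardFilterStateRestApi",
    "can time range on Api",
    "can samples on Datasource",
    "can fetch datasource metadata on Superset",
    "can read on Dataset",
    "can read on Explore",
]
# Grants the thread itself calls out, with the reason given there.
FLAGGED = {
    "can explore on Superset": "Explore links, View Query and Edit Chart appear in embedded charts",
    "all datasource access on all_datasource_access": "access is not restricted to specified datasets",
}
# Constructed sample: the ten-entry list posted twice in the thread.
POSTED = BASELINE[:8] + list(FLAGGED)


def key(permission):
    """Split '<action> on <resource>' into a case-insensitive pair."""
    action, sep, resource = " ".join(permission.split()).rpartition(" on ")
    if not sep:
        raise ValueError(f"not an '<action> on <resource>' permission: {permission!r}")
    return action.lower(), resource.lower()


def audit_guest_role(role_name, permissions):
    """Report baseline gaps, flagged grants and grants nobody in the thread listed."""
    granted = {key(p): p for p in permissions}
    baseline = {key(p): p for p in BASELINE}
    reasons = {key(p): why for p, why in FLAGGED.items()}
    flagged = sorted(f"{granted[k]}: {reasons[k]}" for k in granted if k in reasons)
    if role_name.strip().lower() == "admin":
        flagged.insert(0, "GUEST_ROLE_NAME is Admin: guest tokens get the Admin role's permissions")
    return {
        "missing": sorted(v for k, v in baseline.items() if k not in granted),
        "flagged": flagged,
        "unreviewed": sorted(v for k, v in granted.items() if k not in baseline and k not in reasons),
    }


if __name__ == "__main__":
    # Audit the posted list as if the config still had GUEST_ROLE_NAME = "Admin".
    for section, items in audit_guest_role("Admin", POSTED).items():
        print(section, items)
```

Feed it the permission names copied from the role's edit screen; anything under "unreviewed" is a grant that no comment in this thread accounts for.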

Comment From: gpchandran

Glad it worked! Enjoy

Comment From: prsandeep

import React, { useEffect, useRef, useState } from 'react';
import { useNavigate } from 'react-router-dom';
import { embedDashboard } from '@superset-ui/embedded-sdk';
import { bugzillaApi } from '../services/bugzillaApi'; // Import the separate API service
import '../bugzilla.css';

function BugzillaDashboard() {
  const navigate = useNavigate();
  const dashboardId = 'e191eb89-281d-4d10-8bcd-2dc415b9514e';
  const containerRef = useRef(null);
  const [loading, setLoading] = useState(true);
  const [error, setError] = useState(null);
  const [dashboardConfig, setDashboardConfig] = useState(null);

  const handleGoBack = () => {
    navigate(-1); // Go back to previous page
  };

  useEffect(() => {
    const embedSupersetDashboard = async () => {
      try {
        setLoading(true);
        setError(null);

        // Get guest token using the separate API service
        const tokenResponse = await bugzillaApi.getGuestToken(dashboardId);
        const guestToken = tokenResponse.data.token;

        if (!guestToken) {
          throw new Error('Guest token missing in response');
        }

        // // Optionally, get dashboard configuration
        // try {
        //   const configResponse = await bugzillaApi.getDashboardConfig(dashboardId);
        //   setDashboardConfig(configResponse.data);
        // } catch (configError) {
        //   console.warn('Could not fetch dashboard config:', configError);
        //   // Continue without config - not critical
        // }

        // Embed the dashboard
        await embedDashboard({
          id: dashboardId,
          supersetDomain: 'https://bidarshan-dev.dcservices.in/',
          mountPoint: containerRef.current,
          fetchGuestToken: () => guestToken,
          dashboardUiConfig: {
            hideTitle: true,
            hideChartControls: false,
            hideTab: false,
            hasDrillBy: true,
            // You can use dashboardConfig here if needed
            ...(dashboardConfig?.uiConfig || {})
          },
        });

        setLoading(false);
      } catch (err) {
        console.error('Error embedding Superset dashboard:', err);

        // Handle different types of errors
        const errorMessage = err.userMessage || err.message || 'Failed to load dashboard';
        setError(errorMessage);
        setLoading(false);
      }
    };

    embedSupersetDashboard();
  }, [dashboardId]);

  return (
    <div>
      {/* Back Button: the wrapper and button markup were stripped from the post; these are minimal stand-ins */}
      <button onClick={handleGoBack}>Back</button>

      {loading && (
        <div style={{
          position: 'absolute',
          top: 10,
          left: 120,
          zIndex: 1000,
          background: 'rgba(255, 255, 255, 0.9)',
          padding: '10px',
          borderRadius: '4px'
        }}>
          <p style={{ color: '#555', margin: 0 }}>Loading dashboard...</p>
        </div>
      )}

      {error && (
        <div style={{
          position: 'absolute',
          top: 10,
          left: 120,
          zIndex: 1000,
          background: 'rgba(255, 0, 0, 0.1)',
          padding: '10px',
          borderRadius: '4px',
          border: '1px solid #ff0000'
        }}>
          <p style={{ color: 'red', margin: 0 }}>Error: {error}</p>
        </div>
      )}

      <div id="dashboard-container" ref={containerRef} />
    </div>
  );
}

export default BugzillaDashboard;