cross filter not working when including dashboard in iframe

[jpchev]

Bug description

Hello,
I can integrate a dashboard in my UI via the iframe provided with the embedded sdk, but cross filters don't work, in particular I can't drill down and drill by in a pie chart.
I see a 404 error when calling
the call to the api /api/v1/dataset/1
whereas the same call works when browsing the same dashboard in the Apache Superset UI.

Here the call getting a 404 from the iframe, saved as a curl command

curl 'https://myurl/api/v1/dataset/1' \
  -H 'accept: application/json' \
  -H 'accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,ru;q=0.5' \
  -H 'cache-control: no-cache' \
  -H 'pragma: no-cache' \
  -H 'priority: u=1, i' \
  -H 'referer: https://myurl/embedded/d73e7841-9342-4afd-8e29-b4a416a2498c?uiConfig=0' \
  -H 'sec-ch-ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: same-origin' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36' \
  -H 'x-csrftoken: <csrftoken>' \
  -H 'x-guesttoken: <guesttoken>'
{"message":"Not found"}

and here I report the same call working in Apache Superset

curl 'https://myurl/api/v1/dataset/1' \
  -H 'accept: application/json' \
  -H 'accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,ru;q=0.5' \
  -H 'cache-control: no-cache' \
  -H 'cookie: session=<session>' \
  -H 'pragma: no-cache' \
  -H 'priority: u=1, i' \
  -H 'referer: https://myurl/superset/dashboard/1/?native_filters_key=DQm0kUmYbI87lXnWjTPKM4pmj0vR7Qy6pt67CgtJaJFSx15Tf-4dVVrkzVXkUPTP' \
  -H 'sec-ch-ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'x-csrftoken: <csfrtoken> \

can you please look into this ?

Screenshots/recordings

No response

Superset version

4.0.2

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

• I have searched Superset docs and Slack and didn't find a solution to my problem.
• I have searched the GitHub issue tracker and didn't find a similar bug report.
• I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

[dosubot]

Hey @jpchev! 👋 I'm here to help you out with your bug report!

I found some similar discussions and issues related to embedding dashboards and encountering errors:

1. Apache Superset Embedded Not Working - This discussion is unsolved and was last updated on October 4, 2024.
2. Embedding a dashboard using the Embedded SDK results in the chart POST request failing - This is another unsolved discussion, last updated on July 6, 2023.
3. Not able to embed superset in iframe - This discussion is also unsolved and was last updated on March 30, 2023.

Additionally, there was a closed issue that might be relevant:

• Embeded Dashboard superset api 500 error POST /api/v1/dashboard/{dashboard_id}/filter_state?tab_id={tab_id} - The suggested solution was to upgrade to the latest version of Superset (2.1.0-rc3) as it resolved the issue with the 500 error for the API call.

Regarding your specific issue with the 404 error when accessing datasets via API in embedded dashboards, it might be related to authentication or permissions. Ensure that the Guest Token used in the embedded scenario has the necessary permissions to access the dataset. The Superset UI might be using a session-based authentication, which could explain why it works there but not in the embedded iframe. You might need to verify the permissions associated with the Guest Token or check if there are any specific configurations required for cross filters in embedded dashboards, although I couldn't find specific documentation on that ^[1][2][3][4].

To continue talking to Dosu, mention @dosu.

[jpchev]

this seems indeed a problem with permissions, because the issue disappears after changing
GUEST_ROLE_NAME = 'Gamma'
to
GUEST_ROLE_NAME = 'Admin'
to the config.py file

but now I have a CSRF 400 issue.
Anyway, what are the missing permissions to make the role Gamma work, instead of switching to Admin?

[dosubot]

To resolve the issue with the 'Gamma' role not having sufficient permissions, you need to ensure that the role has the necessary permissions to access the datasets and perform the required actions. Here are some permissions that might be missing for the 'Gamma' role:

1. Dataset and Database Access:

   • Ensure that the 'Gamma' role has access to the specific datasets and databases needed for the dashboard. This might include permissions like can read on Dataset and can read on Database.

2. Cross-Filter and API Access:

   • If cross-filtering requires specific API access, ensure that the 'Gamma' role has the necessary permissions to access those endpoints.

3. Additional Permissions:

   • You might need to add permissions such as can explore on Superset or can explore_json on Superset if they are required for the cross-filter functionality.

4. Guest Token Permissions:

   • Verify that the guest token used in the embedded scenario has the necessary permissions associated with the 'Gamma' role.

To avoid the CSRF 400 issue, ensure that the CSRF token is correctly configured and included in your requests. You can also configure certain endpoints to be exempt from CSRF protection by adding them to the WTF_CSRF_EXEMPT_LIST in the configuration ^[1][2].

By adjusting these permissions, you should be able to use the 'Gamma' role effectively without switching to 'Admin'.

To continue talking to Dosu, mention @dosu.