korbit-ai[bot] commented on code in PR #31844: URL: https://github.com/apache/superset/pull/31844#discussion_r1915591042
########## superset/config.py: ########## @@ -689,6 +689,10 @@ class D3TimeFormat(TypedDict, total=False): # This is merely a default EXTRA_SEQUENTIAL_COLOR_SCHEMES: list[dict[str, Any]] = [] +# The username to execute asynchronous tasks as (cache warmup, alerts & reports, +# thumbnails) if `ExecutorType.FIXED_USER` is chosen as the executor +ASYNC_TASK_FIXED_USER: str | None = "admin"

Review Comment:

### Insecure default admin user for async tasks

<details>
<summary>Tell me more</summary>

###### What is the issue?
Default admin user is hardcoded for asynchronous task execution without proper security consideration.

###### Why this matters
Using a hardcoded admin user for asynchronous tasks can lead to security vulnerabilities and lack of audit trails, as all tasks would be executed with admin privileges by default.

###### Suggested change ∙ *Feature Preview*
Change default to None to force explicit configuration:

```python
ASYNC_TASK_FIXED_USER: str | None = None
```

</details>

###### Chat with Korbit by mentioning @korbit-ai, and give a 👍 or 👎 to help Korbit improve your reviews.
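Review bot: the `"admin"` default on the new `ASYNC_TASK_FIXED_USER` setting means a deployment that selects `ExecutorType.FIXED_USER` without editing this value runs every cache warmup, alert/report and thumbnail job as whichever account is named `admin`, so a defect in any of those tasks inherits that account's full permission set and the audit log attributes all of them to one identity. Default to `None`, as the comment above also suggests, and have the fixed-user executor fail when it is selected with the value unset or naming a user that does not exist, rather than silently falling back to another account; the two comment lines above the setting should state that failure behaviour and that the configured user is expected to be a dedicated, least-privilege account rather than an administrator.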
