korbit-ai[bot] commented on code in PR #31844:
URL: https://github.com/apache/superset/pull/31844#discussion_r1915591042


##########
superset/config.py:
##########
@@ -689,6 +689,10 @@ class D3TimeFormat(TypedDict, total=False):
 # This is merely a default
 EXTRA_SEQUENTIAL_COLOR_SCHEMES: list[dict[str, Any]] = []
 
+# The username to execute asynchronous tasks as (cache warmup, alerts & 
reports,
+# thumbnails) if `ExecutorType.FIXED_USER` is chosen as the executor
+ASYNC_TASK_FIXED_USER: str | None = "admin"
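Review bot: the new default `"admin"` makes the fixed executor account a privileged one out of the box, and the comment above it does not say what happens when the value is `None` or names a user that does not exist; consider shipping the setting unset and documenting that `ExecutorType.FIXED_USER` then requires explicit configuration, e.g. `ASYNC_TASK_FIXED_USER: str | None = None`.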

Review Comment:
   ### Insecure default admin user for async tasks <sub>![category Functionality](https://img.shields.io/badge/Functionality-0284c7)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   Default admin user is hardcoded for asynchronous tasks execution without proper security consideration.
   
   ###### Why this matters
   Using a hardcoded admin user for asynchronous tasks can lead to security vulnerabilities and lack of audit trails as all tasks would be executed with admin privileges by default.
   
   ###### Suggested change ∙ *Feature Preview*
   Change default to None to force explicit configuration:
   ```python
   ASYNC_TASK_FIXED_USER: str | None = None
   ```
   
   
   </details>
   
   ###### Chat with Korbit by mentioning @korbit-ai, and give a 👍 or 👎 to help Korbit improve your reviews.
   
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

