NemesisMate commented on issue #25890:
URL: https://github.com/apache/superset/issues/25890#issuecomment-3206154005

   I've invested quite some time in trying to make the JWT work on 5.0.0 (and 
the latest 4.X.X before it). The `Public` role has no permissions at all and it 
wouldn't make sense for it to be of any effect since my users don't have the 
role assigned.
   
   Instead, I'm assigning the roles in Keycloak and logging against it, 
forwarding the JWT Token on the API calls with no session cookie. The two 
issues I found were:
   1. The security manager tries to load the user by id, which in Keycloak is a 
UUID and differs from the one from Superset (int).
   2. Once the point above was fixed, it was always returning empty result 
responses for all API requests.
   
   Mixing solutions from multiple sources and defining the following security 
manager fixed both:
   
   ```python
   from superset.security import SupersetSecurityManager
   from flask import Flask
   from flask_login import login_user
   from flask_jwt_extended import JWTManager
   
   class CustomSecurityManager(SupersetSecurityManager):
       def load_user_jwt(self, _jwt_header, jwt_data):
           # Keycloak's "sub" is a UUID, so look the user up by username instead
           identity = jwt_data.get("preferred_username")
           if not identity:
               return None
           return self.find_user(username=identity)
   
       def create_jwt_manager(self, app: Flask) -> JWTManager:
           def _load_user_jwt(_jwt_header, jwt_data):
               user = self.load_user_jwt(_jwt_header, jwt_data)
               if user is None:
                   # no matching Superset user: skip login_user, which fails on None
                   return None
               login_user(user)  # sets g.user to jwt provided user
               return user
           jwt_manager = JWTManager()
           jwt_manager.init_app(app)
           # register the wrapper as the callback that resolves the user from the JWT
           jwt_manager.user_lookup_loader(_load_user_jwt)
           return jwt_manager
   ```


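The two lookups discussed in the comment above, as an added example that is not part of the original comment or of Superset's code. It models the id-based lookup as an integer primary-key lookup (an assumption taken from the comment's description) and uses a hypothetical `User` class with constructed users and constructed token claims.

```python
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:  # hypothetical stand-in for the Superset user model
    id: int
    username: str
    is_active: bool = True


# Constructed local user table, keyed by the integer primary key.
USERS = {1: User(1, "admin"), 2: User(2, "alice"), 3: User(3, "bob", is_active=False)}

# Constructed Keycloak-style claims; signature verification is assumed to have
# happened already, before any user lookup runs.
CLAIMS = {"sub": str(uuid.UUID(int=0x1234)), "preferred_username": "alice"}


def lookup_by_sub(claims: dict) -> Optional[User]:
    """Model of the id-based lookup: treat `sub` as a local integer id."""
    try:
        # `sub` and local ids are different namespaces: a UUID fails to parse,
        # and a numeric `sub` would resolve to an unrelated local account.
        return USERS.get(int(claims["sub"]))
    except (KeyError, ValueError):
        return None


def lookup_by_username(claims: dict) -> Optional[User]:
    """Map `preferred_username` to a local user, as the comment's manager does."""
    name = claims.get("preferred_username")
    if not isinstance(name, str) or not name:
        return None  # claim missing or malformed
    user = next((u for u in USERS.values() if u.username == name), None)
    # Reject unknown and deactivated accounts instead of passing them on.
    return user if user is not None and user.is_active else None


if __name__ == "__main__":
    print("by sub:     ", lookup_by_sub(CLAIMS))
    print("by username:", lookup_by_username(CLAIMS))
```
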