dosubot[bot] commented on issue #36097: URL: https://github.com/apache/superset/issues/36097#issuecomment-3525813874
Hi @s-manzhak! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

1. Yes, a `CustomSecurityManager` is supported for embedded dashboards as long as it extends `SupersetSecurityManager` and follows the expected contract for guest token creation and user/session handling. The backend must generate guest tokens with the correct claims (`user`, `resources`, `rls_rules`, etc.) and ensure the user context is compatible with Superset's expectations for embedded mode. Any deviation can break frontend initialization, especially with custom RLS rules. See the implementation details for guest token handling and RLS in the security manager for reference [(source)](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L241-L2816).

2. The embedded frontend does not require special initialization for custom security managers. It expects a valid guest token and user roles to initialize the Redux store and render the dashboard. If the backend response is malformed or missing expected user/session info (for example, due to misconfigured custom security logic), the Redux store context may not be set up correctly, leading to React error #185 [(source)](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/embedded/index.tsx#L31-L263).

3. The recommended way to inject dynamic RLS rules for guest tokens is to override `create_guest_access_token` in your custom security manager, ensuring the `rls` argument is a list of RLS rule dicts that match the expected format. The claims must be included in the token as `rls_rules`, and the frontend will consume them as part of the embedded dashboard context [(source)](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L241-L2816).

The repeated backend warning `Failed to add user to db session: Class 'werkzeug.local.LocalProxy' is not mapped` suggests a misconfiguration in how user/session objects are handled—possibly returning a Flask `LocalProxy` instead of a real user object in some code paths. This can break the backend-to-frontend context propagation and result in missing Redux context, causing React error #185. Review your custom security manager to ensure it always returns a proper user object (not a proxy) and that all claims in the guest token are present and correctly formatted. If you fix the backend user/session handling and ensure the guest token and claims are correct, the embedded dashboard should initialize properly, even with dynamic RLS rules.
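
A shape check that could run inside a `create_guest_access_token` override before the claims are signed, as an added example (not code from Superset or from the comment above). The rule keys `clause`/`dataset`, the resource keys `type`/`id`, and every function, class and sample name are assumptions; the exact-type test is there because an object that forwards `__class__` passes `isinstance()`.

```python
REQUIRED_CLAIMS = ("user", "resources", "rls_rules")
RLS_KEYS = {"clause", "dataset"}  # assumed rule keys, not stated in the comment

def is_plain(value, kind):
    # Exact type match: a proxy that forwards __class__ passes isinstance().
    return type(value) is kind

def guest_claim_errors(claims):
    """Return a list of shape problems; an empty list means none were found."""
    if not is_plain(claims, dict):
        return ["claims must be a plain dict"]
    errors = [f"missing claim: {k}" for k in REQUIRED_CLAIMS if k not in claims]
    if errors:
        return errors
    if not is_plain(claims["user"], dict):
        errors.append(f"user is {type(claims['user']).__name__}, expected dict")
    resources = claims["resources"]
    if not is_plain(resources, list):
        errors.append("resources must be a list")
    else:
        for i, res in enumerate(resources):
            if not is_plain(res, dict) or not {"type", "id"} <= res.keys():
                errors.append(f"resources[{i}] needs 'type' and 'id'")
    rules = claims["rls_rules"]
    if not is_plain(rules, list):
        errors.append("rls_rules must be a list (use [] for no rules)")
        return errors
    for i, rule in enumerate(rules):
        if not is_plain(rule, dict):
            errors.append(f"rls_rules[{i}] must be a dict")
            continue
        clause = rule.get("clause")
        if not is_plain(clause, str) or not clause.strip():
            errors.append(f"rls_rules[{i}].clause must be a non-empty string")
        extra = sorted(rule.keys() - RLS_KEYS)
        if extra:
            errors.append(f"rls_rules[{i}] has unexpected keys {extra}")
    return errors

class ProxyLike:  # constructed stand-in for an object that forwards __class__
    @property
    def __class__(self):
        return dict

SAMPLE_CLAIMS = {  # constructed sample; the id and clause are placeholders
    "user": {"username": "embedded-viewer"},
    "resources": [{"type": "dashboard", "id": "example-dashboard-uuid"}],
    "rls_rules": [{"clause": "tenant_id = 42", "dataset": 7}],
}
```

Calling `guest_claim_errors` on the assembled claims and refusing to sign when the list is non-empty surfaces a malformed token on the backend instead of as a frontend initialization failure.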
