aminghadersohi opened a new pull request, #36173: URL: https://github.com/apache/superset/pull/36173
### SUMMARY Add database schema and UI for MCP (Model Context Protocol) service API key authentication. This PR adds the database layer (models and migration) plus a basic UI for users to manage their API keys. Authentication logic will be implemented separately in the superset-shell fork. **Database Changes:** - Add `ApiKey` model in `superset/models/mcp.py` - Add migration `2025-11-18_12-00_e8f4a3b2c1d0_add_mcp_api_keys.py` - Create `ab_api_key` table with proper indexes and foreign keys - Support for key expiration, revocation, and usage tracking - Workspace-scoped keys for multi-tenant isolation **Frontend Changes:** - Add API Keys section to User Info page at `/profile` - Add `ApiKeyList` component to display and manage API keys - Add `ApiKeyCreateModal` for creating new API keys - API keys shown only once at creation for security **The ab_api_key table stores:** - bcrypt hash (never plaintext) - Workspace scoping for multi-tenancy - Expiration and revocation support - Usage tracking with last_used_on timestamp - User ownership for RBAC ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF The UI adds a new collapsible "API Keys" section to the User Info page where users can: - View all their API keys with status (Active/Revoked/Expired) - Create new API keys with a name and optional workspace - Revoke existing API keys - See key prefix for identification (full key shown only once at creation) ### TESTING INSTRUCTIONS **Database Migration:** 1. Run `superset db upgrade` to apply the migration 2. Verify `ab_api_key` table exists with all columns and indexes 3. Run `superset db downgrade` to test rollback 4. Run `superset db upgrade` again **UI Testing:** 1. Log in to Superset 2. Navigate to Settings > User Info (or `/profile`) 3. Expand the "API Keys" section 4. Click "Create API Key" 5. Enter a name (e.g., "Test Key") and optional workspace 6. Submit and verify the full API key is shown once 7. Verify the key appears in the list with "Active" status 8. Click "Revoke" on a key and verify it shows "Revoked" status 9. Verify all table columns display correctly (Name, Key Prefix, Workspace, Created, Last Used, Status) **Backend Testing:** The API endpoints (`/api/v1/me/api_keys/`) will be implemented in a separate PR in the manager repository. This PR only adds the database models and basic UI. ### ADDITIONAL INFORMATION - [x] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [x] Migration is atomic, supports rollback & is backwards-compatible - [x] Confirm DB migration upgrade and downgrade tested - [x] Runtime estimates: Migration is instant (creates empty table with indexes) - [x] Changes UI - [x] Introduces new feature or API (database model only, API endpoints in separate PR) **Related:** - Part of MCP service API key authentication feature - Works with preset-io/superset-shell#3252 for authentication logic - API endpoints will be added in separate manager PR -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
