akerkau opened a new issue, #36186:
URL: https://github.com/apache/superset/issues/36186

   ### Bug description
   
   ### Issue
   
   Using the Devtools in the browser, we're seeing regular requests to 
`/superset/log?explode=events` that are 302 redirected to 
`/login/?next=http://superset.application.example.org/superset/log/?explode=events`.
 This is an issue because we restrict access to the `/login` path, thus 
resulting in 403 errors. Other than that, the dashboards seem to work correctly.
   
   ### Expected behavior
   
   Requests to `/superset/log?explode=events` are directly processed with a 200 
OK.
   
   ### Details
   
   We have integrated Superset dashboards with our application using the 
Embedded SDK. Superset is provided on a subdomain (say 
"superset.application.example.org" to our application domain 
"application.example.org").
   
   The corresponding settings for Embedding, CSP, etc. were set (see 
`superset_config.py` below). In the version we use, there should be no issues 
with an empty `WTF_CSRF_EXEMPT_LIST` as in [issue 
30717](https://github.com/apache/superset/issues/30717). Checking the request 
headers, `X-CSRFToken` is set on other requests and missing on 
`/superset/log`... which to my understanding is the correct behavior.
   
   I tried to get extensive logging using the environment variable 
`FLASK_DEBUG: True`, but there are no issues reported (except for the notorious 
[Class 'werkzeug.local.LocalProxy' is not 
mapped](https://github.com/apache/superset/issues/26020)). In addition, I tried 
to set the correct `WTF_CSRF_EXEMPT_LIST` explicitly without effect.
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   5.0.0
   
   ### Python version
   
   3.10
   
   ### Node version
   
   Not applicable
   
   ### Browser
   
   Firefox
   
   ### Additional context
   
   We're running Superset 5.0.0 in Kubernetes (with a custom Docker image: 
official image plus `psycopg2`). Superset was installed via Helm Chart 0.15.0.
   
   I want to avoid spamming with the complete `values.yaml`, thus only the 
`superset_config.py` and environment variables in the following.
   
   ### /app/pythonpath/superset_config.py
   
   ```
   import os
   from flask_caching.backends.rediscache import RedisCache

   def env(key, default=None):
       return os.getenv(key, default)

   # Redis Base URL
   REDIS_BASE_URL = f"{env('REDIS_PROTO')}://{env('REDIS_HOST')}:{env('REDIS_PORT')}"

   # Redis URL Params
   REDIS_URL_PARAMS = ""

   # Build Redis URLs
   CACHE_REDIS_URL = f"{REDIS_BASE_URL}/{env('REDIS_DB', 1)}{REDIS_URL_PARAMS}"
   CELERY_REDIS_URL = f"{REDIS_BASE_URL}/{env('REDIS_CELERY_DB', 0)}{REDIS_URL_PARAMS}"

   MAPBOX_API_KEY = env('MAPBOX_API_KEY', '')
   CACHE_CONFIG = {
         'CACHE_TYPE': 'RedisCache',
         'CACHE_DEFAULT_TIMEOUT': 300,
         'CACHE_KEY_PREFIX': 'superset_',
         'CACHE_REDIS_URL': CACHE_REDIS_URL,
   }
   DATA_CACHE_CONFIG = CACHE_CONFIG

   SQLALCHEMY_DATABASE_URI = f"postgresql+psycopg2://{env('DB_USER')}:{env('DB_PASS')}@{env('DB_HOST')}:{env('DB_PORT')}/{env('DB_NAME')}"
   SQLALCHEMY_TRACK_MODIFICATIONS = True

   class CeleryConfig:
     imports = ("superset.sql_lab", )
     broker_url = CELERY_REDIS_URL
     result_backend = CELERY_REDIS_URL

   CELERY_CONFIG = CeleryConfig
   RESULTS_BACKEND = RedisCache(
         host=env('REDIS_HOST'),
         port=env('REDIS_PORT'),
         key_prefix='superset_results',
   )

   # Overrides
   GUEST_ROLE_NAME = "Embedded"  # Custom role
   GUEST_TOKEN_JWT_SECRET = env('GUEST_TOKEN_JWT_SECRET')
   GUEST_TOKEN_JWT_EXP_SECONDS = 300  # 5 minutes
   TALISMAN_CONFIG = {
       "content_security_policy": {
           "frame-ancestors": ["'self'", "https://application.example.org/"],
           "base-uri": ["'self'"],
           "default-src": ["'self'"],
           "img-src": ["'self'", "blob:", "data:"],
           "worker-src": ["'self'", "blob:"],
           "connect-src": ["'self'"],
           "object-src": "'none'",
           "style-src": ["'self'", "'unsafe-inline'"],
           "script-src": ["'self'", "'strict-dynamic'"],
       },
       "content_security_policy_nonce_in": ["script-src"],
       "force_https": False,
       "session_cookie_secure": False,
   }
   TALISMAN_DEV_CONFIG = TALISMAN_CONFIG
   FEATURE_FLAGS = {
       "EMBEDDED_SUPERSET": True,
       "EXTRA_CATEGORICAL_COLOR_SCHEMES": True
   }
   LANGUAGES = {
       "en": {"flag": "us", "name": "English"},
       "de": {"flag": "de", "name": "German"}
   }
   # Replaces the Redis-backed CACHE_CONFIG defined above
   CACHE_CONFIG = {
       "CACHE_TYPE": "SimpleCache",  # Local in-memory cache
       "CACHE_DEFAULT_TIMEOUT": 86400  # 1 day in seconds
   }
   DATA_CACHE_CONFIG = CACHE_CONFIG

   # Do not use async queries (requiring Redis)
   CELERY_CONFIG = None
   RESULTS_BACKEND = None

   EXTRA_CATEGORICAL_COLOR_SCHEMES = [
       [… omitted …]
   ]
   ```
   
   ### Environment variables
   
   These are the additional environment variables with most values redacted.
   
   ```
     DB_HOST: <external Postgres>
     DB_NAME: superset_integ
     DB_PASS: <…>
     DB_PORT: 5432
     DB_USER: superset_integ
     GUEST_TOKEN_JWT_SECRET: <custom secure secret>
     REDIS_HOST: dummy
     SUPERSET_ADMIN_EMAIL: <…>
     SUPERSET_ADMIN_FIRSTNAME: <…>
     SUPERSET_ADMIN_LASTNAME: <…>
     SUPERSET_ADMIN_PASS: <…>
     SUPERSET_ADMIN_USER: <…>
     SUPERSET_PORT=8088
     SUPERSET_SECRET_KEY: <custom secure key>
   ```
   
   ### Checklist
   
   - [x] I have searched Superset docs and Slack and didn't find a solution to 
my problem.
   - [x] I have searched the GitHub issue tracker and didn't find a similar bug 
report.
   - [x] I have checked Superset's logs for errors and if I found a relevant 
Python stacktrace, I included it here as text in the "additional context" 
section.
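Added example, not from the issue above or from Superset's own code: an operator troubleshooting login redirects on embedded requests will want to rule out an invalid or expired guest token first. The block mints a Superset-style HS256 guest token with the 300-second lifetime from the reporter's `GUEST_TOKEN_JWT_EXP_SECONDS` and checks it the way the server side would (signature, `type`, `exp`); the claim layout and the placeholder secret are assumptions, not values from the page.

```python
# Added example (not part of the issue or Superset's code base): mint and verify
# a Superset-style guest token by hand so the token an embedding backend issues
# can be checked before blaming the proxy. The claim layout below is assumed to
# follow what Superset's security manager issues; the secret is a placeholder.
import base64
import hashlib
import hmac
import json

SECRET = "replace-with-GUEST_TOKEN_JWT_SECRET"   # placeholder, not a real secret
EXP_SECONDS = 300                                 # GUEST_TOKEN_JWT_EXP_SECONDS from the issue


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_guest_token(dashboard_id: str, username: str, now: int, secret: str = SECRET) -> str:
    """Build the HS256 JWT an embedding backend would hand to the Embedded SDK."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "user": {"username": username, "first_name": "Guest", "last_name": "User"},
        "resources": [{"type": "dashboard", "id": dashboard_id}],  # constructed sample
        "rls_rules": [],
        "iat": now,
        "exp": now + EXP_SECONDS,
        "type": "guest",
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def check_guest_token(token: str, now: int, secret: str = SECRET) -> str:
    """Return 'ok' or the first reason a verifier would reject the token."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return "bad signature"          # secrets differ between app backend and Superset
    claims = json.loads(_b64url_decode(p))
    if claims.get("type") != "guest":
        return "not a guest token"
    if now >= claims.get("exp", 0):
        return "expired"                # a 300 s token must be refreshed for long sessions
    return "ok"
```

Run `check_guest_token` against the token captured from the iframe's `X-GuestToken` header with the real secret to see which of the four outcomes applies.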


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.