GitHub user dosubot[bot] added a comment to the discussion: AUTH_REMOTE_USER is not working after upgrade Apache superset 6.0.0rc4/3
Yes, there are a few changes in Superset v6 (and Flask App Builder v5) that could affect your custom AUTH_REMOTE_USER implementation:

- Your custom security manager must inherit from SupersetSecurityManager, not Flask AppBuilder's SecurityManager. This is now enforced at startup: if your class doesn't subclass SupersetSecurityManager, Superset will raise an exception and refuse to start. Double-check your inheritance chain to avoid silent failures or denied access on admin views. [See details](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/initialization/__init__.py#L238-L670) and [migration notes](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/UPDATING.md#L20-L739).
- Middleware order is critical. If you use a proxy header (like HTTP_X_PROXY_REMOTE_USER), you must add a middleware to copy it to REMOTE_USER and register it in ADDITIONAL_MIDDLEWARE. This is still required in v6, and the middleware stack is applied in order. [See docs](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/configuration/networking-settings.mdx#L133-L141).
- If you deploy under a subpath (using SUPERSET_APP_ROOT), bugs in URL prefixing or middleware order can break authentication flows. AppRootMiddleware must run before ProxyFix for correct SCRIPT_NAME/path handling. [See discussion](https://github.com/apache/superset/issues/35027).
- User objects returned by your custom login logic must have all required attributes (like active and is_authenticated) and eager-loaded roles. Missing these can cause silent access denial. [See example](https://github.com/apache/superset/issues/35939).

If your implementation fails after upgrade, check inheritance, middleware, user attributes, and run superset init to sync roles. No direct breaking changes to AUTH_REMOTE_USER were documented, but these indirect changes can impact custom setups.
GitHub link: https://github.com/apache/superset/discussions/36446#discussioncomment-15186723
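As an added illustration of the second bullet (this is example code, not from the discussion above or from the Superset project): a WSGI middleware that copies the proxy-supplied HTTP_X_PROXY_REMOTE_USER header into REMOTE_USER, which is what AUTH_REMOTE_USER reads, and is registered in ADDITIONAL_MIDDLEWARE. The trusted-proxy address (TRUSTED_PROXY_IPS) and the header-only-from-the-proxy check are assumptions added here so that a client that reaches the app directly cannot assert its own identity.

```python
# Added example: WSGI middleware for AUTH_REMOTE_USER behind a reverse proxy.
# Assumption: the proxy's address is known and the identity header is only
# honoured when the request actually arrived from that proxy.
from typing import Callable, Dict, Iterable, Optional

TRUSTED_PROXY_IPS = {"10.0.0.5"}  # constructed value; use your proxy's address
PROXY_HEADER = "HTTP_X_PROXY_REMOTE_USER"  # WSGI key for X-Proxy-Remote-User


class RemoteUserMiddleware:
    """Set environ['REMOTE_USER'] from the proxy header, or leave it unset."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        # Always strip the header so nothing downstream can read a spoofed copy.
        header_user = environ.pop(PROXY_HEADER, None)
        if header_user and environ.get("REMOTE_ADDR") in TRUSTED_PROXY_IPS:
            environ["REMOTE_USER"] = header_user.strip()
        return self.app(environ, start_response)


# In superset_config.py this list is applied by Superset, in order.
ADDITIONAL_MIDDLEWARE = [RemoteUserMiddleware]


def resolve_remote_user(environ: dict) -> Dict[str, Optional[str]]:
    """Run one request through the middleware; report what the inner app sees."""
    seen: Dict[str, Optional[str]] = {}

    def inner_app(env, start_response):
        seen["user"] = env.get("REMOTE_USER")
        seen["header"] = env.get(PROXY_HEADER)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    wrapped = RemoteUserMiddleware(inner_app)
    list(wrapped(dict(environ), lambda status, headers: None))
    return seen
```

If a ProxyFix layer rewrites REMOTE_ADDR before this middleware runs, the check sees the forwarded client address instead of the proxy's, so verify the order in your deployment.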
