GitHub user dosubot[bot] added a comment to the discussion: [5.0] Guest token RLS not working using embedded Superset SDK after 4.1.3->5.0.0 upgrade

Hi @alccta! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the 
superset team.

The root cause is that in Superset 5.0.0, guest token RLS rules are only 
applied if the `EMBEDDED_SUPERSET` feature flag is enabled—this is a change 
from 4.1.3, where RLS was always applied for guest tokens. In 5.0.0, this flag 
defaults to `False`, so unless you explicitly enable it in your config, RLS 
rules from guest tokens will be ignored and not appended to dataset queries, 
which matches exactly what you're seeing 
[(source)](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/connectors/sqla/models.py#L719-L755).

To restore RLS functionality for embedded dashboards with guest tokens, set the 
following in your `superset_config.py` (or `superset_config_docker.py` if using 
Docker):

```python
FEATURE_FLAGS = {
    "EMBEDDED_SUPERSET": True,
    "EMBEDDABLE_CHARTS": True,
}
ENABLE_GUEST_TOKEN = True
WTF_CSRF_ENABLED = False  # or exempt the guest_token endpoint from CSRF
```

Also, make sure your guest token includes the correct audience 
(`GUEST_TOKEN_JWT_AUDIENCE`), your embedding role has the right permissions 
(including `can_set_embedded`), and your frontend sends the correct 
`dashboardId` in all chart requests 
[(reference)](https://github.com/apache/superset/discussions/33886).

If you’re using Docker, config overrides must be in the right path and require 
a full container restart to take effect. If you still see all data after 
enabling the flag, double-check that your config is loaded and that your RLS 
rules reference valid columns and datasets 
[(reference)](https://github.com/apache/superset/issues/34203).

Let me know if you want a checklist for other common pitfalls or more details 
on RLS rule structure!


*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*


GitHub link: 
https://github.com/apache/superset/discussions/36494#discussioncomment-15222071
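A way to check the two conditions the comment above turns on (the `EMBEDDED_SUPERSET` gate and the token's audience) before debugging inside Superset. This is an added example, not Superset's own code and not from the discussion: it mints and verifies an HS256 guest token with the claim layout assumed for tokens from `/api/v1/security/guest_token/` (`user`, `resources`, `rls_rules`, `aud`, `exp`, `type`), and models the 5.0.0 behaviour described above where guest-token rules are dropped entirely when the flag is off. The secret, audience, dataset ids and RLS clauses are constructed values.

```python
"""Preflight for Superset 5.0 embedded guest-token RLS (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed config fragment mirroring what superset_config.py would set.
CONFIG = {
    "FEATURE_FLAGS": {"EMBEDDED_SUPERSET": True, "EMBEDDABLE_CHARTS": True},
    "ENABLE_GUEST_TOKEN": True,
    "GUEST_TOKEN_JWT_SECRET": "example-secret-do-not-use",  # constructed
    "GUEST_TOKEN_JWT_AUDIENCE": "superset-embedded",         # constructed
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_guest_token(secret: str, audience: str, rls_rules: list, exp_in: int = 300) -> str:
    """HS256 guest token using the claim layout assumed in the lead-in."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "user": {"username": "embedded-viewer"},
        "resources": [{"type": "dashboard", "id": "dashboard-uuid-placeholder"}],
        "rls_rules": rls_rules,  # [{"clause": "...", "dataset": <id, optional>}]
        "iat": now,
        "exp": now + exp_in,
        "aud": audience,
        "type": "guest",
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_guest_token(token: str, secret: str, audience: str, now: int = None) -> dict:
    """Check signature, alg, audience, type and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")  # GUEST_TOKEN_JWT_AUDIENCE must match
    if claims.get("type") != "guest":
        raise ValueError("not a guest token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def effective_rls_clauses(config: dict, claims: dict, dataset_id: int) -> list:
    """RLS clauses that would be appended for dataset_id under the 5.0 gating.

    With EMBEDDED_SUPERSET off, guest-token rules are ignored entirely, which is
    the 'all rows visible' symptom the discussion reports.
    """
    if not config.get("FEATURE_FLAGS", {}).get("EMBEDDED_SUPERSET", False):
        return []
    return [r["clause"] for r in claims.get("rls_rules", [])
            if r.get("dataset") in (None, dataset_id)]


def preflight(config: dict) -> list:
    """Findings for the config pitfalls named in the comment; empty list is good."""
    findings = []
    if not config.get("FEATURE_FLAGS", {}).get("EMBEDDED_SUPERSET"):
        findings.append("EMBEDDED_SUPERSET is off: guest-token RLS will not be applied")
    if not config.get("ENABLE_GUEST_TOKEN"):
        findings.append("ENABLE_GUEST_TOKEN is off: guest_token endpoint disabled")
    if not config.get("GUEST_TOKEN_JWT_AUDIENCE"):
        findings.append("GUEST_TOKEN_JWT_AUDIENCE unset: audience cannot be checked")
    return findings


if __name__ == "__main__":
    rules = [{"clause": "tenant_id = 42", "dataset": 7}, {"clause": "region = 'eu'"}]
    tok = mint_guest_token(CONFIG["GUEST_TOKEN_JWT_SECRET"], CONFIG["GUEST_TOKEN_JWT_AUDIENCE"], rules)
    claims = verify_guest_token(tok, CONFIG["GUEST_TOKEN_JWT_SECRET"], CONFIG["GUEST_TOKEN_JWT_AUDIENCE"])
    print("preflight:", preflight(CONFIG) or "ok")
    print("clauses for dataset 7:", effective_rls_clauses(CONFIG, claims, 7))
```

The script is stdlib only; HS256 is assumed as the signing algorithm. Running `preflight` against a config with the flag left at its 5.0.0 default reproduces the first finding, and `effective_rls_clauses` returns an empty list for that config even when the token carries rules, which is the observed symptom.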
