GitHub user dosubot[bot] added a comment to the discussion: [5.0] Guest token RLS not working using embedded Superset SDK after 4.1.3->5.0.0 upgrade
Here are the most common reasons guest token RLS rules aren’t applied in Superset 5.0.0, even with the right config:

1. **GLOBAL_ASYNC_QUERIES is enabled:** There’s a known issue where enabling this flag causes RLS filtering with guest tokens to fail or be ignored in embedded dashboards. Try disabling it and restarting Superset—this has resolved similar problems for others ([source](https://github.com/apache/superset/issues/31492)).

2. **Config file not loaded (especially in Docker):** If you’re running Superset in Docker, make sure your config is in `./docker/pythonpath_dev/superset_config_docker.py` on the host, not `/app/superset/config.py` inside the container. After editing, fully restart the containers (`docker compose down -v && docker compose up`). You can confirm the flag is active by checking `window.featureFlags` in the browser console ([source](https://github.com/apache/superset/issues/33702)).

3. **RLS rule structure:** For dataset-specific RLS, each rule should use the key `dataset` (integer dataset ID), not `datasource`. Omitting `dataset` makes the rule global. Using `datasource` causes Superset to apply the rule to all datasets, which can break filtering if columns don’t exist everywhere ([source](https://github.com/apache/superset/issues/34203#issuecomment-3083509840)).

4. **Guest role permissions:** The embedding role (e.g., Gamma or custom guest role) must have permissions like `can_set_embedded` on Dashboard, `can_read`, `can_list`, `can_show`, `can_get`, `can_external_metadata` on Dashboard, Chart, Dataset, Database, and `can_access` on Superset ([source](https://github.com/apache/superset/issues/36186)).

5. **Session state:** If the embedding browser is logged in as an admin or a user with more rights than the guest role, Superset may use that session instead of the guest token, causing RLS to be ignored. Try in a private/incognito window or a browser with no active Superset session ([source](https://github.com/apache/superset/issues/23056)).

6. **Token claims:** The guest token must include `user`, `resources`, `rls_rules`, `type: guest`, `iat`, `exp`, and `aud` matching `GUEST_TOKEN_JWT_AUDIENCE`, and be signed with the correct secret and algorithm ([source](https://github.com/apache/superset/issues/36377)).

If you’ve checked all of the above and RLS still isn’t applied, try with a minimal dashboard and a simple RLS clause to rule out dataset-specific issues. If you’re willing, share a sample guest token payload and your config file (with secrets redacted) and I can help spot subtle issues.

Let me know if you’re using Docker, if GLOBAL_ASYNC_QUERIES is enabled, and if you see any errors in the logs or browser console.
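As an added example that is not part of the comment above or of Superset’s own code, the following Python script builds a guest token with exactly the claims listed in item 6, signs it as an HS256 JWT using only the standard library, verifies the signature in constant time, and lints the payload for the pitfalls from items 3 and 6 (missing claims, wrong `type`, `aud` not matching the configured audience, `exp` not after `iat`, and `rls_rules` entries that use `datasource` instead of an integer `dataset` id). The secret, audience, dashboard UUID and dataset id are constructed placeholders; in a real deployment the secret and audience come from the `GUEST_TOKEN_JWT_SECRET` and `GUEST_TOKEN_JWT_AUDIENCE` settings named in the comment, and the signing here is a minimal re-implementation for illustration rather than a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values; real deployments read the secret and audience
# from superset_config.py (GUEST_TOKEN_JWT_SECRET / GUEST_TOKEN_JWT_AUDIENCE).
SAMPLE_SECRET = "constructed-demo-secret-do-not-reuse"
SAMPLE_AUDIENCE = "https://superset.example.invalid"
SAMPLE_DASHBOARD_UUID = "00000000-0000-4000-8000-000000000000"  # placeholder

# Claims item 6 of the comment says a guest token must carry.
REQUIRED_CLAIMS = ("user", "resources", "rls_rules", "type", "iat", "exp", "aud")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_guest_payload(dashboard_uuid: str, dataset_id: int, clause: str,
                       audience: str = SAMPLE_AUDIENCE,
                       now: Optional[int] = None, ttl: int = 300) -> dict:
    """Well-formed guest token payload: dataset-scoped RLS rule via the `dataset` key."""
    now = int(time.time()) if now is None else now
    return {
        "user": {"username": "guest-user", "first_name": "Guest", "last_name": "User"},
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],
        "rls_rules": [{"dataset": dataset_id, "clause": clause}],
        "type": "guest",
        "iat": now,
        "exp": now + ttl,
        "aud": audience,
    }


def sign_hs256(payload: dict, secret: str) -> str:
    """Produce a compact HS256 JWT (header.payload.signature) for the payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> dict:
    """Reject any alg other than HS256, check the MAC in constant time, return the payload."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not three dot-separated segments")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch (wrong secret or algorithm?)")
    return json.loads(_b64url_decode(payload_b64))


def lint_guest_payload(payload: dict, audience: str, now: Optional[int] = None) -> list:
    """Return findings that would stop RLS from applying; an empty list means the payload is clean."""
    now = int(time.time()) if now is None else now
    findings = []
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing claim {claim!r}")
    if payload.get("type") != "guest":
        findings.append("type must be 'guest'")
    if payload.get("aud") != audience:
        findings.append("aud does not match GUEST_TOKEN_JWT_AUDIENCE")
    iat, exp = payload.get("iat"), payload.get("exp")
    if isinstance(iat, int) and isinstance(exp, int):
        if exp <= iat:
            findings.append("exp is not after iat")
        elif exp <= now:
            findings.append("token already expired")
    for i, rule in enumerate(payload.get("rls_rules") or []):
        if "clause" not in rule:
            findings.append(f"rls_rules[{i}] has no clause")
        if "datasource" in rule:  # item 3: wrong key, rule silently applied to every dataset
            findings.append(f"rls_rules[{i}] uses 'datasource'; use the integer 'dataset' id")
        elif "dataset" not in rule:
            findings.append(f"warning: rls_rules[{i}] has no 'dataset' key, so it applies globally")
        elif not isinstance(rule["dataset"], int):
            findings.append(f"rls_rules[{i}] dataset must be an integer id")
    return findings


if __name__ == "__main__":
    good = make_guest_payload(SAMPLE_DASHBOARD_UUID, dataset_id=7, clause="tenant_id = 42")
    token = sign_hs256(good, SAMPLE_SECRET)
    print("findings (good):", lint_guest_payload(verify_hs256(token, SAMPLE_SECRET), SAMPLE_AUDIENCE))
    bad = dict(good, rls_rules=[{"datasource": 7, "clause": "tenant_id = 42"}], aud="other")
    print("findings (bad):", lint_guest_payload(bad, SAMPLE_AUDIENCE))
```

Running the linter on a decoded token before handing it to the embedded SDK turns the silent failure modes from the comment (a rule that quietly becomes global, an audience mismatch that makes Superset ignore the token) into explicit findings; the `alg` check in `verify_hs256` also refuses tokens whose header names any algorithm other than the one configured.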
GitHub link: https://github.com/apache/superset/discussions/36494#discussioncomment-15222256
