dosubot[bot] commented on issue #37927: URL: https://github.com/apache/superset/issues/37927#issuecomment-3890154285
<!-- Answer --> SIP-201 proposes a major overhaul of password and credential management in Superset for `AUTH_TYPE=AUTH_DB`, addressing long-standing security and usability gaps. The plan is organized into four pillars: secure authenticated password change (requiring current password, enforcing password policies, session invalidation, audit logging), self-service email-based password reset, admin-initiated password/email reset via UI and CLI, and security hardening (rate limiting, account lockout, audit logs, session management). Currently, Superset does not implement these features. The codebase still relies on Flask-AppBuilder’s built-in authentication and CLI commands, with no Superset-managed password reset tokens, audit logging tables, rate limiting, or session invalidation as described in SIP-201. There are no new REST API endpoints, CLI commands, or configuration flags for password policies or reset flows present in the main codebase. Recent PRs and discussions (e.g., [#37700](https://github.com/apache/superset/issues/37700), [#36223](https://github.com/apache/superset/issues/36223), [#36764](https://github.com/apache/superset/pull/36764)) show ongoing community interest and partial UI proposals, but the comprehensive solution remains unimplemented [source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L140-L2816). All new features in SIP-201 are designed to be opt-in via config flags, backward compatible, and scoped only to database-authenticated deployments. The proposal avoids modifying upstream FAB tables, instead introducing new Superset-managed tables for reset tokens, audit logs, and lockout tracking. For now, password management in Superset remains limited to the legacy flows, and the SIP-201 improvements are not yet available in the mainline code. If you need to track progress or contribute, keep an eye on the referenced issues and PRs. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/036d38b8-9ce4-4372-b126-306aa41de539?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/036d38b8-9ce4-4372-b126-306aa41de539?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/036d38b8-9ce4-4372-b126-306aa41de539?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/036d38b8-9ce4-4372-b126-306aa41de539?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/036d38b8-9ce4-4372-b126-306aa41de539?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/036d38b8-9ce4-4372-b126-306aa41de539?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/036d38b8-9ce4-4372-b126-306aa41de539?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=SIP-201%20proposes%20a%20major%20overhaul%20of%20password%20and%20credential%20management%20in%20Superset%20for%20%60AUTH_TYPE%3DAUTH_DB%60%2C%20addressing%20long-standing%20security%20and%20usability%20gaps.%20The%20plan%20is%20organized%20into%20four%20pillars%3A%20secure%20authenticated%20password%20change%20%28requiring%20current%20password%2C%20enforcing%20password%20policies%2C%20session%20invalidation%2C%20audit%20logging%29%2C%20self-service%20email-based%20password%20reset%2C%20admin-initiated%20password/email%20reset%20via%20UI%20and%20CLI%2C%20and%20security%20hardening%20%28rate%20limiting%2C%20account%20lockout%2C%20audit%20logs%2C%20session%20management%29.%0A%0ACurrently%2C%20Superset%20does%20not%20implement%20these%20features.%20Th e%20codebase%20still%20relies%20on%20Flask-AppBuilder%E2%80%99s%20built-in%20authentication%20and%20CLI%20commands%2C%20with%20no%20Superset-managed%20password%20reset%20tokens%2C%20audit%20logging%20tables%2C%20rate%20limiting%2C%20or%20session%20invalidation%20as%20described%20in%20SIP-201.%20There%20are%20no%20new%20REST%20API%20endpoints%2C%20CLI%20commands%2C%20or%20configuration%20flags%20for%20password%20policies%20or%20reset%20flows%20present%20in%20the%20main%20codebase.%20Recent%20PRs%20and%20discussions%20%28e.g.%2C%20%5B%2337700%5D%28https%3A//github.com/apache/superset/issues/37700%29%2C%20%5B%2336223%5D%28https%3A//github.com/apache/superset/issues/36223%29%2C%20%5B%2336764%5D%28https%3A//github.com/apache/superset/pull/36764%29%29%20show%20ongoing%20community%20interest%20and%20partial%20UI%20proposals%2C%20but%20the%20comprehensive%20solution%20remains%20unimplemented%20%5Bsource%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/ superset/security/manager.py%23L140-L2816%29.%0A%0AAll%20new%20features%20in%20SIP-201%20are%20designed%20to%20be%20opt-in%20via%20config%20flags%2C%20backward%20compatible%2C%20and%20scoped%20only%20to%20database-authenticated%20deployments.%20The%20proposal%20avoids%20modifying%20upstream%20FAB%20tables%2C%20instead%20introducing%20new%20Superset-managed%20tables%20for%20reset%20tokens%2C%20audit%20logs%2C%20and%20lockout%20tracking.%0A%0AFor%20now%2C%20password%20management%20in%20Superset%20remains%20limited%20to%20the%20legacy%20flows%2C%20and%20the%20SIP-201%20improvements%20are%20not%20yet%20available%20in%20the%20mainline%20code.%20If%20you%20need%20to%20track%20progress%20or%20contribute%2C%20keep%20an%20eye%20on%20the%20referenced%20issues%20and%20PRs.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/inte nt/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/issues/37927) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
