MG-MW commented on issue #37100:
URL: https://github.com/apache/superset/issues/37100#issuecomment-4068822397
I also ran into this.
### Version
- Superset: `6.0.0`
- Flask-AppBuilder in our environment: `5.2.0`
### Summary
When Superset is configured for `AUTH_LDAP`, `AUTH_USER_REGISTRATION = True`
is needed for first-login LDAP user auto-provisioning via Flask-AppBuilder.
In Superset `6.0.0`, the new SPA login flow also interprets that same flag
as "show self-registration UI" and "enable reCAPTCHA", which causes two
regressions for LDAP setups:
1. A `Register` button appears on the login page, even though this is not
self-registration in the LDAP case.
2. Startup/request bootstrap fails unless `RECAPTCHA_PUBLIC_KEY` is present,
even though LDAP login should not need reCAPTCHA.
### Expected behavior
For `AUTH_LDAP`:
- `AUTH_USER_REGISTRATION = True` should continue to mean "allow first-login
user creation from LDAP".
- It should not automatically imply end-user self-registration UI.
- It should not require `RECAPTCHA_PUBLIC_KEY` / `RECAPTCHA_PRIVATE_KEY`.
### Actual behavior
With `AUTH_TYPE = AUTH_LDAP` and `AUTH_USER_REGISTRATION = True`:
- Superset 6 shows a register button in the new login UI.
- Superset accesses reCAPTCHA config as part of the login/bootstrap path.
- Without dummy reCAPTCHA keys, the app fails in this path.
### Why this looks like a regression
In Flask-AppBuilder LDAP auth, `AUTH_USER_REGISTRATION` is part of LDAP user
provisioning:
- Unknown LDAP users are rejected if the flag is false:
[dpgaspar/Flask-AppBuilder/blob/v5.2.0/flask_appbuilder/security/manager.py#L1205-L1206](https://github.com/dpgaspar/Flask-AppBuilder/blob/v5.2.0/flask_appbuilder/security/manager.py#L1205-L1206)
- Unknown LDAP users are auto-created if the flag is true:
[dpgaspar/Flask-AppBuilder/blob/v5.2.0/flask_appbuilder/security/manager.py#L1338-L1354](https://github.com/dpgaspar/Flask-AppBuilder/blob/v5.2.0/flask_appbuilder/security/manager.py#L1338-L1354)
Superset 6.0.0 then exposes the same flag directly to the SPA and derives
reCAPTCHA from it:
- `AUTH_USER_REGISTRATION` is forwarded to frontend config
[apache/superset/blob/6.0.0/superset/views/base.py#L408-L409](https://github.com/apache/superset/blob/6.0.0/superset/views/base.py#L408-L409):
https://github.com/apache/superset/blob/6a1c30e5e7c3e28d0549c9c2ac0ff61607f26a2f/superset/views/base.py#L408-L409
- reCAPTCHA is enabled whenever registration is on and auth is not OAuth
[apache/superset/blob/6.0.0/superset/views/base.py#L410-L417](https://github.com/apache/superset/blob/6.0.0/superset/views/base.py#L410-L417):
https://github.com/apache/superset/blob/6a1c30e5e7c3e28d0549c9c2ac0ff61607f26a2f/superset/views/base.py#L410-L417
- Superset 6 also always wires its SPA auth/register views here
[apache/superset/blob/6.0.0/superset/security/manager.py#L2869-L2877](https://github.com/apache/superset/blob/6.0.0/superset/security/manager.py#L2869-L2877):
https://github.com/apache/superset/blob/6a1c30e5e7c3e28d0549c9c2ac0ff61607f26a2f/superset/security/manager.py#L2869-L2877
That makes LDAP auto-provisioning look like end-user self-registration.
### Minimal config shape
```python
from flask_appbuilder.security.manager import AUTH_LDAP
AUTH_TYPE = AUTH_LDAP
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Viewer"
```
### Workaround
We currently work around this by overriding the frontend bootstrap payload
so that the SPA sees:
```python
RECAPTCHA_PUBLIC_KEY = " "
RECAPTCHA_PRIVATE_KEY = " "
def COMMON_BOOTSTRAP_OVERRIDES_FUNC(bootstrap_data: dict) -> dict:
conf = bootstrap_data.get("conf", {})
if conf.get("AUTH_TYPE") == AUTH_LDAP:
return {
**bootstrap_data,
"conf": {
**conf,
# Keep LDAP first-login auto provisioning on the backend,
# but do not expose self-registration in the Superset v6+ UI.
"AUTH_USER_REGISTRATION": False,
},
}
return bootstrap_data
```
while keeping backend `AUTH_USER_REGISTRATION = True` for LDAP
auto-provisioning.
That hides the register button, but it feels like a workaround rather than
the intended behavior.
### Suggested fix
For `AUTH_LDAP`, Superset should distinguish between:
- backend user auto-provisioning
- frontend self-registration UI
For example, the SPA login/register UI and reCAPTCHA requirement should not
be derived solely from `AUTH_USER_REGISTRATION` for LDAP.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
