hjadm commented on issue #39834:
URL: https://github.com/apache/superset/issues/39834#issuecomment-4389352822

   Confirming this bug on Superset 6.0.0 using the Docker image 
apache/superset:6.0.0.
   
   I was able to confirm that the issue affects the following REST API 
endpoints when using JWT Bearer authentication:
   
   GET /api/v1/database/   → count: 0 ❌
   GET /api/v1/dataset/    → count: 0 ❌
   GET /api/v1/dashboard/  → count: 0 ❌
   GET /api/v1/chart/      → count: 0 ❌
   
   After applying the workaround, all four endpoints started returning the 
correct counts, for example:
   
   database: 2
   dataset: 55
   dashboard: 26
   chart: 508
   
   The workaround was applied successfully using FLASK_APP_MUTATOR:
   
   def FLASK_APP_MUTATOR(app):
       from flask import g, request
       from flask_jwt_extended import decode_token
       from superset import security_manager

       @app.before_request
       def _set_user_from_jwt():
           # Only act on requests that carry a Bearer token; everything else
           # is left to Superset's normal session/auth handling.
           auth_header = request.headers.get("Authorization", "")
           if auth_header.startswith("Bearer "):
               token = auth_header.split(" ", 1)[1]
               try:
                   # decode_token verifies signature and expiry against the
                   # app's JWT configuration and raises on failure.
                   decoded = decode_token(token)
                   identity = decoded.get("sub")
                   if identity:
                       # Look up the FAB user by the token subject and only
                       # populate g.user for an existing, active account.
                       user = security_manager.load_user(identity)
                       if user and user.is_active:
                           g.user = user
               except Exception:
                   # Invalid or expired token: leave g.user unset rather than
                   # fail here; the endpoint's own auth check still applies.
                   pass
   
   Important note: adding @app.before_request directly inside 
superset_config.py without using FLASK_APP_MUTATOR does not work. It fails with:
   
   ImportError: cannot import name 'app' from 'superset.app'
   
   So FLASK_APP_MUTATOR appears to be the correct mechanism here, because it 
receives the fully initialized Flask app instance.
   
   A secondary fix was also necessary. The encrypted_extra KeyError on:
   
   GET /api/v1/database/_info
   
   required the following SQL fix:
   
   -- PostgreSQL (the ::jsonb cast and || merge are Postgres-specific):
   -- add an empty encrypted_extra key to every dbs row whose extra lacks one.
   -- Rows whose extra is NULL do not match NOT LIKE and are left untouched.
   UPDATE dbs
   SET extra = (extra::jsonb || '{"encrypted_extra": ""}')::text
   WHERE extra NOT LIKE '%encrypted_extra%';
   
   After applying both fixes and restarting the container, all tested REST API 
endpoints worked correctly with JWT Bearer authentication.
   
   I also confirmed that guest token generation works correctly after the fix:
   
   POST /api/v1/security/guest_token/ → 200
   
   This endpoint was also affected, since it depends on g.user.
   
   Verified in production on a multi-tenant Superset deployment serving 
embedded dashboards.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
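An added example, not code from the Superset project or from the comment above: the user-lookup logic of the before_request workaround factored into a function with the JWT decoder and user loader passed in, so the cases that matter for access control (non-Bearer header, invalid or expired token, missing sub claim, unknown or inactive user) can be checked without a running Superset, plus a stdlib-only check that queries the four list endpoints named in the comment with a Bearer token and reports which still return count 0. In the real hook the two injected callables would be flask_jwt_extended.decode_token and security_manager.load_user, as in the comment; the base URL, the SUPERSET_URL and SUPERSET_JWT environment variables and the canned user records are assumptions, the endpoint paths are the ones listed above.

```python
"""Added example around the JWT/g.user workaround; not Superset project code.

resolve_user_from_authorization: the before_request lookup as a pure function.
check_list_counts / endpoints_returning_zero: confirm whether the count: 0
symptom from the comment is present on an instance (or on canned responses).
"""
import json
import urllib.request

# The four list endpoints the comment reports as returning count 0.
AFFECTED_ENDPOINTS = (
    "/api/v1/database/",
    "/api/v1/dataset/",
    "/api/v1/dashboard/",
    "/api/v1/chart/",
)


def resolve_user_from_authorization(auth_header, decode_token, load_user):
    """Return the active user named by a Bearer JWT, or None.

    decode_token(token) -> claims dict (raises on a bad token) and
    load_user(identity) -> user or None are injected; in Superset they are
    flask_jwt_extended.decode_token and security_manager.load_user.
    Anything short of a valid token naming an existing, active user yields
    None, so the request keeps no identity instead of being granted one.
    """
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    try:
        claims = decode_token(token)
    except Exception:  # expired, tampered, wrong key: treat as no identity
        return None
    identity = claims.get("sub")
    if not identity:
        return None
    user = load_user(identity)
    if user is None or not getattr(user, "is_active", False):
        return None
    return user


def check_list_counts(fetch_json, token):
    """Query each affected endpoint with a Bearer token; return {path: count}.

    fetch_json(path, headers) -> dict is injected so this runs against a live
    host (see http_fetch_json) or against canned responses in a test.
    """
    headers = {"Authorization": f"Bearer {token}"}
    return {path: int(fetch_json(path, headers).get("count", 0))
            for path in AFFECTED_ENDPOINTS}


def endpoints_returning_zero(counts):
    """Paths whose list response has count 0, i.e. the symptom being tracked."""
    return sorted(path for path, count in counts.items() if count == 0)


def http_fetch_json(base_url):
    """Build a fetch_json for a live instance (assumed URL; run manually)."""
    def fetch(path, headers):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


if __name__ == "__main__":
    import os
    import sys
    # Assumed environment variables; adjust for your deployment.
    base = os.environ.get("SUPERSET_URL", "http://localhost:8088")
    jwt = os.environ.get("SUPERSET_JWT", "")
    counts = check_list_counts(http_fetch_json(base), jwt)
    for path, count in counts.items():
        print(f"{path:<22} count: {count}")
    sys.exit(1 if endpoints_returning_zero(counts) else 0)
```

Run it with SUPERSET_URL and SUPERSET_JWT set before and after applying the FLASK_APP_MUTATOR hook; a non-zero exit means at least one of the four endpoints still returns an empty list for the token.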

