Copilot commented on code in PR #40357: URL: https://github.com/apache/superset/pull/40357#discussion_r3326659396
########## superset/mcp_service/plugin/tool/create_plugin.py: ########## @@ -0,0 +1,108 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.plugin.schemas import ( + CreatePluginRequest, + CreatePluginResponse, +) + +logger = logging.getLogger(__name__) Review Comment: `logging`/`logger` are unused in this module, which will fail Ruff (F401/F841) and break CI. Please remove the unused import/assignment (or start using `logger`). ########## superset/mcp_service/plugin/tool/update_plugin.py: ########## @@ -0,0 +1,116 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.plugin.schemas import ( + UpdatePluginRequest, + UpdatePluginResponse, +) + +logger = logging.getLogger(__name__) Review Comment: `logging`/`logger` are unused in this module, which will fail Ruff (F401/F841) and break CI. Please remove the unused import/assignment (or start using `logger`). ########## superset/mcp_service/plugin/tool/update_plugin.py: ########## @@ -0,0 +1,116 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.plugin.schemas import ( + UpdatePluginRequest, + UpdatePluginResponse, +) + +logger = logging.getLogger(__name__) + + +@tool( + tags=["mutate"], + class_permission_name="DynamicPlugin", + method_permission_name="write", + annotations=ToolAnnotations( + title="Update a dynamic plugin", + readOnlyHint=False, + destructiveHint=True, + ), +) +async def update_plugin( + request: UpdatePluginRequest, ctx: Context +) -> UpdatePluginResponse: + """Update an existing dynamic plugin's name, key, or bundle URL. + + Requires admin write access to DynamicPlugin and the DYNAMIC_PLUGINS + feature flag to be enabled. At least one of ``name``, ``key``, or + ``bundle_url`` must be provided; only the supplied fields are changed. + + Use ``create_plugin`` to look up the plugin ID if you only know the key. + """ + await ctx.info("Updating dynamic plugin: id=%s" % (request.id,)) + + try: + from sqlalchemy.exc import IntegrityError + + from superset import is_feature_enabled + from superset.extensions import db + from superset.models.dynamic_plugins import DynamicPlugin + + if not is_feature_enabled("DYNAMIC_PLUGINS"): + await ctx.warning("DYNAMIC_PLUGINS feature flag is not enabled") + return UpdatePluginResponse( + error=( + "The DYNAMIC_PLUGINS feature flag is not enabled on this instance." + ) + ) + + with event_logger.log_context(action="mcp.update_plugin.lookup"): + plugin = db.session.get(DynamicPlugin, request.id) + + if plugin is None: + await ctx.warning("Plugin not found: id=%s" % (request.id,)) + return UpdatePluginResponse( + error="No plugin found with id=%d. " + "Use the plugin ID returned by create_plugin." % request.id + ) + + if request.name is not None: + plugin.name = request.name + if request.key is not None: + plugin.key = request.key + if request.bundle_url is not None: + plugin.bundle_url = request.bundle_url + + with event_logger.log_context(action="mcp.update_plugin.save"): + db.session.commit() + + await ctx.info( + "Dynamic plugin updated: id=%s, key=%r" % (plugin.id, plugin.key) + ) + + return UpdatePluginResponse( + id=plugin.id, + name=plugin.name, + key=plugin.key, + bundle_url=plugin.bundle_url, + ) + + except IntegrityError as exc: + db.session.rollback() + msg = str(exc.orig) if exc.orig else str(exc) + await ctx.warning("Plugin update failed (duplicate field): %s" % (msg,)) + return UpdatePluginResponse( + error=( + "A plugin with the same name, key, or bundle_url already exists. " + "Each field must be unique." + ) + ) + except Exception as exc: + db.session.rollback() + await ctx.error( + "Unexpected error updating plugin: %s: %s" % (type(exc).__name__, str(exc)) + ) + raise Review Comment: The exception handlers call `db.session.rollback()` but `db` is imported inside the `try` block. If an exception is raised before `db` is imported (e.g. during imports/feature-flag checks), the handler will raise `UnboundLocalError` and mask the original failure. Also, rollback itself can fail; other MCP tools guard rollback in a nested try/except. ########## superset/mcp_service/plugin/tool/create_plugin.py: ########## @@ -0,0 +1,108 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.plugin.schemas import ( + CreatePluginRequest, + CreatePluginResponse, +) + +logger = logging.getLogger(__name__) + + +@tool( + tags=["mutate"], + class_permission_name="DynamicPlugin", + method_permission_name="write", + annotations=ToolAnnotations( + title="Register a dynamic plugin", + readOnlyHint=False, + destructiveHint=False, + ), +) +async def create_plugin( + request: CreatePluginRequest, ctx: Context +) -> CreatePluginResponse: + """Register a new dynamic (custom) plugin in Superset. Review Comment: These new MCP mutation tools introduce important behavior (feature-flag gating, RBAC enforcement, duplicate/IntegrityError handling, not-found handling) but there are no unit tests added for them. The repo has extensive unit tests for other MCP tools under `tests/unit_tests/mcp_service/**/tool/`, so this should be covered similarly to prevent regressions. ########## superset/mcp_service/plugin/tool/create_plugin.py: ########## @@ -0,0 +1,108 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.plugin.schemas import ( + CreatePluginRequest, + CreatePluginResponse, +) + +logger = logging.getLogger(__name__) + + +@tool( + tags=["mutate"], + class_permission_name="DynamicPlugin", + method_permission_name="write", + annotations=ToolAnnotations( + title="Register a dynamic plugin", + readOnlyHint=False, + destructiveHint=False, + ), +) +async def create_plugin( + request: CreatePluginRequest, ctx: Context +) -> CreatePluginResponse: + """Register a new dynamic (custom) plugin in Superset. + + Requires the DYNAMIC_PLUGINS feature flag to be enabled and admin write + access to DynamicPlugin. The ``key`` must match the package name from the + plugin's package.json and be unique across all registered plugins. + + After registration, Superset will load the plugin bundle from ``bundle_url`` + on the next page load. + """ + await ctx.info( + "Registering dynamic plugin: name=%r, key=%r" % (request.name, request.key) + ) + + try: + from sqlalchemy.exc import IntegrityError + + from superset import is_feature_enabled + from superset.extensions import db + from superset.models.dynamic_plugins import DynamicPlugin + + if not is_feature_enabled("DYNAMIC_PLUGINS"): + await ctx.warning("DYNAMIC_PLUGINS feature flag is not enabled") + return CreatePluginResponse( + error=( + "The DYNAMIC_PLUGINS feature flag is not enabled on this instance." + ) + ) + + with event_logger.log_context(action="mcp.create_plugin.create"): + plugin = DynamicPlugin( + name=request.name, + key=request.key, + bundle_url=request.bundle_url, + ) + db.session.add(plugin) + db.session.commit() + + await ctx.info( + "Dynamic plugin registered: id=%s, key=%r" % (plugin.id, plugin.key) + ) + + return CreatePluginResponse( + id=plugin.id, + name=plugin.name, + key=plugin.key, + bundle_url=plugin.bundle_url, + ) + + except IntegrityError as exc: + db.session.rollback() + msg = str(exc.orig) if exc.orig else str(exc) + await ctx.warning("Plugin creation failed (duplicate field): %s" % (msg,)) + return CreatePluginResponse( + error=( + "A plugin with the same name, key, or bundle_url already exists. " + "Each field must be unique." + ) + ) + except Exception as exc: + db.session.rollback() + await ctx.error( + "Unexpected error creating plugin: %s: %s" % (type(exc).__name__, str(exc)) + ) + raise Review Comment: The exception handlers call `db.session.rollback()` but `db` is imported inside the `try` block. If an exception is raised before `db` is imported (e.g. during imports/feature-flag checks), the handler will raise `UnboundLocalError` and mask the original failure. Also, rollback itself can fail; other MCP tools guard rollback in a nested try/except. ########## superset/mcp_service/plugin/tool/update_plugin.py: ########## @@ -0,0 +1,116 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.plugin.schemas import ( + UpdatePluginRequest, + UpdatePluginResponse, +) + +logger = logging.getLogger(__name__) + + +@tool( + tags=["mutate"], + class_permission_name="DynamicPlugin", + method_permission_name="write", + annotations=ToolAnnotations( + title="Update a dynamic plugin", + readOnlyHint=False, + destructiveHint=True, + ), +) +async def update_plugin( + request: UpdatePluginRequest, ctx: Context +) -> UpdatePluginResponse: + """Update an existing dynamic plugin's name, key, or bundle URL. + + Requires admin write access to DynamicPlugin and the DYNAMIC_PLUGINS + feature flag to be enabled. At least one of ``name``, ``key``, or + ``bundle_url`` must be provided; only the supplied fields are changed. + + Use ``create_plugin`` to look up the plugin ID if you only know the key. + """ Review Comment: The docstring says to use `create_plugin` to look up a plugin ID by key, but `create_plugin` only registers a new plugin; it doesn't provide lookup functionality. This is misleading for callers. ########## superset/mcp_service/plugin/tool/update_plugin.py: ########## @@ -0,0 +1,116 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.plugin.schemas import ( + UpdatePluginRequest, + UpdatePluginResponse, +) + +logger = logging.getLogger(__name__) + + +@tool( + tags=["mutate"], + class_permission_name="DynamicPlugin", + method_permission_name="write", + annotations=ToolAnnotations( + title="Update a dynamic plugin", + readOnlyHint=False, + destructiveHint=True, + ), +) +async def update_plugin( + request: UpdatePluginRequest, ctx: Context +) -> UpdatePluginResponse: + """Update an existing dynamic plugin's name, key, or bundle URL. + + Requires admin write access to DynamicPlugin and the DYNAMIC_PLUGINS + feature flag to be enabled. At least one of ``name``, ``key``, or + ``bundle_url`` must be provided; only the supplied fields are changed. + + Use ``create_plugin`` to look up the plugin ID if you only know the key. + """ + await ctx.info("Updating dynamic plugin: id=%s" % (request.id,)) + + try: + from sqlalchemy.exc import IntegrityError + + from superset import is_feature_enabled + from superset.extensions import db + from superset.models.dynamic_plugins import DynamicPlugin + + if not is_feature_enabled("DYNAMIC_PLUGINS"): + await ctx.warning("DYNAMIC_PLUGINS feature flag is not enabled") + return UpdatePluginResponse( + error=( + "The DYNAMIC_PLUGINS feature flag is not enabled on this instance." + ) + ) + + with event_logger.log_context(action="mcp.update_plugin.lookup"): + plugin = db.session.get(DynamicPlugin, request.id) + + if plugin is None: + await ctx.warning("Plugin not found: id=%s" % (request.id,)) + return UpdatePluginResponse( + error="No plugin found with id=%d. " + "Use the plugin ID returned by create_plugin." % request.id + ) Review Comment: The not-found error message points users to `create_plugin`, but if the plugin already exists they may need to look up the ID via the Custom Plugins UI instead. As written, this guidance is confusing. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
