rusackas opened a new pull request, #41305: URL: https://github.com/apache/superset/pull/41305
### SUMMARY

The guest-token issuance endpoint recorded only the coarse action name via `@event_logger.log_this`, without the metadata needed to scope an investigation if a misissued or over-scoped token were later abused.

This emits an explicit issuance event on successful guest-token creation capturing:

- issuer user id
- source IP
- granted resources (`type:id`)
- dataset allowlist
- RLS dataset scope and rule count
- a SHA-256 hash of the issued token (never the raw token)

RLS clause text is intentionally omitted since it can carry data values.

The metadata is assembled by a small pure helper, `build_guest_token_audit_payload`, so it is easy to test.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — audit logging.

### TESTING INSTRUCTIONS

Unit tests in `tests/unit_tests/security/guest_token_audit_test.py`:

- The payload captures issuer/source-IP/resources/datasets/RLS scope.
- The raw token is never present; only its SHA-256 hash is recorded.
- RLS clause text is not included.

Run: `pytest tests/unit_tests/security/guest_token_audit_test.py`

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
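An added Python sketch of the kind of helper the description names, written for this page and not taken from the PR or from Superset: the function signature, the token-payload shape (`user` / `resources` / `rls`), the field names and the sample values are assumptions. It shows the two redactions the summary calls out, fingerprinting the token with SHA-256 instead of logging it and reducing RLS rules to their dataset ids and a count, plus a check for the invariants the unit tests are said to cover.

```python
import hashlib
import json
from typing import Any, Optional

# Constructed sample. The shape (user / resources / rls) mirrors a Superset
# guest-token payload but is an assumption for this example, not project code.
SAMPLE_TOKEN_PAYLOAD: dict[str, Any] = {
    "user": {"username": "embed-viewer"},
    "resources": [{"type": "dashboard", "id": "a1b2"}, {"type": "chart", "id": "c9"}],
    "rls": [
        {"dataset": 7, "clause": "region = 'EMEA'"},
        {"dataset": 7, "clause": "tier = 'gold'"},
        {"dataset": 9, "clause": "owner_id = 42"},
    ],
}
SAMPLE_RAW_TOKEN = "header.payload.signature-CONSTRUCTED"  # constructed, not a real JWT


def build_guest_token_audit_payload(
    raw_token: str,
    token_payload: dict[str, Any],
    issuer_user_id: Optional[int],
    source_ip: Optional[str],
    datasets: Optional[list[int]] = None,
) -> dict[str, Any]:
    """Assemble the issuance audit event. Only a SHA-256 fingerprint of the
    token is logged, so the log line can never be replayed as a credential;
    RLS clause text is dropped because clauses may embed data values."""
    rls_rules = token_payload.get("rls") or []
    return {
        "issuer_user_id": issuer_user_id,
        "source_ip": source_ip,
        "resources": [f"{r['type']}:{r['id']}" for r in token_payload.get("resources") or []],
        "datasets": sorted(datasets or []),
        "rls_datasets": sorted({r["dataset"] for r in rls_rules if "dataset" in r}),
        "rls_rule_count": len(rls_rules),
        "token_sha256": hashlib.sha256(raw_token.encode("utf-8")).hexdigest(),
    }


def audit_payload_is_safe(payload: dict[str, Any], raw_token: str, token_payload: dict[str, Any]) -> bool:
    """Invariants the PR's tests describe: raw token and clause text never appear."""
    serialized = json.dumps(payload, default=str)
    clauses = [r.get("clause", "") for r in token_payload.get("rls") or []]
    return raw_token not in serialized and not any(c and c in serialized for c in clauses)


if __name__ == "__main__":
    event = build_guest_token_audit_payload(SAMPLE_RAW_TOKEN, SAMPLE_TOKEN_PAYLOAD, 1, "10.0.0.5", [7, 9])
    print(json.dumps(event, indent=2))
    assert audit_payload_is_safe(event, SAMPLE_RAW_TOKEN, SAMPLE_TOKEN_PAYLOAD)
```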
