maudrid opened a new issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905


   I've created an API in superset in the config file.
   It shows up in swagger UI and I can call it successfully.
   My next step is to make sure that it can only be accessed if you have the correct permissions. So first I tried adding the @protect() decorator.
   This makes it so I get 401 when accessing the API.
   ```
   {"message":"Access is Denied","severity":"danger"}
   ```
   So far so good. Now I log in with an admin user using the /api/v1//security/login API and I get a token.
   Then I set the Authorization header on my REST call to my new API and I still get 401.
   So I thought maybe I need to add the permission to my role. So I add this decorator @permission_name("AAAAAA")
   And I go to find that permission in the roles edit section, but it cannot be found.
   I have tried several different ways to see if I can gain access to the API:
   1. Tried to change the permission name to some existing permission
   2. Instead of @protect() I tried @has_access_api
   3. I have tried setting the class_permission_name
   and a few other things, and I have spent many hours on this so far searching the net and reading the code and documentation. Does anyone know what the correct way is to protect the API endpoint in the same way as the Dashboards and Charts APIs are protected?
   For reference here is the basic code I am using without permissions:
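   ```
   from flask_appbuilder.api import BaseApi, expose, safe

   from superset.app import SupersetAppInitializer
   from superset.extensions import appbuilder


   class AuthorizationAPI(BaseApi):
       csrf_exempt = True

       # No permission decorator yet: this endpoint is reachable without authorization.
       @expose('/role/<role>', methods=["POST"])
       @safe
       def role(self, role):
           # My code here
           ...


   class MySupsersetAppInitializer(SupersetAppInitializer):
       def init_views(self) -> None:
           # Register the custom API before the stock Superset views.
           appbuilder.add_api(AuthorizationAPI)
           super().init_views()


   APP_INITIALIZER = MySupsersetAppInitializer
   ```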

