Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/09/16 11:26:57 UTC

[GitHub] [incubator-superset] maudrid opened a new issue #10905: How to secure newly added APIs

maudrid opened a new issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905


   I've created an API in superset in the config file.
   It shows up in swagger UI and I can call it successfully.
   My next step is to make sure that it can only be accessed if you have the correct permissions. So first I tried adding the @protect() decorator.
   This makes it so I get 401 when accessing the API.
   ```
   {"message":"Access is Denied","severity":"danger"}
   ```
   So far so good. Now I log in with an admin user using the /api/v1/security/login API and I get a token.
   Then I set the Authorization header on my REST call to my new API and I still get 401.
   So I thought maybe I need to add the permission to my role. So I add this decorator @permission_name("AAAAAA")
   And I go to find that permission in the roles edit section, but it cannot be found.
   I have tried several different ways to see if I can gain access to the API:
   1. Tried to change the permission name to some existing permission
   2. Instead of @protect() I tried @has_access_api
   3. I have tried setting the class_permission_name
   and a few other things, and I have spent many hours on this so far searching the net and reading the code and documentation. Does anyone know what the correct way is to protect the API endpoint in the same way as the Dashboards and Charts APIs are protected?
   For reference here is the basic code I am using without permissions:
   ```python
   from flask_appbuilder.api import BaseApi, expose, safe
   from superset.app import SupersetAppInitializer
   from superset.extensions import appbuilder  # assumed import: `appbuilder` was used unimported in the original snippet

   class AuthorizationAPI(BaseApi):
       csrf_exempt = True

       @expose('/role/<role>', methods=["POST"])
       @safe
       def role(self, role):
           # My code here
           ...

   class MySupsersetAppInitializer(SupersetAppInitializer):
       def init_views(self) -> None:
           appbuilder.add_api(AuthorizationAPI)
           super().init_views()

   APP_INITIALIZER = MySupsersetAppInitializer
   ```


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [incubator-superset] maudrid commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
maudrid commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-697874621


   Thank you again for your response.
   
   I have tried with Postman, curl and Swagger UI. 
   All with the same results.
   Is there a way I can debug to see what if statement is causing it to fail?




[GitHub] [incubator-superset] maudrid commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
maudrid commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-694270193


   @dpgaspar Thanks for your help, I am now a step closer.
   My method now looks like this
   ```python
       @expose('/role/<role>', methods=["POST"])
       @permission_name("AAAAAA")
       @protect()
       @safe
       def role(self, role):
   ```
   After running superset init, I can see the new permission is automatically added to the Admin role:
   `can AAAAAA on AuthorizationAPI`
   But I still get a 401 error when accessing this method with a user that is in the Admin role.
   Here is how I call the API:
   ```bash
   curl 'https://mydomain.com/api/v1/authorizationapi/role/BBBB' -H 'Accept: */*' -H 'Authorization: Bearer eyJ0eX....zls22ebg' -H 'Origin: https://mydomain.com' -H 'Connection: keep-alive' --data-raw ''
   ```
   
   What else should I look at next?




[GitHub] [incubator-superset] maudrid closed issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
maudrid closed issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905


   




[GitHub] [incubator-superset] maudrid commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
maudrid commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-698732485


   After spending too much time debugging I finally found the problem.
   It all came down to the order of the decorators.
   This order is working for me now:
   ```
   class AuthorizationAPI(BaseApi):
       csrf_exempt= True
   
       @expose('/role/<role>', methods=["POST"])
       @protect()
       @safe
       @permission_name("Add roles")
       def role(self, role):
   ```




[GitHub] [incubator-superset] issue-label-bot[bot] commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
issue-label-bot[bot] commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-693344244


   Issue-Label Bot is automatically applying the label `#question` to this issue, with a confidence of 0.79. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback! 
   
    Links: [app homepage](https://github.com/marketplace/issue-label-bot), [dashboard](https://mlbot.net/data/apache/incubator-superset) and [code](https://github.com/hamelsmu/MLapp) for this bot.




[GitHub] [incubator-superset] nytai commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
nytai commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-697889347


   @maudrid you can use the python debugger to set a break point 
   https://docs.python.org/3/library/pdb.html





[GitHub] [incubator-superset] maudrid commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
maudrid commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-694176077


   Thank you, I think I am missing the `superset init` step.
   I will try that.




[GitHub] [incubator-superset] dpgaspar commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
dpgaspar commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-697213655


   Ok!
   
   Is your `curl` actually an HTTP POST? If it is still failing, add `-v` and post the output. Have you tried the Swagger UI to validate and test your new API (`/swagger/v1`)?
   





[GitHub] [incubator-superset] dpgaspar commented on issue #10905: How to secure newly added APIs

Posted by GitBox <gi...@apache.org>.
dpgaspar commented on issue #10905:
URL: https://github.com/apache/incubator-superset/issues/10905#issuecomment-694082326


   Hi, this is more of an FAB question. You should use `@protect` with `BaseApi` or `ModelRestApi` classes; this will create a new permission pair, in your case `can role on AuthorizationAPI`. After that you need to run `superset init` so that Superset itself creates the necessary permission in the DB and adds it to the `Admin` role.
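   An added example, not code from Superset, Flask-AppBuilder or anyone in this thread: a toy Python model of how FAB-style API decorators compose. It illustrates both the point made in this comment (`@protect()` on a `BaseApi` method yields a permission pair that the `superset init` step grants to Admin) and maudrid's later finding that the order of `@permission_name` and `@protect()` decides whether the permission that gets granted is the one that actually gets checked. The decorators keep FAB's pattern (`@permission_name` tags the function, `@protect()` wraps the function it receives and checks the tag on that function) but none of the framework plumbing; `Role`, `User`, the `BaseApi` registry loop, `sync_roles` and `call` are assumptions made up for this example. In this model, with `@permission_name("AAAAAA")` placed above `@protect()` the registry sees and grants `can_AAAAAA` while the wrapper checks `can_role`, so even Admin gets a 401 (a fail-closed mismatch); with the tag innermost, registration and check agree.

   ```python
   # Added example, not Superset's or Flask-AppBuilder's code: a toy model of how
   # FAB-style API decorators compose. Role, User, the BaseApi registry loop,
   # sync_roles and call are assumptions made for this example.
   import functools

   def expose(url, methods=("GET",)):
       # Record the route on the function; the registry loop reads it later.
       def decorate(f):
           f._urls = getattr(f, "_urls", []) + [(url, list(methods))]
           return f
       return decorate

   def permission_name(name):
       # Tag whatever it is applied to with the permission name to register.
       def decorate(f):
           f._permission_name = name
           return f
       return decorate

   def protect():
       # Authorization wrapper. The permission is resolved from the function that
       # protect() receives at decoration time, so a tag applied *above* protect()
       # renames what gets registered but not what gets checked.
       def decorate(f):
           if not hasattr(f, "_permission_name"):
               f._permission_name = f.__name__  # default: the method name
           def wrapper(self, user, *args, **kwargs):
               needed = "can_" + f._permission_name
               if needed in self.base_permissions and user.has_access(needed, type(self).__name__):
                   return f(self, user, *args, **kwargs)
               return 401, {"message": "Access is Denied"}  # fail closed
           return functools.update_wrapper(wrapper, f)  # also copies f.__dict__
       return decorate

   def safe(f):
       # Turn an unhandled exception into a 500 instead of a traceback.
       @functools.wraps(f)
       def wrapper(self, *args, **kwargs):
           try:
               return f(self, *args, **kwargs)
           except Exception as exc:
               return 500, {"message": type(exc).__name__}
       return wrapper

   class Role:
       def __init__(self, name):
           self.name, self.permissions = name, set()  # {(permission, view_menu)}

   class User:
       def __init__(self, name, *roles):
           self.name, self.roles = name, list(roles)
       def has_access(self, permission, view_menu):
           return any((permission, view_menu) in r.permissions for r in self.roles)

   class BaseApi:
       # Registry stand-in: collect routes and "base permissions" from the decorated methods.
       def __init__(self):
           self.routes, self.base_permissions = {}, set()
           for attr in (getattr(self, n) for n in dir(self)):
               for url, methods in getattr(attr, "_urls", []):
                   self.routes.update({(m, url): attr for m in methods})
               if hasattr(attr, "_permission_name"):
                   self.base_permissions.add("can_" + attr._permission_name)

   def sync_roles(api, admin):
       # The `superset init` step: grant every registered permission to Admin.
       for perm in api.base_permissions:
           admin.permissions.add((perm, type(api).__name__))

   def call(api, user, method, url_rule, **params):
       handler = api.routes.get((method, url_rule))
       return handler(user, **params) if handler else (404, {"message": "Not found"})

   class BrokenOrderAPI(BaseApi):
       @expose("/role/<role>", methods=["POST"])
       @permission_name("AAAAAA")  # above protect(): registers can_AAAAAA, checks can_role
       @protect()
       @safe
       def role(self, user, role_name):
           return 200, {"added": role_name}

   class WorkingOrderAPI(BaseApi):
       @expose("/role/<role>", methods=["POST"])
       @protect()
       @safe
       @permission_name("Add roles")  # innermost: the tag exists before protect() wraps
       def role(self, user, role_name):
           return 200, {"added": role_name}

   def demo():
       admin = Role("Admin")
       admin_user, gamma_user = User("admin", admin), User("gamma")  # gamma has no roles
       results = {}
       for cls in (BrokenOrderAPI, WorkingOrderAPI):
           api = cls()
           sync_roles(api, admin)
           results[cls.__name__] = {
               "registered": sorted(api.base_permissions),
               "admin": call(api, admin_user, "POST", "/role/<role>", role_name="BBBB")[0],
               "gamma": call(api, gamma_user, "POST", "/role/<role>", role_name="BBBB")[0],
           }
       return results
   ```

   Running `demo()` gives `BrokenOrderAPI` a registered permission of `can_AAAAAA` but a 401 for both users, while `WorkingOrderAPI` registers `can_Add roles`, returns 200 for the Admin user and 401 for the user with no roles. The practical check on a real Superset deployment is the same as in this thread: compare the permission name that appears on the Admin role after `superset init` with the method name `@protect()` would fall back to, and if they differ, move `@permission_name` below `@protect()`.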

