aminghadersohi opened a new pull request, #37973: URL: https://github.com/apache/superset/pull/37973
### SUMMARY

Add API key authentication support to Superset by delegating to Flask-AppBuilder's SecurityManager. This enables programmatic access to Superset for MCP service integrations, CI/CD pipelines, and external applications without requiring browser-based login or frequent JWT refresh.

**Architecture**: API key auth is implemented at the FAB layer so `@protect()` works automatically, avoiding split auth management. This benefits the broader FAB ecosystem.

**Key changes:**
- Update MCP auth to use FAB's `SecurityManager.validate_api_key()`
- Add `FAB_API_KEY_ENABLED` and `FAB_API_KEY_PREFIXES` config options
- Add frontend UI for API key management (list, create, revoke)
- Add migration for `ab_api_key` table (FAB-managed)
- Pin FAB to feature branch with API key support

**Design decisions:**
- API keys validated via prefix-based lookup + hash verification (werkzeug `check_password_hash`) — no plaintext storage
- Key prefix configurable (`FAB_API_KEY_PREFIXES`, default `["sst_"]`) for identification and efficient DB lookup
- `@protect()` checks API keys before JWT — deterministic auth path when prefix is detected
- Keys inherit user's RBAC permissions via FAB's existing `has_access()` mechanism
- UUID-based external references for key management (not auto-increment IDs)

**Depends on:** https://github.com/dpgaspar/Flask-AppBuilder/pull/2431 (FAB feature branch — all CI green)

**Related SIP:** https://github.com/apache/superset/issues/36175

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A - New feature, no existing UI changes

### TESTING INSTRUCTIONS

1. Install FAB feature branch: `pip install git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth`
2. Set `FAB_API_KEY_ENABLED = True` in `superset_config.py`
3. Create an API key via `POST /api/v1/security/api_keys/` with Bearer JWT auth
4. Use the returned key with `Authorization: Bearer sst_...` on any protected endpoint
5. Verify key can be revoked via `DELETE /api/v1/security/api_keys/<uuid>`

### ADDITIONAL INFORMATION

- [x] Has associated issue: Fixes #36175
- [ ] Required feature flags:
- [x] Changes UI
- [x] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
- [x] Migration is atomic, supports rollback & is backwards-compatible
- [x] Confirm DB migration upgrade and downgrade tested
- [x] Runtime estimates and downtime expectations provided
- [x] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
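The PR's design decisions (prefix-identified keys, prefix-based lookup followed by hash verification with no plaintext storage, UUID references for revocation, and `@protect()` taking the API-key path before JWT whenever a configured prefix is seen) can be exercised end to end in a small model. The following is an added example written for this page; it is not code from the Superset PR or from Flask-AppBuilder. It assumes an in-memory dict in place of the `ab_api_key` table, standard-library PBKDF2 in place of werkzeug's `generate_password_hash`/`check_password_hash` so that it runs offline, an eight-character lookup fragment after the prefix as this example's own way of narrowing the candidate rows, and a JWT branch that is only a stub reporting which path was taken.

```python
"""Model of the API-key flow described in the PR (added example, not project code).

Assumptions: API_KEY_TABLE stands in for FAB's ab_api_key table; PBKDF2-HMAC
replaces werkzeug's password hashing; the lookup fragment and the JWT stub are
this example's own choices.
"""
import hashlib
import hmac
import os
import secrets
import uuid
from dataclasses import dataclass
from typing import Optional

API_KEY_PREFIXES = ["sst_"]  # models FAB_API_KEY_PREFIXES with the PR's default
PBKDF2_ROUNDS = 100_000
LOOKUP_LEN = 8  # assumption: chars after the prefix used to narrow the lookup


@dataclass
class ApiKeyRecord:
    key_uuid: str      # external reference exposed to clients, not a row id
    prefix: str        # identifies the key family (stored in clear)
    lookup: str        # non-secret fragment used for the indexed lookup
    key_hash: bytes    # PBKDF2 hash of the full key; plaintext is never stored
    salt: bytes
    user: str
    revoked: bool = False


API_KEY_TABLE: dict = {}  # stands in for the ab_api_key table


def _hash_key(token: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ROUNDS)


def _matching_prefix(token: str) -> Optional[str]:
    for prefix in API_KEY_PREFIXES:
        if token.startswith(prefix):
            return prefix
    return None


def _lookup_fragment(token: str, prefix: str) -> str:
    return token[len(prefix):len(prefix) + LOOKUP_LEN]


def create_api_key(user: str, prefix: str = API_KEY_PREFIXES[0]):
    """Issue a key for `user`; returns (plaintext, key_uuid). Plaintext is shown once."""
    if prefix not in API_KEY_PREFIXES:
        raise ValueError(f"prefix {prefix!r} is not configured")
    plaintext = prefix + secrets.token_urlsafe(32)
    salt = os.urandom(16)
    rec = ApiKeyRecord(
        key_uuid=str(uuid.uuid4()),
        prefix=prefix,
        lookup=_lookup_fragment(plaintext, prefix),
        key_hash=_hash_key(plaintext, salt),
        salt=salt,
        user=user,
    )
    API_KEY_TABLE[rec.key_uuid] = rec
    return plaintext, rec.key_uuid


def validate_api_key(token: str) -> Optional[str]:
    """Return the owning user for a valid, unrevoked key, otherwise None."""
    prefix = _matching_prefix(token)
    if prefix is None:
        return None
    fragment = _lookup_fragment(token, prefix)
    # prefix + fragment narrow the candidate rows; the hash comparison decides
    for rec in API_KEY_TABLE.values():
        if rec.prefix != prefix or rec.lookup != fragment or rec.revoked:
            continue
        if hmac.compare_digest(_hash_key(token, rec.salt), rec.key_hash):
            return rec.user
    return None


def revoke_api_key(key_uuid: str) -> bool:
    """Revoke by UUID, as DELETE /api/v1/security/api_keys/<uuid> would."""
    rec = API_KEY_TABLE.get(key_uuid)
    if rec is None:
        return False
    rec.revoked = True
    return True


def _verify_jwt_stub(token: str) -> Optional[str]:
    # assumption: a real deployment verifies the JWT here; the stub grants nothing
    return None


def authenticate(authorization: Optional[str]) -> dict:
    """Models the @protect() ordering: a configured prefix selects the API-key
    path deterministically; anything else goes to the JWT path."""
    if not authorization or not authorization.startswith("Bearer "):
        return {"path": None, "user": None}
    token = authorization[len("Bearer "):].strip()
    if _matching_prefix(token):
        return {"path": "api_key", "user": validate_api_key(token)}
    return {"path": "jwt", "user": _verify_jwt_stub(token)}
```

Because the prefix check runs before any JWT parsing, a token such as `sst_...` never reaches the JWT verifier even if it is malformed as a JWT, which is the deterministic behaviour the PR describes; a wrong key with a valid prefix fails at the hash comparison and a revoked key fails at the `revoked` flag, both returning no user.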
