anuragKss opened a new issue, #38185:
URL: https://github.com/apache/superset/issues/38185

   ### Bug description
   
   We recently migrated from Superset v4 to v6. We are using the @superset-ui/embedded-sdk to embed a dashboard in a React application. The iframe successfully loads the Superset UI shell, but the network request to GET /api/v1/dashboard/{id}/datasets fails with a 403 FORBIDDEN ({"message": "Forbidden"}), causing the charts to fail to render.
   
   **Steps to Reproduce**

   1. Configure superset_config.py for embedding (CORS, SameSite=None, GUEST_ROLE_NAME).
   2. Create a custom read_only role.
   3. Assign granular datasource_access (IDs 1-11) and schema_access to the read_only role (since all_datasource_access behaves differently/is hidden in v6).
   4. Publish a dashboard and clear the "Allowed Domains" and Dashboard-level Roles.
   5. In Node.js, fetch an admin access token via /api/v1/security/login.
   6. Use the admin token to fetch a Guest Token via /api/v1/security/guest_token/ passing the embedded UUID.
   7. Pass the Guest Token to the React frontend using embedDashboard().
   
   **superset_config.py:**

   ```python
   SESSION_COOKIE_SECURE = True
   SESSION_COOKIE_SAMESITE = 'None'
   WTF_CSRF_ENABLED = False

   CORS_OPTIONS = {
       "supports_credentials": True,
       "allow_headers": ["*"],  # "*" wildcards assumed here and below; the rendered issue had stripped the asterisks
       "resources": ["*"],
       "expose_headers": "*",
       "origins": ["http://localhost:5173", "https://<SUPERSET_IP>:6443", "https://<OTHER_APP_IP>:6443"],
   }
   ENABLE_CORS = True
   HTTP_HEADERS = {"X-Frame-Options": "ALLOWALL"}
   FRAME_ANCESTORS = ["*"]

   FEATURE_FLAGS = {
       "EMBEDDED_SUPERSET": True,
   }

   # The Guest Role explicitly has datasource_access mapped to all required tables
   GUEST_ROLE_NAME = "read_only"

   # JWT Config (Causes conflicts between /login and /guest_token)
   JWT_ALGORITHM = "RS256"
   JWT_DECODE_ALGORITHMS = ["RS256"]
   with open("/opt/superset/certs/superset_rs256_signed_keys/jwt_private_key.pem", "r") as f:
       JWT_PRIVATE_KEY = f.read()
   with open("/opt/superset/certs/superset_rs256_signed_keys/jwt_public_key.pem", "r") as f:
       JWT_PUBLIC_KEY = f.read()
   ```
   
   **Node.js Token Fetching:**

   ```javascript
   import axios from "axios";

   // dashboardUUID: the embedded UUID taken from the dashboard's embed settings
   const loginResp = await axios.post(`${process.env.SUPERSET_URL}/api/v1/security/login`, {
     username: "admin", password: "password", provider: "db", refresh: true,
   });
   const supersetToken = loginResp.data.access_token;

   const guestTokenResp = await axios.post(
     `${process.env.SUPERSET_URL}/api/v1/security/guest_token/`,
     {
       resources: [{ type: "dashboard", id: dashboardUUID }],
       rls: [],
       user: { username: "read_only", first_name: "read_only", last_name: "read_only" },
     },
     { headers: { Authorization: `Bearer ${supersetToken}` } }
   );
   ```
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   master / latest-dev
   
   ### Python version
   
   3.9
   
   ### Node version
   
   16
   
   ### Browser
   
   Chrome
   
   ### Additional context
   
   _No response_
   
   ### Checklist
   
   - [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
   - [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
   - [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
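A stdlib-only way to read the claims of the guest token that /guest_token/ returns, before it is handed to embedDashboard(), is shown below; it is an added example, not code from the report or from Superset. It assumes the default HS256 guest-token signing (Superset's GUEST_TOKEN_JWT_SECRET / GUEST_TOKEN_JWT_ALGO, which is separate from the RS256 JWT_* settings above that govern /login) and the claim names `type`, `resources`, `rls_rules` and `exp`; a token that is not of type guest, that does not list the embedded dashboard UUID, or that has expired will be refused for the dashboard's datasets.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_guest_token(secret: str, claims: dict) -> str:
    """Constructed sample: HS256-sign a claims dict shaped like a guest token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def inspect_guest_token(token: str, dashboard_uuid: str,
                        secret: Optional[str] = None, now: Optional[float] = None) -> dict:
    """Report algorithm, guest type, dashboard scope, expiry and (optionally) signature."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    resources = claims.get("resources", [])
    findings = {
        "alg": header.get("alg"),
        "is_guest": claims.get("type") == "guest",  # assumed claim name/value
        "scoped_to_dashboard": any(
            r.get("type") == "dashboard" and str(r.get("id")) == dashboard_uuid for r in resources
        ),
        "expired": claims.get("exp", 0) <= now,
        "rls_rules": claims.get("rls_rules", []),
    }
    if secret is not None:
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        findings["signature_ok"] = hmac.compare_digest(expected, _b64url_decode(sig_b64))
    return findings
```

Feed it the real token and GUEST_TOKEN_JWT_SECRET from the server side only; a false `scoped_to_dashboard` or `is_guest` explains a 403 on the datasets endpoint before any role permissions are involved.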


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]