dosubot[bot] commented on issue #40423: URL: https://github.com/apache/superset/issues/40423#issuecomment-4536933170
<!-- Greeting --> Hi @jmaitrehenry! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team. <!-- Answer --> This is a known issue with Superset 6.1.0's MCP service. The root cause is that **per-request JWT authentication is not supported in v6.1.0** — the MCP routes are served by a FastMCP/ASGI sub-app that bypasses Flask's `@before_request` JWT middleware, so `g.user` is never set and `user_id` remains `None` [[1]](https://github.com/apache/superset/issues/40225). Without a valid user session, the RBAC permission check attempts to access `PermissionView` relationships (lazy-loaded by default), but since there's no properly bound SQLAlchemy session in this context, you get the `DetachedInstanceError`. **Fix/Workaround**: Set `MCP_DEV_USERNAME` in your config to delegate all MCP operations to a specific Superset user account: ```python MCP_DEV_USERNAME = "your-service-account-username" ``` This was confirmed by a maintainer as the only supported authentication path in 6.1.0 [[1]](https://github.com/apache/superset/issues/40225). Your JWT configuration (`MCP_AUTH_ENABLED`, `MCP_JWT_SECRET`, etc.) won't actually authenticate requests in this version because the middleware never fires for `/mcp/*` routes. **Important caveats**: - All MCP tool calls will execute as this single delegated account (collapses RLS and audit trail to one user) - The account needs sufficient FAB roles/permissions to access dashboards (at minimum an Admin or Alpha-level role for `list_dashboards`) - Per-request JWT→user mapping is expected to land in a future release The secondary `DBEventLogger.log()` error you're seeing is likely a cascading failure from the same issue — the logger tries to record the failed tool call but also can't resolve the user context. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=reply-with-mention&utm_term=apache%2Fsuperset).* --- Docs are dead. Just use [Dosu](https://dosu.dev?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-tagline&utm_term=apache%2Fsuperset). [](https://app.dosu.dev/response-feedback?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-feedback&utm_term=apache%2Fsuperset&message_id=0b9acc65-5fc9-4e39-8611-e2ff87acb8cb) [](https://github.dosu.com/apache/superset?utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-ask-repo&utm_term=apache%2Fsuperset) [](https://app.dosu.dev/signup?referrer=openSource&source=github-footer&utm_source=github&utm_medium=bot-comment&utm_campaign=github-comment-footer-20260415&utm_content=static-docs-share-team&utm_term=apache%2Fsuperset) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
