apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

How to authenticate with REST API #2488

Closed amancevice closed 7 years ago

amancevice commented 7 years ago

Make sure these boxes are checked before submitting your issue - thank you!

Superset version

0.17.1

Expected results

N/A

Actual results

N/A

Steps to reproduce

Sorry if this has been answered somewhere else, but is there any documentation on how to authenticate through the REST API?

Specifically, I'd like to be able to return JSON from the /superset/explore_json/ endpoint (copied from the UI slice view) using cURL (or something similar) but I get the following response when I do:

```json
{
  "message": "Access is Denied",
  "severity": "danger"
}
```

Thanks

mistercrunch commented 7 years ago

This is how we do it in the unit tests: https://github.com/airbnb/superset/blob/master/tests/base_tests.py#L127

But that may vary depending on the type of authentication you use.

slarrain commented 7 years ago

Hey @amancevice did you figure this out? I have this exact use case and was wondering if you solved it. Thanks!

amancevice commented 7 years ago

@slarrain I did not -- gave up & moved on to other things. Sorry!

andrewsali commented 6 years ago

For those still looking for some kind of solution - the following example seems to work:

```python
import requests
from bs4 import BeautifulSoup

# set up session for auth
s = requests.Session()
login_form = s.post("http://my_server/login")

# get Cross-Site Request Forgery protection token
soup = BeautifulSoup(login_form.text, 'html.parser')
csrf_token = soup.find('input', {'id': 'csrf_token'})['value']

# login the given session
s.post('http://my_server/login/', data=dict(username='admin', password='my_passwd', csrf_token=csrf_token))

# run API call
print(s.get('http://my_server/users/api').text)
```

alexjacquot commented 6 years ago

Is there documentation of the REST API?

mistercrunch commented 6 years ago

The part we get for free on modelviews through FAB is documented here: https://github.com/dpgaspar/Flask-AppBuilder/blob/master/docs/quickhowto.rst#exposed-methods

kalimuthu123 commented 5 years ago

I need authentication using JSON web tokens.

prgx-mrodri01 commented 4 years ago

For those still looking for some kind of solution - the following example seems to work:

```python
import requests
from bs4 import BeautifulSoup

# set up session for auth
s = requests.Session()
login_form = s.post("http://my_server/login")

# get Cross-Site Request Forgery protection token
soup = BeautifulSoup(login_form.text, 'html.parser')
csrf_token = soup.find('input', {'id': 'csrf_token'})['value']

# login the given session
s.post('http://my_server/login/', data=dict(username='admin', password='my_passwd', csrf_token=csrf_token))

# run API call
print(s.get('http://my_server/users/api').text)
```

I had to change `login_form = s.post("http://my_server/login")` to `login_form = s.get("http://my_server/login")` for this to work. Thanks!

pritypriya25 commented 3 years ago

The solution to the problem is pretty simple. Just hit the POST API "api/v1/security/login". Provide the JSON body with the following: { "password": "complex-password", "provider": "db", "refresh": true, "username": "admin" } The JWT token will be generated in the response.
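
The JWT flow described in the comment above, sketched with the Python standard library (an added example, not code posted in this thread or taken from Superset). The response field names `access_token` and `refresh_token`, the `/api/v1/security/refresh` call and the `SUPERSET_*` environment variable names are assumptions not stated on this page; the account is read from the environment so no password sits in the script.

```python
import json
import os
import urllib.request


def _call(url, method="GET", body=None, token=None, timeout=10):
    """Send one JSON request; urlopen raises HTTPError on 401/403 responses."""
    headers = {"Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS is verified by default
        return json.load(resp)


def login(base_url, username, password, provider="db"):
    """POST the JSON body from the comment above and return the issued tokens."""
    tokens = _call(f"{base_url}/api/v1/security/login", "POST", body={
        "username": username, "password": password,
        "provider": provider, "refresh": True,
    })
    # Assumption: the response carries "access_token" and "refresh_token".
    return tokens["access_token"], tokens.get("refresh_token")


def list_charts(base_url, access_token):
    """Call an API endpoint with the JWT as a Bearer token, no session cookie."""
    return _call(f"{base_url}/api/v1/chart/", token=access_token)


def refresh(base_url, refresh_token):
    """Trade the refresh token for a new access token once the old one expires."""
    out = _call(f"{base_url}/api/v1/security/refresh", "POST", token=refresh_token)
    return out["access_token"]


if __name__ == "__main__":
    # Hypothetical variable names; the values come from the environment.
    base = os.environ["SUPERSET_URL"]
    access, _ = login(base, os.environ["SUPERSET_USER"], os.environ["SUPERSET_PASSWORD"])
    print(list_charts(base, access))
```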

imanju commented 3 years ago

Hi pritypriya25, it's working for me. It generated a JWT token. How can I fetch a dashboard in Superset through the /dashboard/ endpoint? Can you please help me? Thank you.

pritypriya25 commented 3 years ago

@imanju you can check the Superset API. It provides APIs for all kinds of operations. https://superset.apache.org/docs/rest-api It also has a Swagger UI where you can check all the APIs.

cyanoboy commented 3 years ago

The solution to the problem is pretty simple. Just hit the POST API "api/v1/security/login". Provide the JSON body with the following: { "password": "complex-password", "provider": "db", "refresh": true, "username": "admin" } The JWT token will be generated in the response.

This can be used with default authentication. But I'm using a custom Security Manager to login and I don't have a password for the superset user (since it uses an external OAuth2 provider). How can I login to the APIs?

harshgadhia commented 3 years ago

I have a similar problem to @cyanoboy. I am also using a custom Security Manager (external OAuth2 provider). I couldn't find a way to get the JWT token to query the APIs.

I do see that the request body has a provider field:

```json
{
  "password": "complex-password",
  "provider": "db",
  "refresh": true,
  "username": "admin"
}
```

However, I cannot find the right provider to use for the custom Security Manager. What should I use when there is no username/password style db authentication?

Any help is highly appreciated. Thanks in advance!

dshaqra commented 2 years ago

I have the same issue and am wondering if it's just more straightforward to get the token from the OAuth provider directly and use it within Superset. It should work. I'm going to give it a try and see if it works.

nytai commented 2 years ago

I haven't really found a good way to authenticate non password based accounts against the rest api. So far only db and ldap work. What I have resorted to is creating a db based "service account" and using that for api actions

Synarcs commented 2 years ago

@nytai can this db-based service account work if we use auth_type as AUTH_Oauth? I assume the bearer token will be from the issuer-signed rs256 token. How can this be used with the API in Superset?

xneg commented 2 years ago

Faced this problem trying to access explore_json with a JWT token. This doesn't work because this endpoint is missing the @protected decorator. I want to make a PR to fix it (or receive feedback on why I shouldn't do so).

Mehdi-YC commented 2 years ago

Hello, I want to integrate Superset with an external existing service, but the problem is that users have to log in twice (one for the service and one for Superset). Can I bypass it with the JWT token?

did anyone face this before ?

xneg commented 2 years ago

@SAVE-POlNT we are doing exactly this thing now. But, of course, there are some pitfalls, and it also depends on the existing service. I don't think this topic matches this issue, but you can contact me directly so we can discuss your problem.

Mehdi-YC commented 2 years ago

@xneg I would like to. Can you please leave your Discord or your e-mail so I can contact you?

Synarcs commented 2 years ago

@xneg in Superset all the APIs are built on top of the Flask App Builder BaseApi, with all the security decorators borrowed from FAB. We tried to replicate some of the methods with our own FAB security views and security manager. Since we are using OAUTH, either we use the global rs256 session token signed from the IDP, or integrate vault by adding a custom decorator to bypass the default FAB security decorators and use this token to authenticate. @nytai correct me: currently we use hvac integrated with FAB security; however, is there any future plan to integrate the same in the security manager of Superset, or change the Superset API implementation in terms of security (flexibility to use custom decorators rather than the FAB ones)? Open to collaborating if any SIP is to be done regarding this in the future.

xneg commented 2 years ago

@SAVE-POlNT you can find my email in my profile.

xneg commented 2 years ago

@vedangparasnis yes, I know about FAB, but what I mean is that not all endpoints in Superset have the @protected decorator (from FAB), and this is a restriction on completing JWT integration.

Synarcs commented 2 years ago

@xneg, do you think it is a limitation of the AUTH_DB type in the Superset security manager? Correct me if I'm wrong: in other types, excluding Remote_user, the IDP session cookie bypasses this API security using the same global session token.

xneg commented 2 years ago

@vedangparasnis I think we misunderstand each other and sorry for misunderstanding. I was talking about OAuth authentication and using it to access endpoints.

cdmikechen commented 2 years ago

My company uses flask-oidc to support OAuth/OIDC tokens; maybe we can extend the Superset API to better support non-Flask-security authentication? And I suggest we'd better start a new discussion; this issue has been closed, so many people cannot take care of this issue.

lmingzhi commented 2 years ago

Thanks to andrewsali's comment on 18 Jan 2018, I finally figured out how to access the Superset REST API with Python code.

```python
import requests
from bs4 import BeautifulSoup

# http://192.168.100.120:8088/swagger/v1
superset_host = '192.168.100.120:8088'
username = 'YOUR_username'
password = 'YOUR_password'

# set up session for auth
s = requests.Session()
login_form = s.post(f"http://{superset_host}/login")
# get Cross-Site Request Forgery protection token
soup = BeautifulSoup(login_form.text, 'html.parser')
csrf_token = soup.find('input', {'id': 'csrf_token'})['value']
data = {
    'username': username,
    'password': password,
    'csrf_token': csrf_token
}
# login the given session
s.post(f'http://{superset_host}/login/', data=data)
print(dict(s.cookies))

url = f'http://{superset_host}/api/v1/chart/'
r = s.get(url)
print(r.json())
```