apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

Talisman Config not updated from superset_config.py #25570

Closed not1q84-1 closed 8 months ago

not1q84-1 commented 1 year ago

When setting content-security-policy options through the superset_config file these are not accepted during startup

I am running superset from scratch (3.0.0, installed via pipenv from pypi) and python3.10. My superset config file is set up as a dev environment.

How to reproduce the bug

  1. Go to superset_config and amend / change the talisman content-security policy with 3rd party websites like (I copied this also under TALISMAN_DEV_CONFIG):
    TALISMAN_CONFIG = {
        "content_security_policy": {
            "default-src": ["'self'"],
            "frame-src": ["'self'", "https://service.xxxx.com"],
            "img-src": ["'self'", "data:", "https://service.xxxx.com"],
            "worker-src": ["'self'", "blob:"],
            "connect-src": [
                "'self'",
                "https://api.mapbox.com",
                "https://events.mapbox.com",
            ],
            "object-src": "'none'",
            "style-src": [
                "'self'",
                "'unsafe-inline'",
                "https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css",
            ],
            "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
        },
        "content_security_policy_nonce_in": ["script-src"],
        "force_https": False,
    }
  2. Start superset
  3. Create markdown chart with img-src / frame-src pointing to third party website
 <center>
    <img width="20px" style="padding-bottom:5px;padding-top:10px" src="data:image/png;base64....">
    <br/>
    <img height="70px" src="https://service.xxxx.com/icons/Pfeil_oben_links.svg">
    <p style="font-size: 35px;font-weight:bold;padding-top:0px;padding-bottom:0px">-</p>
 </center>

  4. Load page
  5. Links are NOT loaded and browser console shows (directive in error message does NOT include changes to content-security-policy):
    Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data:".
  6. However, changing the config.py code directly can be used as a workaround:
    1. Change the superset/config.py file directly in the package directory.
    2. Repeat steps 2 & 4 with fully refreshing browser - content is loaded

Expected results

content-security-policy should be read from the superset_config.py file and be considered during startup

Actual results

settings are ignored and can only be changed in superset source code directly

suryag1988 commented 1 year ago

Even I face the same problem... Unable to load image file in Superset 3 dashboard.

basarix commented 1 year ago

Same here, but with the added bonus that including the TALISMAN_CONFIG block into my superset_config.py file (running a docker installation of 3.0.1) makes superset crash on boot with a load of python errors.

vglukhik commented 8 months ago

same here. Version 3.1.0

UPD. Resolved

rusackas commented 8 months ago

TALISMAN_CONFIG is in there by default now, so it shouldn't be crashing (we would hear a LOT about that). You should be able to set img-src to be 'self' data: <URL> and it should work. Closing this since it's a config issue rather than a bug, but happy to revisit if needed.

fzhan commented 6 months ago

@rusackas could you please kindly point to the manual where 'content_security_policy' and other TALISMAN_CONFIG kvs can be set using helm? I've got nowhere.

Thanks,

rusackas commented 6 months ago

I don't know if there is such a guide, actually. I also don't use Helm (I live in a luxurious world where @craig-rueda and @dpgaspar do the infra magic for Preset), but maybe @villebro or @nytai can suggest something. If this does get resolved, we'd love to see the addition of more details in the documentation if you're up for it (cc @sfirke).

sfirke commented 6 months ago

In general for every deployment method it would be nice if we added both instructions specific to that method for where to put superset_config.py (I have a PR open to make this clearer for PyPI) and a troubleshooting step for users trying to verify that file is getting picked up.

I have sometimes advised people to enable a feature flag, then look to see if that corresponding functionality is enabled in the application. But we can do better and this comes up a lot.

chrisvnimbus commented 3 months ago

I am unsure why this was closed as completed when the core issue was not addressed. Per the documentation of superset "All the parameters and default values defined in superset/config.py can be altered in your local superset_config.py". Yet as of this moment the Talisman configuration defined in the local superset_config pointed at through SUPERSET_CONFIG_PATH still does not override superset/config.py.

sfirke commented 3 months ago

@chrisvnimbus how are you deploying Superset? There isn't something specific to Talisman here but it sounds like your superset_config.py file is not placed where it can be picked up by the application upon startup.

chrisvnimbus commented 3 months ago

All my superset_config settings are transferred correctly, yet the Talisman configuration does not seem affected. Other overrides in the file such as SECRET_KEY and the SQLALCHEMY_DATABASE_URI are loaded correctly, so the issue is not with my config file. However, the web frontend seems unaffected when it comes to any specified content security policy defined therein.

sfirke commented 3 months ago

I have my TALISMAN_CONFIG in my superset_config.py with my other settings and it's all getting picked up fine. I'm on Superset v4.0.2 but this has worked since Talisman got introduced. So I don't think it's that this simply doesn't work inside Superset.

Let's see, want to try temporarily setting TALISMAN_ENABLED = False in your superset_config.py as a test? I'm just trying to think of things to try.

chrisvnimbus commented 3 months ago

Setting TALISMAN_ENABLED as false does log me the expected warning that no security policy is defined, yet the web interface still seems to be held to the standard security policy defined in the superset/config.py, much like the original poster of this topic experienced.

sfirke commented 3 months ago

So is this two problems, then? 1) You have set TALISMAN_ENABLED = False and got confirmation in the form of the warning, yet the default security policy is still applying. 2) The TALISMAN_CONFIG you specify in superset_config.py is not getting applied, despite being sure that this file's other settings are being honored.

What version of Superset is this? Do you see anything relevant in the logs upon startup? And https://github.com/apache/superset/blob/master/superset/initialization/__init__.py#L590 seems to be the relevant part of the codebase if you want to look for possible problems.

chrisvnimbus commented 3 months ago

This is the latest version of Superset, running from the composed docker image at apachesuperset.docker.scarf.sh/apache/superset:${TAG:-latest}. It is delivered the custom superset_config.py in a volume mounted to /app/configs, which is specified in the environment variable SUPERSET_CONFIG_PATH, for good measure also in CONFIG_PATH_ENV_VAR, and the mount path /app/configs is added to PYTHONPATH.

While the backend part of Superset grabs this file successfully and retrieves among other things the SECRET KEY and database connections from this, it seems the frontend related talisman configurations are not grabbed.

I am currently making a custom build from scratch and deploying the different containers separately, but it's still strange that the delivered 'fast start' compose yaml ends in a container where only part of superset accepts the overrides made in the local superset_config.

sfirke commented 3 months ago

Can you see a version number in the UI or from running a command in the container? If that version is 4.0.2 (the latest official release) I'm still baffled but if it's 0.0.0-dev the nightly build then perhaps an error has crept into Superset.

chrisvnimbus commented 3 months ago

It is in fact version 4.0.2.

brantian commented 2 months ago

For anyone still facing this, I had DEBUG=True in my Superset configs, which makes TALISMAN_DEV_CONFIG override TALISMAN_CONFIG:

        # Talisman
        talisman_enabled = self.config["TALISMAN_ENABLED"]
        talisman_config = (
            self.config["TALISMAN_DEV_CONFIG"]
            if self.superset_app.debug or self.config["DEBUG"]
            else self.config["TALISMAN_CONFIG"]
        )

https://github.com/apache/superset/blob/18c2376b5022afb9214314289636b0480081806a/superset/initialization/__init__.py#L617
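For anyone who wants to confirm, before restarting a deployment, which Talisman configuration Superset will actually apply and whether a given image or frame URL would pass the resulting policy, here is an added Python example. It is not Superset's code: the selection rule copies the DEBUG / TALISMAN_DEV_CONFIG logic quoted above, the two config dicts are constructed stand-ins (the real TALISMAN_DEV_CONFIG defaults are not reproduced), the page origin https://superset.example and the helper names are assumptions, and the CSP matcher is a simplified model of browser source matching (scheme, host, path prefix, 'self', 'none').

```python
"""Added example (not Superset's own code): work out which Talisman config
Superset would apply and test a URL against the resulting CSP, offline."""
from urllib.parse import urlparse

# Constructed stand-in for a superset_config.py. DEBUG=True is the setting
# that, per the selection logic quoted in the thread, makes TALISMAN_DEV_CONFIG win.
SAMPLE_CONFIG = {
    "DEBUG": True,
    "TALISMAN_ENABLED": True,
    "TALISMAN_CONFIG": {
        "content_security_policy": {
            "default-src": ["'self'"],
            "img-src": ["'self'", "data:", "https://service.xxxx.com"],
            "frame-src": ["'self'", "https://service.xxxx.com"],
            "object-src": "'none'",
        },
    },
    # Constructed dev config; Superset's real default is not reproduced here.
    "TALISMAN_DEV_CONFIG": {
        "content_security_policy": {
            "default-src": ["'self'"],
            "img-src": ["'self'", "data:"],
            "object-src": "'none'",
        },
    },
}

PAGE_ORIGIN = "https://superset.example"  # assumed origin of the Superset UI
IMAGE_URL = "https://service.xxxx.com/icons/Pfeil_oben_links.svg"


def effective_talisman_config(config: dict, app_debug: bool = False) -> dict:
    """Mirror of the selection rule quoted from superset/initialization/__init__.py."""
    if not config.get("TALISMAN_ENABLED", True):
        return {}
    if app_debug or config.get("DEBUG", False):
        return config["TALISMAN_DEV_CONFIG"]
    return config["TALISMAN_CONFIG"]


def csp_header(csp: dict) -> str:
    """Serialize a content_security_policy dict into a header value."""
    parts = []
    for directive, sources in csp.items():
        if isinstance(sources, str):
            sources = [sources]
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp(header: str) -> dict:
    """Parse a header value (e.g. the one in a browser console error) into a dict."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit loading `url` from `page_origin`?"""
    src = source.strip("'")
    u = urlparse(url)
    if src in ("none", "unsafe-inline", "unsafe-eval", "strict-dynamic") or \
            src.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
        return False  # keywords never match a fetched URL
    if src == "self":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src.endswith(":"):  # scheme-source such as data: or blob:
        return u.scheme == src[:-1]
    if src.startswith("*."):  # wildcard host-source
        return u.netloc.endswith(src[1:])
    s = urlparse(src if "://" in src else f"//{src}")
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.path and not u.path.startswith(s.path):
        return False  # host-source with a path only matches that path prefix
    return u.netloc == s.netloc


def url_allowed(csp: dict, directive: str, url: str, page_origin: str) -> bool:
    """Check `url` against `directive`, falling back to default-src as browsers do."""
    if not csp:
        return True  # no policy at all (Talisman disabled): nothing is blocked
    sources = csp.get(directive, csp.get("default-src", []))
    if isinstance(sources, str):
        sources = [sources]
    return any(source_allows(s, url, page_origin) for s in sources)


def diagnose(config: dict, directive: str, url: str) -> dict:
    """Report which config is active, the header it yields, and whether url passes."""
    active = effective_talisman_config(config)
    header = csp_header(active.get("content_security_policy", {}))
    return {
        "dev_config_active": active is config.get("TALISMAN_DEV_CONFIG"),
        "header": header,
        "allowed": url_allowed(parse_csp(header), directive, url, PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for debug in (True, False):  # shows the DEBUG flag flipping the result
        print(f"DEBUG={debug}:", diagnose(dict(SAMPLE_CONFIG, DEBUG=debug), "img-src", IMAGE_URL))
```

With DEBUG=True the report shows the dev policy (`img-src 'self' data:`) and the third-party image is refused, matching the console error in the original post; with DEBUG=False the same URL passes. The same `parse_csp` / `url_allowed` pair can be run on the header string copied out of the browser error to check a URL without restarting anything.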