fix(helm): remove config overrides for CSRF #22716

reidab · 2023-01-13T06:32:25Z

SUMMARY

This PR removes the WTF_ CSRF-related overrides from the configuration file generated by the Helm chart, allowing the defaults from config.py to be used.

superset/superset/config.py

Lines 249 to 257 in 2ccdb72

    
           # Flask-WTF flag for CSRF 
        
           WTF_CSRF_ENABLED = True 
        
           # Add endpoints that need to be exempt from CSRF protection 
        
           WTF_CSRF_EXEMPT_LIST = [ 
        
               "superset.views.core.log", 
        
               "superset.views.core.explore_json", 
        
               "superset.charts.data.api.data", 
        
           ]

As noted in #22715, there may be better ways to handle the CSRF exclusion for these three routes outside of the config file to prevent this same mistake from being made in other context. This is just the simplest solution that solves the issue with the Helm chart clearing the list.

TESTING INSTRUCTIONS

Deploy a copy of Superset using the Helm chart
Navigate around the UI
Confirm that calls to /superset/log are returning 200 instead of 302 redirects to /login

ADDITIONAL INFORMATION

Has associated issue: Helm chart overrides default WTF_CSRF_EXEMPT_LIST with blank array #22715
Required feature flags:
Changes UI
Includes DB Migration (follow approval process in SIP-59)
- Migration is atomic, supports rollback & is backwards-compatible
- Confirm DB migration upgrade and downgrade tested
- Runtime estimates and downtime expectations provided
Introduces new feature or API
Removes existing feature or API

craig-rueda

You need to re-generate the helm README as the version bump requires this

This prevents the configuration generated by the helm chart from overriding the default WTF_ configuration values in config.py. Without these default values, calls to three logging and chart data endpoints will fail with CSRF errors.

reidab · 2023-01-13T18:26:52Z

You need to re-generate the helm README as the version bump requires this

@craig-rueda just re-generated the README and updated the branch.

reidab requested review from craig-rueda, dpgaspar and villebro as code owners January 13, 2023 06:32

pull-request-size bot added the size/XS label Jan 13, 2023

reidab force-pushed the rm-wtf-overrides-from-helm-config branch from 625b170 to 4a6cfaf Compare January 13, 2023 08:09

craig-rueda approved these changes Jan 13, 2023

View reviewed changes

fix(helm): remove config overrides for CSRF

de3407d

This prevents the configuration generated by the helm chart from overriding the default WTF_ configuration values in config.py. Without these default values, calls to three logging and chart data endpoints will fail with CSRF errors.

reidab force-pushed the rm-wtf-overrides-from-helm-config branch from 4a6cfaf to de3407d Compare January 13, 2023 18:26

pull-request-size bot added size/S and removed size/XS labels Jan 13, 2023

craig-rueda merged commit 85da86d into apache:master Jan 13, 2023

mistercrunch added the 🚢 2.1.3 label Feb 18, 2024

mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 2.1.0 and removed 🚢 2.1.3 labels Mar 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(helm): remove config overrides for CSRF #22716

fix(helm): remove config overrides for CSRF #22716

reidab commented Jan 13, 2023

craig-rueda left a comment

reidab commented Jan 13, 2023

	# Flask-WTF flag for CSRF
	WTF_CSRF_ENABLED = True

	# Add endpoints that need to be exempt from CSRF protection
	WTF_CSRF_EXEMPT_LIST = [
	"superset.views.core.log",
	"superset.views.core.explore_json",
	"superset.charts.data.api.data",
	]

fix(helm): remove config overrides for CSRF #22716

fix(helm): remove config overrides for CSRF #22716

Conversation

reidab commented Jan 13, 2023

SUMMARY

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

craig-rueda left a comment

Choose a reason for hiding this comment

reidab commented Jan 13, 2023