Bug description

After calling the charts and datasets endpoints, the api/v1/chart/data API returns a 403 Forbidden error. Immediately afterwards the main application on port 8088 shows "access denied" and logs out, and the embedded React application gets a 403 error. Why does this happen? Please help me with this.

Image

superset_config.py

import logging import os

from celery.schedules import crontab from flask_caching.backends.filesystemcache import FileSystemCache

# Root logger (no name given); used at the bottom of the file to report which config was loaded.
logger = logging.getLogger(None)

# Connection pieces for the Superset metadata database, all read from the
# environment; any variable that is unset yields None (and a literal "None"
# once interpolated into the URI below).
_env = os.getenv
DATABASE_DIALECT = _env("DATABASE_DIALECT")
DATABASE_USER = _env("DATABASE_USER")
DATABASE_PASSWORD = _env("DATABASE_PASSWORD")
DATABASE_HOST = _env("DATABASE_HOST")
DATABASE_PORT = _env("DATABASE_PORT")
DATABASE_DB = _env("DATABASE_DB")

# Same shape for the examples database; it shares DATABASE_DIALECT.
EXAMPLES_USER = _env("EXAMPLES_USER")
EXAMPLES_PASSWORD = _env("EXAMPLES_PASSWORD")
EXAMPLES_HOST = _env("EXAMPLES_HOST")
EXAMPLES_PORT = _env("EXAMPLES_PORT")
EXAMPLES_DB = _env("EXAMPLES_DB")

def _sqlalchemy_uri(user, password, host, port, database):
    """Assemble ``dialect://user:password@host:port/database`` for SQLAlchemy.

    Uses the module-level DATABASE_DIALECT. No URL-quoting is applied, so a
    password containing characters such as '@' or '/' may produce a URI that
    does not parse as intended.
    """
    return f"{DATABASE_DIALECT}://{user}:{password}@{host}:{port}/{database}"


# Superset metadata database.
SQLALCHEMY_DATABASE_URI = _sqlalchemy_uri(
    DATABASE_USER, DATABASE_PASSWORD, DATABASE_HOST, DATABASE_PORT, DATABASE_DB
)

# Example datasets database (same dialect, its own credentials).
SQLALCHEMY_EXAMPLES_URI = _sqlalchemy_uri(
    EXAMPLES_USER, EXAMPLES_PASSWORD, EXAMPLES_HOST, EXAMPLES_PORT, EXAMPLES_DB
)

# Redis coordinates shared by Celery and the caches, with the compose-stack
# defaults; the DB numbers are kept as strings and interpolated into URLs below.
REDIS_HOST = os.environ.get("REDIS_HOST", "redis")
REDIS_PORT = os.environ.get("REDIS_PORT", "6379")
REDIS_CELERY_DB = os.environ.get("REDIS_CELERY_DB", "0")
REDIS_RESULTS_DB = os.environ.get("REDIS_RESULTS_DB", "1")

# SQL Lab async query results are stored on the local filesystem at this path
# (it has to be reachable by both the web and the worker containers).
_sqllab_results_dir = "/app/superset_home/sqllab"
RESULTS_BACKEND = FileSystemCache(_sqllab_results_dir)

# Flask-Caching settings for Superset's metadata cache, backed by Redis.
CACHE_CONFIG = dict(
    CACHE_TYPE="RedisCache",
    CACHE_DEFAULT_TIMEOUT=300,
    CACHE_KEY_PREFIX="superset_",
    CACHE_REDIS_HOST=REDIS_HOST,
    CACHE_REDIS_PORT=REDIS_PORT,
    CACHE_REDIS_DB=REDIS_RESULTS_DB,
)
# The chart-data cache reuses the very same dict object (an alias, not a copy),
# and therefore the same Redis DB that CeleryConfig uses as its result backend.
DATA_CACHE_CONFIG = CACHE_CONFIG

class CeleryConfig:
    """Celery settings handed to Superset through CELERY_CONFIG.

    Broker and result backend both live in the Redis instance configured above,
    in separate logical databases (REDIS_CELERY_DB / REDIS_RESULTS_DB).
    """

    broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"
    # Task modules the worker imports on start-up.
    imports = (
        "superset.sql_lab",
        "superset.tasks.scheduler",
        "superset.tasks.thumbnails",
        "superset.tasks.cache",
    )
    result_backend = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_RESULTS_DB}"
    # One message prefetched per worker process; tasks are acknowledged when
    # received rather than after they finish.
    worker_prefetch_multiplier = 1
    task_acks_late = False
    # NOTE(review): the empty minute/hour strings on the first schedule (and the
    # "" entries in CORS_OPTIONS further down) look like a "*" that was stripped
    # when the file was pasted; an empty crontab field is unlikely to be a valid
    # schedule, so confirm against the real file.
    beat_schedule = {
        "reports.scheduler": dict(
            task="reports.scheduler",
            schedule=crontab(minute="", hour=""),
        ),
        "reports.prune_log": dict(
            task="reports.prune_log",
            schedule=crontab(minute=10, hour=0),
        ),
    }

# Superset reads its Celery settings from this name; the class itself is
# handed over, not an instance.
CELERY_CONFIG = CeleryConfig

# Feature flags: alerts/reports, the embedded-dashboard endpoints, and chart
# data over GET (query parameters then travel in URLs, which proxies and
# browser history may record).
FEATURE_FLAGS = dict.fromkeys(
    ("ALERT_REPORTS", "EMBEDDED_SUPERSET", "ALLOW_DATA_QUERY_GET"), True
)
# Alerts/reports run but nothing is delivered.
ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
# The headless browser used for screenshots reaches Superset via the
# "superset" hostname; the user-friendly variant is kept identical.
WEBDRIVER_BASEURL = "http://superset:8088/"
WEBDRIVER_BASEURL_USER_FRIENDLY = WEBDRIVER_BASEURL
SQLLAB_CTAS_NO_LIMIT = True
# This switches CSRF protection off for every state-changing endpoint, not only
# for the embedding flow. Fine for a local dev stack; for anything exposed to
# real users keep it on and exempt only what the embedding flow needs.
WTF_CSRF_ENABLED = False

ENABLE_CORS = True
ALLOW_CORS = True
# NOTE(review): "allow_headers" and "resources" each hold a single empty
# string, which matches nothing; if they were "*" before the paste dropped the
# character, every header is accepted on every route, with credentials.
# Browsers send the Origin header without a trailing slash, so the two "/"
# entries below can never match a request, and "http://localhost:3000" is
# listed twice.
CORS_OPTIONS = {
    "supports_credentials": True,
    "allow_headers": [""],
    "resources": [""],
    "origins": [
        "http://localhost:3000",
        "http://localhost:8088",
        "http://localhost:8888",
        "http://localhost:3000/",
        "http://10.100.170.9:3000/",
    ],  # replace the port-number as per your application.
}
# "ALLOWALL" is not a defined X-Frame-Options value; browsers ignore a value
# they do not recognise, so this amounts to no framing restriction at all.
# A Content-Security-Policy frame-ancestors directive naming the embedding
# origins is the supported way to let only the React app frame Superset.
OVERRIDE_HTTP_HEADERS = {"X-Frame-Options": "ALLOWALL"}
# Disables all Talisman-managed security headers (CSP included).
TALISMAN_ENABLED = False

# Role whose permissions every guest token inherits. Gamma grants broad read
# access across the instance; a dedicated role carrying only the dashboard and
# chart permissions the embedded view needs is a tighter choice.
GUEST_ROLE_NAME = "Gamma"

# Local overrides: if a superset_config_docker module is importable it is merged
# in wholesale (star import), so anything it defines wins over the values above.
# Note that any ImportError raised *inside* that module (a missing dependency,
# a typo in one of its imports) is caught by the same handler and silently
# turns into "use defaults".
try:
    import superset_config_docker
    from superset_config_docker import *  # noqa

    logger.info(
        f"Loaded your Docker configuration at [{superset_config_docker.__file__}]"
    )
except ImportError:
    logger.info("Using default Docker config...")

My React application:

"use client";

import React, { useEffect } from "react"; import axios from "axios"; import { embedDashboard } from "@superset-ui/embedded-sdk";

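const supersetUrl = "http://localhost:8088";
// Base of the security API. The paste had lost the backticks here, which
// makes `${...}` a syntax error outside a template literal; restored to the
// same form the guest_token call below uses.
const supersetApiUrl = `${supersetUrl}/api/v1/security`;
// UUID of the dashboard to embed.
const dashboardId = "af70a229-7d8e-4917-8ce3-795ca257fa85";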

// Page component that embeds a Superset dashboard via the embedded SDK.
//
// Review notes on this flow (the token handling is the part most likely to be
// behind the 403s reported in this issue):
//  - Steps 1-2 run in the browser with a hard-coded username/password. Anyone
//    who can load the page can read those credentials and the access token,
//    which carries the full permissions of that account (enough to mint guest
//    tokens with any RLS clause). Guest tokens are meant to be issued by a
//    trusted backend that holds the service credentials; the browser should
//    only ever receive the short-lived guest token.
//  - The RLS clause is chosen here by client code, so the tenant filter is
//    under the control of whoever runs the page; derive it server-side from
//    the authenticated user instead.
//  - fetchGuestToken hands back the same token forever; see the note at the
//    embedDashboard call.
const DashboardPage = () => {
  useEffect(() => {
    async function getToken() {
      try {
        /*** Step 1: Log in with a service account ***/
        const loginBody = {
          password: "admin",
          provider: "db",
          refresh: true,
          username: "sracharts",
        };
        // NOTE(review): the URL argument below lost its backticks in the
        // paste (compare the guest_token call, which still has them).
        const { data } = await axios.post(
          ${supersetApiUrl}/login,
          loginBody,
          {
            headers: { "Content-Type": "application/json" },
            withCredentials: true,
          }
        );
        const accessToken = data.access_token;
        // Logging a bearer token puts it in the browser console and in any
        // log collector that captures console output.
        console.log("Access Token:", accessToken);

        /*** Step 2: Fetch Guest Token ***/
        // The clause is applied as-is to the dashboard's datasets; a dataset
        // without a customer_id column will fail at query time (see the
        // UndefinedColumn error later in the thread).
        const guestTokenBody = JSON.stringify({
          resources: [{ type: "dashboard", id: dashboardId }],
          rls: [{"clause": "customer_id=4"}],
          user: { username: "sracharts", first_name: "Sra", last_name: "Application" },
        });

        const guestTokenResponse = await axios.post(
          `${supersetApiUrl}/guest_token/`,
          guestTokenBody,
          { headers: { "Content-Type": "application/json", Authorization: `Bearer ${accessToken}` },  withCredentials: true, }
        );
        const guestToken = guestTokenResponse.data.token;
        // Same concern as above: the guest token is a credential too.
        console.log("Guest Token:", guestToken);

        /*** Step 3: Embed Dashboard ***/
        const mountPoint = document.getElementById("superset-container");
        if (!mountPoint) {
          console.error("Error: mountPoint is null.");
          return;
        }

        console.log('mount points')

        embedDashboard({
          id: dashboardId,
          supersetDomain: supersetUrl,
          mountPoint,
          // NOTE(review): this returns the token captured above on every call.
          // The SDK is expected to call fetchGuestToken again to refresh the
          // guest token before it expires (the server-side lifetime is short,
          // minutes by default); with a fixed value the iframe keeps using an
          // expired token and its chart/data requests are rejected with 403,
          // which matches the symptom described at the top of this issue.
          // Fetch a fresh token from a backend endpoint on each call instead.
          fetchGuestToken: () => guestToken,
          dashboardUiConfig: {
            filters: { expanded: true },
            urlParams: { standalone: 3 },
          },

        });

        /*** Step 4: Adjust Iframe Styles ***/
        // Best-effort: the SDK inserts the iframe asynchronously, so this
        // waits a fixed second and silently does nothing if it is not there yet.
        setTimeout(() => {
          const iframe = document.querySelector("iframe");

          if (iframe) {
            iframe.style.width = "100%";
            iframe.style.minHeight = "100vh";
          }
        }, 1000);
      } catch (error) {
        console.error("Error fetching token:", error);
      }
    }

    getToken();

  }, []);

  // NOTE(review): the JSX markup was lost in the paste; the rendered tree has
  // to contain an element with id "superset-container" for the
  // getElementById lookup in Step 3 to succeed.
  return (

    Embedded Superset Dashboard

  );
};

export default DashboardPage;

Comment From: dosubot[bot]

Hey @Kranthi32! How's it going? If you need help with a bug, question, or becoming a contributor, I'm here to assist you.

I found a similar issue that was resolved, which might help you with the 403 Forbidden error you're encountering. The solution involves ensuring that the dashboardID is included in the form_data object when accessing the api/v1/chart/data endpoint. You can achieve this by adding the following lines of code in your React application:

const dashboardInfo = useSelector(state => state.dashboardInfo);
formData.dashboardId = dashboardInfo.id;

This fix addresses the issue where the dashboardID was not being included in the form_data object after the <Charts/> component refactor, which caused permission errors [1].

Additionally, ensure that your CORS configuration is correctly set up to allow requests from the domain of your React application. You have already enabled CORS and specified the allowed origins, which is a good step. Make sure that the ENABLE_CORS and ALLOW_CORS settings are correctly configured in your superset_config.py file [2].

Lastly, verify that the "Gamma" role has all the required permissions to access the necessary Superset API functions. The permissions needed are:

  • can_csv on Superset
  • can_dashboard on Superset
  • can_explore on Superset
  • can_share_chart on Superset
  • can_share_dashboard on Superset
  • can_explore_json on Superset
  • can_userinfo on UserDBModelView
  • can_view_chart_as_table on Dashboard
  • can_view_query on Dashboard [3].

To continue talking to Dosu, mention @dosu.



Comment From: Kranthi32

The changes are not in the 4.1 tag; the issue is still there.

Comment From: Kranthi32

Please help me, I am new to Superset. How can I resolve this? I am using the 4.1.1 tag. @mostopalove, can you please share your steps to resolve this?

Comment From: Kranthi32

I am getting this error with the embedding code on version 4.1.2:

customer_id=4) GROUP BY year, region superset_app | LIMIT 50000 on schema public failed superset_app | Traceback (most recent call last): superset_app | File "/app/superset/connectors/sqla/models.py", line 1761, in query superset_app | df = self.database.get_df( superset_app | File "/app/superset/models/core.py", line 677, in get_df superset_app | self.db_engine_spec.execute(cursor, sql_, self) superset_app | File "/app/superset/db_engine_specs/base.py", line 1845, in execute superset_app | raise cls.get_dbapi_mapped_exception(ex) from ex superset_app | File "/app/superset/db_engine_specs/base.py", line 1841, in execute superset_app | cursor.execute(query) superset_app | psycopg2.errors.UndefinedColumn: column "customer_id" does not exist superset_app | LINE 4: WHERE (customer_id=4) AND year >= TO_TIMESTAMP('1960-01-01 0... superset_app | ^ superset_app | superset_app | 2025-03-27 09:58:18,468:WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped superset_app | 2025-03-27 09:58:18,484:DEBUG:superset.stats_logger:[stats_logger] (incr) ChartDataRestApi.data.warning superset_app | 2025-03-27 09:58:18,484:DEBUG:superset.stats_logger:[stats_logger] (timing) ChartDataRestApi.data.time | 1100.3494760007015 superset_app | 172.18.0.1 - - [27/Mar/2025:09:58:

Comment From: rusackas

Maybe @Vitor-Avila has some idea here, but I'm wondering if this is a bug or a config issue (token life, RBAC, or otherwise). I'm not sure how we'd reproduce this.

Comment From: Vitor-Avila

the latest error: psycopg2.errors.UndefinedColumn: column "customer_id" does not exist is likely coming from the RLS rules configured for the guest token. The sample SQL there LINE 4: WHERE (customer_id=4) suggests that the guest token might have an RLS rule defined as customer_id=4 and likely this dataset does not have this column.

You can update the RLS configuration to specify the dataset that should receive this condition.

Comment From: rusackas

Did the above comment help here? I'm assuming so based on the silence. Let us know if we can close this one out!