Bug description
On my local server I am checking http://localhost:8088/api/v1/security/roles/ and I am getting it, whereas for the production instance, which I am running on clusters, I am not getting any security roles API exposed. What might be the issue? I checked on Swagger also, and I found the local security role APIs are coming, whereas in the production instance they are not coming. Is anything missing in my configuration?
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
The /api/v1/security/roles/ endpoint will only appear in Swagger and be accessible if certain conditions are met. In production, check that FAB_ADD_SECURITY_API is set to True (this is the default, but it may be overridden in superset_config.py or via environment variables), and that FAB_API_SWAGGER_UI is also True if you want it to show in Swagger. After changing these, you must run superset init in your production environment for the API to be registered (source).
Also, make sure your user has the 'list_roles' permission (typically only Admins). If the config and permissions are correct but the endpoint is still missing, compare your local and production superset_config.py and environment variables for differences, and check for any custom security manager overrides or deployment issues that might affect API registration (source).
If you still don't see the endpoint, review your production logs for errors during startup related to API registration. Let me know if you need help checking any of these!
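One way to do the local-versus-production `superset_config.py` comparison suggested in the comment above, as an added example that is not from the thread or from Superset. It reads both files with `ast` instead of importing them, so nothing in the config is executed; the sample file contents, the `ENABLE_SECURITY_API` environment variable and `MySecurityManager` are constructed for illustration.

```python
import ast

# Settings the thread names as affecting whether /api/v1/security/roles/ is registered.
WATCHED_KEYS = ("FAB_ADD_SECURITY_API", "FAB_API_SWAGGER_UI", "CUSTOM_SECURITY_MANAGER")


def read_settings(config_source):
    """Return {NAME: value} for top-level NAME = ... assignments, without executing the file."""
    settings = {}
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id.isupper():
                try:
                    settings[target.id] = ast.literal_eval(node.value)
                except (ValueError, TypeError):
                    # Not a literal (class reference, environment lookup): keep the
                    # expression text so the reviewer sees it is decided at runtime.
                    settings[target.id] = ast.unparse(node.value)
    return settings


def diff_watched(local_source, prod_source, keys=WATCHED_KEYS):
    """Return {key: (local_value, prod_value)} for watched keys whose values differ."""
    local, prod = read_settings(local_source), read_settings(prod_source)
    return {
        key: (local.get(key, "<unset>"), prod.get(key, "<unset>"))
        for key in keys
        if local.get(key, "<unset>") != prod.get(key, "<unset>")
    }


# Constructed sample files (hypothetical, not taken from the issue).
LOCAL_CONFIG = """
FAB_ADD_SECURITY_API = True
FAB_API_SWAGGER_UI = True
"""
PROD_CONFIG = """
import os
FAB_API_SWAGGER_UI = True
FAB_ADD_SECURITY_API = os.environ.get("ENABLE_SECURITY_API", "false") == "true"
CUSTOM_SECURITY_MANAGER = MySecurityManager
"""

if __name__ == "__main__":
    for key, (local_value, prod_value) in diff_watched(LOCAL_CONFIG, PROD_CONFIG).items():
        print(f"{key}: local={local_value!r} production={prod_value!r}")
```

A value reported as expression text rather than `True` or `False` depends on the runtime environment, so check the matching environment variable on the production pods as well.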
Comment From: Nagarajkalasagonda
@dosu. Can you give me an example of how to configure FAB_ADD_SECURITY_API?
Can you send a sample config file?
I want to understand exactly where I need to add it.
Comment From: dosubot[bot]
To enable the security roles API in Superset, add this line to your superset_config.py file:
```python
FAB_ADD_SECURITY_API = True
```
After saving the file, run superset init and restart your Superset server for the change to take effect. This will expose additional security endpoints (like /api/v1/security/roles/) and make them visible in Swagger UI if you have FAB_API_SWAGGER_UI enabled.
Note: This API exposes sensitive endpoints, so make sure only trusted users have the necessary permissions to access them.
Reference | Release notes
Comment From: Nagarajkalasagonda
@dosu. Can I get any reference .py file with all required configuration?
Comment From: dosubot[bot]
Here's a reference superset_config.py with the most common and required settings, including those for enabling the security roles API and Swagger UI. You can use this as a starting point and customize it for your environment:
```python
# superset_config.py

# Enable the Flask-AppBuilder security REST API (required for /api/v1/security/roles/)
FAB_ADD_SECURITY_API = True

# Enable Swagger UI for API documentation (default: True)
FAB_API_SWAGGER_UI = True

# Example: Set your database URI (update as needed)
SQLALCHEMY_DATABASE_URI = "sqlite:////app/superset.db"

# Example: Secret key for session encryption (change this in production)
SECRET_KEY = "your-secret-key"

# Enable server-side sessions (optional, for extra security)
SESSION_SERVER_SIDE = True

# Content Security Policy (CSP) settings (recommended for production)
TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'unsafe-inline'"],
        # Add other directives as needed
    },
    # "force_https": True,  # Uncomment if you want to enforce HTTPS
}

# Example: Feature flags (customize as needed)
FEATURE_FLAGS = {
    "ALERT_REPORTS": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
}

# Example: Cache configuration (customize as needed)
CACHE_CONFIG = {
    "CACHE_TYPE": "SimpleCache",
}

# Example: Celery configuration for async tasks (customize as needed)
class CeleryConfig:
    broker_url = "redis://localhost:6379/2"
    result_backend = "redis://localhost:6379/3"
    imports = ("superset.sql_lab",)
    concurrency = 1

CELERY_CONFIG = CeleryConfig

# Add any other custom settings below
```
The most important lines for your use case are `FAB_ADD_SECURITY_API = True` and `FAB_API_SWAGGER_UI = True`; these ensure the security roles API is enabled and visible in Swagger UI. For more details and advanced options, see the official security config docs and the integration test config example.
After editing your config, run `superset init` and restart the server for changes to take effect.
Comment From: rusackas
Let us know if the bot was right (I hope so) :D