Bug description

Hi, I have a local instance of Superset on my machine, and it has a bug where a user's role is reset to 4 (Gamma) after logging out. I have tried editing the user's role directly in the table ab_user_role inside the Postgres DB and editing it in the UI. My Superset instance is integrated with Keycloak for SSO. Any idea what the cause of this bug is and how to fix it? And what is the correct way to promote a user to the Admin role?

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

I don't know

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

The issue of a user's role resetting to Gamma after logging out when using SSO with Superset and Keycloak is likely due to the default role assignment settings in Superset. When a user logs in via SSO, their role is determined by the AUTH_USER_REGISTRATION_ROLE setting or the AUTH_ROLES_MAPPING if group-to-role mapping is configured.

To fix this bug and correctly promote a user to the Admin role, you should ensure that the AUTH_ROLES_MAPPING is correctly set up to map the appropriate OAuth groups to the desired Superset roles. Here is how you can configure it:

  1. Set up Role Mapping:

Ensure that your superset_config.py includes the correct mapping of OAuth groups to Superset roles. For example:

```python
AUTH_ROLES_MAPPING = {
    "superset_users": ["Gamma", "Alpha"],
    "superset_admins": ["Admin"],
}
```

This configuration maps the OAuth group superset_admins to the Superset role Admin.

  2. Enable Role Syncing:

To ensure that roles are synced at each login, set AUTH_ROLES_SYNC_AT_LOGIN to True:

```python
AUTH_ROLES_SYNC_AT_LOGIN = True
```

  3. Check User Registration Role:

Ensure that the AUTH_USER_REGISTRATION_ROLE is set to a role that makes sense for new users who do not belong to any mapped group:

```python
AUTH_USER_REGISTRATION_ROLE = "Public"
```

By configuring these settings, you can ensure that users are assigned the correct roles based on their OAuth group membership, and that these roles are maintained across sessions [1].

To continue talking to Dosu, mention @dosu.


Comment From: hainenber

Hi there, have you followed Dosu bot's recommendation, and if that's the case, how goes it?

Comment From: sfirke

Yes, I think Dosu is on the right track, kind of. I would put it like this: if your user roles are changing after logging out, when using SSO, and you don't want that, then set AUTH_ROLES_SYNC_AT_LOGIN = False in your config.

I use SSO groups to populate user roles upon first registration but I have some overwrites and so I have this set to False in my org's config.

If that's not a satisfactory resolution, please reply with more info and we can look at reopening this. I'll close for now since I believe this is resolved.
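
A small model of the role resolution that Dosu's configuration keys and sfirke's AUTH_ROLES_SYNC_AT_LOGIN = False advice describe, added here as an illustration and not Superset's or Flask-AppBuilder's own code; the function names, the constructed scenario and the choice of Gamma as the registration role are assumptions. It shows why a role granted directly in the database survives the next SSO login only when sync is off, and why a user whose IdP groups map to nothing ends up with just the registration role.

```python
# Added illustration (not Superset/Flask-AppBuilder code): a simplified model
# of how an SSO login combines AUTH_ROLES_MAPPING, AUTH_USER_REGISTRATION_ROLE
# and AUTH_ROLES_SYNC_AT_LOGIN. All names below are assumptions.

AUTH_ROLES_MAPPING = {
    "superset_users": ["Gamma", "Alpha"],
    "superset_admins": ["Admin"],
}
AUTH_USER_REGISTRATION_ROLE = "Gamma"  # constructed: matches "reset to Gamma"


def roles_from_groups(groups, mapping=AUTH_ROLES_MAPPING,
                      registration_role=AUTH_USER_REGISTRATION_ROLE):
    """Roles the IdP groups entitle the user to, plus the registration role."""
    roles = set()
    for group in groups:
        roles.update(mapping.get(group, []))  # unmapped groups contribute nothing
    roles.add(registration_role)
    return sorted(roles)


def login(db_roles, groups, sync_at_login, **kw):
    """Return the user's roles after an SSO login.

    db_roles: roles currently stored for the user (e.g. after an admin edited
    ab_user_role or the UI). None means the user does not exist yet.
    groups:   group names the IdP (here Keycloak) returns for the user.
    """
    sso_roles = roles_from_groups(groups, **kw)
    if db_roles is None:
        return sso_roles        # first login: registration uses the SSO roles
    if sync_at_login:
        return sso_roles        # existing user: stored roles are replaced
    return sorted(db_roles)     # existing user: stored roles are kept


if __name__ == "__main__":
    # Constructed scenario from the thread: the user was promoted to Admin in
    # the database, but Keycloak sends no group that maps to Admin.
    print(login(["Admin"], ["superset_users"], sync_at_login=True))   # Admin lost
    print(login(["Admin"], ["superset_users"], sync_at_login=False))  # Admin kept
    print(login(["Admin"], ["superset_admins"], sync_at_login=True))  # Admin via group
```

The durable fix is therefore either a Keycloak group that maps to Admin with sync on, or sync off so that database edits are the source of truth; editing ab_user_role while sync is on is overwritten at the next login.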

Comment From: denibrek

What could be the reason why the parameter AUTH_ROLES_SYNC_AT_LOGIN doesn't work as expected? I have configured the authentication via Keycloak, Superset resets the user role according to AUTH_USER_REGISTRATION_ROLE at each login, and setting AUTH_ROLES_SYNC_AT_LOGIN = False doesn't change anything.