How to authenticate with REST API #2488

Closed
3 tasks done
amancevice opened this issue Mar 27, 2017 · 27 comments

@amancevice

Make sure these boxes are checked before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if any
  • I have reproduced the issue with at least the latest released version of superset
  • I have checked the issue tracker for the same issue and I haven't found one similar

Superset version

0.17.1

Expected results

N/A

Actual results

N/A

Steps to reproduce

Sorry if this has been answered somewhere else, but is there any documentation on how to authenticate through the REST API?

Specifically, I'd like to be able to return JSON from the /superset/explore_json/ endpoint (copied from the UI slice view) using cURL (or something similar) but I get the following response when I do:

{
  "message": "Access is Denied", 
  "severity": "danger"
}

Thanks

@mistercrunch
Member

This is how we do it in the unit tests:
https://github.com/airbnb/superset/blob/master/tests/base_tests.py#L127

But that may vary depending on the type of authentication you use.

@slarrain

slarrain commented Nov 9, 2017

Hey @amancevice did you figure this out? I have this exact use case and was wondering if you solved it.
Thanks!

@amancevice
Author

@slarrain I did not -- gave up & moved on to other things. Sorry!

@andrewsali

For those still looking for some kind of solution - the following example seems to work:

import requests
from bs4 import BeautifulSoup

# set up session for auth
s = requests.Session()
login_form = s.post("http://my_server/login")

# get Cross-Site Request Forgery protection token
soup = BeautifulSoup(login_form.text, 'html.parser')
csrf_token = soup.find('input',{'id':'csrf_token'})['value']

# login the given session
s.post('http://my_server/login/',data=dict(username='admin', password='my_passwd',csrf_token=csrf_token))

# run API call
print(s.get('http://my_server/users/api').text)

@alexjacquot

Is there documentation of the REST API?

@mistercrunch
Member

The part we get for free on modelviews through FAB is documented here:
https://github.com/dpgaspar/Flask-AppBuilder/blob/master/docs/quickhowto.rst#exposed-methods

@kalimuthu123

I need authentication using JSON web tokens.

@prgx-mrodri01

For those still looking for some kind of solution - the following example seems to work:

import requests
from bs4 import BeautifulSoup

# set up session for auth
s = requests.Session()
login_form = s.post("http://my_server/login")

# get Cross-Site Request Forgery protection token
soup = BeautifulSoup(login_form.text, 'html.parser')
csrf_token = soup.find('input',{'id':'csrf_token'})['value']

# login the given session
s.post('http://my_server/login/',data=dict(username='admin', password='my_passwd',csrf_token=csrf_token))

# run API call
print(s.get('http://my_server/users/api').text)

I had to change login_form = s.post("http://my_server/login") to login_form = s.get("http://my_server/login")
for this to work. Thanks!

@pritypriya25

The solution to the problem is pretty simple. Just hit the POST API "api/v1/security/login". Provide the JSON body with the following:

{
  "password": "complex-password",
  "provider": "db",
  "refresh": true,
  "username": "admin"
}

The JWT token will be generated in the response.
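
The JWT flow described in the comment above, as an added example (not code from this thread or from the Superset project): log in at api/v1/security/login, then send the returned token as a bearer header to /api/v1/chart/. The `access_token` response field is what the login endpoint returns; the stub server and its password and token values are constructed so the example runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies

def call(url, token=None, payload=None):
    """POST payload as JSON (GET when payload is None); return (status, body)."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"  # the JWT from login()
    data = None if payload is None else json.dumps(payload).encode()
    try:
        with OPENER.open(urllib.request.Request(url, data, headers), timeout=10) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as err:  # a 401 still carries a JSON body
        return err.code, json.load(err)

def login(base, username, password, provider="db"):
    """Send the login body quoted in the comment above; return the JWT or None."""
    body = dict(username=username, password=password, provider=provider, refresh=True)
    status, resp = call(f"{base}/api/v1/security/login", payload=body)
    return resp.get("access_token") if status == 200 else None

class StubSuperset(BaseHTTPRequestHandler):  # constructed stand-in, fake secrets
    def reply(self, ok, body):
        self.send_response(200 if ok else 401)
        self.end_headers()
        self.wfile.write(json.dumps(body if ok else {"message": "Not authorized"}).encode())
    def do_POST(self):
        creds = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        ok = self.path == "/api/v1/security/login" and creds["password"] == "constructed-pw"
        self.reply(ok, {"access_token": "constructed.jwt"})
    def do_GET(self):
        ok = self.headers.get("Authorization") == "Bearer constructed.jwt"
        self.reply(ok, {"count": 0, "result": []})
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StubSuperset)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    token = login(base, "admin", "constructed-pw")
    out = (login(base, "admin", "wrong"), call(f"{base}/api/v1/chart/"),
           call(f"{base}/api/v1/chart/", token))
    srv.shutdown()
    srv.server_close()
    return out
```

Against a real deployment, pass an HTTPS base URL to `login()` and read the password from the environment or a secrets store rather than the source file.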

@imanju

imanju commented Aug 30, 2021

Hi pritypriya25, it's working for me. It generated a JWT token. How can I fetch a dashboard in Superset through the /dashboard/ endpoint? Can you please help me?
Thank you

@pritypriya25

@imanju you can check the Superset API. It provides APIs for all kinds of operations.
https://superset.apache.org/docs/rest-api
It also has a Swagger UI where you can check all the APIs.

@cyanoboy

The solution to the problem is pretty simple. Just hit post api "api/v1/security/login". Provide the JSON body with following { "password": "complex-password", "provider": "db", "refresh": true, "username": "admin" } The jwt token will be generated in the response.

This can be used with default authentication. But I'm using a custom Security Manager to login and I don't have a password for the superset user (since it uses an external OAuth2 provider). How can I login to the APIs?

@harshgadhia

harshgadhia commented Oct 18, 2021

I have a similar problem to @cyanoboy. I am also using a custom Security Manager (external OAuth2 provider). Couldn't find a way to get the JWT token to query the APIs.

I do see that the request body has a provider field:

{
"password": "complex-password",
"provider": "db",
"refresh": true,
"username": "admin"
}

However, I cannot find the right provider to use for the custom Security Manager. What should I use when there is no username/password-style db authentication?

Any help is highly appreciated. Thanks in advance!

@dshaqra

dshaqra commented Jan 11, 2022

I have the same issue and am wondering if it's just more straightforward to get the token from the OAuth provider directly and use it within Superset. It should work. I'm going to give it a try and see if it works.

@nytai
Member

nytai commented Feb 9, 2022

I haven't really found a good way to authenticate non-password-based accounts against the REST API. So far only db and ldap work. What I have resorted to is creating a db-based "service account" and using that for API actions.

@Synarcs

Synarcs commented Feb 17, 2022

@nytai can this db-based service account work if we use auth_type as AUTH_Oauth? I assume the bearer token will be the RS256 token signed by the issuer; how can this be used with the API in Superset?

@xneg
Contributor

xneg commented Mar 30, 2022

Faced this problem trying to access explore_json with a JWT token. This doesn't work because this endpoint is missing the @protected decorator. I want to make a PR to fix it (or receive feedback on why I shouldn't do so).

@Mehdi-YC

Hello, I want to integrate Superset with an existing external service, but the problem is that users have to log in twice (once for the service and once for Superset). Can I bypass it with the JWT token?

Did anyone face this before?

@xneg
Contributor

xneg commented May 25, 2022

@SAVE-POlNT we are doing exactly this thing now. But, of course, there are some pitfalls, and it also depends on the existing service. I don't think this topic matches this issue, but you can contact me directly so we can discuss your problem.

@Mehdi-YC

@xneg I would like to. Can you please leave your Discord or your e-mail so I can contact you?

@Synarcs

Synarcs commented May 28, 2022

@xneg in Superset all the APIs are built on top of the Flask AppBuilder BaseApi, with all the security decorators borrowed from FAB. We tried to replicate some of the methods with our own FAB security views and security manager. Since we are using OAuth, either we use the global RS256 session token signed by the IdP, or we integrate Vault by adding a custom decorator to bypass the default FAB security decorators and use this token to authenticate.
@nytai correct me: currently we use hvac integrated with FAB security. Is there any future plan to integrate the same in the security manager of Superset, or to change the Superset API implementation in terms of security (flexibility to use custom decorators rather than the FAB ones)? Open to collaborating if there is any SIP to be done regarding this in the future.

@xneg
Contributor

xneg commented May 28, 2022

@SAVE-POlNT you can find my email in my profile.

@xneg
Contributor

xneg commented May 28, 2022

@vedangparasnis yes, I know about FAB, but what I mean is that not all endpoints in Superset have the @protected decorator (from FAB), and this is a restriction on completing JWT integration.

@Synarcs

Synarcs commented May 28, 2022

@xneg, do you think it is a limitation of the AUTH_DB type in the Superset security manager? Correct me if I'm wrong: in the other types, excluding Remote_user, the IdP session cookie bypasses this API security using the same global session token.

@xneg
Contributor

xneg commented May 28, 2022

@vedangparasnis I think we misunderstood each other, and sorry for the misunderstanding. I was talking about OAuth authentication and using it to access endpoints.

@cdmikechen
Contributor

cdmikechen commented May 28, 2022

My company uses flask-oidc to support OAuth/OIDC tokens; maybe we can extend the Superset API to better support non-Flask security authentication?
And I suggest we'd better start a new discussion. This issue has been closed, so many people cannot take care of this issue.

@lmingzhi

lmingzhi commented Jun 3, 2022

Thanks to andrewsali's comment on 18 Jan 2018, I finally figured out how to access the Superset REST API from Python code.

import requests
from bs4 import BeautifulSoup

# http://192.168.100.120:8088/swagger/v1
superset_host = '192.168.100.120:8088'
username = 'YOUR_username'
password = 'YOUR_password'

# set up session for auth
s = requests.Session()
login_form = s.post(f"http://{superset_host}/login")
# get Cross-Site Request Forgery protection token
soup = BeautifulSoup(login_form.text, 'html.parser')
csrf_token = soup.find('input',{'id':'csrf_token'})['value']
data = {
    'username': username,
    'password': password,
    'csrf_token':csrf_token
}
# login the given session
s.post(f'http://{superset_host}/login/', data=data)
print(dict(s.cookies))

url = f'http://{superset_host}/api/v1/chart/'
r = s.get(url)
print(r.json())
