docs: fix for domain sharding results in failed requests with "Missing Authorization Header"

[ved-kashyap-samsung]

SUMMARY

Fixes #23295

Same issue discussion on domain sharding feature implementation PR - #5039

After enabling the domain sharding as follows

ENABLE_CORS = True
CORS_OPTIONS = {
  'supports_credentials': True,
  'allow_headers': '*',
  'resources': '*',
  'origins': ['https://dashboards.mydomain.com','https://dashboards1.mydomain.com','https://dashboards2.mydomain.com','https://dashboards3.mydomain.com']
}
SUPERSET_WEBSERVER_DOMAINS=['dashboards.mydomain.com','dashboards1.mydomain.com','dashboards2.mydomain.com','dashboards3.mydomain.com']

All 4 webserver domains are set via DNS A record to the same IP address.

When navigating to a dashboard, I can see in the Edge devtools, that the /api/v1/chart/data requests are sent to all webserver domains. However, they all fail with "401" (unauthenticated). I can also see, that some of the requests have a response set to {"msg":"Missing Authorization Header"}.

EXPECTED RESULT

Domain sharding uses the 4 configured webserver domains for requesting data - and uses the session cookie of original domain for authentication.

ACTUAL RESULT

The authentication of the non-original webserver domains does not work and the requests are not authenticated.

TESTING INSTRUCTIONS

Please verify changes from my fork.
After setting the SESSION_COOKIE_DOMAIN to main domain in superset_config.py authrization should work on all the domain shards.

ADDITIONAL INFORMATION

• Has associated issue: Fixes Domain sharding results in failed requests with "Missing Authorization Header" #23295
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[ved-kashyap-samsung]

@graceguo-supercat @michellethomas @john-bodley @timifasubaa @kristw @williaster Please check this issue of Missing Authorization Header in domain sharding and its fix. I have tested in my local setup , it is working as expected. Please approve so that people can get insights on this kind of issue.

[ved-kashyap-samsung]

ROOT CAUSE ANALYSIS - Actually session in superset is managed using cookies. So, session cookie must be sent automatically in any API request through request headers. Also, cookies are automatically sent to subdomains on a domain(TLD). So, following are two solutions. You can choose either.

1. set SESSION_COOKIE_DOMAIN = 'mydomain.com' in superset_config.py
   This should take care of setting cookie in every request header and hence authorization will be done.

2. Other solution is to create domain shards which should be subdomains of main domain like below.
   SUPERSET_WEBSERVER_DOMAINS=['dashboards.mydomain.com','1.dashboards.mydomain.com','2.dashboards.mydomain.com','3.dashboards.mydomain.com']

Note: Please delete all the session cookies for your superset top level domain and subdomains intially so that previously session cookies don't change the desired behaviour.

[ved-kashyap-samsung]

@graceguo-supercat @michellethomas @john-bodley @timifasubaa @kristw @williaster Please check this issue of Missing Authorization Header in domain sharding and its fix. I have tested in my local setup , it is working as expected. Please approve so that people can get insights on this kind of issue.

Can anyone please review this.

[ved-kashyap-samsung]

@rusackas Can you please review this PR.

[ved-kashyap-samsung]

@rusackas All checks have passed for this PR. Can you please review again.

[ved-kashyap-samsung]

@rusackas All checks have passed for this PR. Can you please review again.

@rusackas For reminder as I see no updates on this PR for long time. Can you please check once.
@graceguo-supercat @michellethomas @john-bodley @timifasubaa @kristw @williaster

[john-bodley]

@ved-kashyap-samsung apologies for missing the previous pings. Thanks for improving the documentation. I've made a couple of suggestions based on how we (Airbnb) have it configured.

[ved-kashyap-samsung]

@ved-kashyap-samsung apologies for missing the previous pings. Thanks for improving the documentation. I've made a couple of suggestions based on how we (Airbnb) have it configured.

No problem and thanks for your valubale suggestions. I have incorporated suggested changes and looking forward for this PR to be merged. Thanks again!