feat(auth): integrate Keycloak authentication with SLO and configurable user roles #31821
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
![korbit-ai[bot]](https://avatars.githubusercontent.com/in/322216?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review by Korbit AI
Korbit automatically attempts to detect when you fix issues in new commits.
| Category | Issue | Fix Detected |
|---|---|---|
 |
Hardcoded secret and encryption keys found. ▹ view | |
 |
Non-configurable OIDC Client Secrets Path ▹ view |
Files scanned
| File Path | Reviewed |
|---|---|
| docker/pythonpath_dev/superset_config.py | ✅ |
| docker/pythonpath_dev/keycloak_security_manager.py | ✅ |
Explore our documentation to understand the languages and file types we support and the files we ignore.
Need a new review? Comment
/korbit-reviewon this PR and I'll review your latest changes.Korbit Guide: Usage and Customization
Interacting with Korbit
- You can manually ask Korbit to review your PR using the
/korbit-reviewcommand in a comment at the root of your PR.- You can ask Korbit to generate a new PR description using the
/korbit-generate-pr-descriptioncommand in any comment on your PR.- Too many Korbit comments? I can resolve all my comment threads if you use the
/korbit-resolvecommand in any comment on your PR.- Chat with Korbit on issues we post by tagging @korbit-ai in your reply.
- Help train Korbit to improve your reviews by giving a 👍 or 👎 on the comments Korbit posts.
Customizing Korbit
- Check out our docs on how you can make Korbit work best for you and your team.
- Customize Korbit for your organization through the Korbit Console.
Current Korbit Configuration
General Settings
Setting Value Review Schedule Automatic excluding drafts Max Issue Count 10 Automatic PR Descriptions ❌ Issue Categories
Category Enabled Naming ✅ Database Operations ✅ Documentation ✅ Logging ✅ Error Handling ✅ Systems and Environment ✅ Objects and Data Structures ✅ Readability and Maintainability ✅ Asynchronous Processing ✅ Design Patterns ✅ Third-Party Libraries ✅ Performance ✅ Security ✅ Functionality ✅ Feedback and Support
Note
Korbit Pro is free for open source projects 🎉
Looking to add Korbit to your team? Get started with a free 2 week trial here
| SECRET_KEY = os.getenv("SECRET_KEY", "your-constant-secret-key") | ||
| ENCRYPTION_KEY = os.getenv("ENCRYPTION_KEY", "your-constant-encryption-key") |
There was a problem hiding this comment.
Hardcoded secret and encryption keys found. 
Tell me more
Security Issue: Hardcoded Secret Key and Encryption Key
The SECRET_KEY and ENCRYPTION_KEY are hardcoded with default values in the superset_config.py file. Hardcoding sensitive information like secret keys is a security risk because if the codebase is compromised, an attacker can easily obtain these keys and use them for malicious purposes.
To resolve this issue, remove the hardcoded default values and ensure the secret key and encryption key are loaded from environment variables or a secure secrets management system at runtime. Do not commit the actual key values in the codebase.
Chat with Korbit by mentioning @korbit-ai, and give a 👍 or 👎 to help Korbit improve your reviews.
| # Keycloak (OpenID Connect) authentication config and other settings... | ||
| # ------------------------------------------------------------------------------ | ||
| AUTH_TYPE = AUTH_OID | ||
| OIDC_CLIENT_SECRETS = "/app/docker/pythonpath_dev/client_secret.json" |
There was a problem hiding this comment.
Non-configurable OIDC Client Secrets Path 
Tell me more
What is the issue?
Hardcoded path to client secrets file could cause authentication failures if the file location changes or in different environments.
Why this matters
A non-configurable secrets file location reduces deployment flexibility and could break authentication if the file is stored elsewhere.
Suggested change ∙ Feature Preview
Make the client secrets path configurable via environment variable:
OIDC_CLIENT_SECRETS = os.getenv("OIDC_CLIENT_SECRETS", "/app/docker/pythonpath_dev/client_secret.json")Chat with Korbit by mentioning @korbit-ai, and give a 👍 or 👎 to help Korbit improve your reviews.
SUMMARY
This PR integrates Keycloak authentication into Superset. The changes include:
docker/pythonpath_dev/(i.e.superset_config.pyandkeycloak_security_manager.py) to support Keycloak integration.AUTH_USER_REGISTRATION_ROLE. This allows production settings (e.g., settingAUTH_USER_REGISTRATION_ROLE=Admin) to be used without changing code.docker-compose.yml,docker-compose-non-dev.yml, anddocker-compose-image-tag.yml) and the.envfile to properly reflect the changes for production deployment.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A (no UI changes)
TESTING INSTRUCTIONS
pre-commit run --all-fileslocally to ensure no linting or type-check errors occur.docker-compose -f docker-compose-image-tag.yml up -d.AUTH_USER_REGISTRATION_ROLEenvironment variable.ADDITIONAL INFORMATION