Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix to Werkzeug ProxyFix; expose ProxyFix configuration items #8117

Merged

Conversation

ericandrewmeadows
Copy link

@ericandrewmeadows ericandrewmeadows commented Aug 27, 2019

CATEGORY

Choose one

  • Bug Fix
  • Enhancement (new features, refinement)
  • Refactor
  • Add tests
  • Build / Development Environment
  • Documentation

SUMMARY

Custom Security Manager appeared to be broken when behind an AWS ALB, but when I dug further, the Werkzeug version was bumped. This caused an invalid configuration for the proxy in that the host was not passed on. Because of this, along with the change of the library path, and the inclusion of the additional library bump in accordance with apache/airflow#5571, I have validated that the regression that prevented CSM from working in v0.33.0rc1 -> v0.34.0rc [1 & 2] has been resolved.

TEST PLAN

I deployed internally the fix, and validated that the port is not being returned in the header for the destination after hitting the root IP of the Superset instance.

ADDITIONAL INFORMATION

REVIEWERS

@@ -111,6 +111,13 @@

# Extract and use X-Forwarded-For/X-Forwarded-Proto headers?
ENABLE_PROXY_FIX = False
PROXY_FIX_CONFIG = {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was validated to fix the issue with CSM, when ENABLE_PROXY_FIX is set to True.

@ericandrewmeadows ericandrewmeadows changed the title Fix to werkzeug proxy; expose additional configuration items Fix to Werkzeug ProxyFix; expose ProxyFix configuration items Aug 27, 2019
@dpgaspar
Copy link
Member

dpgaspar commented Aug 27, 2019

@villebro
Copy link
Member

Thanks for putting in the work to fix this @ericandrewmeadows . Once this gets merged I think we can start picking cherries for a 0.34.1.

@ericandrewmeadows
Copy link
Author

👍 - fair to enforce all on since the side effect is minimal.

An aside: why don't we force line length to 79 max? I know it's an outdated standard set by punch cards...but most linters complain.

@ericandrewmeadows
Copy link
Author

@villebro - you're welcome. I just happened to come across the Airflow item after I solved it. I updated the docs - thanks again!

@ericandrewmeadows
Copy link
Author

@dpgaspar / @villebro - what's the process for merging this?

@villebro
Copy link
Member

LGTM, but I don't feel comfortable merging before @dpgaspar approves this, as he is more knowledgeable on this topic than I am.

@ericandrewmeadows
Copy link
Author

I figured - yeah - it may have just slipped under his radar.

@villebro villebro added the v0.34 label Aug 31, 2019
@ericandrewmeadows
Copy link
Author

@dpgaspar - can this be merged?

@mistercrunch
Copy link
Member

Few notes:

  • do we know how this maps to previous default settings from the previous implementation?
  • can we add an entry in UPDATING.md to tell people "Changes around a new version of ProxyFix in Werkzeuf, if you use config ENABLE_PROXY_FIX = True, you'll want to review the newly introduced PROXY_FIX_CONFIG config key and make sure it's set as expected for your environment"

@ericandrewmeadows
Copy link
Author

  1. I first fixed my instance, then @dpgaspar pointed out the defaults from Airflow so I followed that convention. For me, I use the following settings:
ENABLE_PROXY_FIX = True
PROXY_FIX_CONFIG = {
    "x_for": 1,
    "x_proto": 0,
    "x_host": 1,
    "x_port": 0,
    "x_prefix": 0,
}
  1. I'll add that to UPDATING.md

Copy link
Member

@mistercrunch mistercrunch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise LGTM

Untitled.ipynb Outdated Show resolved Hide resolved
@codecov-io
Copy link

codecov-io commented Sep 3, 2019

Codecov Report

Merging #8117 into master will increase coverage by 0.13%.
The diff coverage is 33.33%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master   #8117      +/-   ##
=========================================
+ Coverage   66.06%   66.2%   +0.13%     
=========================================
  Files         479     479              
  Lines       22930   22930              
  Branches     2524    2524              
=========================================
+ Hits        15148   15180      +32     
+ Misses       7648    7616      -32     
  Partials      134     134
Impacted Files Coverage Δ
superset/__init__.py 75% <0%> (-0.79%) ⬇️
superset/config.py 88.7% <100%> (+0.06%) ⬆️
superset/assets/src/chart/chartAction.js 49.63% <0%> (ø) ⬆️
superset/sql_lab.py 77.51% <0%> (+0.04%) ⬆️
superset/views/core.py 71.53% <0%> (+0.27%) ⬆️
superset/models/core.py 81.76% <0%> (+0.64%) ⬆️
superset/db_engine_specs/mysql.py 92.15% <0%> (+49.01%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ee24539...cc556e6. Read the comment docs.

Copy link
Author

@ericandrewmeadows ericandrewmeadows left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mistercrunch - Should be good to be merged.

@mistercrunch mistercrunch added 🍒 0.34.1 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.35.0 labels Feb 28, 2024
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
…#8117)

* Fix to werkzeug proxy; expose additional configuration items

* Forced to all x-forwarded configurations ON; black done

* added comments related to x_port after testing

* Updated UPDATING.md

* Removed accidental notebook; added *.ipynb to gitignore

* Delete Untitled-checkpoint.ipynb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/S v0.34 🍒 0.34.1 🚢 0.35.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Investigate broken Custom Security Manager CUSTOM_SECURITY_MANAGER not working in 0.34.0rc1
5 participants