From dc136e8898a86c1d23bbbd7c8d3bfbb9dca42d07 Mon Sep 17 00:00:00 2001
From: Joe Li <joe@preset.io>
Date: Fri, 8 May 2026 15:02:32 -0700
Subject: [PATCH] feat(docker-light): enable embedded-dashboard support in
 local stack

Three additions to the lightweight local config so the embedded-dashboard
flow works against docker-compose-light without manually patching state:

- Read SUPERSET_FEATURE_<NAME> env vars into FEATURE_FLAGS so a docker
  .env-local can toggle features without editing tracked config.
- Disable Talisman so /embedded/<uuid> doesn't serve X-Frame-Options:
  SAMEORIGIN, which otherwise blocks cross-origin iframe embedding.
- Mirror Public to Gamma via PUBLIC_ROLE_LIKE so guest tokens can hit
  /api/v1/me/roles/ (CI does this implicitly via load_test_users; the
  light stack does not).

Required for the chromium-embedded Playwright project to run locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../superset_config_docker_light.py           | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/docker/pythonpath_dev/superset_config_docker_light.py b/docker/pythonpath_dev/superset_config_docker_light.py
index 1f053c2ce36..0db91465770 100644
--- a/docker/pythonpath_dev/superset_config_docker_light.py
+++ b/docker/pythonpath_dev/superset_config_docker_light.py
@@ -36,3 +36,31 @@ THUMBNAIL_CACHE_CONFIG = CACHE_CONFIG
 
 # Disable Celery entirely for lightweight mode
 CELERY_CONFIG = None  # type: ignore[assignment,misc]
+
+# Honor SUPERSET_FEATURE_<NAME> env vars on top of any flags inherited from
+# superset_config. Lets local dev/e2e enable features (e.g. EMBEDDED_SUPERSET)
+# without editing shipped config files.
+import os  # noqa: E402
+
+FEATURE_FLAGS = {
+    **FEATURE_FLAGS,  # noqa: F405
+    **{
+        name[len("SUPERSET_FEATURE_") :]: value.strip().lower() == "true"
+        for name, value in os.environ.items()
+        if name.startswith("SUPERSET_FEATURE_")
+    },
+}
+
+# Disable Talisman so /embedded/<uuid> doesn't return X-Frame-Options:SAMEORIGIN.
+# Without this, browsers refuse to render Superset inside an iframe from a
+# different origin (i.e. the embedded SDK use case). Production/CI configures
+# Talisman with explicit `frame-ancestors`; for the lightweight local stack we
+# just turn it off.
+TALISMAN_ENABLED = False
+
+# Guest tokens (used by the embedded SDK) inherit the "Public" role's perms.
+# Out of the box Public has zero perms, so embedded dashboards immediately fail
+# their first call (`/api/v1/me/roles/`) with 403. Mirror Public to Gamma —
+# the standard read-only viewer role — so the embedded flow can authenticate
+# and load dashboard data in local dev.
+PUBLIC_ROLE_LIKE = "Gamma"