Three independent bugs let MCP requests presenting Bearer tokens with the sst_ prefix authenticate as MCP_DEV_USERNAME without any validation under streamable-http:

1. _resolve_user_from_api_key read the token from flask.request.headers, but the streamable-http transport never pushes a Flask request context — has_request_context() was always False, so the function returned None before validating, falling through to the dev-user fallback. Now reads the token from FastMCP's per-request AccessToken (which the CompositeTokenVerifier already populated) and fails closed when the key is invalid.

2. CompositeTokenVerifier was only installed when MCP_AUTH_ENABLED=True. With FAB_API_KEY_ENABLED=True alone, no transport-level verifier existed at all. The factory now builds an API-key-only verifier in that case (jwt_verifier=None) that rejects non-API-key Bearer tokens at the transport instead of silently accepting them.

3. The pass-through AccessToken was minted with scopes=[], which would make FastMCP's RequireAuthMiddleware 403 every API-key request when MCP_REQUIRED_SCOPES is non-empty. Pass-through now propagates self.required_scopes.

Also addresses Daniel's review comment on superset/security/manager.py: adds "ApiKey" to ADMIN_ONLY_VIEW_MENUS so the FAB ApiKeyApi PVMs are gated to Admin instead of leaking to Alpha and Gamma.

Renames the pass-through claim from _api_key_passthrough to the namespaced _superset_mcp_api_key_passthrough (exported as API_KEY_PASSTHROUGH_CLAIM) so a custom claim from an external IdP can't accidentally divert a JWT into the API-key validation path.

Tests updated to mock get_access_token instead of app.test_request_context (the simulated Flask context was the reason the prior tests passed while production failed). New tests cover API-key-only verifier mode, scope propagation on pass-through, and the namespaced-claim isolation.
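The three bugs above share one shape: an authentication path that returns "nothing" and lets a fallback decide. The following is an added, self-contained model written for this page to show the fail-open path beside the fail-closed fix; it is not Superset's or FastMCP's code, and AccessToken, CompositeTokenVerifier, the resolver functions, the fake IdP verifier and the key store are all assumed stand-ins that only mirror the behaviour the description states.

```python
"""Fail-open vs fail-closed API-key resolution (added illustration, not project code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

API_KEY_PREFIX = "sst_"
# Namespaced claim as renamed in the PR; the old name is kept only to show why
# a claim an external IdP might also emit must not select the API-key path.
API_KEY_PASSTHROUGH_CLAIM = "_superset_mcp_api_key_passthrough"
LEGACY_CLAIM = "_api_key_passthrough"
DEV_USER = "dev-user"  # stands in for MCP_DEV_USERNAME

# Constructed sample key store (assumption): sha256(raw key) -> username.
_KEY_STORE = {hashlib.sha256(b"sst_alice_example").hexdigest(): "alice"}


@dataclass
class AccessToken:
    """Simplified stand-in for FastMCP's per-request access token."""
    token: str
    client_id: str
    scopes: list = field(default_factory=list)
    claims: dict = field(default_factory=dict)


def lookup_api_key(raw: str) -> Optional[str]:
    """Return the owning user or None, comparing digests in constant time."""
    digest = hashlib.sha256(raw.encode()).hexdigest()
    for stored, user in _KEY_STORE.items():
        if hmac.compare_digest(stored, digest):
            return user
    return None


class CompositeTokenVerifier:
    """Transport-level verifier; jwt_verifier=None is the API-key-only mode (bug 2)."""

    def __init__(self, required_scopes, jwt_verifier: Optional[Callable[[str], Optional[AccessToken]]] = None):
        self.required_scopes = list(required_scopes)
        self.jwt_verifier = jwt_verifier

    def verify_token(self, token: str) -> Optional[AccessToken]:
        if token.startswith(API_KEY_PREFIX):
            if lookup_api_key(token) is None:
                return None  # unknown key: rejected at the transport, never passed through
            # Bug 3: minting scopes=[] would make a required-scope middleware refuse
            # every API-key request, so the required scopes are propagated instead.
            return AccessToken(token, "api-key", list(self.required_scopes),
                               {API_KEY_PASSTHROUGH_CLAIM: True})
        if self.jwt_verifier is None:
            return None  # no JWT verifier configured: reject, do not silently accept
        return self.jwt_verifier(token)


def current_user_before(has_flask_context: bool, header_token: Optional[str]) -> str:
    """Pre-fix shape (bug 1). Under streamable-http has_flask_context is always
    False, so the resolver yields None and the dev-user fallback wins."""
    if not has_flask_context:
        resolved = None  # returns before validating anything
    elif header_token and header_token.startswith(API_KEY_PREFIX):
        resolved = lookup_api_key(header_token)
    else:
        resolved = None
    return resolved or DEV_USER


def resolve_user_from_api_key_after(access_token: Optional[AccessToken]) -> Optional[str]:
    """Post-fix shape: read the transport's AccessToken and fail closed."""
    if access_token is None or not access_token.claims.get(API_KEY_PASSTHROUGH_CLAIM):
        return None  # not an API-key request; other auth paths decide
    user = lookup_api_key(access_token.token)
    if user is None:
        raise PermissionError("invalid API key")  # no fallback identity
    return user


def api_key_outcome(access_token: Optional[AccessToken]) -> str:
    """Collapse the post-fix resolver's three outcomes into one label."""
    try:
        return resolve_user_from_api_key_after(access_token) or "<not-api-key>"
    except PermissionError:
        return "<rejected>"


def fake_idp_jwt_verifier(token: str) -> Optional[AccessToken]:
    """Constructed external IdP whose JWTs carry a custom claim with the old name."""
    return AccessToken(token, "idp", ["read"], {LEGACY_CLAIM: True})


if __name__ == "__main__":
    print("before:", current_user_before(False, "sst_not_a_real_key"))  # dev-user
    verifier = CompositeTokenVerifier(["mcp:read"])
    print("after :", api_key_outcome(verifier.verify_token("sst_alice_example")))
```

The pre-fix resolver cannot distinguish "no Flask context" from "no key", so every sst_-prefixed token lands on the dev user; the post-fix resolver only ever sees a token the transport already validated, and an invalid key is an error rather than a None that something downstream has to interpret.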
Superset
A modern, enterprise-ready business intelligence web application.
Documentation
- User Guide — For analysts and business users. Explore data, build charts, create dashboards, and connect databases.
- Administrator Guide — Install, configure, and operate Superset. Covers security, scaling, and database drivers.
- Developer Guide — Contribute to Superset or build on its REST API and extension framework.
Why Superset?
Superset is a modern data exploration and data visualization platform. Superset can replace or augment proprietary business intelligence tools for many teams. Superset integrates well with a variety of data sources.
Superset provides:
- A no-code interface for building charts quickly
- A powerful, web-based SQL Editor for advanced querying
- A lightweight semantic layer for quickly defining custom dimensions and metrics
- Out of the box support for nearly any SQL database or data engine
- A wide array of beautiful visualizations to showcase your data, ranging from simple bar charts to geospatial visualizations
- Lightweight, configurable caching layer to help ease database load
- Highly extensible security roles and authentication options
- An API for programmatic customization
- A cloud-native architecture designed from the ground up for scale
Screenshots & Gifs
- Video Overview
- Large Gallery of Visualizations
- Craft Beautiful, Dynamic Dashboards
- No-Code Chart Builder
- Powerful SQL Editor
Supported Databases
Superset can query data from any SQL-speaking datastore or data engine (Presto, Trino, Athena, and more) that has a Python DB-API driver and a SQLAlchemy dialect.
Here are some of the major database solutions that are supported:
A more comprehensive list of supported databases along with the configuration instructions can be found here.
Want to add support for your datastore or data engine? Read more here about the technical requirements.
Installation and Configuration
Try out Superset's quickstart guide or learn about the options for production deployments.
Get Involved
- Ask and answer questions on StackOverflow using the apache-superset tag
- Join our community's Slack and please read our Slack Community Guidelines
- Join our dev@superset.apache.org Mailing list. To join, simply send an email to dev-subscribe@superset.apache.org
- If you want to help troubleshoot GitHub Issues involving the numerous database drivers that Superset supports, please consider adding your name and the databases you have access to on the Superset Database Familiarity Rolodex
- Join Superset's Town Hall and Operational Model recurring meetings. Meeting info is available on the Superset Community Calendar
Contributor Guide
Interested in contributing? Check out our Developer Guide to find resources around contributing along with a detailed guide on how to set up a development environment.
Resources
- Superset "In the Wild" - see who's using Superset, and add your organization to the list!
- Feature Flags - the status of Superset's Feature Flags.
- Standard Roles - How RBAC permissions map to roles.
- Superset Wiki - Tons of additional community resources: best practices, community content and other information.
- Superset SIPs - The status of Superset's SIPs (Superset Improvement Proposals) for both consensus and implementation status.
- Understanding the Superset Points of View
- Getting Started with Superset
- Deploying Superset
- Recordings of Past Superset Community Events
- Visualizations