Mirror of https://github.com/apache/superset.git (synced 2026-05-21 15:55:10 +00:00)
Two fixes for MCP API key authentication:

1. superset init now creates ApiKey FAB permissions (can_list, can_create, can_get, can_delete) when FAB_API_KEY_ENABLED=True. Previously, because Superset uses AppBuilder(update_perms=False), FAB skipped permission creation during blueprint registration and superset init never picked them up, causing 403 errors on /api/v1/security/api_keys/.

2. CompositeTokenVerifier allows API key tokens (e.g. sst_...) to coexist with JWT auth on the MCP transport layer. Previously, when MCP_AUTH_ENABLED=True, the JWTVerifier rejected all non-JWT Bearer tokens at the transport layer before they could reach the Flask-level _resolve_user_from_api_key() handler. The composite verifier detects API key prefixes and passes them through with a marker claim, letting the existing auth priority chain handle validation.
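The pass-through pattern from the second fix, as an added sketch that is not Superset's code: it shows that the marker claim only defers an API key to the application layer, where the key still has to be validated. Only the sst_ prefix comes from the page; MARKER, composite_verify, resolve_user, the HS256 stand-in verifier and the hashed key store are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

API_KEY_PREFIXES = ("sst_",)    # prefix named in the commit message
MARKER = "api_key_passthrough"  # hypothetical marker claim name

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build a constructed HS256 sample JWT for the demo."""
    msg = b64u(b'{"alg":"HS256","typ":"JWT"}') + "." + b64u(json.dumps(claims).encode())
    return msg + "." + b64u(hmac.new(secret, msg.encode(), hashlib.sha256).digest())

def verify_jwt(token, secret):
    """Stand-in JWT verifier (HS256 only): returns the claims, or None on rejection."""
    try:
        msg, sig = token.rsplit(".", 1)
        mac = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64u(mac), sig):
            return None
        body = msg.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims.get("exp", 0) < time.time():
            return None
    except (ValueError, TypeError, AttributeError, IndexError):
        return None
    claims.pop(MARKER, None)  # a JWT must not be able to set the marker itself
    return claims

def composite_verify(token, secret):
    """Transport-layer check: defer API keys, verify everything else as a JWT."""
    if token.startswith(API_KEY_PREFIXES):
        return {MARKER: True}  # deferred to the app layer, NOT yet authenticated
    return verify_jwt(token, secret)

def resolve_user(token, claims, key_store):
    """App-layer step: the marker means 'validate this key now', not 'trusted'."""
    if claims and claims.get(MARKER):
        return key_store.get(hashlib.sha256(token.encode()).hexdigest())
    return claims.get("sub") if claims else None

def demo():
    secret = b"constructed-secret"
    store = {hashlib.sha256(b"sst_valid_key").hexdigest(): "alice"}  # constructed
    tokens = {"jwt": sign_hs256({"sub": "bob", "exp": time.time() + 60}, secret),
              "api_key": "sst_valid_key", "bad_key": "sst_unknown", "junk": "x.y"}
    return {k: resolve_user(t, composite_verify(t, secret), store) for k, t in tokens.items()}

if __name__ == "__main__":
    print(demo())
```

A token that merely starts with the prefix clears the transport layer, so any code that treats the marker claim as proof of identity would skip authentication entirely.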