Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix to Werkzeug ProxyFix; expose ProxyFix configuration items #8117

Merged
merged 7 commits into from
Sep 4, 2019
Merged

Fix to Werkzeug ProxyFix; expose ProxyFix configuration items #8117

merged 7 commits into from
Sep 4, 2019

Conversation

ericandrewmeadows
Copy link
Contributor

@ericandrewmeadows ericandrewmeadows commented Aug 27, 2019
edited
Loading

CATEGORY

Choose one

  • Bug Fix
  • Enhancement (new features, refinement)
  • Refactor
  • Add tests
  • Build / Development Environment
  • Documentation

SUMMARY

Custom Security Manager appeared to be broken when behind an AWS ALB, but when I dug further, the Werkzeug version was bumped. This caused an invalid configuration for the proxy in that the host was not passed on. Because of this, along with the change of the library path, and the inclusion of the additional library bump in accordance with apache/airflow#5571, I have validated that the regression that prevented CSM from working in v0.33.0rc1 -> v0.34.0rc [1 & 2] has been resolved.

TEST PLAN

I deployed internally the fix, and validated that the port is not being returned in the header for the destination after hitting the root IP of the Superset instance.

ADDITIONAL INFORMATION

REVIEWERS

ericandrewmeadows
ericandrewmeadows commented Aug 27, 2019
View reviewed changes
superset/config.py Outdated
@@ -111,6 +111,13 @@

# Extract and use X-Forwarded-For/X-Forwarded-Proto headers?
ENABLE_PROXY_FIX = False
PROXY_FIX_CONFIG = {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was validated to fix the issue with CSM, when ENABLE_PROXY_FIX is set to True.

@ericandrewmeadows ericandrewmeadows changed the title Fix to werkzeug proxy; expose additional configuration items Fix to Werkzeug ProxyFix; expose ProxyFix configuration items Aug 27, 2019
@dpgaspar
Copy link
Member

dpgaspar commented Aug 27, 2019
edited
Loading

black config.py

FYI Airflow followup fix on: apache/airflow#5563
Docs: https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/?highlight=proxyfix#werkzeug.middleware.proxy_fix.ProxyFix

@villebro
Copy link
Member

Thanks for putting in the work to fix this @ericandrewmeadows . Once this gets merged I think we can start picking cherries for a 0.34.1.

@ericandrewmeadows
Copy link
Contributor Author

👍 - fair to enforce all on since the side effect is minimal.

An aside: why don't we force line length to 79 max? I know it's an outdated standard set by punch cards...but most linters complain.

@ericandrewmeadows
Copy link
Contributor Author

@villebro - you're welcome. I just happened to come across the Airflow item after I solved it. I updated the docs - thanks again!

@ericandrewmeadows
Copy link
Contributor Author

@dpgaspar / @villebro - what's the process for merging this?

@villebro
Copy link
Member

LGTM, but I don't feel comfortable merging before @dpgaspar approves this, as he is more knowledgeable on this topic than I am.

@ericandrewmeadows
Copy link
Contributor Author

I figured - yeah - it may have just slipped under his radar.

@villebro villebro added the v0.34 label Aug 31, 2019
@ericandrewmeadows
Copy link
Contributor Author

@dpgaspar - can this be merged?

@mistercrunch
Copy link
Member

Few notes:

  • do we know how this maps to previous default settings from the previous implementation?
  • can we add an entry in UPDATING.md to tell people "Changes around a new version of ProxyFix in Werkzeuf, if you use config ENABLE_PROXY_FIX = True, you'll want to review the newly introduced PROXY_FIX_CONFIG config key and make sure it's set as expected for your environment"

@ericandrewmeadows
Copy link
Contributor Author

  1. I first fixed my instance, then @dpgaspar pointed out the defaults from Airflow so I followed that convention. For me, I use the following settings:
ENABLE_PROXY_FIX = True
PROXY_FIX_CONFIG = {
    "x_for": 1,
    "x_proto": 0,
    "x_host": 1,
    "x_port": 0,
    "x_prefix": 0,
}
  1. I'll add that to UPDATING.md

mistercrunch
mistercrunch requested changes Sep 3, 2019
View reviewed changes
Copy link
Member

@mistercrunch mistercrunch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise LGTM

Untitled.ipynb Outdated Show resolved Hide resolved
@codecov-io
Copy link

codecov-io commented Sep 3, 2019
edited
Loading

Codecov Report

Merging #8117 into master will increase coverage by 0.13%.
The diff coverage is 33.33%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master   #8117      +/-   ##
=========================================
+ Coverage   66.06%   66.2%   +0.13%     
=========================================
  Files         479     479              
  Lines       22930   22930              
  Branches     2524    2524              
=========================================
+ Hits        15148   15180      +32     
+ Misses       7648    7616      -32     
  Partials      134     134
Impacted Files Coverage Δ
superset/__init__.py 75% <0%> (-0.79%) ⬇️
superset/config.py 88.7% <100%> (+0.06%) ⬆️
superset/assets/src/chart/chartAction.js 49.63% <0%> (ø) ⬆️
superset/sql_lab.py 77.51% <0%> (+0.04%) ⬆️
superset/views/core.py 71.53% <0%> (+0.27%) ⬆️
superset/models/core.py 81.76% <0%> (+0.64%) ⬆️
superset/db_engine_specs/mysql.py 92.15% <0%> (+49.01%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ee24539...cc556e6. Read the comment docs.

ericandrewmeadows
ericandrewmeadows commented Sep 4, 2019
View reviewed changes
Copy link
Contributor Author

@ericandrewmeadows ericandrewmeadows left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mistercrunch - Should be good to be merged.

@mistercrunch mistercrunch merged commit ae0dc30 into apache:master Sep 4, 2019
@maltoze maltoze mentioned this pull request Nov 22, 2019
Closed
3 tasks
@oofnikj oofnikj mentioned this pull request Sep 9, 2021
Closed
This was referenced May 12, 2023
Closed
Merged
@mistercrunch mistercrunch added 🍒 0.34.1 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.35.0 labels Feb 28, 2024
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
@villebro
Fix to Werkzeug ProxyFix; expose ProxyFix configuration items (apache…
3209943 
…#8117)

* Fix to werkzeug proxy; expose additional configuration items

* Forced to all x-forwarded configurations ON; black done

* added comments related to x_port after testing

* Updated UPDATING.md

* Removed accidental notebook; added *.ipynb to gitignore

* Delete Untitled-checkpoint.ipynb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mistercrunch mistercrunch mistercrunch approved these changes

Assignees
No one assigned
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/S v0.34 🍒 0.34.1 🚢 0.35.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Investigate broken Custom Security Manager CUSTOM_SECURITY_MANAGER not working in 0.34.0rc1
5 participants
@ericandrewmeadows @dpgaspar @villebro @mistercrunch @codecov-io