CSRF Missing for Cache Warm Up #31283

Closed
3 tasks
hanslemm opened this issue Dec 4, 2024 · 3 comments · Fixed by #31173

Comments

Contributor

hanslemm commented Dec 4, 2024

Bug description

I have a [email protected] running on K8s.

Whenever the Celery task to warm up the cache of the top 10 dashboards runs, I get the following error:

2024-12-04 07:02:46.455 | [2024-12-04 06:02:46,454: ERROR/ForkPoolWorker-4] fetch_url[b5da1f66-912f-4cdf-bffa-be47cef16dbe]: Error warming up cache!
2024-12-04 07:02:46.454 | urllib.error.HTTPError: HTTP Error 400: Bad Request
2024-12-04 07:02:46.454 | raise HTTPError(req.full_url, code, msg, hdrs, fp)
2024-12-04 07:02:46.454 | File "/usr/local/lib/python3.10/urllib/request.py", line 643, in http_error_default
2024-12-04 07:02:46.454 | File "/usr/local/lib/python3.10/urllib/request.py", line 563, in error
2024-12-04 07:02:46.454 | response = self.parent.error(
2024-12-04 07:02:46.454 | [2024-12-04 06:02:46,453: ERROR/ForkPoolWorker-1] fetch_url[27de5b0d-8070-4415-a0c6-ee104dce1003]: Error warming up cache!
2024-12-04 07:02:46.450 | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
2024-12-04 07:02:46.450 | raise CSRFError(reason)
2024-12-04 07:02:46.450 | File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
2024-12-04 07:02:46.450 | self._error_response(e.args[0])
2024-12-04 07:02:46.450 | wtforms.validators.ValidationError: The CSRF session token is missing.
2024-12-04 07:02:46.450 | raise ValidationError("The CSRF session token is missing.")
2024-12-04 07:02:46.450 | 2024-12-04 06:02:46,449:WARNING:superset.views.error_handling:HTTPException
2024-12-04 07:02:46.449 | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
2024-12-04 07:02:46.449 | raise CSRFError(reason)
2024-12-04 07:02:46.449 | File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
2024-12-04 07:02:46.449 | self._error_response(e.args[0])
2024-12-04 07:02:46.449 | wtforms.validators.ValidationError: The CSRF session token is missing.
2024-12-04 07:02:46.449 | raise ValidationError("The CSRF session token is missing.")

Before the 4.1.1 update, I still had this issue, but it was a 404 error instead.

I tried to fix this by expanding the CSRF exemption list, to no avail:

WTF_CSRF_EXEMPT_LIST = [
    "superset.views.core.log",
    "superset.views.core.explore_json",
    "superset.charts.data.api.data",
    "superset.dashboards.api.cache_dashboard_screenshot",
    "superset.views.core.warm_up_cache",  # Added endpoint
]

Screenshots/recordings

No response

Superset version

4.1.1

Python version

3.10

Node version

I don't know

Browser

Chrome

Additional context

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": [
            "'self'",
            "blob:",
            "data:",
            "https://apachesuperset.gateway.scarf.sh",
            "https://static.scarf.sh/",
            "https://avatars.slack-edge.com",  # Uncomment when SLACK_ENABLE_AVATARS is True
        ],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
            "ws://superset-ws:8080/",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}

FEATURE_FLAGS = {
    "ALERTS_ATTACH_REPORTS": True,
    "ALERT_REPORTS": True,
    "ALERT_REPORTS_TABS": True,
    "ALERT_REPORT_SLACK_V2": True,
    "DASHBOARD_RBAC": True,
    "DASHBOARD_VIRTUALIZATION": True,
    "DRILL_TO_DETAIL": True,
    "DRILL_BY": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "ENABLE_EXPLORE_DRAG_AND_DROP": True,
    "ENABLE_DASHBOARD_SCREENSHOT_ENDPOINTS": True,
    "ENABLE_DASHBOARD_DOWNLOAD_WEBDRIVER_SCREENSHOT": True,
    "ENABLE_DND_WITH_CLICK_UX": True,
    "GENERIC_CHART_AXES": True,
    "GLOBAL_ASYNC_QUERIES": True,
    "HORIZONTAL_FILTER_BAR": True,
    "PLAYWRIGHT_REPORTS_AND_THUMBNAILS": True,
    "TAGGING_SYSTEM": True,
    "THUMBNAILS": True,
    "THUMBNAILS_SQLA_LISTENERS": True,
    "SLACK_ENABLE_AVATARS": True,
}

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
@AnTapTanhCode

you can try #31173

dosubot bot commented Dec 4, 2024

I found a similar discussion regarding CSRF token issues in Superset, which might be relevant to your situation. The discussion titled "[QA][superset & keycloak] flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing" (#28250) addresses a similar error. A suggested solution from a related closed issue was to set TALISMAN_ENABLED to False in the configuration, which resolved the problem for multiple users [1].

Additionally, ensure that the CSRF token is correctly fetched and included in the headers for API requests. In Superset's Celery task for cache warming, the fetch_csrf_token function is used to update the headers with the CSRF token before making the API request [2]. You might want to verify that this process is correctly implemented in your setup.

To continue talking to Dosu, mention @dosu.
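The two failure messages in the traceback above ("The CSRF token is missing." versus "The CSRF session token is missing.") point at different things, and the second one is what a server-side worker hits when it obtains a token but does not send back the session cookie the token was bound to. The following is an added example, not code from Superset or Flask-WTF: a toy CSRF check served with http.server, whose three error strings are copied from the traceback and whose order of checks mirrors Flask-WTF's validate_csrf as I understand it (request token first, then the session copy, then comparison), and a worker-side client written with urllib, the library in the traceback. The endpoint paths, the cookie name "session", and the in-memory session store are all constructed for the demonstration.

```python
"""Added example, not Superset's or Flask-WTF's code: a toy CSRF check on
http.server plus the worker-side flow in urllib. A token fetched from the
server is only accepted together with the session cookie it was bound to."""
import http.cookiejar
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # constructed in-memory session store: session id -> data


class CsrfDemoHandler(BaseHTTPRequestHandler):
    """GET /csrf_token/ issues a token bound to the caller's session cookie;
    POST /warm_up_cache/ needs that cookie and a matching X-CSRFToken."""

    def _session(self):
        # Find our "session" cookie among whatever the client sent, if any.
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session" and value in SESSIONS:
                return SESSIONS[value]
        return None

    def _send(self, code, body, set_cookie=None):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path != "/csrf_token/":
            return self._send(404, {"message": "not found"})
        sess, cookie = self._session(), None
        if sess is None:  # first contact: mint a session and hand out its cookie
            sid = secrets.token_urlsafe(16)
            sess = SESSIONS[sid] = {}
            cookie = f"session={sid}; HttpOnly; Path=/"
        sess["csrf_token"] = secrets.token_urlsafe(16)
        self._send(200, {"result": sess["csrf_token"]}, set_cookie=cookie)

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        if self.path != "/warm_up_cache/":
            return self._send(404, {"message": "not found"})
        sess = self._session()
        token = self.headers.get("X-CSRFToken")
        # Same order as Flask-WTF's validate_csrf: request token, session copy,
        # then constant-time comparison of the two.
        if not token:
            return self._send(400, {"message": "The CSRF token is missing."})
        if sess is None or "csrf_token" not in sess:
            return self._send(400, {"message": "The CSRF session token is missing."})
        if not secrets.compare_digest(token, sess["csrf_token"]):
            return self._send(400, {"message": "The CSRF token is invalid."})
        self._send(200, {"result": "cache warmed"})

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Serve the toy app on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), CsrfDemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def warm_up(base_url, keep_session=True, send_token=True):
    """Worker-side flow: fetch a CSRF token, then POST with it in X-CSRFToken.
    keep_session=False drops the session cookie between the two calls, which
    reproduces the issue's 400; send_token=False omits the header instead."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base_url + "/csrf_token/") as resp:
        token = json.load(resp)["result"]
    if not keep_session:
        jar.clear()  # the token is bound to this cookie; without it, it is useless
    headers = {"Content-Type": "application/json"}
    if send_token:
        headers["X-CSRFToken"] = token
    req = urllib.request.Request(base_url + "/warm_up_cache/", data=b"{}",
                                 headers=headers, method="POST")
    try:
        with opener.open(req) as resp:
            return resp.status, json.load(resp)["result"]
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)["message"]


if __name__ == "__main__":
    server, base = start_server()
    print(warm_up(base))                      # (200, 'cache warmed')
    print(warm_up(base, keep_session=False))  # (400, 'The CSRF session token is missing.')
    print(warm_up(base, send_token=False))    # (400, 'The CSRF token is missing.')
    server.shutdown()
```

The practical reading for a worker or any other server-to-server caller: the CSRF token is not a bearer credential on its own. It has to travel with the same session cookie that was set when the token was issued, so the client must keep a cookie jar across the token fetch and the protected request (and, if the service is behind several replicas, the session must be shared or sticky so the second request lands where the session exists). Exempting an endpoint from CSRF checks, as the WTF_CSRF_EXEMPT_LIST attempt in the report tried, removes the protection rather than fixing the caller.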

Contributor Author

hanslemm commented Dec 4, 2024

Thanks @AnTapTanhCode - true, this #31173 is precisely the solution.
