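#version: superset, 0.13.5-1
# Helm values for a Superset release that signs users in through Keycloak
# (OAuth/OIDC) and derives each user's Superset role from an in-cluster
# role API at login time.
#
# NOTE(review): this file carries three credentials in plain text
# (SECRET_KEY, the OAuth client_secret, db_pass). Anyone who can read the
# values file or the rendered release can read them. Supply them from a
# Kubernetes Secret instead and rotate the values that were committed here.
configOverrides:
  secret: |
    # NOTE(review): Flask uses SECRET_KEY to sign session cookies, so a reader
    # of this file can forge sessions. The value is also only 12 characters
    # long; replace it with a long random value injected from a Secret.
    SECRET_KEY = 'qXsytMNKfyjK'
  my_override: |
    # NOTE(review): ENABLE_TEMPLATE_PROCESSING turns on Jinja templating in
    # queries. Confirm that every role allowed to author SQL or datasets is
    # meant to have it.
    FEATURE_FLAGS = {
        "ENABLE_TEMPLATE_REMOVE_FILTERS" : True,
        "ENABLE_TEMPLATE_PROCESSING": True,
        "DASHBOARD_NATIVE_FILTERS" : True,
        "DASHBOARD_NATIVE_FILTERS_SET": True
    }
  enable_oauth: |
    from flask_appbuilder.security.manager import (AUTH_DB, AUTH_OAUTH)
    from superset.security import SupersetSecurityManager
    from flask import request
    from urllib.parse import quote
    import requests
    import logging

    class CustomSsoSecurityManager(SupersetSecurityManager):
        """Security manager that maps Keycloak users to Superset roles.

        The role is not taken from the Keycloak token. It is looked up per
        login from the in-cluster role API, keyed by username and by the
        host name the request arrived on.
        """

        def oauth_user_info(self, provider, response=None):
            """Return the user record Flask-AppBuilder uses to create/sync a user.

            Fetches the OIDC userinfo document from the configured provider,
            then asks the role API which role the user holds for this host.

            Returns a dict with ``username``, ``first_name``, ``last_name``,
            ``email`` and ``role_keys``. ``role_keys`` is empty when the role
            lookup fails, so the user ends up with only the registration
            role rather than a stale or guessed one.

            Raises whatever ``raise_for_status()`` raises when the userinfo
            call itself fails.
            """
            me = self.appbuilder.sm.oauth_remotes[provider].get("openid-connect/userinfo")
            me.raise_for_status()
            data = me.json()
            # NOTE(review): at debug level this writes the full userinfo
            # claims (name, email) to the log.
            logging.debug("User info from Keycloak: %s", data)

            role = []
            username = data.get("preferred_username", "")
            # NOTE(review): request.host comes from the client's Host header
            # and selects which project's role is returned. This relies on the
            # ingress only routing the expected host name; confirm.
            host = request.host
            # NOTE(review): the role lookup is plain HTTP with no credentials,
            # and its answer can map to Admin (see AUTH_ROLES_MAPPING). Confirm
            # that network policy restricts who can serve or reach this address.
            dip_api_url = "http://dip-api.platform.svc.cluster.local:8087"
            # Percent-encode the username so characters such as "/" or "?"
            # cannot change the path that is requested.
            url = f"{dip_api_url}/gwapi/v1/projectusers/{quote(username, safe='')}"
            request_data = {"url": f"https://{host}"}

            # A timeout keeps a stalled role API from hanging the login
            # request indefinitely. verify=False was dropped: it has no effect
            # on an http:// URL and would silently disable certificate checks
            # if the URL were later switched to https://.
            try:
                role_resp = requests.post(
                    url,
                    json=request_data,
                    headers={"Content-Type": "application/json"},
                    timeout=10,
                )
            except requests.RequestException as exc:
                logging.warning("Role lookup for %s failed: %s", username, exc)
                role_resp = None

            if role_resp is not None and role_resp.status_code == 200:
                # Log text reads "API request succeeded".
                logging.info(f"API 요청 성공: {role_resp.status_code}, {role_resp.text}")
                try:
                    role_name = role_resp.json().get("roleName", "")
                except (ValueError, AttributeError):
                    # Body was not JSON, or not a JSON object.
                    role_name = ""
                # Only a non-empty role name is passed on; an empty key would
                # never match AUTH_ROLES_MAPPING anyway.
                if role_name:
                    role.append(role_name)
            elif role_resp is not None:
                # Log text reads "API request failed".
                logging.info(f"API 요청 실패: {role_resp.status_code}, {role_resp.text}")

            return {
                "username": data.get("preferred_username", ""),
                "first_name": data.get("given_name", ""),
                "last_name": data.get("family_name", ""),
                "email": data.get("email", ""),
                "role_keys": role,
            }

    AUTH_TYPE = AUTH_OAUTH
    # Any account that authenticates through the realm gets a Superset user
    # created on first login, starting with the Public role.
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Public"
    # Roles are recomputed from role_keys on every login.
    AUTH_ROLES_SYNC_AT_LOGIN = True
    CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
    OAUTH_PROVIDERS = [
        {
            "name": "keycloak",
            "icon": "fa-key",
            "token_key": "access_token",
            "remote_app": {
                "client_id": "service-demo01-super9",
                # NOTE(review): client secret committed in plain text; rotate
                # it in Keycloak and inject it from a Secret.
                "client_secret": "cb5ddcf2-63ab-4eaa-a2d5-dd3796f6d46c",
                "client_kwargs": {
                    "scope": "openid email profile",
                    # NOTE(review): 'verify': False turns off TLS certificate
                    # verification for the OAuth client's HTTPS calls to
                    # Keycloak, so a machine-in-the-middle can read the client
                    # secret and tokens or substitute userinfo. If Keycloak's
                    # certificate is issued by a private CA, mount that CA
                    # bundle and set 'verify' to its path instead of False.
                    'verify': False
                },
                'server_metadata_url': 'https://keycloak.gke.paasup.io/realms/paasup/.well-known/openid-configuration',
                'api_base_url': 'https://keycloak.gke.paasup.io/realms/paasup/protocol/'
            }
        }
    ]
    # NOTE(review): three of the four role names returned by the role API
    # grant Superset Admin. Confirm that 'manager' is meant to be a full
    # administrator.
    AUTH_ROLES_MAPPING = {
        'root': ['Admin'],
        'admin': ['Admin'],
        'manager': ['Admin'],
        'member': ['Alpha'],
    }
# NOTE(review): these packages are installed unpinned from the package index
# on every container start, so the running code depends on whatever is
# published at that moment. Pin exact versions, or bake them into the image.
bootstrapScript: |
  #!/bin/bash
  pip install sqlalchemy-drill psycopg2-binary Authlib
image:
  repository: apachesuperset.docker.scarf.sh/apache/superset
  # Null tag: the image version is whatever the chart defaults to.
  tag: ~
  pullPolicy: IfNotPresent
resources: {}
nodeSelector: {}
tolerations: []
ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: "root-ca-issuer"
    cert-manager.io/duration: 8760h
    cert-manager.io/renew-before: 720h
    konghq.com/plugins: oidc-plugin, keycloak-authz-plugin
  path: /
  pathType: ImplementationSpecific
  hosts:
    - "demo01-super9.gke.paasup.io"
  tls:
    - hosts:
        - "demo01-super9.gke.paasup.io"
      secretName: "demo01-super9-tls-secret"
supersetNode:
  replicas:
    enabled: true
    replicaCount: 1
  connections:
    redis_host: "demo01-super9-redis-headless"
    redis_port: "6379"
    redis_user: ""
    redis_cache_db: "1"
    redis_celery_db: "0"
    # Redis traffic is unencrypted (ssl disabled) and, per redis.auth below,
    # unauthenticated.
    redis_ssl:
      enabled: false
      ssl_cert_reqs: CERT_NONE
    db_host: "demo01-super9-postgresql"
    db_port: "5432"
    db_user: superset
    # NOTE(review): database password in plain text, while the postgresql
    # section below reads its password from existingSecret. Take this value
    # from the same Secret so the two cannot drift and the password is not
    # stored in the values file.
    db_pass: "Gb58gQx8Nhw8"
    db_name: superset
  resources: {}
supersetWorker:
  replicas:
    enabled: true
    replicaCount: 1
  resources: {}
supersetCeleryBeat:
  enabled: false
  resources: {}
supersetCeleryFlower:
  enabled: false
  replicaCount: 1
  resources: {}
postgresql:
  enabled: true
  auth:
    username: superset
    password: ""
    database: superset
    existingSecret: "demo01-super9-infisicalsecret"
  image:
    registry: docker.io
  primary:
    resources:
      limits: {}
      requests:
        memory: 256Mi
        cpu: 250m
    persistence:
      enabled: true
      storageClass: ""
      size: 8Gi
redis:
  enabled: true
  architecture: standalone
  # NOTE(review): with auth disabled, any pod that can reach the Redis service
  # can read and write the cache (db 1) and the Celery queue (db 0). Enable
  # auth or restrict access with a NetworkPolicy.
  auth:
    enabled: false
    existingSecret: ""
    existingSecretPasswordKey: ""
  image:
    registry: docker.io
  master:
    resources:
      limits: {}
      requests: {}
    persistence:
      enabled: true
      storageClass: ""
      size: 8Gi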