Can we change the default algorithm of superset from HS256 to RS256? #29785

anuragsingh-prospera · 2024-07-31T09:44:25Z

anuragsingh-prospera
Jul 31, 2024

Hello everyone,

I have successfully integrated Superset with AWS Cognito and I'm able to sign in the users that were created in Cognito. Now, I'm trying to generate a guest token for that user through Superset's API endpoint for guest tokens.

I use the access token generated by Cognito for that user and pass it in the header of the request to generate a guest token. However, I was encountering an "algo not allowed" error since Cognito tokens are encrypted using RS256 tokens and Superset only accepts HS256.

To resolve this, I added the following line in the superset_config.py script:

JWT_DECODE_ALGORITHM=["RS256"]
This resolved the algorithm error, but now I’m getting an internal server error. When I checked the Docker logs, it mentioned that PEM is not loading so I extracted the public key of Cognito and assigned it:

JWT_PUBLIC_KEY= os.getenv("PUBLIC_KEY")
I am still facing the same error. Has anyone encountered this issue before or have any suggestions on how to resolve it? Any help would be greatly appreciated.

Thank you!

@dosu · 2024-07-31T09:51:42Z

dosubot[bot]
bot Jul 31, 2024

To change the default algorithm of Superset from HS256 to RS256 and resolve the internal server error related to the PEM not loading when integrating with AWS Cognito, you need to update the jwtAlgorithms and jwtSecret fields in the docker/superset-websocket/config.json file.

Here is the updated configuration:

{
  "port": 8080,
  "logLevel": "info",
  "logToFile": false,
  "logFilename": "app.log",
  "statsd": {
    "host": "127.0.0.1",
    "port": 8125,
    "globalTags": []
  },
  "redis": {
    "port": 6379,
    "host": "127.0.0.1",
    "password": "",
    "db": 0,
    "ssl": false
  },
  "redisStreamPrefix": "async-events-",
  "jwtAlgorithms": ["RS256"],
  "jwtSecret": "-----BEGIN PUBLIC KEY-----\nYOUR-PEM-KEY-HERE\n-----END PUBLIC KEY-----",
  "jwtCookieName": "async-token"
}

Make sure to replace YOUR-PEM-KEY-HERE with the actual PEM key provided by AWS Cognito. This should resolve the internal server error related to the PEM not loading ^[1].

Additionally, ensure that you have set the DATABASE_OAUTH2_JWT_ALGORITHM to "RS256" in your superset_config.py file:

DATABASE_OAUTH2_JWT_ALGORITHM = "RS256"

This ensures that the JWT algorithm used for authentication is correctly configured across the necessary components ^[2].

To continue talking to Dosu, mention @dosu.

5 replies

anuragsingh-prospera Jul 31, 2024
Author

@dosu this is the error I am getting after making those changes

ERROR:superset.views.base:Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming
superset_app          | Traceback (most recent call last):
superset_app          |   File "/usr/local/lib/python3.10/site-packages/jwt/algorithms.py", line 257, in prepare_key
superset_app          |     key = load_pem_private_key(key, password=None)
superset_app          |   File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 494, in _handle_key_loading_error
superset_app          |     raise ValueError(
superset_app          | ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

dosubot[bot] bot Jul 31, 2024

The error you're encountering indicates that the PEM file might be incorrectly formatted or not properly loaded. Here are steps to ensure the PEM file is correctly formatted and accessible:

Ensure Correct PEM Format: Verify that your PEM file is correctly formatted. It should look like this:
```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----
```
Load PEM Key Correctly: Ensure that the PEM key is loaded correctly in your superset_config.py. Here is an example of how to load the PEM key from an environment variable:
```
import os

JWT_PUBLIC_KEY = os.getenv("PUBLIC_KEY")
```

Example of Using the PEM Key: Here is an example of how you might use the PEM key in your integration:

import jwt

# Your PEM certificate
ssl_certificate = os.getenv("PUBLIC_KEY")

# Example of verifying a JWT token using the certificate
def verify_jwt(token):
    try:
        decoded = jwt.decode(token, ssl_certificate, algorithms=['RS256'], audience='your_audience')
        return decoded
    except jwt.ExpiredSignatureError:
        print("Token has expired")
    except jwt.InvalidTokenError:
        print("Invalid token")

# Example usage
token = "your_jwt_token_here"
decoded_token = verify_jwt(token)
print(decoded_token)

Check Environment Variable: Ensure that the environment variable PUBLIC_KEY is correctly set and accessible within your Docker container. You can set it in your docker-compose.yml or Dockerfile:

version: '3.1'

services:
  superset:
    image: apache/superset
    environment:
      - PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nYOUR-PEM-KEY-HERE\n-----END PUBLIC KEY-----"

By ensuring the PEM file is correctly formatted and properly loaded, you should be able to resolve the PEM file loading error ^[1].

To continue talking to Dosu, mention @dosu.

anuragsingh-prospera Jul 31, 2024
Author

@Docu

this is the error I am getting after making the above mentioned changes

{
    "errors": [
        {
            "message": "Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming",
            "error_type": "GENERIC_BACKEND_ERROR",
            "level": "error",
            "extra": {
                "issue_codes": [
                    {
                        "code": 1011,
                        "message": "Issue 1011 - Superset encountered an unexpected error."
                    }
                ]
            }
        }
    ]
}

dosubot[bot] bot Jul 31, 2024

The "MalformedFraming" error indicates that the PEM file might be incorrectly formatted or not properly loaded. Here are steps to ensure the PEM file is correctly formatted and accessible:

Ensure Correct PEM Format: Verify that your PEM file is correctly formatted. It should look like this:
```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----
```
Load PEM Key Correctly: Ensure that the PEM key is loaded correctly in your superset_config.py. Here is an example of how to load the PEM key from an environment variable:
```
import os

JWT_PUBLIC_KEY = os.getenv("PUBLIC_KEY")
```

Example of Using the PEM Key: Here is an example of how you might use the PEM key in your integration:

import jwt

# Your PEM certificate
ssl_certificate = os.getenv("PUBLIC_KEY")

# Example of verifying a JWT token using the certificate
def verify_jwt(token):
    try:
        decoded = jwt.decode(token, ssl_certificate, algorithms=['RS256'], audience='your_audience')
        return decoded
    except jwt.ExpiredSignatureError:
        print("Token has expired")
    except jwt.InvalidTokenError:
        print("Invalid token")

# Example usage
token = "your_jwt_token_here"
decoded_token = verify_jwt(token)
print(decoded_token)

Check Environment Variable: Ensure that the environment variable PUBLIC_KEY is correctly set and accessible within your Docker container. You can set it in your docker-compose.yml or Dockerfile:

version: '3.1'

services:
  superset:
    image: apache/superset
    environment:
      - PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nYOUR-PEM-KEY-HERE\n-----END PUBLIC KEY-----"

By ensuring the PEM file is correctly formatted and properly loaded, you should be able to resolve the PEM file loading error ^[1].

To continue talking to Dosu, mention @dosu.

Charan-Kumar-Netala Sep 16, 2024

@dosu,
how to configure the PEM file in superset? As the APIs are not working with Cognito access token.
I see that superset has configured JWT for HS256 Algorithm, but to modify it to RS256 Algorithm, what exactly needs to be done?
Where and how to use and which PEM file to use?
I'm using Cognito SSO for superset.

Using postman, it gives 500 Internal Server Error, and message "Unable to load PEM file."

"errors": [ { "message": "Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming", "error_type": "GENERIC_BACKEND_ERROR", "level": "error", "extra": { "issue_codes": [ { "code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error." } ] } } ] }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can we change the default algorithm of superset from HS256 to RS256? #29785

{{title}}

Replies: 1 comment 5 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Can we change the default algorithm of superset from HS256 to RS256? #29785

anuragsingh-prospera Jul 31, 2024

Replies: 1 comment · 5 replies

dosubot[bot] bot Jul 31, 2024

anuragsingh-prospera Jul 31, 2024 Author

dosubot[bot] bot Jul 31, 2024

anuragsingh-prospera Jul 31, 2024 Author

dosubot[bot] bot Jul 31, 2024

Charan-Kumar-Netala Sep 16, 2024

anuragsingh-prospera
Jul 31, 2024

Replies: 1 comment 5 replies

dosubot[bot]
bot Jul 31, 2024

anuragsingh-prospera Jul 31, 2024
Author

anuragsingh-prospera Jul 31, 2024
Author