Page MenuHomePhabricator

Superset account does not receive sql_lab role despite wmf LDAP membership
Closed, ResolvedPublic

Description

My developer account is in the wmf group, so it should automatically receive the sql_lab role. Previously, it did have the role, but it disappeared some time around the week of 26 March 2024.

Screenshot 2024-03-29 at 20.58.31.png (922×1 px, 102 KB)

@brouberol added the role back manually, but then it disappeared again when I logged out and back in again.

Event Timeline

Stevemunene changed the task status from Open to In Progress.Apr 5 2024, 8:05 AM
Stevemunene assigned this task to brouberol.
Stevemunene updated Other Assignee, added: Stevemunene.

Change #1017487 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] superset: ensure role list returned by OIDC server is a list of strings

https://gerrit.wikimedia.org/r/1017487

We identified the root cause: in the case of users belonging to a single LDAP group (which is the case for Neil), CAS returns a role list as a string, instead of a list containing a single string.

By ensuring that the roles are always a list of string, even in the case of a single role, we then match the expectations of the method in charge of mapping LDAP groups to Superset roles, in terms of argument types, and sql_lab is finally re-assigned to Neil.

This was successfully tested in superset-next.

Change #1017487 merged by Brouberol:

[operations/deployment-charts@master] superset: ensure role list returned by OIDC server is a list of strings

https://gerrit.wikimedia.org/r/1017487

This should be fixed now. Please re-open if you're seeing the same bug reoccur. Thanks for the report!