
Superset resets user's role to default value after logging out when using SSO #32279

Closed
2 of 3 tasks
EuphoriaCelestial opened this issue Feb 17, 2025 · 3 comments
Labels
authentication:sso Single Sign On global:users Related to users and roles

Comments


EuphoriaCelestial commented Feb 17, 2025

Bug description

Hi, I have a local instance of Superset on my machine, and it has a bug where the user's role is reset to 4 (Gamma) after logging out. I have tried editing the user's role directly in the ab_user_role table inside the Postgres DB and editing it in the UI; my Superset instance is integrated with Keycloak for SSO.
Any idea what the cause of this bug is and how to fix it? And what is the correct way to promote a user to the Admin role?

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

I don't know

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

dosubot bot commented Feb 17, 2025

The issue of a user's role resetting to Gamma after logging out when using SSO with Superset and Keycloak is likely due to the default role assignment settings in Superset. When a user logs in via SSO, their role is determined by the AUTH_USER_REGISTRATION_ROLE setting or the AUTH_ROLES_MAPPING if group-to-role mapping is configured.

To fix this bug and correctly promote a user to the Admin role, you should ensure that the AUTH_ROLES_MAPPING is correctly set up to map the appropriate OAuth groups to the desired Superset roles. Here is how you can configure it:

  1. Set up Role Mapping:

    Ensure that your superset_config.py includes the correct mapping of OAuth groups to Superset roles. For example:

    AUTH_ROLES_MAPPING = {
        "superset_users": ["Gamma", "Alpha"],
        "superset_admins": ["Admin"],
    }

    This configuration maps the OAuth group superset_admins to the Superset role Admin.

  2. Enable Role Syncing:

    To ensure that roles are synced at each login, set AUTH_ROLES_SYNC_AT_LOGIN to True:

    AUTH_ROLES_SYNC_AT_LOGIN = True

  3. Check User Registration Role:

    Ensure that the AUTH_USER_REGISTRATION_ROLE is set to a role that makes sense for new users who do not belong to any mapped group:

    AUTH_USER_REGISTRATION_ROLE = "Public"

By configuring these settings, you can ensure that users are assigned the correct roles based on their OAuth group membership, and that these roles are maintained across sessions [1].


@dosubot dosubot bot added authentication:sso Single Sign On global:users Related to users and roles labels Feb 17, 2025
hainenber (Contributor) commented

Hello, have you followed Dosu bot's recommendation, and if so, how is it going?

sfirke (Member) commented Feb 20, 2025

Yes I think Dosu is on the right track, kind of. I would put it like this: if your user roles are changing after logging out, when using SSO, and you don't want that, then set AUTH_ROLES_SYNC_AT_LOGIN = False in your config.

I use SSO groups to populate user roles upon first registration but I have some overwrites and so I have this set to False in my org's config.

If that's not a satisfactory resolution, please reply with more info and we can look at reopening this. I'll close for now since I believe this is resolved.
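As an added illustration of the behaviour discussed in Dosu's comment and in sfirke's reply (this is not code from Superset or Flask-AppBuilder, and the Settings class, the two functions and the scenario are a simplified, hypothetical model): it shows why a role set by hand in the UI or in ab_user_role is replaced by the registration role on the next SSO login when AUTH_ROLES_SYNC_AT_LOGIN is on, and what each of the two suggested fixes changes. It assumes the registration role is always added to the computed set and that syncing replaces the stored roles wholesale.

```python
from dataclasses import dataclass, field


@dataclass
class Settings:
    """The superset_config.py keys discussed in the thread (hypothetical holder)."""
    AUTH_ROLES_MAPPING: dict = field(default_factory=dict)  # SSO group -> Superset roles
    AUTH_ROLES_SYNC_AT_LOGIN: bool = True
    AUTH_USER_REGISTRATION: bool = True
    AUTH_USER_REGISTRATION_ROLE: str = "Public"


def roles_from_groups(settings: Settings, groups: list) -> set:
    """Roles implied by the SSO group claims, plus the registration role.
    Assumption: the registration role is always added when self-registration is on."""
    roles = set()
    for group in groups:
        roles.update(settings.AUTH_ROLES_MAPPING.get(group, []))
    if settings.AUTH_USER_REGISTRATION:
        roles.add(settings.AUTH_USER_REGISTRATION_ROLE)
    return roles


def roles_after_login(settings: Settings, stored_roles, groups: list) -> set:
    """Roles a user holds after an SSO login.
    stored_roles is None for a first login (the account is created); otherwise it is
    the set currently in ab_user_role, including any manual promotion made in the UI."""
    computed = roles_from_groups(settings, groups)
    if stored_roles is None:
        return computed            # new account is registered with the computed roles
    if settings.AUTH_ROLES_SYNC_AT_LOGIN:
        return computed            # existing account: manual edits are overwritten
    return set(stored_roles)       # existing account: stored roles are kept


def reproduce_report() -> dict:
    """Constructed scenario from the issue: no group mapping, registration role Gamma,
    user promoted to Admin by hand, then logs out and back in."""
    promoted = {"Admin"}
    mapping = {"superset_users": ["Gamma", "Alpha"], "superset_admins": ["Admin"]}
    return {
        # default syncing: the hand-made Admin role is replaced by Gamma, as reported
        "sync_on": roles_after_login(Settings(AUTH_USER_REGISTRATION_ROLE="Gamma"), promoted, []),
        # sfirke's fix: turn syncing off and the manual promotion survives the login
        "sync_off": roles_after_login(
            Settings(AUTH_USER_REGISTRATION_ROLE="Gamma", AUTH_ROLES_SYNC_AT_LOGIN=False), promoted, []),
        # Dosu's fix: map an admin group so Admin is re-granted from the IdP on every login
        "mapped": roles_after_login(Settings(AUTH_ROLES_MAPPING=mapping), promoted, ["superset_admins"]),
    }
```

With syncing off, a user removed from an IdP group keeps whatever roles are stored in Superset, so role changes made on the Keycloak side no longer propagate and the stored roles need periodic review.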

@sfirke sfirke closed this as completed Feb 20, 2025