From a044d381819da9d36eb72682b9d31fade6cb769d Mon Sep 17 00:00:00 2001
From: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
Date: Wed, 10 Jan 2024 11:12:01 -0800
Subject: [PATCH 001/114] chore: bump prophet to 1.1.5 (#26431)

(cherry picked from commit a1993566c417c7e90db03676ea222571562c70d1)
---
 requirements/base.txt        | 21 ++++-----------------
 requirements/development.txt |  2 +-
 requirements/testing.txt     |  8 +++-----
 setup.py                     | 12 ++++++------
 4 files changed, 14 insertions(+), 29 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index df8f3ea5572fa..2c20094f72aa0 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -72,8 +72,6 @@ colorama==0.4.6
     # via
     #   apache-superset
     #   flask-appbuilder
-convertdate==2.4.0
-    # via holidays
 cron-descriptor==1.2.24
     # via apache-superset
 croniter==1.0.15
@@ -143,16 +141,12 @@ geographiclib==1.52
 geopy==2.2.0
     # via apache-superset
 greenlet==2.0.2
-    # via
-    #   shillelagh
-    #   sqlalchemy
+    # via shillelagh
 gunicorn==21.2.0
     # via apache-superset
 hashids==1.3.1
     # via apache-superset
-hijri-converter==2.3.1
-    # via holidays
-holidays==0.23
+holidays==0.25
     # via apache-superset
 humanize==3.11.0
     # via apache-superset
@@ -161,10 +155,7 @@ idna==3.2
     #   email-validator
     #   requests
 importlib-metadata==6.6.0
-    # via
-    #   apache-superset
-    #   flask
-    #   shillelagh
+    # via apache-superset
 importlib-resources==5.12.0
     # via limits
 isodate==0.6.0
@@ -263,8 +254,6 @@ pyjwt==2.4.0
     #   apache-superset
     #   flask-appbuilder
     #   flask-jwt-extended
-pymeeus==0.5.12
-    # via convertdate
 pynacl==1.5.0
     # via paramiko
 pyparsing==3.0.6
@@ -387,9 +376,7 @@ wtforms-json==0.3.5
 xlsxwriter==3.0.7
     # via apache-superset
 zipp==3.15.0
-    # via
-    #   importlib-metadata
-    #   importlib-resources
+    # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools
diff --git a/requirements/development.txt b/requirements/development.txt
index a73e3a70c5c27..ca80cd60ede93 100644
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -72,7 +72,7 @@ pexpect==4.8.0
     # via ipython
 pickleshare==0.7.5
     # via ipython
-pillow==9.5.0
+pillow==10.2.0
     # via apache-superset
 progress==1.6
     # via -r requirements/development.in
diff --git a/requirements/testing.txt b/requirements/testing.txt
index c1f6e55d1293a..3bf3c78d03728 100644
--- a/requirements/testing.txt
+++ b/requirements/testing.txt
@@ -24,6 +24,8 @@ db-dtypes==1.1.1
     # via pandas-gbq
 docker==6.1.1
     # via -r requirements/testing.in
+exceptiongroup==1.1.1
+    # via pytest
 ephem==4.1.4
     # via lunarcalendar
 flask-testing==0.8.1
@@ -83,8 +85,6 @@ jsonschema-spec==0.1.4
     # via openapi-spec-validator
 kiwisolver==1.4.4
     # via matplotlib
-lunarcalendar==0.0.9
-    # via prophet
 matplotlib==3.7.1
     # via prophet
 oauthlib==3.2.2
@@ -101,7 +101,7 @@ pathable==0.4.3
     # via jsonschema-spec
 playwright==1.37.0
     # via apache-superset
-prophet==1.1.1
+prophet==1.1.5
     # via apache-superset
 proto-plus==1.22.2
     # via
@@ -138,8 +138,6 @@ rfc3339-validator==0.1.4
     # via openapi-schema-validator
 rsa==4.9
     # via google-auth
-setuptools-git==1.2
-    # via prophet
 sqlalchemy-bigquery==1.6.1
     # via apache-superset
 statsd==4.0.1
diff --git a/setup.py b/setup.py
index 563cd32342408..993c72784679a 100644
--- a/setup.py
+++ b/setup.py
@@ -95,7 +95,7 @@ def get_git_sha() -> str:
         "geopy",
         "gunicorn>=21.2.0, <22.0; sys_platform != 'win32'",
         "hashids>=1.3.1, <2",
-        "holidays>=0.23, <0.24",
+        "holidays>=0.25, <0.26",
         "humanize",
         "importlib_metadata",
         "isodate",
@@ -188,18 +188,18 @@ def get_git_sha() -> str:
         "postgres": ["psycopg2-binary==2.9.6"],
         "presto": ["pyhive[presto]>=0.6.5"],
         "trino": ["trino>=0.324.0"],
-        "prophet": ["prophet==1.1.1"],
-        "redshift": ["sqlalchemy-redshift>=0.8.1, < 0.9"],
-        "rockset": ["rockset-sqlalchemy>=0.0.1, <1.0.0"],
+        "prophet": ["prophet>=1.1.5, <2"],
+        "redshift": ["sqlalchemy-redshift>=0.8.1, <0.9"],
+        "rockset": ["rockset-sqlalchemy>=0.0.1, <1"],
         "shillelagh": [
             "shillelagh[datasetteapi,gsheetsapi,socrata,weatherapi]>=1.2.10, <2"
         ],
         "snowflake": ["snowflake-sqlalchemy>=1.2.4, <2"],
         "spark": [
             "pyhive[hive]>=0.6.5;python_version<'3.11'",
-            "pyhive[hive_pure_sasl]>=0.7.0",
+            "pyhive[hive_pure_sasl]>=0.7",
             "tableschema",
-            "thrift>=0.14.1, <1.0.0",
+            "thrift>=0.14.1, <1",
         ],
         "teradata": ["teradatasql>=16.20.0.23"],
         "thumbnails": ["Pillow>=10.0.1, <11"],

From 66dd7f5dc551880dc5f8c035c6a12060a0117136 Mon Sep 17 00:00:00 2001
From: Igor Khrol <igor.khrol@automattic.com>
Date: Thu, 11 Jan 2024 02:37:18 +0200
Subject: [PATCH 002/114] fix: Trino - handle table not found in SQLLab
 (#26355)

Co-authored-by: John Bodley <4567245+john-bodley@users.noreply.github.com>
(cherry picked from commit 3daa038f5f6cc02b77bf7a03396fb31261d28dbd)
---
 superset/db_engine_specs/trino.py             | 25 +++++++++++++++++++
 .../unit_tests/db_engine_specs/test_trino.py  | 16 ++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/superset/db_engine_specs/trino.py b/superset/db_engine_specs/trino.py
index 6e56dbfa24d6b..1dc711880d729 100644
--- a/superset/db_engine_specs/trino.py
+++ b/superset/db_engine_specs/trino.py
@@ -26,6 +26,7 @@
 from flask import current_app
 from sqlalchemy.engine.reflection import Inspector
 from sqlalchemy.engine.url import URL
+from sqlalchemy.exc import NoSuchTableError
 from sqlalchemy.orm import Session
 
 from superset.constants import QUERY_CANCEL_KEY, QUERY_EARLY_CANCEL_KEY, USER_AGENT
@@ -395,3 +396,27 @@ def get_columns(
             return base_cols
 
         return [col for base_col in base_cols for col in cls._expand_columns(base_col)]
+
+    @classmethod
+    def get_indexes(
+        cls,
+        database: Database,
+        inspector: Inspector,
+        table_name: str,
+        schema: str | None,
+    ) -> list[dict[str, Any]]:
+        """
+        Get the indexes associated with the specified schema/table.
+
+        Trino dialect raises NoSuchTableError in get_indexes if table is empty.
+
+        :param database: The database to inspect
+        :param inspector: The SQLAlchemy inspector
+        :param table_name: The table to inspect
+        :param schema: The schema to inspect
+        :returns: The indexes
+        """
+        try:
+            return super().get_indexes(database, inspector, table_name, schema)
+        except NoSuchTableError:
+            return []
diff --git a/tests/unit_tests/db_engine_specs/test_trino.py b/tests/unit_tests/db_engine_specs/test_trino.py
index 15e55fc5af62f..fd553b241c8f1 100644
--- a/tests/unit_tests/db_engine_specs/test_trino.py
+++ b/tests/unit_tests/db_engine_specs/test_trino.py
@@ -517,3 +517,19 @@ def test_get_columns_expand_rows(mocker: MockerFixture):
     ]
 
     _assert_columns_equal(actual, expected)
+
+
+def test_get_indexes_no_table():
+    from sqlalchemy.exc import NoSuchTableError
+
+    from superset.db_engine_specs.trino import TrinoEngineSpec
+
+    db_mock = Mock()
+    inspector_mock = Mock()
+    inspector_mock.get_indexes = Mock(
+        side_effect=NoSuchTableError("The specified table does not exist.")
+    )
+    result = TrinoEngineSpec.get_indexes(
+        db_mock, inspector_mock, "test_table", "test_schema"
+    )
+    assert result == []

From 3fe4d68b75ac3715e80e24580b432f8019bb6f42 Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Thu, 11 Jan 2024 16:44:12 -0300
Subject: [PATCH 003/114] fix(embedded): Hide dashboard fullscreen option for
 embedded context (#26412)

(cherry picked from commit 494068b6325054be076e994ca06e01efdfe83aec)
---
 .../HeaderActionsDropdown.test.tsx               | 16 ++++++++++++++++
 .../Header/HeaderActionsDropdown/index.jsx       |  4 +++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/HeaderActionsDropdown.test.tsx b/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/HeaderActionsDropdown.test.tsx
index e112e7e5310de..deea296d4c04f 100644
--- a/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/HeaderActionsDropdown.test.tsx
+++ b/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/HeaderActionsDropdown.test.tsx
@@ -92,6 +92,14 @@ const editModeOnWithFilterScopesProps = {
   },
 };
 
+const guestUserProps = {
+  ...createProps(),
+  dashboardInfo: {
+    ...createProps().dashboardInfo,
+    userId: undefined,
+  },
+};
+
 function setup(props: HeaderDropdownProps) {
   return render(
     <div className="dashboard-header">
@@ -134,6 +142,14 @@ test('should render the menu items in edit mode', async () => {
   expect(screen.getByText('Download')).toBeInTheDocument();
 });
 
+test('should render the menu items in Embedded mode', async () => {
+  setup(guestUserProps);
+  expect(screen.getAllByRole('menuitem')).toHaveLength(3);
+  expect(screen.getByText('Refresh dashboard')).toBeInTheDocument();
+  expect(screen.getByText('Download')).toBeInTheDocument();
+  expect(screen.getByText('Set auto-refresh interval')).toBeInTheDocument();
+});
+
 describe('with native filters feature flag disabled', () => {
   beforeAll(() => {
     isFeatureEnabledMock = jest
diff --git a/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx b/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx
index 4d8bcf4ee0930..b0d3fc251e9d9 100644
--- a/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx
+++ b/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx
@@ -216,6 +216,8 @@ class HeaderActionsDropdown extends React.PureComponent {
     const emailSubject = `${emailTitle} ${dashboardTitle}`;
     const emailBody = t('Check out this dashboard: ');
 
+    const isEmbedded = !dashboardInfo?.userId;
+
     const url = getDashboardUrl({
       pathname: window.location.pathname,
       filters: getActiveFilters(),
@@ -237,7 +239,7 @@ class HeaderActionsDropdown extends React.PureComponent {
             {t('Refresh dashboard')}
           </Menu.Item>
         )}
-        {!editMode && (
+        {!editMode && !isEmbedded && (
           <Menu.Item
             key={MENU_KEYS.TOGGLE_FULLSCREEN}
             onClick={this.handleMenuClick}

From 36846e9c2b0b91b203e720b32f7fa5ff2052d95e Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Fri, 12 Jan 2024 11:18:39 -0500
Subject: [PATCH 004/114] fix(database): allow filtering by UUID (#26469)

(cherry picked from commit e36c014290abe9583f4134464bc3f8e602c7b846)
---
 superset/databases/api.py              |  1 +
 tests/unit_tests/databases/api_test.py | 40 ++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/superset/databases/api.py b/superset/databases/api.py
index 8de84a16af6dc..62fb72943749f 100644
--- a/superset/databases/api.py
+++ b/superset/databases/api.py
@@ -205,6 +205,7 @@ class DatabaseRestApi(BaseSupersetModelRestApi):
         "changed_by",
         "database_name",
         "expose_in_sqllab",
+        "uuid",
     ]
     search_filters = {"allow_file_upload": [DatabaseUploadEnabledFilter]}
     allowed_rel_fields = {"changed_by", "created_by"}
diff --git a/tests/unit_tests/databases/api_test.py b/tests/unit_tests/databases/api_test.py
index 28ca123ec66a0..cf3e64c306210 100644
--- a/tests/unit_tests/databases/api_test.py
+++ b/tests/unit_tests/databases/api_test.py
@@ -29,6 +29,46 @@
 from sqlalchemy.orm.session import Session
 
 
+def test_filter_by_uuid(
+    session: Session,
+    client: Any,
+    full_api_access: None,
+) -> None:
+    """
+    Test that we can filter databases by UUID.
+
+    Note: this functionality is not used by the Superset UI, but is needed by 3rd
+    party tools that use the Superset API. If this tests breaks, please make sure
+    that the functionality is properly deprecated between major versions with
+    enough warning so that tools can be adapted.
+    """
+    from superset.databases.api import DatabaseRestApi
+    from superset.models.core import Database
+
+    DatabaseRestApi.datamodel.session = session
+
+    # create table for databases
+    Database.metadata.create_all(session.get_bind())  # pylint: disable=no-member
+    session.add(
+        Database(
+            database_name="my_db",
+            sqlalchemy_uri="sqlite://",
+            uuid=UUID("7c1b7880-a59d-47cd-8bf1-f1eb8d2863cb"),
+        )
+    )
+    session.commit()
+
+    response = client.get(
+        "/api/v1/database/?q=(filters:!((col:uuid,opr:eq,value:"
+        "%277c1b7880-a59d-47cd-8bf1-f1eb8d2863cb%27)))"
+    )
+    assert response.status_code == 200
+
+    payload = response.json
+    assert len(payload["result"]) == 1
+    assert payload["result"][0]["uuid"] == "7c1b7880-a59d-47cd-8bf1-f1eb8d2863cb"
+
+
 def test_post_with_uuid(
     session: Session,
     client: Any,

From c2cd05ee4a15ca375ae93290e64ecb7edd5e0673 Mon Sep 17 00:00:00 2001
From: Geido <60598000+geido@users.noreply.github.com>
Date: Tue, 16 Jan 2024 18:29:06 +0100
Subject: [PATCH 005/114] fix: RLS modal styling (#26634)

(cherry picked from commit 820f4b9cf066c28b4fb448bce5025c614a979296)
---
 .../Form/LabeledErrorBoundInput.tsx           |  4 +-
 .../src/components/InfoTooltip/index.tsx      |  2 +-
 .../features/rls/RowLevelSecurityModal.tsx    | 49 ++++++++++++-------
 .../src/pages/ChartList/index.tsx             |  4 +-
 .../src/pages/DatasetList/index.tsx           |  4 +-
 5 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/superset-frontend/src/components/Form/LabeledErrorBoundInput.tsx b/superset-frontend/src/components/Form/LabeledErrorBoundInput.tsx
index 51cf104b271ca..6b0feb7268f7e 100644
--- a/superset-frontend/src/components/Form/LabeledErrorBoundInput.tsx
+++ b/superset-frontend/src/components/Form/LabeledErrorBoundInput.tsx
@@ -116,9 +116,7 @@ const LabeledErrorBoundInput = ({
       <StyledFormLabel htmlFor={id} required={required}>
         {label}
       </StyledFormLabel>
-      {hasTooltip && (
-        <InfoTooltip tooltip={`${tooltipText}`} viewBox="0 -1 24 24" />
-      )}
+      {hasTooltip && <InfoTooltip tooltip={`${tooltipText}`} />}
     </StyledAlignment>
     <FormItem
       css={(theme: SupersetTheme) => alertIconStyles(theme, !!errorMessage)}
diff --git a/superset-frontend/src/components/InfoTooltip/index.tsx b/superset-frontend/src/components/InfoTooltip/index.tsx
index ba08393f18fc8..a3ad7aa21acb3 100644
--- a/superset-frontend/src/components/InfoTooltip/index.tsx
+++ b/superset-frontend/src/components/InfoTooltip/index.tsx
@@ -73,7 +73,7 @@ export default function InfoTooltip({
   trigger = 'hover',
   overlayStyle = defaultOverlayStyle,
   bgColor = defaultColor,
-  viewBox = '0 -2 24 24',
+  viewBox = '0 -1 24 24',
 }: InfoTooltipProps) {
   return (
     <StyledTooltip
diff --git a/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx b/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx
index d14d48d0e51dc..7e4143e5827f6 100644
--- a/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx
+++ b/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx
@@ -31,12 +31,19 @@ import Select from 'src/components/Select/Select';
 import AsyncSelect from 'src/components/Select/AsyncSelect';
 import rison from 'rison';
 import { LabeledErrorBoundInput } from 'src/components/Form';
-import { noBottomMargin } from 'src/features/reports/ReportModal/styles';
 import InfoTooltip from 'src/components/InfoTooltip';
 import { useSingleViewResource } from 'src/views/CRUD/hooks';
 import { FilterOptions } from './constants';
 import { FilterType, RLSObject, RoleObject, TableObject } from './types';
 
+const noMargins = css`
+  margin: 0;
+
+  .ant-input {
+    margin: 0;
+  }
+`;
+
 const StyledModal = styled(Modal)`
   max-width: 1200px;
   min-width: min-content;
@@ -59,9 +66,17 @@ const StyledSectionContainer = styled.div`
   padding: ${({ theme }) =>
     `${theme.gridUnit * 3}px ${theme.gridUnit * 4}px ${theme.gridUnit * 2}px`};
 
-  label {
+  label,
+  .control-label {
+    display: inline-block;
     font-size: ${({ theme }) => theme.typography.sizes.s}px;
-    color: ${({ theme }) => theme.colors.grayscale.light1};
+    color: ${({ theme }) => theme.colors.grayscale.base};
+    vertical-align: middle;
+  }
+
+  .info-solid-small {
+    vertical-align: middle;
+    padding-bottom: ${({ theme }) => theme.gridUnit / 2}px;
   }
 `;
 
@@ -69,7 +84,6 @@ const StyledInputContainer = styled.div`
   display: flex;
   flex-direction: column;
   margin: ${({ theme }) => theme.gridUnit}px;
-
   margin-bottom: ${({ theme }) => theme.gridUnit * 4}px;
 
   .input-container {
@@ -79,11 +93,6 @@ const StyledInputContainer = styled.div`
     > div {
       width: 100%;
     }
-
-    label {
-      display: flex;
-      margin-right: ${({ theme }) => theme.gridUnit * 2}px;
-    }
   }
 
   input,
@@ -91,17 +100,19 @@ const StyledInputContainer = styled.div`
     flex: 1 1 auto;
   }
 
-  textarea {
-    height: 100px;
-    resize: none;
-  }
-
   .required {
     margin-left: ${({ theme }) => theme.gridUnit / 2}px;
     color: ${({ theme }) => theme.colors.error.base};
   }
 `;
 
+const StyledTextArea = styled.textarea`
+  height: 100px;
+  resize: none;
+  margin-top: ${({ theme }) => theme.gridUnit}px;
+  border: 1px solid ${({ theme }) => theme.colors.secondary.light3};
+`;
+
 export interface RowLevelSecurityModalProps {
   rule: RLSObject | null;
   addSuccessToast: (msg: string) => void;
@@ -355,9 +366,11 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
                 onChange: ({ target }: { target: HTMLInputElement }) =>
                   onTextChange(target),
               }}
-              css={noBottomMargin}
+              css={noMargins}
               label={t('Rule Name')}
               data-test="rule-name-test"
+              tooltipText={t('The name of the rule must be unique')}
+              hasTooltip
             />
           </StyledInputContainer>
 
@@ -433,7 +446,7 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
                 onChange: ({ target }: { target: HTMLInputElement }) =>
                   onTextChange(target),
               }}
-              css={noBottomMargin}
+              css={noMargins}
               label={t('Group Key')}
               hasTooltip
               tooltipText={t(
@@ -454,7 +467,7 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
                   onChange: ({ target }: { target: HTMLInputElement }) =>
                     onTextChange(target),
                 }}
-                css={noBottomMargin}
+                css={noMargins}
                 label={t('Clause')}
                 hasTooltip
                 tooltipText={t(
@@ -468,7 +481,7 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
           <StyledInputContainer>
             <div className="control-label">{t('Description')}</div>
             <div className="input-container">
-              <textarea
+              <StyledTextArea
                 name="description"
                 value={currentRule ? currentRule.description : ''}
                 onChange={event => onTextChange(event.target)}
diff --git a/superset-frontend/src/pages/ChartList/index.tsx b/superset-frontend/src/pages/ChartList/index.tsx
index cbda387681b23..508019666111c 100644
--- a/superset-frontend/src/pages/ChartList/index.tsx
+++ b/superset-frontend/src/pages/ChartList/index.tsx
@@ -356,9 +356,7 @@ function ChartList(props: ChartListProps) {
               )}
               {sliceName}
             </Link>
-            {description && (
-              <InfoTooltip tooltip={description} viewBox="0 -1 24 24" />
-            )}
+            {description && <InfoTooltip tooltip={description} />}
           </FlexRowContainer>
         ),
         Header: t('Name'),
diff --git a/superset-frontend/src/pages/DatasetList/index.tsx b/superset-frontend/src/pages/DatasetList/index.tsx
index 8a39cb0463e2b..5aef13dbb6101 100644
--- a/superset-frontend/src/pages/DatasetList/index.tsx
+++ b/superset-frontend/src/pages/DatasetList/index.tsx
@@ -349,9 +349,7 @@ const DatasetList: FunctionComponent<DatasetListProps> = ({
                   />
                 )}
                 {titleLink}
-                {description && (
-                  <InfoTooltip tooltip={description} viewBox="0 -1 24 24" />
-                )}
+                {description && <InfoTooltip tooltip={description} />}
               </FlexRowContainer>
             );
           } catch {

From 0c569108da6a48253f1e9f82a223da76cb307009 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Wed, 17 Jan 2024 09:11:15 +0000
Subject: [PATCH 006/114] fix: create virtual dataset validation (#26625)

(cherry picked from commit 8e19f59dd276617822d263c700e49386b92d4a6c)
---
 superset/commands/dataset/create.py           |  13 +-
 superset/commands/dataset/exceptions.py       |   7 +
 superset/security/manager.py                  |  16 +
 .../datasets/commands_tests.py                |  45 ++-
 tests/integration_tests/security_tests.py     | 342 +++++++++---------
 5 files changed, 233 insertions(+), 190 deletions(-)

diff --git a/superset/commands/dataset/create.py b/superset/commands/dataset/create.py
index 1c354e835f8a2..16b87a567a5f0 100644
--- a/superset/commands/dataset/create.py
+++ b/superset/commands/dataset/create.py
@@ -25,13 +25,15 @@
 from superset.commands.dataset.exceptions import (
     DatabaseNotFoundValidationError,
     DatasetCreateFailedError,
+    DatasetDataAccessIsNotAllowed,
     DatasetExistsValidationError,
     DatasetInvalidError,
     TableNotFoundValidationError,
 )
 from superset.daos.dataset import DatasetDAO
 from superset.daos.exceptions import DAOCreateFailedError
-from superset.extensions import db
+from superset.exceptions import SupersetSecurityException
+from superset.extensions import db, security_manager
 
 logger = logging.getLogger(__name__)
 
@@ -82,6 +84,15 @@ def validate(self) -> None:
         ):
             exceptions.append(TableNotFoundValidationError(table_name))
 
+        if sql:
+            try:
+                security_manager.raise_for_access(
+                    database=database,
+                    sql=sql,
+                    schema=schema,
+                )
+            except SupersetSecurityException as ex:
+                exceptions.append(DatasetDataAccessIsNotAllowed(ex.error.message))
         try:
             owners = self.populate_owners(owner_ids)
             self._properties["owners"] = owners
diff --git a/superset/commands/dataset/exceptions.py b/superset/commands/dataset/exceptions.py
index f135294980835..4b8acaca08b8d 100644
--- a/superset/commands/dataset/exceptions.py
+++ b/superset/commands/dataset/exceptions.py
@@ -144,6 +144,13 @@ def __init__(self) -> None:
         super().__init__([_("Owners are invalid")], field_name="owners")
 
 
+class DatasetDataAccessIsNotAllowed(ValidationError):
+    status = 422
+
+    def __init__(self, message: str) -> None:
+        super().__init__([_(message)], field_name="sql")
+
+
 class DatasetNotFoundError(CommandException):
     status = 404
     message = _("Dataset does not exist")
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 5eb1afdda99a2..b8978104d9f54 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -1828,6 +1828,8 @@ def raise_for_access(
         query_context: Optional["QueryContext"] = None,
         table: Optional["Table"] = None,
         viz: Optional["BaseViz"] = None,
+        sql: Optional[str] = None,
+        schema: Optional[str] = None,
     ) -> None:
         """
         Raise an exception if the user cannot access the resource.
@@ -1838,6 +1840,8 @@ def raise_for_access(
         :param query_context: The query context
         :param table: The Superset table (requires database)
         :param viz: The visualization
+        :param sql: The SQL string (requires database)
+        :param schema: Optional schema name
         :raises SupersetSecurityException: If the user cannot access the resource
         """
 
@@ -1846,7 +1850,19 @@ def raise_for_access(
         from superset.connectors.sqla.models import SqlaTable
         from superset.models.dashboard import Dashboard
         from superset.models.slice import Slice
+        from superset.models.sql_lab import Query
         from superset.sql_parse import Table
+        from superset.utils.core import shortid
+
+        if sql and database:
+            query = Query(
+                database=database,
+                sql=sql,
+                schema=schema,
+                client_id=shortid()[:10],
+                user_id=get_user_id(),
+            )
+            self.get_session.expunge(query)
 
         if database and table or query:
             if query:
diff --git a/tests/integration_tests/datasets/commands_tests.py b/tests/integration_tests/datasets/commands_tests.py
index 1ea554a81838f..b45bbdb76d5eb 100644
--- a/tests/integration_tests/datasets/commands_tests.py
+++ b/tests/integration_tests/datasets/commands_tests.py
@@ -38,7 +38,7 @@
 from superset.connectors.sqla.models import SqlaTable
 from superset.models.core import Database
 from superset.models.slice import Slice
-from superset.utils.core import get_example_default_schema
+from superset.utils.core import get_example_default_schema, override_user
 from superset.utils.database import get_example_database
 from tests.integration_tests.base_tests import SupersetTestCase
 from tests.integration_tests.fixtures.birth_names_dashboard import (
@@ -509,6 +509,7 @@ def test_import_v1_dataset_existing_database(self, mock_g):
             "metadata.yaml": yaml.safe_dump(database_metadata_config),
             "databases/imported_database.yaml": yaml.safe_dump(database_config),
         }
+
         command = ImportDatabasesCommand(contents)
         command.run()
 
@@ -558,11 +559,7 @@ def test_get_table_from_database_error(self, get_table_mock):
                 {"table_name": "table", "database": get_example_database().id}
             ).run()
 
-    @patch("superset.security.manager.g")
-    @patch("superset.commands.utils.g")
-    def test_create_dataset_command(self, mock_g, mock_g2):
-        mock_g.user = security_manager.find_user("admin")
-        mock_g2.user = mock_g.user
+    def test_create_dataset_command(self):
         examples_db = get_example_database()
         with examples_db.get_sqla_engine_with_context() as engine:
             engine.execute("DROP TABLE IF EXISTS test_create_dataset_command")
@@ -570,22 +567,38 @@ def test_create_dataset_command(self, mock_g, mock_g2):
                 "CREATE TABLE test_create_dataset_command AS SELECT 2 as col"
             )
 
-        table = CreateDatasetCommand(
-            {"table_name": "test_create_dataset_command", "database": examples_db.id}
-        ).run()
-        fetched_table = (
-            db.session.query(SqlaTable)
-            .filter_by(table_name="test_create_dataset_command")
-            .one()
-        )
-        self.assertEqual(table, fetched_table)
-        self.assertEqual([owner.username for owner in table.owners], ["admin"])
+        with override_user(security_manager.find_user("admin")):
+            table = CreateDatasetCommand(
+                {
+                    "table_name": "test_create_dataset_command",
+                    "database": examples_db.id,
+                }
+            ).run()
+            fetched_table = (
+                db.session.query(SqlaTable)
+                .filter_by(table_name="test_create_dataset_command")
+                .one()
+            )
+            self.assertEqual(table, fetched_table)
+            self.assertEqual([owner.username for owner in table.owners], ["admin"])
 
         db.session.delete(table)
         with examples_db.get_sqla_engine_with_context() as engine:
             engine.execute("DROP TABLE test_create_dataset_command")
         db.session.commit()
 
+    def test_create_dataset_command_not_allowed(self):
+        examples_db = get_example_database()
+        with override_user(security_manager.find_user("gamma")):
+            with self.assertRaises(DatasetInvalidError):
+                _ = CreateDatasetCommand(
+                    {
+                        "sql": "select * from ab_user",
+                        "database": examples_db.id,
+                        "table_name": "exp1",
+                    }
+                ).run()
+
 
 class TestDatasetWarmUpCacheCommand(SupersetTestCase):
     def test_warm_up_cache_command_table_not_found(self):
diff --git a/tests/integration_tests/security_tests.py b/tests/integration_tests/security_tests.py
index 9eaabf3680ec4..90a24cbaff6e6 100644
--- a/tests/integration_tests/security_tests.py
+++ b/tests/integration_tests/security_tests.py
@@ -43,6 +43,7 @@
     DatasourceType,
     backend,
     get_example_default_schema,
+    override_user,
 )
 from superset.utils.database import get_example_database
 from superset.utils.urls import get_url_host
@@ -1192,37 +1193,31 @@ def test_schemas_accessible_by_user_schema_access(self, mock_sm_g, mock_g):
             self.assertEqual(schemas, ["1"])
         delete_schema_perm("[examples].[1]")
 
-    @patch("superset.utils.core.g")
-    @patch("superset.security.manager.g")
-    def test_schemas_accessible_by_user_datasource_access(self, mock_sm_g, mock_g):
+    def test_schemas_accessible_by_user_datasource_access(self):
         # User has schema access to the datasource temp_schema.wb_health_population in examples DB.
-        mock_g.user = mock_sm_g.user = security_manager.find_user("gamma")
+        database = get_example_database()
         with self.client.application.test_request_context():
-            database = get_example_database()
-            schemas = security_manager.get_schemas_accessible_by_user(
-                database, ["temp_schema", "2", "3"]
-            )
-            self.assertEqual(schemas, ["temp_schema"])
+            with override_user(security_manager.find_user("gamma")):
+                schemas = security_manager.get_schemas_accessible_by_user(
+                    database, ["temp_schema", "2", "3"]
+                )
+                self.assertEqual(schemas, ["temp_schema"])
 
-    @patch("superset.utils.core.g")
-    @patch("superset.security.manager.g")
-    def test_schemas_accessible_by_user_datasource_and_schema_access(
-        self, mock_sm_g, mock_g
-    ):
+    def test_schemas_accessible_by_user_datasource_and_schema_access(self):
         # User has schema access to the datasource temp_schema.wb_health_population in examples DB.
         create_schema_perm("[examples].[2]")
-        mock_g.user = mock_sm_g.user = security_manager.find_user("gamma")
         with self.client.application.test_request_context():
             database = get_example_database()
-            schemas = security_manager.get_schemas_accessible_by_user(
-                database, ["temp_schema", "2", "3"]
-            )
-            self.assertEqual(schemas, ["temp_schema", "2"])
-        vm = security_manager.find_permission_view_menu(
-            "schema_access", "[examples].[2]"
-        )
-        self.assertIsNotNone(vm)
-        delete_schema_perm("[examples].[2]")
+            with override_user(security_manager.find_user("gamma")):
+                schemas = security_manager.get_schemas_accessible_by_user(
+                    database, ["temp_schema", "2", "3"]
+                )
+                self.assertEqual(schemas, ["temp_schema", "2"])
+                vm = security_manager.find_permission_view_menu(
+                    "schema_access", "[examples].[2]"
+                )
+                self.assertIsNotNone(vm)
+                delete_schema_perm("[examples].[2]")
 
     @pytest.mark.usefixtures("load_world_bank_dashboard_with_slices")
     def test_gamma_user_schema_access_to_dashboards(self):
@@ -1642,25 +1637,42 @@ def test_raise_for_access_query(self, mock_can_access, mock_is_owner):
         with self.assertRaises(SupersetSecurityException):
             security_manager.raise_for_access(query=query)
 
-    @patch("superset.security.manager.g")
+    def test_raise_for_access_sql_fails(self):
+        with override_user(security_manager.find_user("gamma")):
+            with self.assertRaises(SupersetSecurityException):
+                security_manager.raise_for_access(
+                    database=get_example_database(),
+                    schema="bar",
+                    sql="SELECT * FROM foo",
+                )
+
+    @patch("superset.security.SupersetSecurityManager.is_owner")
+    @patch("superset.security.SupersetSecurityManager.can_access")
+    def test_raise_for_access_sql(self, mock_can_access, mock_is_owner):
+        mock_can_access.return_value = True
+        mock_is_owner.return_value = True
+        with override_user(security_manager.find_user("gamma")):
+            security_manager.raise_for_access(
+                database=get_example_database(), schema="bar", sql="SELECT * FROM foo"
+            )
+
     @patch("superset.security.SupersetSecurityManager.is_owner")
     @patch("superset.security.SupersetSecurityManager.can_access")
     @patch("superset.security.SupersetSecurityManager.can_access_schema")
     def test_raise_for_access_query_context(
-        self, mock_can_access_schema, mock_can_access, mock_is_owner, mock_g
+        self, mock_can_access_schema, mock_can_access, mock_is_owner
     ):
         query_context = Mock(datasource=self.get_datasource_mock(), form_data={})
 
         mock_can_access_schema.return_value = True
         security_manager.raise_for_access(query_context=query_context)
 
-        mock_g.user = security_manager.find_user("gamma")
         mock_can_access.return_value = False
         mock_can_access_schema.return_value = False
         mock_is_owner.return_value = False
-
-        with self.assertRaises(SupersetSecurityException):
-            security_manager.raise_for_access(query_context=query_context)
+        with override_user(security_manager.find_user("gamma")):
+            with self.assertRaises(SupersetSecurityException):
+                security_manager.raise_for_access(query_context=query_context)
 
     @patch("superset.security.SupersetSecurityManager.can_access")
     def test_raise_for_access_table(self, mock_can_access):
@@ -1675,30 +1687,27 @@ def test_raise_for_access_table(self, mock_can_access):
         with self.assertRaises(SupersetSecurityException):
             security_manager.raise_for_access(database=database, table=table)
 
-    @patch("superset.security.manager.g")
     @patch("superset.security.SupersetSecurityManager.is_owner")
     @patch("superset.security.SupersetSecurityManager.can_access")
     @patch("superset.security.SupersetSecurityManager.can_access_schema")
     def test_raise_for_access_viz(
-        self, mock_can_access_schema, mock_can_access, mock_is_owner, mock_g
+        self, mock_can_access_schema, mock_can_access, mock_is_owner
     ):
         test_viz = viz.TimeTableViz(self.get_datasource_mock(), form_data={})
 
         mock_can_access_schema.return_value = True
         security_manager.raise_for_access(viz=test_viz)
 
-        mock_g.user = security_manager.find_user("gamma")
         mock_can_access.return_value = False
         mock_can_access_schema.return_value = False
         mock_is_owner.return_value = False
-
-        with self.assertRaises(SupersetSecurityException):
-            security_manager.raise_for_access(viz=test_viz)
+        with override_user(security_manager.find_user("gamma")):
+            with self.assertRaises(SupersetSecurityException):
+                security_manager.raise_for_access(viz=test_viz)
 
     @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
     @pytest.mark.usefixtures("load_world_bank_dashboard_with_slices")
     @with_feature_flags(DASHBOARD_RBAC=True)
-    @patch("superset.security.manager.g")
     @patch("superset.security.SupersetSecurityManager.is_owner")
     @patch("superset.security.SupersetSecurityManager.can_access")
     @patch("superset.security.SupersetSecurityManager.can_access_schema")
@@ -1707,7 +1716,6 @@ def test_raise_for_access_rbac(
         mock_can_access_schema,
         mock_can_access,
         mock_is_owner,
-        mock_g,
     ):
         births = self.get_dash_by_slug("births")
         girls = self.get_slice("Girls", db.session, expunge_from_session=False)
@@ -1731,161 +1739,156 @@ def test_raise_for_access_rbac(
             }
         )
 
-        mock_g.user = security_manager.find_user("gamma")
         mock_is_owner.return_value = False
         mock_can_access.return_value = False
         mock_can_access_schema.return_value = False
+        with override_user(security_manager.find_user("gamma")):
+            for kwarg in ["query_context", "viz"]:
+                births.roles = []
+
+                # No dashboard roles.
+                with self.assertRaises(SupersetSecurityException):
+                    security_manager.raise_for_access(
+                        **{
+                            kwarg: Mock(
+                                datasource=birth_names,
+                                form_data={
+                                    "dashboardId": births.id,
+                                    "slice_id": girls.id,
+                                },
+                            )
+                        }
+                    )
 
-        for kwarg in ["query_context", "viz"]:
-            births.roles = []
-
-            # No dashboard roles.
-            with self.assertRaises(SupersetSecurityException):
-                security_manager.raise_for_access(
-                    **{
-                        kwarg: Mock(
-                            datasource=birth_names,
-                            form_data={
-                                "dashboardId": births.id,
-                                "slice_id": girls.id,
-                            },
-                        )
-                    }
-                )
+                births.roles = [self.get_role("Gamma")]
+
+                # Undefined dashboard.
+                with self.assertRaises(SupersetSecurityException):
+                    security_manager.raise_for_access(
+                        **{
+                            kwarg: Mock(
+                                datasource=birth_names,
+                                form_data={},
+                            )
+                        }
+                    )
 
-            births.roles = [self.get_role("Gamma")]
+                # Undefined dashboard chart.
+                with self.assertRaises(SupersetSecurityException):
+                    security_manager.raise_for_access(
+                        **{
+                            kwarg: Mock(
+                                datasource=birth_names,
+                                form_data={"dashboardId": births.id},
+                            )
+                        }
+                    )
 
-            # Undefined dashboard.
-            with self.assertRaises(SupersetSecurityException):
-                security_manager.raise_for_access(
-                    **{
-                        kwarg: Mock(
-                            datasource=birth_names,
-                            form_data={},
-                        )
-                    }
-                )
+                # Ill-defined dashboard chart.
+                with self.assertRaises(SupersetSecurityException):
+                    security_manager.raise_for_access(
+                        **{
+                            kwarg: Mock(
+                                datasource=birth_names,
+                                form_data={
+                                    "dashboardId": births.id,
+                                    "slice_id": treemap.id,
+                                },
+                            )
+                        }
+                    )
 
-            # Undefined dashboard chart.
-            with self.assertRaises(SupersetSecurityException):
-                security_manager.raise_for_access(
-                    **{
-                        kwarg: Mock(
-                            datasource=birth_names,
-                            form_data={"dashboardId": births.id},
-                        )
-                    }
-                )
+                # Dashboard chart not associated with said datasource.
+                with self.assertRaises(SupersetSecurityException):
+                    security_manager.raise_for_access(
+                        **{
+                            kwarg: Mock(
+                                datasource=birth_names,
+                                form_data={
+                                    "dashboardId": world_health.id,
+                                    "slice_id": treemap.id,
+                                },
+                            )
+                        }
+                    )
 
-            # Ill-defined dashboard chart.
-            with self.assertRaises(SupersetSecurityException):
+                # Dashboard chart associated with said datasource.
                 security_manager.raise_for_access(
                     **{
                         kwarg: Mock(
                             datasource=birth_names,
                             form_data={
                                 "dashboardId": births.id,
-                                "slice_id": treemap.id,
-                            },
-                        )
-                    }
-                )
-
-            # Dashboard chart not associated with said datasource.
-            with self.assertRaises(SupersetSecurityException):
-                security_manager.raise_for_access(
-                    **{
-                        kwarg: Mock(
-                            datasource=birth_names,
-                            form_data={
-                                "dashboardId": world_health.id,
-                                "slice_id": treemap.id,
+                                "slice_id": girls.id,
                             },
                         )
                     }
                 )
 
-            # Dashboard chart associated with said datasource.
-            security_manager.raise_for_access(
-                **{
-                    kwarg: Mock(
-                        datasource=birth_names,
-                        form_data={
-                            "dashboardId": births.id,
-                            "slice_id": girls.id,
-                        },
+                # Ill-defined native filter.
+                with self.assertRaises(SupersetSecurityException):
+                    security_manager.raise_for_access(
+                        **{
+                            kwarg: Mock(
+                                datasource=birth_names,
+                                form_data={
+                                    "dashboardId": births.id,
+                                    "type": "NATIVE_FILTER",
+                                },
+                            )
+                        }
                     )
-                }
-            )
 
-            # Ill-defined native filter.
-            with self.assertRaises(SupersetSecurityException):
-                security_manager.raise_for_access(
-                    **{
-                        kwarg: Mock(
-                            datasource=birth_names,
-                            form_data={
-                                "dashboardId": births.id,
-                                "type": "NATIVE_FILTER",
-                            },
-                        )
-                    }
-                )
+                # Native filter not associated with said datasource.
+                with self.assertRaises(SupersetSecurityException):
+                    security_manager.raise_for_access(
+                        **{
+                            kwarg: Mock(
+                                datasource=birth_names,
+                                form_data={
+                                    "dashboardId": births.id,
+                                    "native_filter_id": "NATIVE_FILTER-IJKLMNOP",
+                                    "type": "NATIVE_FILTER",
+                                },
+                            )
+                        }
+                    )
 
-            # Native filter not associated with said datasource.
-            with self.assertRaises(SupersetSecurityException):
+                # Native filter associated with said datasource.
                 security_manager.raise_for_access(
                     **{
                         kwarg: Mock(
                             datasource=birth_names,
                             form_data={
                                 "dashboardId": births.id,
-                                "native_filter_id": "NATIVE_FILTER-IJKLMNOP",
+                                "native_filter_id": "NATIVE_FILTER-ABCDEFGH",
                                 "type": "NATIVE_FILTER",
                             },
                         )
                     }
                 )
 
-            # Native filter associated with said datasource.
-            security_manager.raise_for_access(
-                **{
-                    kwarg: Mock(
-                        datasource=birth_names,
-                        form_data={
-                            "dashboardId": births.id,
-                            "native_filter_id": "NATIVE_FILTER-ABCDEFGH",
-                            "type": "NATIVE_FILTER",
-                        },
-                    )
-                }
-            )
-
-        db.session.expunge_all()
+            db.session.expunge_all()
 
-    @patch("superset.security.manager.g")
-    def test_get_user_roles(self, mock_g):
+    def test_get_user_roles(self):
         admin = security_manager.find_user("admin")
-        mock_g.user = admin
-        roles = security_manager.get_user_roles()
-        self.assertEqual(admin.roles, roles)
+        with override_user(admin):
+            roles = security_manager.get_user_roles()
+            self.assertEqual(admin.roles, roles)
 
-    @patch("superset.security.manager.g")
-    def test_get_anonymous_roles(self, mock_g):
-        mock_g.user = security_manager.get_anonymous_user()
-        roles = security_manager.get_user_roles()
-        self.assertEqual([security_manager.get_public_role()], roles)
+    def test_get_anonymous_roles(self):
+        with override_user(security_manager.get_anonymous_user()):
+            roles = security_manager.get_user_roles()
+            self.assertEqual([security_manager.get_public_role()], roles)
 
 
 class TestDatasources(SupersetTestCase):
-    @patch("superset.security.manager.g")
     @patch("superset.security.SupersetSecurityManager.can_access_database")
     @patch("superset.security.SupersetSecurityManager.get_session")
     def test_get_user_datasources_admin(
-        self, mock_get_session, mock_can_access_database, mock_g
+        self, mock_get_session, mock_can_access_database
     ):
         Datasource = namedtuple("Datasource", ["database", "schema", "name"])
-        mock_g.user = security_manager.find_user("admin")
         mock_can_access_database.return_value = True
         mock_get_session.query.return_value.filter.return_value.all.return_value = []
 
@@ -1897,23 +1900,20 @@ def test_get_user_datasources_admin(
                 Datasource("database1", "schema1", "table2"),
                 Datasource("database2", None, "table1"),
             ]
+            with override_user(security_manager.find_user("admin")):
+                datasources = security_manager.get_user_datasources()
+                assert sorted(datasources) == [
+                    Datasource("database1", "schema1", "table1"),
+                    Datasource("database1", "schema1", "table2"),
+                    Datasource("database2", None, "table1"),
+                ]
 
-            datasources = security_manager.get_user_datasources()
-
-        assert sorted(datasources) == [
-            Datasource("database1", "schema1", "table1"),
-            Datasource("database1", "schema1", "table2"),
-            Datasource("database2", None, "table1"),
-        ]
-
-    @patch("superset.security.manager.g")
     @patch("superset.security.SupersetSecurityManager.can_access_database")
     @patch("superset.security.SupersetSecurityManager.get_session")
     def test_get_user_datasources_gamma(
-        self, mock_get_session, mock_can_access_database, mock_g
+        self, mock_get_session, mock_can_access_database
     ):
         Datasource = namedtuple("Datasource", ["database", "schema", "name"])
-        mock_g.user = security_manager.find_user("gamma")
         mock_can_access_database.return_value = False
         mock_get_session.query.return_value.filter.return_value.all.return_value = []
 
@@ -1925,19 +1925,16 @@ def test_get_user_datasources_gamma(
                 Datasource("database1", "schema1", "table2"),
                 Datasource("database2", None, "table1"),
             ]
+            with override_user(security_manager.find_user("gamma")):
+                datasources = security_manager.get_user_datasources()
+                assert datasources == []
 
-            datasources = security_manager.get_user_datasources()
-
-        assert datasources == []
-
-    @patch("superset.security.manager.g")
     @patch("superset.security.SupersetSecurityManager.can_access_database")
     @patch("superset.security.SupersetSecurityManager.get_session")
     def test_get_user_datasources_gamma_with_schema(
-        self, mock_get_session, mock_can_access_database, mock_g
+        self, mock_get_session, mock_can_access_database
     ):
         Datasource = namedtuple("Datasource", ["database", "schema", "name"])
-        mock_g.user = security_manager.find_user("gamma")
         mock_can_access_database.return_value = False
 
         mock_get_session.query.return_value.filter.return_value.all.return_value = [
@@ -1953,13 +1950,12 @@ def test_get_user_datasources_gamma_with_schema(
                 Datasource("database1", "schema1", "table2"),
                 Datasource("database2", None, "table1"),
             ]
-
-            datasources = security_manager.get_user_datasources()
-
-        assert sorted(datasources) == [
-            Datasource("database1", "schema1", "table1"),
-            Datasource("database1", "schema1", "table2"),
-        ]
+            with override_user(security_manager.find_user("gamma")):
+                datasources = security_manager.get_user_datasources()
+                assert sorted(datasources) == [
+                    Datasource("database1", "schema1", "table1"),
+                    Datasource("database1", "schema1", "table2"),
+                ]
 
 
 class FakeRequest:

From ecd0eba2d36f0d12933bab82e7ba6ab714a4260e Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Wed, 17 Jan 2024 12:49:28 +0000
Subject: [PATCH 007/114] fix: unnecessary logic on CI ephemeral (#26644)

(cherry picked from commit 6a4043d0f0f58e99f3361c3603c77677fc2f72e9)
---
 .github/workflows/docker-ephemeral-env.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/docker-ephemeral-env.yml b/.github/workflows/docker-ephemeral-env.yml
index bc877ae9ae737..41f50acb82d38 100644
--- a/.github/workflows/docker-ephemeral-env.yml
+++ b/.github/workflows/docker-ephemeral-env.yml
@@ -18,8 +18,6 @@ jobs:
         shell: bash
         run: |
           if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' &&
-            secrets.AWS_ACCESS_KEY_ID != '' &&
-            secrets.AWS_SECRET_ACCESS_KEY != '' &&
             secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
             echo "has secrets!"

From 1b41307b9a027113c899c9cd6dbbe510c55ffb42 Mon Sep 17 00:00:00 2001
From: Igor Khrol <igor.khrol@automattic.com>
Date: Wed, 17 Jan 2024 19:48:50 +0200
Subject: [PATCH 008/114] fix: Avoid 500 if end users write bad SQL (#26638)

(cherry picked from commit 80a6e25a98fe05f31a3c265d461c0825fa7d0aef)
---
 superset/db_engine_specs/exceptions.py        |  2 +-
 superset/db_engine_specs/trino.py             | 26 +++++++++++++++++--
 .../unit_tests/db_engine_specs/test_trino.py  | 19 ++++++++++++++
 3 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/superset/db_engine_specs/exceptions.py b/superset/db_engine_specs/exceptions.py
index 56e354d62a574..93a6b99271d03 100644
--- a/superset/db_engine_specs/exceptions.py
+++ b/superset/db_engine_specs/exceptions.py
@@ -38,4 +38,4 @@ class SupersetDBAPIOperationalError(SupersetDBAPIError):
 
 
 class SupersetDBAPIProgrammingError(SupersetDBAPIError):
-    pass
+    status = 400
diff --git a/superset/db_engine_specs/trino.py b/superset/db_engine_specs/trino.py
index 1dc711880d729..ccbb73a81c67d 100644
--- a/superset/db_engine_specs/trino.py
+++ b/superset/db_engine_specs/trino.py
@@ -32,7 +32,12 @@
 from superset.constants import QUERY_CANCEL_KEY, QUERY_EARLY_CANCEL_KEY, USER_AGENT
 from superset.databases.utils import make_url_safe
 from superset.db_engine_specs.base import BaseEngineSpec
-from superset.db_engine_specs.exceptions import SupersetDBAPIConnectionError
+from superset.db_engine_specs.exceptions import (
+    SupersetDBAPIConnectionError,
+    SupersetDBAPIDatabaseError,
+    SupersetDBAPIOperationalError,
+    SupersetDBAPIProgrammingError,
+)
 from superset.db_engine_specs.presto import PrestoBaseEngineSpec
 from superset.models.sql_lab import Query
 from superset.superset_typing import ResultSetColumnType
@@ -330,11 +335,28 @@ def update_params_from_encrypted_extra(
     def get_dbapi_exception_mapping(cls) -> dict[type[Exception], type[Exception]]:
         # pylint: disable=import-outside-toplevel
         from requests import exceptions as requests_exceptions
+        from trino import exceptions as trino_exceptions
 
-        return {
+        static_mapping: dict[type[Exception], type[Exception]] = {
             requests_exceptions.ConnectionError: SupersetDBAPIConnectionError,
         }
 
+        class _CustomMapping(dict[type[Exception], type[Exception]]):
+            def get(  # type: ignore[override]
+                self, item: type[Exception], default: type[Exception] | None = None
+            ) -> type[Exception] | None:
+                if static := static_mapping.get(item):
+                    return static
+                if issubclass(item, trino_exceptions.InternalError):
+                    return SupersetDBAPIDatabaseError
+                if issubclass(item, trino_exceptions.OperationalError):
+                    return SupersetDBAPIOperationalError
+                if issubclass(item, trino_exceptions.ProgrammingError):
+                    return SupersetDBAPIProgrammingError
+                return default
+
+        return _CustomMapping()
+
     @classmethod
     def _expand_columns(cls, col: ResultSetColumnType) -> list[ResultSetColumnType]:
         """
diff --git a/tests/unit_tests/db_engine_specs/test_trino.py b/tests/unit_tests/db_engine_specs/test_trino.py
index fd553b241c8f1..751ffbcfbc5cd 100644
--- a/tests/unit_tests/db_engine_specs/test_trino.py
+++ b/tests/unit_tests/db_engine_specs/test_trino.py
@@ -24,11 +24,19 @@
 import pandas as pd
 import pytest
 from pytest_mock import MockerFixture
+from requests.exceptions import ConnectionError as RequestsConnectionError
 from sqlalchemy import types
+from trino.exceptions import TrinoExternalError, TrinoInternalError, TrinoUserError
 from trino.sqlalchemy import datatype
 
 import superset.config
 from superset.constants import QUERY_CANCEL_KEY, QUERY_EARLY_CANCEL_KEY, USER_AGENT
+from superset.db_engine_specs.exceptions import (
+    SupersetDBAPIConnectionError,
+    SupersetDBAPIDatabaseError,
+    SupersetDBAPIOperationalError,
+    SupersetDBAPIProgrammingError,
+)
 from superset.superset_typing import ResultSetColumnType, SQLAColumnType
 from superset.utils.core import GenericDataType
 from tests.unit_tests.db_engine_specs.utils import (
@@ -533,3 +541,14 @@ def test_get_indexes_no_table():
         db_mock, inspector_mock, "test_table", "test_schema"
     )
     assert result == []
+
+
+def test_get_dbapi_exception_mapping():
+    from superset.db_engine_specs.trino import TrinoEngineSpec
+
+    mapping = TrinoEngineSpec.get_dbapi_exception_mapping()
+    assert mapping.get(TrinoUserError) == SupersetDBAPIProgrammingError
+    assert mapping.get(TrinoInternalError) == SupersetDBAPIDatabaseError
+    assert mapping.get(TrinoExternalError) == SupersetDBAPIOperationalError
+    assert mapping.get(RequestsConnectionError) == SupersetDBAPIConnectionError
+    assert mapping.get(Exception) is None

From 8fa8ae68b2f225fd4283b6d09febde759641e113 Mon Sep 17 00:00:00 2001
From: Linghao Wang <1055905911@qq.com>
Date: Thu, 18 Jan 2024 23:38:43 +0800
Subject: [PATCH 009/114] fix(translation): correct translation errors for
 Chinese(zh) (#26645)

Signed-off-by: Waterkin <1055905911@qq.com>
(cherry picked from commit 8539dfd0baa9edbe1563fae8f36c4e57845d7269)
---
 superset/translations/zh/LC_MESSAGES/messages.po | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/superset/translations/zh/LC_MESSAGES/messages.po b/superset/translations/zh/LC_MESSAGES/messages.po
index 791ea2c4db7be..4997d7ab97163 100644
--- a/superset/translations/zh/LC_MESSAGES/messages.po
+++ b/superset/translations/zh/LC_MESSAGES/messages.po
@@ -19232,7 +19232,7 @@ msgstr "时间序列的列"
 #: superset-frontend/src/dashboard/components/gridComponents/Tab.jsx:210
 #, fuzzy
 msgid "edit mode"
-msgstr "光模式"
+msgstr "编辑模式"
 
 #: superset-frontend/plugins/plugin-chart-table/src/DataTable/components/SelectPageSize.tsx:58
 #, fuzzy
@@ -19311,7 +19311,7 @@ msgstr ""
 msgid ""
 "filter_box will be deprecated in a future version of Superset. Please "
 "replace filter_box by dashboard filter components."
-msgstr "'filter_box将在Superset的未来版本中弃用。"
+msgstr "filter_box将在Superset的未来版本中弃用。"
 
 #: superset-frontend/plugins/legacy-preset-chart-nvd3/src/NVD3Controls.tsx:219
 #: superset-frontend/plugins/plugin-chart-echarts/src/BoxPlot/controlPanel.ts:119
@@ -19322,7 +19322,7 @@ msgstr "在"
 
 #: superset-frontend/src/features/databases/DatabaseModal/SqlAlchemyForm.tsx:100
 msgid "for more information on how to structure your URI."
-msgstr " 来查询有关如何构造URI的更多信息。"
+msgstr "来查询有关如何构造URI的更多信息。"
 
 #: superset-frontend/packages/superset-ui-chart-controls/src/components/ColumnTypeLabel/ColumnTypeLabel.tsx:57
 msgid "function type icon"
@@ -19339,7 +19339,7 @@ msgstr "热力图"
 
 #: superset-frontend/plugins/legacy-plugin-chart-heatmap/src/controlPanel.tsx:184
 msgid "heatmap: values are normalized across the entire heatmap"
-msgstr ""
+msgstr "热力图：其中所有数值都经过了归一化"
 
 #: superset-frontend/src/components/EmptyState/index.tsx:231
 #: superset-frontend/src/components/ImportModal/ErrorAlert.tsx:60
@@ -19384,7 +19384,7 @@ msgstr "应该为数字"
 #: superset-frontend/packages/superset-ui-core/src/validator/legacyValidateInteger.ts:31
 #: superset-frontend/packages/superset-ui-core/src/validator/validateInteger.ts:32
 msgid "is expected to be an integer"
-msgstr "应该为为整数"
+msgstr "应该为整数"
 
 #: superset-frontend/src/profile/components/UserInfo.tsx:64
 msgid "joined"
@@ -19477,7 +19477,7 @@ msgstr "最大值"
 #: superset-frontend/src/explore/controlPanels/sections.tsx:255
 #, fuzzy
 msgid "mean"
-msgstr "主域"
+msgstr "平均值"
 
 #: superset-frontend/plugins/legacy-plugin-chart-partition/src/controlPanel.tsx:376
 #: superset-frontend/plugins/legacy-plugin-chart-rose/src/controlPanel.tsx:258
@@ -19485,7 +19485,7 @@ msgstr "主域"
 #: superset-frontend/plugins/legacy-preset-chart-nvd3/src/NVD3Controls.tsx:530
 #: superset-frontend/src/explore/controlPanels/sections.tsx:254
 msgid "median"
-msgstr ""
+msgstr "中位数"
 
 #: superset-frontend/plugins/plugin-chart-pivot-table/src/PivotTableChart.tsx:62
 #: superset-frontend/src/explore/components/controls/FixedOrMetricControl/index.jsx:136
@@ -19499,7 +19499,7 @@ msgstr "指标"
 #: superset-frontend/src/filters/components/Range/buildQuery.ts:58
 #, fuzzy
 msgid "min"
-msgstr "在"
+msgstr "分钟"
 
 #: superset-frontend/src/components/CronPicker/CronPicker.tsx:41
 msgid "minute"

From 224c3a1b3d883d0db6d87978ef40d6d79487ed2a Mon Sep 17 00:00:00 2001
From: Pieter Ennes <pieter@ennes.nl>
Date: Sat, 20 Jan 2024 00:00:43 +0100
Subject: [PATCH 010/114] fix: Catch ImportErrors for Google SDKs (#25550)

(cherry picked from commit effd73f2cc5bd4afbc830ae98feca568c773e4a5)
---
 superset/db_engine_specs/bigquery.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/superset/db_engine_specs/bigquery.py b/superset/db_engine_specs/bigquery.py
index f3b9c486e98e5..8e7ed0bf7d061 100644
--- a/superset/db_engine_specs/bigquery.py
+++ b/superset/db_engine_specs/bigquery.py
@@ -52,7 +52,7 @@
     from google.oauth2 import service_account
 
     dependencies_installed = True
-except ModuleNotFoundError:
+except ImportError:
     dependencies_installed = False
 
 try:

From 24567a57a59f6a33cdd00f38f2918d09eeb2b383 Mon Sep 17 00:00:00 2001
From: Evan Rusackas <evan@preset.io>
Date: Mon, 22 Jan 2024 12:36:43 -0700
Subject: [PATCH 011/114] fix: do not use lodash/memoize (#26709)

(cherry picked from commit ef4878b845ea2d3de3c0ad83a4ebfc220d8f14f4)
---
 superset-frontend/src/utils/getControlsForVizType.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/superset-frontend/src/utils/getControlsForVizType.js b/superset-frontend/src/utils/getControlsForVizType.js
index ae48b8b0d8c0c..8771d91dc7bc4 100644
--- a/superset-frontend/src/utils/getControlsForVizType.js
+++ b/superset-frontend/src/utils/getControlsForVizType.js
@@ -17,12 +17,12 @@
  * under the License.
  */
 
-import memoize from 'lodash/memoize';
+import memoizeOne from 'memoize-one';
 import { isControlPanelSectionConfig } from '@superset-ui/chart-controls';
 import { getChartControlPanelRegistry } from '@superset-ui/core';
 import { controls } from '../explore/controls';
 
-const memoizedControls = memoize((vizType, controlPanel) => {
+const memoizedControls = memoizeOne((vizType, controlPanel) => {
   const controlsMap = {};
   (controlPanel?.controlPanelSections || [])
     .filter(isControlPanelSectionConfig)

From 51ca5fa049fb524d757655c850fe35ce5c1f1934 Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Mon, 22 Jan 2024 16:37:03 -0300
Subject: [PATCH 012/114] fix(legacy-charts): Show Time Grain control for
 legacy charts (#26705)

(cherry picked from commit 3ed70d8f53c229682027df3efa7815ca12bd1328)
---
 .../src/shared-controls/sharedControls.tsx                      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx b/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx
index 341aaa0729f08..4396f4f2e9495 100644
--- a/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx
+++ b/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx
@@ -207,7 +207,7 @@ const time_grain_sqla: SharedControlConfig<'SelectControl'> = {
     choices: (datasource as Dataset)?.time_grain_sqla || [],
   }),
   visibility: ({ controls }) => {
-    if (!hasGenericChartAxes) {
+    if (!hasGenericChartAxes || !controls?.x_axis) {
       return true;
     }
 

From 1273f72f94928e6c5b04663cb9055c9507bd002f Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Mon, 22 Jan 2024 19:05:58 -0300
Subject: [PATCH 013/114] fix(db2): Improving support for ibm db2 connections
 (#26744)

(cherry picked from commit 5eb4e82d278b29f074d0530a473c54215446fbab)
---
 setup.py                                     |  2 +-
 superset/db_engine_specs/db2.py              | 55 ++++++++++++++
 tests/unit_tests/db_engine_specs/test_db2.py | 75 ++++++++++++++++++++
 3 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 tests/unit_tests/db_engine_specs/test_db2.py

diff --git a/setup.py b/setup.py
index 993c72784679a..913cfc5c35893 100644
--- a/setup.py
+++ b/setup.py
@@ -151,7 +151,7 @@ def get_git_sha() -> str:
             "databricks-sql-connector>=2.0.2, <3",
             "sqlalchemy-databricks>=0.2.0",
         ],
-        "db2": ["ibm-db-sa>=0.3.5, <0.4"],
+        "db2": ["ibm-db-sa>0.3.8, <=0.4.0"],
         "dremio": ["sqlalchemy-dremio>=1.1.5, <1.3"],
         "drill": ["sqlalchemy-drill==0.1.dev"],
         "druid": ["pydruid>=0.6.5,<0.7"],
diff --git a/superset/db_engine_specs/db2.py b/superset/db_engine_specs/db2.py
index 5f54613a4b533..db2e500b53d8f 100644
--- a/superset/db_engine_specs/db2.py
+++ b/superset/db_engine_specs/db2.py
@@ -14,9 +14,16 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
+import logging
+from typing import Optional, Union
+
+from sqlalchemy.engine.reflection import Inspector
+
 from superset.constants import TimeGrain
 from superset.db_engine_specs.base import BaseEngineSpec, LimitMethod
 
+logger = logging.getLogger(__name__)
+
 
 class Db2EngineSpec(BaseEngineSpec):
     engine = "db2"
@@ -26,6 +33,8 @@ class Db2EngineSpec(BaseEngineSpec):
     force_column_alias_quotes = True
     max_column_name_length = 30
 
+    supports_dynamic_schema = True
+
     _time_grain_expressions = {
         None: "{col}",
         TimeGrain.SECOND: "CAST({col} as TIMESTAMP) - MICROSECOND({col}) MICROSECONDS",
@@ -52,3 +61,49 @@ class Db2EngineSpec(BaseEngineSpec):
     @classmethod
     def epoch_to_dttm(cls) -> str:
         return "(TIMESTAMP('1970-01-01', '00:00:00') + {col} SECONDS)"
+
+    @classmethod
+    def get_table_comment(
+        cls, inspector: Inspector, table_name: str, schema: Union[str, None]
+    ) -> Optional[str]:
+        """
+        Get comment of table from a given schema
+
+        Ibm Db2 return comments as tuples, so we need to get the first element
+
+        :param inspector: SqlAlchemy Inspector instance
+        :param table_name: Table name
+        :param schema: Schema name. If omitted, uses default schema for database
+        :return: comment of table
+        """
+        comment = None
+        try:
+            table_comment = inspector.get_table_comment(table_name, schema)
+            comment = table_comment.get("text")
+            return comment[0]
+        except IndexError:
+            return comment
+        except Exception as ex:  # pylint: disable=broad-except
+            logger.error("Unexpected error while fetching table comment", exc_info=True)
+            logger.exception(ex)
+            return comment
+
+    @classmethod
+    def get_prequeries(
+        cls,
+        catalog: Union[str, None] = None,
+        schema: Union[str, None] = None,
+    ) -> list[str]:
+        """
+        Set the search path to the specified schema.
+
+        This is important for two reasons: in SQL Lab it will allow queries to run in
+        the schema selected in the dropdown, resolving unqualified table names to the
+        expected schema.
+
+        But more importantly, in SQL Lab this is used to check if the user has access to
+        any tables with unqualified names. If the schema is not set by SQL Lab it could
+        be anything, and we would have to block users from running any queries
+        referencing tables without an explicit schema.
+        """
+        return [f'set current_schema "{schema}"'] if schema else []
diff --git a/tests/unit_tests/db_engine_specs/test_db2.py b/tests/unit_tests/db_engine_specs/test_db2.py
new file mode 100644
index 0000000000000..d7dd19ad5923c
--- /dev/null
+++ b/tests/unit_tests/db_engine_specs/test_db2.py
@@ -0,0 +1,75 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import pytest
+from pytest_mock import MockerFixture
+
+
+def test_epoch_to_dttm() -> None:
+    """
+    Test the `epoch_to_dttm` method.
+    """
+    from superset.db_engine_specs.db2 import Db2EngineSpec
+
+    assert (
+        Db2EngineSpec.epoch_to_dttm().format(col="epoch_dttm")
+        == "(TIMESTAMP('1970-01-01', '00:00:00') + epoch_dttm SECONDS)"
+    )
+
+
+def test_get_table_comment(mocker: MockerFixture):
+    """
+    Test the `get_table_comment` method.
+    """
+    from superset.db_engine_specs.db2 import Db2EngineSpec
+
+    mock_inspector = mocker.MagicMock()
+    mock_inspector.get_table_comment.return_value = {
+        "text": ("This is a table comment",)
+    }
+
+    assert (
+        Db2EngineSpec.get_table_comment(mock_inspector, "my_table", "my_schema")
+        == "This is a table comment"
+    )
+
+
+def test_get_table_comment_empty(mocker: MockerFixture):
+    """
+    Test the `get_table_comment` method
+    when no comment is returned.
+    """
+    from superset.db_engine_specs.db2 import Db2EngineSpec
+
+    mock_inspector = mocker.MagicMock()
+    mock_inspector.get_table_comment.return_value = {}
+
+    assert (
+        Db2EngineSpec.get_table_comment(mock_inspector, "my_table", "my_schema") == None
+    )
+
+
+def test_get_prequeries() -> None:
+    """
+    Test the ``get_prequeries`` method.
+    """
+    from superset.db_engine_specs.db2 import Db2EngineSpec
+
+    assert Db2EngineSpec.get_prequeries() == []
+    assert Db2EngineSpec.get_prequeries(schema="my_schema") == [
+        'set current_schema "my_schema"'
+    ]

From 519f7704ef43cb4a72119920b3a59d66d413b164 Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Wed, 24 Jan 2024 00:26:53 -0300
Subject: [PATCH 014/114] fix(BigQuery): Support special characters in
 column/metric names used in ORDER BY (#26461)

(cherry picked from commit 4592dd13fa7fdae6d8d8c153f42d47447f5319ef)
---
 superset/models/helpers.py                                | 4 +++-
 tests/integration_tests/db_engine_specs/bigquery_tests.py | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/superset/models/helpers.py b/superset/models/helpers.py
index 3e88bec44f9a3..7bfbbddfd336e 100644
--- a/superset/models/helpers.py
+++ b/superset/models/helpers.py
@@ -1974,7 +1974,9 @@ def get_sqla_query(  # pylint: disable=too-many-arguments,too-many-locals,too-ma
                 and db_engine_spec.allows_hidden_cc_in_orderby
                 and col.name in [select_col.name for select_col in select_exprs]
             ):
-                col = literal_column(col.name)
+                with self.database.get_sqla_engine_with_context() as engine:
+                    quote = engine.dialect.identifier_preparer.quote
+                    col = literal_column(quote(col.name))
             direction = sa.asc if ascending else sa.desc
             qry = qry.order_by(direction(col))
 
diff --git a/tests/integration_tests/db_engine_specs/bigquery_tests.py b/tests/integration_tests/db_engine_specs/bigquery_tests.py
index c4f04584fa2bb..3523e71b0b022 100644
--- a/tests/integration_tests/db_engine_specs/bigquery_tests.py
+++ b/tests/integration_tests/db_engine_specs/bigquery_tests.py
@@ -381,4 +381,4 @@ def test_calculated_column_in_order_by(self):
             "orderby": [["gender_cc", True]],
         }
         sql = table.get_query_str(query_obj)
-        assert "ORDER BY gender_cc ASC" in sql
+        assert "ORDER BY `gender_cc` ASC" in sql

From 33d8f72f91b28028e7555a8179f51143d7d6f374 Mon Sep 17 00:00:00 2001
From: John Bodley <4567245+john-bodley@users.noreply.github.com>
Date: Thu, 25 Jan 2024 13:17:10 +1300
Subject: [PATCH 015/114] fix(logging): Filter out undefined columns (#26314)

(cherry picked from commit 01fdfbee0952d88b31910237e6e8a0c652dd65b2)
---
 .../src/dashboard/components/gridComponents/Chart.jsx         | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/superset-frontend/src/dashboard/components/gridComponents/Chart.jsx b/superset-frontend/src/dashboard/components/gridComponents/Chart.jsx
index a99061c7071c6..f76f29724dd84 100644
--- a/superset-frontend/src/dashboard/components/gridComponents/Chart.jsx
+++ b/superset-frontend/src/dashboard/components/gridComponents/Chart.jsx
@@ -274,7 +274,9 @@ class Chart extends React.Component {
   changeFilter(newSelectedValues = {}) {
     this.props.logEvent(LOG_ACTIONS_CHANGE_DASHBOARD_FILTER, {
       id: this.props.chart.id,
-      columns: Object.keys(newSelectedValues),
+      columns: Object.keys(newSelectedValues).filter(
+        key => newSelectedValues[key] !== null,
+      ),
     });
     this.props.changeFilter(this.props.chart.id, newSelectedValues);
   }

From 72ad551d1e7b78f650461d6bf84c04da755b00fd Mon Sep 17 00:00:00 2001
From: Maxime Beauchemin <maximebeauchemin@gmail.com>
Date: Fri, 19 Jan 2024 15:13:18 -0800
Subject: [PATCH 016/114] fix(import): only import FORMULA annotations (#26652)

---
 superset/cli/importexport.py                  |  3 +-
 superset/commands/chart/importers/v1/utils.py | 18 ++++++++++
 .../charts/commands_tests.py                  |  1 +
 tests/integration_tests/cli_tests.py          | 12 ++++---
 .../fixtures/importexport.py                  | 35 +++++++++++++++++++
 .../commands/importers/v1/import_test.py      | 19 ++++++++++
 6 files changed, 83 insertions(+), 5 deletions(-)

diff --git a/superset/cli/importexport.py b/superset/cli/importexport.py
index 0d76e535e814b..5b19cc9ffc0d4 100755
--- a/superset/cli/importexport.py
+++ b/superset/cli/importexport.py
@@ -133,12 +133,13 @@ def export_datasources(datasource_file: Optional[str] = None) -> None:
     @click.option(
         "--path",
         "-p",
+        required=True,
         help="Path to a single ZIP file",
     )
     @click.option(
         "--username",
         "-u",
-        default=None,
+        required=True,
         help="Specify the user name to assign dashboards to",
     )
     def import_dashboards(path: str, username: Optional[str]) -> None:
diff --git a/superset/commands/chart/importers/v1/utils.py b/superset/commands/chart/importers/v1/utils.py
index d27b631f97fde..f905f8cc3ad4f 100644
--- a/superset/commands/chart/importers/v1/utils.py
+++ b/superset/commands/chart/importers/v1/utils.py
@@ -28,6 +28,22 @@
 from superset.migrations.shared.migrate_viz import processors
 from superset.migrations.shared.migrate_viz.base import MigrateViz
 from superset.models.slice import Slice
+from superset.utils.core import AnnotationType
+
+
+def filter_chart_annotations(chart_config: dict[str, Any]) -> None:
+    """
+    Mutating the chart's config params to keep only the annotations of
+    type FORMULA.
+    TODO:
+      handle annotation dependencies on either other charts or
+      annotation layers objects.
+    """
+    params = chart_config.get("params", {})
+    als = params.get("annotation_layers", [])
+    params["annotation_layers"] = [
+        al for al in als if al.get("annotationType") == AnnotationType.FORMULA
+    ]
 
 
 def import_chart(
@@ -47,6 +63,8 @@ def import_chart(
             "Chart doesn't exist and user doesn't have permission to create charts"
         )
 
+    filter_chart_annotations(config)
+
     # TODO (betodealmeida): move this logic to import_from_dict
     config["params"] = json.dumps(config["params"])
 
diff --git a/tests/integration_tests/charts/commands_tests.py b/tests/integration_tests/charts/commands_tests.py
index 87c7823ae5ab8..b6adf197f5751 100644
--- a/tests/integration_tests/charts/commands_tests.py
+++ b/tests/integration_tests/charts/commands_tests.py
@@ -190,6 +190,7 @@ def test_import_v1_chart(self, sm_g, utils_g):
         )
         dataset = chart.datasource
         assert json.loads(chart.params) == {
+            "annotation_layers": [],
             "color_picker": {"a": 1, "b": 135, "g": 122, "r": 0},
             "datasource": dataset.uid,
             "js_columns": ["color"],
diff --git a/tests/integration_tests/cli_tests.py b/tests/integration_tests/cli_tests.py
index 55557ab32deac..487e0183693e7 100644
--- a/tests/integration_tests/cli_tests.py
+++ b/tests/integration_tests/cli_tests.py
@@ -235,7 +235,8 @@ def test_import_dashboards_versioned_export(import_dashboards_command, app_conte
 
     runner = app.test_cli_runner()
     response = runner.invoke(
-        superset.cli.importexport.import_dashboards, ("-p", "dashboards.json")
+        superset.cli.importexport.import_dashboards,
+        ("-p", "dashboards.json", "-u", "admin"),
     )
 
     assert response.exit_code == 0
@@ -249,7 +250,8 @@ def test_import_dashboards_versioned_export(import_dashboards_command, app_conte
 
     runner = app.test_cli_runner()
     response = runner.invoke(
-        superset.cli.importexport.import_dashboards, ("-p", "dashboards.zip")
+        superset.cli.importexport.import_dashboards,
+        ("-p", "dashboards.zip", "-u", "admin"),
     )
 
     assert response.exit_code == 0
@@ -283,7 +285,8 @@ def test_failing_import_dashboards_versioned_export(
 
     runner = app.test_cli_runner()
     response = runner.invoke(
-        superset.cli.importexport.import_dashboards, ("-p", "dashboards.json")
+        superset.cli.importexport.import_dashboards,
+        ("-p", "dashboards.json", "-u", "admin"),
     )
 
     assert_cli_fails_properly(response, caplog)
@@ -295,7 +298,8 @@ def test_failing_import_dashboards_versioned_export(
 
     runner = app.test_cli_runner()
     response = runner.invoke(
-        superset.cli.importexport.import_dashboards, ("-p", "dashboards.zip")
+        superset.cli.importexport.import_dashboards,
+        ("-p", "dashboards.zip", "-u", "admin"),
     )
 
     assert_cli_fails_properly(response, caplog)
diff --git a/tests/integration_tests/fixtures/importexport.py b/tests/integration_tests/fixtures/importexport.py
index 8fa61539dcc4b..5096c272335bc 100644
--- a/tests/integration_tests/fixtures/importexport.py
+++ b/tests/integration_tests/fixtures/importexport.py
@@ -14,6 +14,7 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
+from copy import deepcopy
 from typing import Any
 
 # example V0 import/export format
@@ -575,6 +576,40 @@
     "version": "1.0.0",
     "dataset_uuid": "10808100-158b-42c4-842e-f32b99d88dfb",
 }
+chart_config_with_mixed_annotations: dict[str, Any] = deepcopy(chart_config)
+chart_config_with_mixed_annotations["params"]["annotation_layers"] = [
+    {
+        "name": "Formula test layer",
+        "annotationType": "FORMULA",
+        "color": None,
+        "descriptionColumns": [],
+        "hideLine": False,
+        "opacity": "",
+        "overrides": {"time_range": None},
+        "show": True,
+        "showLabel": False,
+        "showMarkers": False,
+        "style": "solid",
+        "value": "100000",
+        "width": 1,
+    },
+    {
+        "name": "Native layer to be removed on import",
+        "annotationType": "EVENT",
+        "sourceType": "NATIVE",
+        "color": None,
+        "opacity": "",
+        "style": "solid",
+        "width": 1,
+        "showMarkers": False,
+        "hideLine": False,
+        "value": 2,
+        "overrides": {"time_range": None},
+        "show": True,
+        "showLabel": False,
+        "descriptionColumns": [],
+    },
+]
 
 dashboard_config: dict[str, Any] = {
     "dashboard_title": "Test dash",
diff --git a/tests/unit_tests/charts/commands/importers/v1/import_test.py b/tests/unit_tests/charts/commands/importers/v1/import_test.py
index f0d142644df25..903b7468baf21 100644
--- a/tests/unit_tests/charts/commands/importers/v1/import_test.py
+++ b/tests/unit_tests/charts/commands/importers/v1/import_test.py
@@ -108,3 +108,22 @@ def test_import_chart_without_permission(
         str(excinfo.value)
         == "Chart doesn't exist and user doesn't have permission to create charts"
     )
+
+
+def test_filter_chart_annotations(mocker: MockFixture, session: Session) -> None:
+    """
+    Test importing a chart.
+    """
+    from superset import security_manager
+    from superset.commands.chart.importers.v1.utils import filter_chart_annotations
+    from tests.integration_tests.fixtures.importexport import (
+        chart_config_with_mixed_annotations,
+    )
+
+    config = copy.deepcopy(chart_config_with_mixed_annotations)
+    filter_chart_annotations(config)
+    params = config["params"]
+    annotation_layers = params["annotation_layers"]
+
+    assert len(annotation_layers) == 1
+    assert all([al["annotationType"] == "FORMULA" for al in annotation_layers])

From debe7811d066aed55fce45316abd69a102f0f765 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Wed, 24 Jan 2024 21:36:18 +0000
Subject: [PATCH 017/114] fix: helm chart comment on SECRET_KEY (#26674)

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
---
 helm/superset/Chart.yaml  |   2 +-
 helm/superset/README.md   | 500 +++++++++++++++++++-------------------
 helm/superset/values.yaml |   4 +-
 3 files changed, 253 insertions(+), 253 deletions(-)

diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml
index cbca942569349..34c987e6c886a 100644
--- a/helm/superset/Chart.yaml
+++ b/helm/superset/Chart.yaml
@@ -29,7 +29,7 @@ maintainers:
   - name: craig-rueda
     email: craig@craigrueda.com
     url: https://github.com/craig-rueda
-version: 0.11.2
+version: 0.12.1
 dependencies:
   - name: postgresql
     version: 12.1.6
diff --git a/helm/superset/README.md b/helm/superset/README.md
index 1eaf4928c158a..a92af456960e7 100644
--- a/helm/superset/README.md
+++ b/helm/superset/README.md
@@ -23,7 +23,7 @@ NOTE: This file is generated by helm-docs: https://github.com/norwoodj/helm-docs
 
 # superset
 
-![Version: 0.11.2](https://img.shields.io/badge/Version-0.11.2-informational?style=flat-square)
+![Version: 0.12.1](https://img.shields.io/badge/Version-0.12.1-informational?style=flat-square)
 
 Apache Superset is a modern, enterprise-ready business intelligence web application
 
@@ -31,7 +31,7 @@ Apache Superset is a modern, enterprise-ready business intelligence web applicat
 
 ## Source Code
 
-* <https://github.com/apache/superset>
+- <https://github.com/apache/superset>
 
 ## TL;DR
 
@@ -48,254 +48,254 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 
 ## Requirements
 
-| Repository | Name | Version |
-|------------|------|---------|
-| https://charts.bitnami.com/bitnami | postgresql | 12.1.6 |
-| https://charts.bitnami.com/bitnami | redis | 17.9.4 |
+| Repository                         | Name       | Version |
+| ---------------------------------- | ---------- | ------- |
+| https://charts.bitnami.com/bitnami | postgresql | 12.1.6  |
+| https://charts.bitnami.com/bitnami | redis      | 17.9.4  |
 
 ## Values
 
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| affinity | object | `{}` |  |
-| bootstrapScript | string | see `values.yaml` | Install additional packages and do any other bootstrap configuration in this script For production clusters it's recommended to build own image with this step done in CI |
-| configFromSecret | string | `"{{ template \"superset.fullname\" . }}-config"` | The name of the secret which we will use to generate a superset_config.py file Note: this secret must have the key superset_config.py in it and can include other files as well |
-| configMountPath | string | `"/app/pythonpath"` |  |
-| configOverrides | object | `{}` | A dictionary of overrides to append at the end of superset_config.py - the name does not matter WARNING: the order is not guaranteed Files can be passed as helm --set-file configOverrides.my-override=my-file.py |
-| configOverridesFiles | object | `{}` | Same as above but the values are files |
-| envFromSecret | string | `"{{ template \"superset.fullname\" . }}-env"` | The name of the secret which we will use to populate env vars in deployed pods This can be useful for secret keys, etc. |
-| envFromSecrets | list | `[]` | This can be a list of templated strings |
-| extraConfigMountPath | string | `"/app/configs"` |  |
-| extraConfigs | object | `{}` | Extra files to mount on `/app/pythonpath` |
-| extraEnv | object | `{}` | Extra environment variables that will be passed into pods |
-| extraEnvRaw | list | `[]` | Extra environment variables in RAW format that will be passed into pods |
-| extraSecretEnv | object | `{}` | Extra environment variables to pass as secrets |
-| extraSecrets | object | `{}` | Extra files to mount on `/app/pythonpath` as secrets |
-| extraVolumeMounts | list | `[]` |  |
-| extraVolumes | list | `[]` |  |
-| fullnameOverride | string | `nil` | Provide a name to override the full names of resources |
-| hostAliases | list | `[]` | Custom hostAliases for all superset pods # https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.repository | string | `"apachesuperset.docker.scarf.sh/apache/superset"` |  |
-| image.tag | string | `""` |  |
-| imagePullSecrets | list | `[]` |  |
-| ingress.annotations | object | `{}` |  |
-| ingress.enabled | bool | `false` |  |
-| ingress.extraHostsRaw | list | `[]` |  |
-| ingress.hosts[0] | string | `"chart-example.local"` |  |
-| ingress.ingressClassName | string | `nil` |  |
-| ingress.path | string | `"/"` |  |
-| ingress.pathType | string | `"ImplementationSpecific"` |  |
-| ingress.tls | list | `[]` |  |
-| init.adminUser.email | string | `"admin@superset.com"` |  |
-| init.adminUser.firstname | string | `"Superset"` |  |
-| init.adminUser.lastname | string | `"Admin"` |  |
-| init.adminUser.password | string | `"admin"` |  |
-| init.adminUser.username | string | `"admin"` |  |
-| init.affinity | object | `{}` |  |
-| init.command | list | a `superset_init.sh` command | Command |
-| init.containerSecurityContext | object | `{}` |  |
-| init.createAdmin | bool | `true` |  |
-| init.enabled | bool | `true` |  |
-| init.extraContainers | list | `[]` | Launch additional containers into init job pod |
-| init.initContainers | list | a container waiting for postgres | List of initContainers |
-| init.initscript | string | a script to create admin user and initialize roles | A Superset init script |
-| init.jobAnnotations."helm.sh/hook" | string | `"post-install,post-upgrade"` |  |
-| init.jobAnnotations."helm.sh/hook-delete-policy" | string | `"before-hook-creation"` |  |
-| init.loadExamples | bool | `false` |  |
-| init.podAnnotations | object | `{}` |  |
-| init.podSecurityContext | object | `{}` |  |
-| init.resources | object | `{}` |  |
-| init.tolerations | list | `[]` |  |
-| init.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to init job |
-| initImage.pullPolicy | string | `"IfNotPresent"` |  |
-| initImage.repository | string | `"apache/superset"` |  |
-| initImage.tag | string | `"dockerize"` |  |
-| nameOverride | string | `nil` | Provide a name to override the name of the chart |
-| nodeSelector | object | `{}` |  |
-| postgresql | object | see `values.yaml` | Configuration values for the postgresql dependency. ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql |
-| redis | object | see `values.yaml` | Configuration values for the Redis dependency. ref: https://github.com/bitnami/charts/blob/master/bitnami/redis More documentation can be found here: https://artifacthub.io/packages/helm/bitnami/redis |
-| resources | object | `{}` |  |
-| runAsUser | int | `0` | User ID directive. This user must have enough permissions to run the bootstrap script Running containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure |
-| service.annotations | object | `{}` |  |
-| service.loadBalancerIP | string | `nil` |  |
-| service.nodePort.http | int | `"nil"` |  |
-| service.port | int | `8088` |  |
-| service.type | string | `"ClusterIP"` |  |
-| serviceAccount.annotations | object | `{}` |  |
-| serviceAccount.create | bool | `false` | Create custom service account for Superset. If create: true and serviceAccountName is not provided, `superset.fullname` will be used. |
-| serviceAccountName | string | `nil` | Specify service account name to be used |
-| supersetCeleryBeat.affinity | object | `{}` | Affinity to be added to supersetCeleryBeat deployment |
-| supersetCeleryBeat.command | list | a `celery beat` command | Command |
-| supersetCeleryBeat.containerSecurityContext | object | `{}` |  |
-| supersetCeleryBeat.deploymentAnnotations | object | `{}` | Annotations to be added to supersetCeleryBeat deployment |
-| supersetCeleryBeat.enabled | bool | `false` | This is only required if you intend to use alerts and reports |
-| supersetCeleryBeat.extraContainers | list | `[]` | Launch additional containers into supersetCeleryBeat pods |
-| supersetCeleryBeat.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
-| supersetCeleryBeat.initContainers | list | a container waiting for postgres | List of init containers |
-| supersetCeleryBeat.podAnnotations | object | `{}` | Annotations to be added to supersetCeleryBeat pods |
-| supersetCeleryBeat.podLabels | object | `{}` | Labels to be added to supersetCeleryBeat pods |
-| supersetCeleryBeat.podSecurityContext | object | `{}` |  |
-| supersetCeleryBeat.resources | object | `{}` | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above. |
-| supersetCeleryBeat.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetCeleryBeat deployments |
-| supersetCeleryFlower.affinity | object | `{}` | Affinity to be added to supersetCeleryFlower deployment |
-| supersetCeleryFlower.command | list | a `celery flower` command | Command |
-| supersetCeleryFlower.containerSecurityContext | object | `{}` |  |
-| supersetCeleryFlower.deploymentAnnotations | object | `{}` | Annotations to be added to supersetCeleryFlower deployment |
-| supersetCeleryFlower.enabled | bool | `false` | Enables a Celery flower deployment (management UI to monitor celery jobs) WARNING: on superset 1.x, this requires a Superset image that has `flower<1.0.0` installed (which is NOT the case of the default images) flower>=1.0.0 requires Celery 5+ which Superset 1.5 does not support |
-| supersetCeleryFlower.extraContainers | list | `[]` | Launch additional containers into supersetCeleryFlower pods |
-| supersetCeleryFlower.initContainers | list | a container waiting for postgres and redis | List of init containers |
-| supersetCeleryFlower.livenessProbe.failureThreshold | int | `3` |  |
-| supersetCeleryFlower.livenessProbe.httpGet.path | string | `"/api/workers"` |  |
-| supersetCeleryFlower.livenessProbe.httpGet.port | string | `"flower"` |  |
-| supersetCeleryFlower.livenessProbe.initialDelaySeconds | int | `5` |  |
-| supersetCeleryFlower.livenessProbe.periodSeconds | int | `5` |  |
-| supersetCeleryFlower.livenessProbe.successThreshold | int | `1` |  |
-| supersetCeleryFlower.livenessProbe.timeoutSeconds | int | `1` |  |
-| supersetCeleryFlower.podAnnotations | object | `{}` | Annotations to be added to supersetCeleryFlower pods |
-| supersetCeleryFlower.podLabels | object | `{}` | Labels to be added to supersetCeleryFlower pods |
-| supersetCeleryFlower.podSecurityContext | object | `{}` |  |
-| supersetCeleryFlower.readinessProbe.failureThreshold | int | `3` |  |
-| supersetCeleryFlower.readinessProbe.httpGet.path | string | `"/api/workers"` |  |
-| supersetCeleryFlower.readinessProbe.httpGet.port | string | `"flower"` |  |
-| supersetCeleryFlower.readinessProbe.initialDelaySeconds | int | `5` |  |
-| supersetCeleryFlower.readinessProbe.periodSeconds | int | `5` |  |
-| supersetCeleryFlower.readinessProbe.successThreshold | int | `1` |  |
-| supersetCeleryFlower.readinessProbe.timeoutSeconds | int | `1` |  |
-| supersetCeleryFlower.replicaCount | int | `1` |  |
-| supersetCeleryFlower.resources | object | `{}` | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above. |
-| supersetCeleryFlower.service.annotations | object | `{}` |  |
-| supersetCeleryFlower.service.loadBalancerIP | string | `nil` |  |
-| supersetCeleryFlower.service.nodePort.http | int | `"nil"` |  |
-| supersetCeleryFlower.service.port | int | `5555` |  |
-| supersetCeleryFlower.service.type | string | `"ClusterIP"` |  |
-| supersetCeleryFlower.startupProbe.failureThreshold | int | `60` |  |
-| supersetCeleryFlower.startupProbe.httpGet.path | string | `"/api/workers"` |  |
-| supersetCeleryFlower.startupProbe.httpGet.port | string | `"flower"` |  |
-| supersetCeleryFlower.startupProbe.initialDelaySeconds | int | `5` |  |
-| supersetCeleryFlower.startupProbe.periodSeconds | int | `5` |  |
-| supersetCeleryFlower.startupProbe.successThreshold | int | `1` |  |
-| supersetCeleryFlower.startupProbe.timeoutSeconds | int | `1` |  |
-| supersetCeleryFlower.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetCeleryFlower deployments |
-| supersetNode.affinity | object | `{}` | Affinity to be added to supersetNode deployment |
-| supersetNode.autoscaling.enabled | bool | `false` |  |
-| supersetNode.autoscaling.maxReplicas | int | `100` |  |
-| supersetNode.autoscaling.minReplicas | int | `1` |  |
-| supersetNode.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| supersetNode.command | list | See `values.yaml` | Startup command |
-| supersetNode.connections.db_host | string | `"{{ .Release.Name }}-postgresql"` |  |
-| supersetNode.connections.db_name | string | `"superset"` |  |
-| supersetNode.connections.db_pass | string | `"superset"` |  |
-| supersetNode.connections.db_port | string | `"5432"` |  |
-| supersetNode.connections.db_user | string | `"superset"` |  |
-| supersetNode.connections.redis_host | string | `"{{ .Release.Name }}-redis-headless"` | Change in case of bringing your own redis and then also set redis.enabled:false |
-| supersetNode.connections.redis_port | string | `"6379"` |  |
-| supersetNode.containerSecurityContext | object | `{}` |  |
-| supersetNode.deploymentAnnotations | object | `{}` | Annotations to be added to supersetNode deployment |
-| supersetNode.deploymentLabels | object | `{}` | Labels to be added to supersetNode deployment |
-| supersetNode.env | object | `{}` |  |
-| supersetNode.extraContainers | list | `[]` | Launch additional containers into supersetNode pod |
-| supersetNode.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
-| supersetNode.initContainers | list | a container waiting for postgres | Init containers |
-| supersetNode.livenessProbe.failureThreshold | int | `3` |  |
-| supersetNode.livenessProbe.httpGet.path | string | `"/health"` |  |
-| supersetNode.livenessProbe.httpGet.port | string | `"http"` |  |
-| supersetNode.livenessProbe.initialDelaySeconds | int | `15` |  |
-| supersetNode.livenessProbe.periodSeconds | int | `15` |  |
-| supersetNode.livenessProbe.successThreshold | int | `1` |  |
-| supersetNode.livenessProbe.timeoutSeconds | int | `1` |  |
-| supersetNode.podAnnotations | object | `{}` | Annotations to be added to supersetNode pods |
-| supersetNode.podLabels | object | `{}` | Labels to be added to supersetNode pods |
-| supersetNode.podSecurityContext | object | `{}` |  |
-| supersetNode.readinessProbe.failureThreshold | int | `3` |  |
-| supersetNode.readinessProbe.httpGet.path | string | `"/health"` |  |
-| supersetNode.readinessProbe.httpGet.port | string | `"http"` |  |
-| supersetNode.readinessProbe.initialDelaySeconds | int | `15` |  |
-| supersetNode.readinessProbe.periodSeconds | int | `15` |  |
-| supersetNode.readinessProbe.successThreshold | int | `1` |  |
-| supersetNode.readinessProbe.timeoutSeconds | int | `1` |  |
-| supersetNode.replicaCount | int | `1` |  |
-| supersetNode.resources | object | `{}` | Resource settings for the supersetNode pods - these settings overwrite might existing values from the global resources object defined above. |
-| supersetNode.startupProbe.failureThreshold | int | `60` |  |
-| supersetNode.startupProbe.httpGet.path | string | `"/health"` |  |
-| supersetNode.startupProbe.httpGet.port | string | `"http"` |  |
-| supersetNode.startupProbe.initialDelaySeconds | int | `15` |  |
-| supersetNode.startupProbe.periodSeconds | int | `5` |  |
-| supersetNode.startupProbe.successThreshold | int | `1` |  |
-| supersetNode.startupProbe.timeoutSeconds | int | `1` |  |
-| supersetNode.strategy | object | `{}` |  |
-| supersetNode.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetNode deployments |
-| supersetWebsockets.affinity | object | `{}` | Affinity to be added to supersetWebsockets deployment |
-| supersetWebsockets.command | list | `[]` |  |
-| supersetWebsockets.config | object | see `values.yaml` | The config.json to pass to the server, see https://github.com/apache/superset/tree/master/superset-websocket Note that the configuration can also read from environment variables (which will have priority), see https://github.com/apache/superset/blob/master/superset-websocket/src/config.ts for a list of supported variables |
-| supersetWebsockets.containerSecurityContext | object | `{}` |  |
-| supersetWebsockets.deploymentAnnotations | object | `{}` |  |
-| supersetWebsockets.enabled | bool | `false` | This is only required if you intend to use `GLOBAL_ASYNC_QUERIES` in `ws` mode see https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries |
-| supersetWebsockets.extraContainers | list | `[]` | Launch additional containers into supersetWebsockets pods |
-| supersetWebsockets.image.pullPolicy | string | `"IfNotPresent"` |  |
-| supersetWebsockets.image.repository | string | `"oneacrefund/superset-websocket"` | There is no official image (yet), this one is community-supported |
-| supersetWebsockets.image.tag | string | `"latest"` |  |
-| supersetWebsockets.ingress.path | string | `"/ws"` |  |
-| supersetWebsockets.ingress.pathType | string | `"Prefix"` |  |
-| supersetWebsockets.livenessProbe.failureThreshold | int | `3` |  |
-| supersetWebsockets.livenessProbe.httpGet.path | string | `"/health"` |  |
-| supersetWebsockets.livenessProbe.httpGet.port | string | `"ws"` |  |
-| supersetWebsockets.livenessProbe.initialDelaySeconds | int | `5` |  |
-| supersetWebsockets.livenessProbe.periodSeconds | int | `5` |  |
-| supersetWebsockets.livenessProbe.successThreshold | int | `1` |  |
-| supersetWebsockets.livenessProbe.timeoutSeconds | int | `1` |  |
-| supersetWebsockets.podAnnotations | object | `{}` |  |
-| supersetWebsockets.podLabels | object | `{}` |  |
-| supersetWebsockets.podSecurityContext | object | `{}` |  |
-| supersetWebsockets.readinessProbe.failureThreshold | int | `3` |  |
-| supersetWebsockets.readinessProbe.httpGet.path | string | `"/health"` |  |
-| supersetWebsockets.readinessProbe.httpGet.port | string | `"ws"` |  |
-| supersetWebsockets.readinessProbe.initialDelaySeconds | int | `5` |  |
-| supersetWebsockets.readinessProbe.periodSeconds | int | `5` |  |
-| supersetWebsockets.readinessProbe.successThreshold | int | `1` |  |
-| supersetWebsockets.readinessProbe.timeoutSeconds | int | `1` |  |
-| supersetWebsockets.replicaCount | int | `1` |  |
-| supersetWebsockets.resources | object | `{}` |  |
-| supersetWebsockets.service.annotations | object | `{}` |  |
-| supersetWebsockets.service.loadBalancerIP | string | `nil` |  |
-| supersetWebsockets.service.nodePort.http | int | `"nil"` |  |
-| supersetWebsockets.service.port | int | `8080` |  |
-| supersetWebsockets.service.type | string | `"ClusterIP"` |  |
-| supersetWebsockets.startupProbe.failureThreshold | int | `60` |  |
-| supersetWebsockets.startupProbe.httpGet.path | string | `"/health"` |  |
-| supersetWebsockets.startupProbe.httpGet.port | string | `"ws"` |  |
-| supersetWebsockets.startupProbe.initialDelaySeconds | int | `5` |  |
-| supersetWebsockets.startupProbe.periodSeconds | int | `5` |  |
-| supersetWebsockets.startupProbe.successThreshold | int | `1` |  |
-| supersetWebsockets.startupProbe.timeoutSeconds | int | `1` |  |
-| supersetWebsockets.strategy | object | `{}` |  |
-| supersetWebsockets.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetWebsockets deployments |
-| supersetWorker.affinity | object | `{}` | Affinity to be added to supersetWorker deployment |
-| supersetWorker.autoscaling.enabled | bool | `false` |  |
-| supersetWorker.autoscaling.maxReplicas | int | `100` |  |
-| supersetWorker.autoscaling.minReplicas | int | `1` |  |
-| supersetWorker.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| supersetWorker.command | list | a `celery worker` command | Worker startup command |
-| supersetWorker.containerSecurityContext | object | `{}` |  |
-| supersetWorker.deploymentAnnotations | object | `{}` | Annotations to be added to supersetWorker deployment |
-| supersetWorker.deploymentLabels | object | `{}` | Labels to be added to supersetWorker deployment |
-| supersetWorker.extraContainers | list | `[]` | Launch additional containers into supersetWorker pod |
-| supersetWorker.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
-| supersetWorker.initContainers | list | a container waiting for postgres and redis | Init container |
-| supersetWorker.livenessProbe.exec.command | list | a `celery inspect ping` command | Liveness probe command |
-| supersetWorker.livenessProbe.failureThreshold | int | `3` |  |
-| supersetWorker.livenessProbe.initialDelaySeconds | int | `120` |  |
-| supersetWorker.livenessProbe.periodSeconds | int | `60` |  |
-| supersetWorker.livenessProbe.successThreshold | int | `1` |  |
-| supersetWorker.livenessProbe.timeoutSeconds | int | `60` |  |
-| supersetWorker.podAnnotations | object | `{}` | Annotations to be added to supersetWorker pods |
-| supersetWorker.podLabels | object | `{}` | Labels to be added to supersetWorker pods |
-| supersetWorker.podSecurityContext | object | `{}` |  |
-| supersetWorker.readinessProbe | object | `{}` | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic) |
-| supersetWorker.replicaCount | int | `1` |  |
-| supersetWorker.resources | object | `{}` | Resource settings for the supersetWorker pods - these settings overwrite might existing values from the global resources object defined above. |
-| supersetWorker.startupProbe | object | `{}` | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic) |
-| supersetWorker.strategy | object | `{}` |  |
-| supersetWorker.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetWorker deployments |
-| tolerations | list | `[]` |  |
-| topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to all deployments |
+| Key                                                       | Type   | Default                                            | Description                                                                                                                                                                                                                                                                                                                         |
+| --------------------------------------------------------- | ------ | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| affinity                                                  | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| bootstrapScript                                           | string | see `values.yaml`                                  | Install additional packages and do any other bootstrap configuration in this script For production clusters it's recommended to build own image with this step done in CI                                                                                                                                                           |
+| configFromSecret                                          | string | `"{{ template \"superset.fullname\" . }}-config"`  | The name of the secret which we will use to generate a superset_config.py file Note: this secret must have the key superset_config.py in it and can include other files as well                                                                                                                                                     |
+| configMountPath                                           | string | `"/app/pythonpath"`                                |                                                                                                                                                                                                                                                                                                                                     |
+| configOverrides                                           | object | `{}`                                               | A dictionary of overrides to append at the end of superset_config.py - the name does not matter WARNING: the order is not guaranteed Files can be passed as helm --set-file configOverrides.my-override=my-file.py                                                                                                                  |
+| configOverridesFiles                                      | object | `{}`                                               | Same as above but the values are files                                                                                                                                                                                                                                                                                              |
+| envFromSecret                                             | string | `"{{ template \"superset.fullname\" . }}-env"`     | The name of the secret which we will use to populate env vars in deployed pods This can be useful for secret keys, etc.                                                                                                                                                                                                             |
+| envFromSecrets                                            | list   | `[]`                                               | This can be a list of templated strings                                                                                                                                                                                                                                                                                             |
+| extraConfigMountPath                                      | string | `"/app/configs"`                                   |                                                                                                                                                                                                                                                                                                                                     |
+| extraConfigs                                              | object | `{}`                                               | Extra files to mount on `/app/pythonpath`                                                                                                                                                                                                                                                                                           |
+| extraEnv                                                  | object | `{}`                                               | Extra environment variables that will be passed into pods                                                                                                                                                                                                                                                                           |
+| extraEnvRaw                                               | list   | `[]`                                               | Extra environment variables in RAW format that will be passed into pods                                                                                                                                                                                                                                                             |
+| extraSecretEnv                                            | object | `{}`                                               | Extra environment variables to pass as secrets                                                                                                                                                                                                                                                                                      |
+| extraSecrets                                              | object | `{}`                                               | Extra files to mount on `/app/pythonpath` as secrets                                                                                                                                                                                                                                                                                |
+| extraVolumeMounts                                         | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| extraVolumes                                              | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| fullnameOverride                                          | string | `nil`                                              | Provide a name to override the full names of resources                                                                                                                                                                                                                                                                              |
+| hostAliases                                               | list   | `[]`                                               | Custom hostAliases for all superset pods # https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/                                                                                                                                                                                                                  |
+| image.pullPolicy                                          | string | `"IfNotPresent"`                                   |                                                                                                                                                                                                                                                                                                                                     |
+| image.repository                                          | string | `"apachesuperset.docker.scarf.sh/apache/superset"` |                                                                                                                                                                                                                                                                                                                                     |
+| image.tag                                                 | string | `""`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| imagePullSecrets                                          | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.annotations                                       | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.enabled                                           | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.extraHostsRaw                                     | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.hosts[0]                                          | string | `"chart-example.local"`                            |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.ingressClassName                                  | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.path                                              | string | `"/"`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.pathType                                          | string | `"ImplementationSpecific"`                         |                                                                                                                                                                                                                                                                                                                                     |
+| ingress.tls                                               | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| init.adminUser.email                                      | string | `"admin@superset.com"`                             |                                                                                                                                                                                                                                                                                                                                     |
+| init.adminUser.firstname                                  | string | `"Superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
+| init.adminUser.lastname                                   | string | `"Admin"`                                          |                                                                                                                                                                                                                                                                                                                                     |
+| init.adminUser.password                                   | string | `"admin"`                                          |                                                                                                                                                                                                                                                                                                                                     |
+| init.adminUser.username                                   | string | `"admin"`                                          |                                                                                                                                                                                                                                                                                                                                     |
+| init.affinity                                             | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| init.command                                              | list   | a `superset_init.sh` command                       | Command                                                                                                                                                                                                                                                                                                                             |
+| init.containerSecurityContext                             | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| init.createAdmin                                          | bool   | `true`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| init.enabled                                              | bool   | `true`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| init.extraContainers                                      | list   | `[]`                                               | Launch additional containers into init job pod                                                                                                                                                                                                                                                                                      |
+| init.initContainers                                       | list   | a container waiting for postgres                   | List of initContainers                                                                                                                                                                                                                                                                                                              |
+| init.initscript                                           | string | a script to create admin user and initialize roles | A Superset init script                                                                                                                                                                                                                                                                                                              |
+| init.jobAnnotations."helm.sh/hook"                        | string | `"post-install,post-upgrade"`                      |                                                                                                                                                                                                                                                                                                                                     |
+| init.jobAnnotations."helm.sh/hook-delete-policy"          | string | `"before-hook-creation"`                           |                                                                                                                                                                                                                                                                                                                                     |
+| init.loadExamples                                         | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| init.podAnnotations                                       | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| init.podSecurityContext                                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| init.resources                                            | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| init.tolerations                                          | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| init.topologySpreadConstraints                            | list   | `[]`                                               | TopologySpreadConstrains to be added to init job                                                                                                                                                                                                                                                                                    |
+| initImage.pullPolicy                                      | string | `"IfNotPresent"`                                   |                                                                                                                                                                                                                                                                                                                                     |
+| initImage.repository                                      | string | `"apache/superset"`                                |                                                                                                                                                                                                                                                                                                                                     |
+| initImage.tag                                             | string | `"dockerize"`                                      |                                                                                                                                                                                                                                                                                                                                     |
+| nameOverride                                              | string | `nil`                                              | Provide a name to override the name of the chart                                                                                                                                                                                                                                                                                    |
+| nodeSelector                                              | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| postgresql                                                | object | see `values.yaml`                                  | Configuration values for the postgresql dependency. ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql                                                                                                                                                                                                             |
+| redis                                                     | object | see `values.yaml`                                  | Configuration values for the Redis dependency. ref: https://github.com/bitnami/charts/blob/master/bitnami/redis More documentation can be found here: https://artifacthub.io/packages/helm/bitnami/redis                                                                                                                            |
+| resources                                                 | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| runAsUser                                                 | int    | `0`                                                | User ID directive. This user must have enough permissions to run the bootstrap script Running containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure                                                                                                                         |
+| service.annotations                                       | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| service.loadBalancerIP                                    | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| service.nodePort.http                                     | int    | `"nil"`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| service.port                                              | int    | `8088`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| service.type                                              | string | `"ClusterIP"`                                      |                                                                                                                                                                                                                                                                                                                                     |
+| serviceAccount.annotations                                | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| serviceAccount.create                                     | bool   | `false`                                            | Create custom service account for Superset. If create: true and serviceAccountName is not provided, `superset.fullname` will be used.                                                                                                                                                                                               |
+| serviceAccountName                                        | string | `nil`                                              | Specify service account name to be used                                                                                                                                                                                                                                                                                             |
+| supersetCeleryBeat.affinity                               | object | `{}`                                               | Affinity to be added to supersetCeleryBeat deployment                                                                                                                                                                                                                                                                               |
+| supersetCeleryBeat.command                                | list   | a `celery beat` command                            | Command                                                                                                                                                                                                                                                                                                                             |
+| supersetCeleryBeat.containerSecurityContext               | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryBeat.deploymentAnnotations                  | object | `{}`                                               | Annotations to be added to supersetCeleryBeat deployment                                                                                                                                                                                                                                                                            |
+| supersetCeleryBeat.enabled                                | bool   | `false`                                            | This is only required if you intend to use alerts and reports                                                                                                                                                                                                                                                                       |
+| supersetCeleryBeat.extraContainers                        | list   | `[]`                                               | Launch additional containers into supersetCeleryBeat pods                                                                                                                                                                                                                                                                           |
+| supersetCeleryBeat.forceReload                            | bool   | `false`                                            | If true, forces deployment to reload on each upgrade                                                                                                                                                                                                                                                                                |
+| supersetCeleryBeat.initContainers                         | list   | a container waiting for postgres                   | List of init containers                                                                                                                                                                                                                                                                                                             |
+| supersetCeleryBeat.podAnnotations                         | object | `{}`                                               | Annotations to be added to supersetCeleryBeat pods                                                                                                                                                                                                                                                                                  |
+| supersetCeleryBeat.podLabels                              | object | `{}`                                               | Labels to be added to supersetCeleryBeat pods                                                                                                                                                                                                                                                                                       |
+| supersetCeleryBeat.podSecurityContext                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryBeat.resources                              | object | `{}`                                               | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                          |
+| supersetCeleryBeat.topologySpreadConstraints              | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetCeleryBeat deployments                                                                                                                                                                                                                                                              |
+| supersetCeleryFlower.affinity                             | object | `{}`                                               | Affinity to be added to supersetCeleryFlower deployment                                                                                                                                                                                                                                                                             |
+| supersetCeleryFlower.command                              | list   | a `celery flower` command                          | Command                                                                                                                                                                                                                                                                                                                             |
+| supersetCeleryFlower.containerSecurityContext             | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.deploymentAnnotations                | object | `{}`                                               | Annotations to be added to supersetCeleryFlower deployment                                                                                                                                                                                                                                                                          |
+| supersetCeleryFlower.enabled                              | bool   | `false`                                            | Enables a Celery flower deployment (management UI to monitor celery jobs) WARNING: on superset 1.x, this requires a Superset image that has `flower<1.0.0` installed (which is NOT the case of the default images) flower>=1.0.0 requires Celery 5+ which Superset 1.5 does not support                                             |
+| supersetCeleryFlower.extraContainers                      | list   | `[]`                                               | Launch additional containers into supersetCeleryFlower pods                                                                                                                                                                                                                                                                         |
+| supersetCeleryFlower.initContainers                       | list   | a container waiting for postgres and redis         | List of init containers                                                                                                                                                                                                                                                                                                             |
+| supersetCeleryFlower.livenessProbe.failureThreshold       | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.livenessProbe.httpGet.path           | string | `"/api/workers"`                                   |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.livenessProbe.httpGet.port           | string | `"flower"`                                         |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.livenessProbe.initialDelaySeconds    | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.livenessProbe.periodSeconds          | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.livenessProbe.successThreshold       | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.livenessProbe.timeoutSeconds         | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.podAnnotations                       | object | `{}`                                               | Annotations to be added to supersetCeleryFlower pods                                                                                                                                                                                                                                                                                |
+| supersetCeleryFlower.podLabels                            | object | `{}`                                               | Labels to be added to supersetCeleryFlower pods                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.podSecurityContext                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.readinessProbe.failureThreshold      | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.readinessProbe.httpGet.path          | string | `"/api/workers"`                                   |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.readinessProbe.httpGet.port          | string | `"flower"`                                         |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.readinessProbe.initialDelaySeconds   | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.readinessProbe.periodSeconds         | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.readinessProbe.successThreshold      | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.readinessProbe.timeoutSeconds        | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.replicaCount                         | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.resources                            | object | `{}`                                               | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                          |
+| supersetCeleryFlower.service.annotations                  | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.service.loadBalancerIP               | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.service.nodePort.http                | int    | `"nil"`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.service.port                         | int    | `5555`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.service.type                         | string | `"ClusterIP"`                                      |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.startupProbe.failureThreshold        | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.startupProbe.httpGet.path            | string | `"/api/workers"`                                   |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.startupProbe.httpGet.port            | string | `"flower"`                                         |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.startupProbe.initialDelaySeconds     | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.startupProbe.periodSeconds           | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.startupProbe.successThreshold        | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.startupProbe.timeoutSeconds          | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetCeleryFlower.topologySpreadConstraints            | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetCeleryFlower deployments                                                                                                                                                                                                                                                            |
+| supersetNode.affinity                                     | object | `{}`                                               | Affinity to be added to supersetNode deployment                                                                                                                                                                                                                                                                                     |
+| supersetNode.autoscaling.enabled                          | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.autoscaling.maxReplicas                      | int    | `100`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.autoscaling.minReplicas                      | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.autoscaling.targetCPUUtilizationPercentage   | int    | `80`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.command                                      | list   | See `values.yaml`                                  | Startup command                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.connections.db_host                          | string | `"{{ .Release.Name }}-postgresql"`                 |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.connections.db_name                          | string | `"superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.connections.db_pass                          | string | `"superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.connections.db_port                          | string | `"5432"`                                           |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.connections.db_user                          | string | `"superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.connections.redis_host                       | string | `"{{ .Release.Name }}-redis-headless"`             | Change in case of bringing your own redis and then also set redis.enabled:false                                                                                                                                                                                                                                                     |
+| supersetNode.connections.redis_port                       | string | `"6379"`                                           |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.containerSecurityContext                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.deploymentAnnotations                        | object | `{}`                                               | Annotations to be added to supersetNode deployment                                                                                                                                                                                                                                                                                  |
+| supersetNode.deploymentLabels                             | object | `{}`                                               | Labels to be added to supersetNode deployment                                                                                                                                                                                                                                                                                       |
+| supersetNode.env                                          | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.extraContainers                              | list   | `[]`                                               | Launch additional containers into supersetNode pod                                                                                                                                                                                                                                                                                  |
+| supersetNode.forceReload                                  | bool   | `false`                                            | If true, forces deployment to reload on each upgrade                                                                                                                                                                                                                                                                                |
+| supersetNode.initContainers                               | list   | a container waiting for postgres                   | Init containers                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.livenessProbe.failureThreshold               | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.livenessProbe.httpGet.path                   | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.livenessProbe.httpGet.port                   | string | `"http"`                                           |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.livenessProbe.initialDelaySeconds            | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.livenessProbe.periodSeconds                  | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.livenessProbe.successThreshold               | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.livenessProbe.timeoutSeconds                 | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.podAnnotations                               | object | `{}`                                               | Annotations to be added to supersetNode pods                                                                                                                                                                                                                                                                                        |
+| supersetNode.podLabels                                    | object | `{}`                                               | Labels to be added to supersetNode pods                                                                                                                                                                                                                                                                                             |
+| supersetNode.podSecurityContext                           | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.readinessProbe.failureThreshold              | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.readinessProbe.httpGet.path                  | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.readinessProbe.httpGet.port                  | string | `"http"`                                           |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.readinessProbe.initialDelaySeconds           | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.readinessProbe.periodSeconds                 | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.readinessProbe.successThreshold              | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.readinessProbe.timeoutSeconds                | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.replicaCount                                 | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.resources                                    | object | `{}`                                               | Resource settings for the supersetNode pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                        |
+| supersetNode.startupProbe.failureThreshold                | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.startupProbe.httpGet.path                    | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.startupProbe.httpGet.port                    | string | `"http"`                                           |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.startupProbe.initialDelaySeconds             | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.startupProbe.periodSeconds                   | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.startupProbe.successThreshold                | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.startupProbe.timeoutSeconds                  | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.strategy                                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetNode.topologySpreadConstraints                    | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetNode deployments                                                                                                                                                                                                                                                                    |
+| supersetWebsockets.affinity                               | object | `{}`                                               | Affinity to be added to supersetWebsockets deployment                                                                                                                                                                                                                                                                               |
+| supersetWebsockets.command                                | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.config                                 | object | see `values.yaml`                                  | The config.json to pass to the server, see https://github.com/apache/superset/tree/master/superset-websocket Note that the configuration can also read from environment variables (which will have priority), see https://github.com/apache/superset/blob/master/superset-websocket/src/config.ts for a list of supported variables |
+| supersetWebsockets.containerSecurityContext               | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.deploymentAnnotations                  | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.enabled                                | bool   | `false`                                            | This is only required if you intend to use `GLOBAL_ASYNC_QUERIES` in `ws` mode see https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries                                                                                                                                                               |
+| supersetWebsockets.extraContainers                        | list   | `[]`                                               | Launch additional containers into supersetWebsockets pods                                                                                                                                                                                                                                                                           |
+| supersetWebsockets.image.pullPolicy                       | string | `"IfNotPresent"`                                   |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.image.repository                       | string | `"oneacrefund/superset-websocket"`                 | There is no official image (yet), this one is community-supported                                                                                                                                                                                                                                                                   |
+| supersetWebsockets.image.tag                              | string | `"latest"`                                         |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.ingress.path                           | string | `"/ws"`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.ingress.pathType                       | string | `"Prefix"`                                         |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.livenessProbe.failureThreshold         | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.livenessProbe.httpGet.path             | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.livenessProbe.httpGet.port             | string | `"ws"`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.livenessProbe.initialDelaySeconds      | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.livenessProbe.periodSeconds            | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.livenessProbe.successThreshold         | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.livenessProbe.timeoutSeconds           | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.podAnnotations                         | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.podLabels                              | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.podSecurityContext                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.readinessProbe.failureThreshold        | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.readinessProbe.httpGet.path            | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.readinessProbe.httpGet.port            | string | `"ws"`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.readinessProbe.initialDelaySeconds     | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.readinessProbe.periodSeconds           | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.readinessProbe.successThreshold        | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.readinessProbe.timeoutSeconds          | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.replicaCount                           | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.resources                              | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.service.annotations                    | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.service.loadBalancerIP                 | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.service.nodePort.http                  | int    | `"nil"`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.service.port                           | int    | `8080`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.service.type                           | string | `"ClusterIP"`                                      |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.startupProbe.failureThreshold          | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.startupProbe.httpGet.path              | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.startupProbe.httpGet.port              | string | `"ws"`                                             |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.startupProbe.initialDelaySeconds       | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.startupProbe.periodSeconds             | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.startupProbe.successThreshold          | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.startupProbe.timeoutSeconds            | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.strategy                               | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWebsockets.topologySpreadConstraints              | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetWebsockets deployments                                                                                                                                                                                                                                                              |
+| supersetWorker.affinity                                   | object | `{}`                                               | Affinity to be added to supersetWorker deployment                                                                                                                                                                                                                                                                                   |
+| supersetWorker.autoscaling.enabled                        | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.autoscaling.maxReplicas                    | int    | `100`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.autoscaling.minReplicas                    | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.autoscaling.targetCPUUtilizationPercentage | int    | `80`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.command                                    | list   | a `celery worker` command                          | Worker startup command                                                                                                                                                                                                                                                                                                              |
+| supersetWorker.containerSecurityContext                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.deploymentAnnotations                      | object | `{}`                                               | Annotations to be added to supersetWorker deployment                                                                                                                                                                                                                                                                                |
+| supersetWorker.deploymentLabels                           | object | `{}`                                               | Labels to be added to supersetWorker deployment                                                                                                                                                                                                                                                                                     |
+| supersetWorker.extraContainers                            | list   | `[]`                                               | Launch additional containers into supersetWorker pod                                                                                                                                                                                                                                                                                |
+| supersetWorker.forceReload                                | bool   | `false`                                            | If true, forces deployment to reload on each upgrade                                                                                                                                                                                                                                                                                |
+| supersetWorker.initContainers                             | list   | a container waiting for postgres and redis         | Init container                                                                                                                                                                                                                                                                                                                      |
+| supersetWorker.livenessProbe.exec.command                 | list   | a `celery inspect ping` command                    | Liveness probe command                                                                                                                                                                                                                                                                                                              |
+| supersetWorker.livenessProbe.failureThreshold             | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.livenessProbe.initialDelaySeconds          | int    | `120`                                              |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.livenessProbe.periodSeconds                | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.livenessProbe.successThreshold             | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.livenessProbe.timeoutSeconds               | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.podAnnotations                             | object | `{}`                                               | Annotations to be added to supersetWorker pods                                                                                                                                                                                                                                                                                      |
+| supersetWorker.podLabels                                  | object | `{}`                                               | Labels to be added to supersetWorker pods                                                                                                                                                                                                                                                                                           |
+| supersetWorker.podSecurityContext                         | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.readinessProbe                             | object | `{}`                                               | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic)                                                                                                                                                                                                                 |
+| supersetWorker.replicaCount                               | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.resources                                  | object | `{}`                                               | Resource settings for the supersetWorker pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                      |
+| supersetWorker.startupProbe                               | object | `{}`                                               | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic)                                                                                                                                                                                                                 |
+| supersetWorker.strategy                                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| supersetWorker.topologySpreadConstraints                  | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetWorker deployments                                                                                                                                                                                                                                                                  |
+| tolerations                                               | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
+| topologySpreadConstraints                                 | list   | `[]`                                               | TopologySpreadConstrains to be added to all deployments                                                                                                                                                                                                                                                                             |
diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml
index 26d454742055c..15c5f7e214df4 100644
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -165,8 +165,8 @@ configOverrides: {}
   #   # The default user self registration role
   #   AUTH_USER_REGISTRATION_ROLE = "Admin"
   # secret: |
-  #   # Generate your own secret key for encryption. Use openssl rand -base64 42 to generate a good key
-  #   SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
+  #   # Generate your own secret key for encryption. Use `openssl rand -base64 42` to generate a good key
+  #   SECRET_KEY = 'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
 
 # -- Same as above but the values are files
 configOverridesFiles: {}

From 2f9572c367d936144752f583889b16d522d86254 Mon Sep 17 00:00:00 2001
From: Denis Krivenko <dnskrv88@gmail.com>
Date: Sun, 21 Jan 2024 18:43:17 +0100
Subject: [PATCH 018/114] feat(helm): Upgrade default Superset version to 3.1.0
 (#26707)

---
 helm/superset/Chart.yaml |   2 +-
 helm/superset/README.md  | 498 +++++++++++++++++++--------------------
 2 files changed, 250 insertions(+), 250 deletions(-)

diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml
index 34c987e6c886a..25ff660e38fc2 100644
--- a/helm/superset/Chart.yaml
+++ b/helm/superset/Chart.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 apiVersion: v2
-appVersion: "3.0.1"
+appVersion: "3.1.0"
 description: Apache Superset is a modern, enterprise-ready business intelligence web application
 name: superset
 icon: https://artifacthub.io/image/68c1d717-0e97-491f-b046-754e46f46922@2x
diff --git a/helm/superset/README.md b/helm/superset/README.md
index a92af456960e7..27c1232440296 100644
--- a/helm/superset/README.md
+++ b/helm/superset/README.md
@@ -31,7 +31,7 @@ Apache Superset is a modern, enterprise-ready business intelligence web applicat
 
 ## Source Code
 
-- <https://github.com/apache/superset>
+* <https://github.com/apache/superset>
 
 ## TL;DR
 
@@ -48,254 +48,254 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 
 ## Requirements
 
-| Repository                         | Name       | Version |
-| ---------------------------------- | ---------- | ------- |
-| https://charts.bitnami.com/bitnami | postgresql | 12.1.6  |
-| https://charts.bitnami.com/bitnami | redis      | 17.9.4  |
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.bitnami.com/bitnami | postgresql | 12.1.6 |
+| https://charts.bitnami.com/bitnami | redis | 17.9.4 |
 
 ## Values
 
-| Key                                                       | Type   | Default                                            | Description                                                                                                                                                                                                                                                                                                                         |
-| --------------------------------------------------------- | ------ | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| affinity                                                  | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| bootstrapScript                                           | string | see `values.yaml`                                  | Install additional packages and do any other bootstrap configuration in this script For production clusters it's recommended to build own image with this step done in CI                                                                                                                                                           |
-| configFromSecret                                          | string | `"{{ template \"superset.fullname\" . }}-config"`  | The name of the secret which we will use to generate a superset_config.py file Note: this secret must have the key superset_config.py in it and can include other files as well                                                                                                                                                     |
-| configMountPath                                           | string | `"/app/pythonpath"`                                |                                                                                                                                                                                                                                                                                                                                     |
-| configOverrides                                           | object | `{}`                                               | A dictionary of overrides to append at the end of superset_config.py - the name does not matter WARNING: the order is not guaranteed Files can be passed as helm --set-file configOverrides.my-override=my-file.py                                                                                                                  |
-| configOverridesFiles                                      | object | `{}`                                               | Same as above but the values are files                                                                                                                                                                                                                                                                                              |
-| envFromSecret                                             | string | `"{{ template \"superset.fullname\" . }}-env"`     | The name of the secret which we will use to populate env vars in deployed pods This can be useful for secret keys, etc.                                                                                                                                                                                                             |
-| envFromSecrets                                            | list   | `[]`                                               | This can be a list of templated strings                                                                                                                                                                                                                                                                                             |
-| extraConfigMountPath                                      | string | `"/app/configs"`                                   |                                                                                                                                                                                                                                                                                                                                     |
-| extraConfigs                                              | object | `{}`                                               | Extra files to mount on `/app/pythonpath`                                                                                                                                                                                                                                                                                           |
-| extraEnv                                                  | object | `{}`                                               | Extra environment variables that will be passed into pods                                                                                                                                                                                                                                                                           |
-| extraEnvRaw                                               | list   | `[]`                                               | Extra environment variables in RAW format that will be passed into pods                                                                                                                                                                                                                                                             |
-| extraSecretEnv                                            | object | `{}`                                               | Extra environment variables to pass as secrets                                                                                                                                                                                                                                                                                      |
-| extraSecrets                                              | object | `{}`                                               | Extra files to mount on `/app/pythonpath` as secrets                                                                                                                                                                                                                                                                                |
-| extraVolumeMounts                                         | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| extraVolumes                                              | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| fullnameOverride                                          | string | `nil`                                              | Provide a name to override the full names of resources                                                                                                                                                                                                                                                                              |
-| hostAliases                                               | list   | `[]`                                               | Custom hostAliases for all superset pods # https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/                                                                                                                                                                                                                  |
-| image.pullPolicy                                          | string | `"IfNotPresent"`                                   |                                                                                                                                                                                                                                                                                                                                     |
-| image.repository                                          | string | `"apachesuperset.docker.scarf.sh/apache/superset"` |                                                                                                                                                                                                                                                                                                                                     |
-| image.tag                                                 | string | `""`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| imagePullSecrets                                          | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.annotations                                       | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.enabled                                           | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.extraHostsRaw                                     | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.hosts[0]                                          | string | `"chart-example.local"`                            |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.ingressClassName                                  | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.path                                              | string | `"/"`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.pathType                                          | string | `"ImplementationSpecific"`                         |                                                                                                                                                                                                                                                                                                                                     |
-| ingress.tls                                               | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| init.adminUser.email                                      | string | `"admin@superset.com"`                             |                                                                                                                                                                                                                                                                                                                                     |
-| init.adminUser.firstname                                  | string | `"Superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
-| init.adminUser.lastname                                   | string | `"Admin"`                                          |                                                                                                                                                                                                                                                                                                                                     |
-| init.adminUser.password                                   | string | `"admin"`                                          |                                                                                                                                                                                                                                                                                                                                     |
-| init.adminUser.username                                   | string | `"admin"`                                          |                                                                                                                                                                                                                                                                                                                                     |
-| init.affinity                                             | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| init.command                                              | list   | a `superset_init.sh` command                       | Command                                                                                                                                                                                                                                                                                                                             |
-| init.containerSecurityContext                             | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| init.createAdmin                                          | bool   | `true`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| init.enabled                                              | bool   | `true`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| init.extraContainers                                      | list   | `[]`                                               | Launch additional containers into init job pod                                                                                                                                                                                                                                                                                      |
-| init.initContainers                                       | list   | a container waiting for postgres                   | List of initContainers                                                                                                                                                                                                                                                                                                              |
-| init.initscript                                           | string | a script to create admin user and initialize roles | A Superset init script                                                                                                                                                                                                                                                                                                              |
-| init.jobAnnotations."helm.sh/hook"                        | string | `"post-install,post-upgrade"`                      |                                                                                                                                                                                                                                                                                                                                     |
-| init.jobAnnotations."helm.sh/hook-delete-policy"          | string | `"before-hook-creation"`                           |                                                                                                                                                                                                                                                                                                                                     |
-| init.loadExamples                                         | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| init.podAnnotations                                       | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| init.podSecurityContext                                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| init.resources                                            | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| init.tolerations                                          | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| init.topologySpreadConstraints                            | list   | `[]`                                               | TopologySpreadConstrains to be added to init job                                                                                                                                                                                                                                                                                    |
-| initImage.pullPolicy                                      | string | `"IfNotPresent"`                                   |                                                                                                                                                                                                                                                                                                                                     |
-| initImage.repository                                      | string | `"apache/superset"`                                |                                                                                                                                                                                                                                                                                                                                     |
-| initImage.tag                                             | string | `"dockerize"`                                      |                                                                                                                                                                                                                                                                                                                                     |
-| nameOverride                                              | string | `nil`                                              | Provide a name to override the name of the chart                                                                                                                                                                                                                                                                                    |
-| nodeSelector                                              | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| postgresql                                                | object | see `values.yaml`                                  | Configuration values for the postgresql dependency. ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql                                                                                                                                                                                                             |
-| redis                                                     | object | see `values.yaml`                                  | Configuration values for the Redis dependency. ref: https://github.com/bitnami/charts/blob/master/bitnami/redis More documentation can be found here: https://artifacthub.io/packages/helm/bitnami/redis                                                                                                                            |
-| resources                                                 | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| runAsUser                                                 | int    | `0`                                                | User ID directive. This user must have enough permissions to run the bootstrap script Running containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure                                                                                                                         |
-| service.annotations                                       | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| service.loadBalancerIP                                    | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| service.nodePort.http                                     | int    | `"nil"`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| service.port                                              | int    | `8088`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| service.type                                              | string | `"ClusterIP"`                                      |                                                                                                                                                                                                                                                                                                                                     |
-| serviceAccount.annotations                                | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| serviceAccount.create                                     | bool   | `false`                                            | Create custom service account for Superset. If create: true and serviceAccountName is not provided, `superset.fullname` will be used.                                                                                                                                                                                               |
-| serviceAccountName                                        | string | `nil`                                              | Specify service account name to be used                                                                                                                                                                                                                                                                                             |
-| supersetCeleryBeat.affinity                               | object | `{}`                                               | Affinity to be added to supersetCeleryBeat deployment                                                                                                                                                                                                                                                                               |
-| supersetCeleryBeat.command                                | list   | a `celery beat` command                            | Command                                                                                                                                                                                                                                                                                                                             |
-| supersetCeleryBeat.containerSecurityContext               | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryBeat.deploymentAnnotations                  | object | `{}`                                               | Annotations to be added to supersetCeleryBeat deployment                                                                                                                                                                                                                                                                            |
-| supersetCeleryBeat.enabled                                | bool   | `false`                                            | This is only required if you intend to use alerts and reports                                                                                                                                                                                                                                                                       |
-| supersetCeleryBeat.extraContainers                        | list   | `[]`                                               | Launch additional containers into supersetCeleryBeat pods                                                                                                                                                                                                                                                                           |
-| supersetCeleryBeat.forceReload                            | bool   | `false`                                            | If true, forces deployment to reload on each upgrade                                                                                                                                                                                                                                                                                |
-| supersetCeleryBeat.initContainers                         | list   | a container waiting for postgres                   | List of init containers                                                                                                                                                                                                                                                                                                             |
-| supersetCeleryBeat.podAnnotations                         | object | `{}`                                               | Annotations to be added to supersetCeleryBeat pods                                                                                                                                                                                                                                                                                  |
-| supersetCeleryBeat.podLabels                              | object | `{}`                                               | Labels to be added to supersetCeleryBeat pods                                                                                                                                                                                                                                                                                       |
-| supersetCeleryBeat.podSecurityContext                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryBeat.resources                              | object | `{}`                                               | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                          |
-| supersetCeleryBeat.topologySpreadConstraints              | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetCeleryBeat deployments                                                                                                                                                                                                                                                              |
-| supersetCeleryFlower.affinity                             | object | `{}`                                               | Affinity to be added to supersetCeleryFlower deployment                                                                                                                                                                                                                                                                             |
-| supersetCeleryFlower.command                              | list   | a `celery flower` command                          | Command                                                                                                                                                                                                                                                                                                                             |
-| supersetCeleryFlower.containerSecurityContext             | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.deploymentAnnotations                | object | `{}`                                               | Annotations to be added to supersetCeleryFlower deployment                                                                                                                                                                                                                                                                          |
-| supersetCeleryFlower.enabled                              | bool   | `false`                                            | Enables a Celery flower deployment (management UI to monitor celery jobs) WARNING: on superset 1.x, this requires a Superset image that has `flower<1.0.0` installed (which is NOT the case of the default images) flower>=1.0.0 requires Celery 5+ which Superset 1.5 does not support                                             |
-| supersetCeleryFlower.extraContainers                      | list   | `[]`                                               | Launch additional containers into supersetCeleryFlower pods                                                                                                                                                                                                                                                                         |
-| supersetCeleryFlower.initContainers                       | list   | a container waiting for postgres and redis         | List of init containers                                                                                                                                                                                                                                                                                                             |
-| supersetCeleryFlower.livenessProbe.failureThreshold       | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.livenessProbe.httpGet.path           | string | `"/api/workers"`                                   |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.livenessProbe.httpGet.port           | string | `"flower"`                                         |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.livenessProbe.initialDelaySeconds    | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.livenessProbe.periodSeconds          | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.livenessProbe.successThreshold       | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.livenessProbe.timeoutSeconds         | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.podAnnotations                       | object | `{}`                                               | Annotations to be added to supersetCeleryFlower pods                                                                                                                                                                                                                                                                                |
-| supersetCeleryFlower.podLabels                            | object | `{}`                                               | Labels to be added to supersetCeleryFlower pods                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.podSecurityContext                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.readinessProbe.failureThreshold      | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.readinessProbe.httpGet.path          | string | `"/api/workers"`                                   |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.readinessProbe.httpGet.port          | string | `"flower"`                                         |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.readinessProbe.initialDelaySeconds   | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.readinessProbe.periodSeconds         | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.readinessProbe.successThreshold      | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.readinessProbe.timeoutSeconds        | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.replicaCount                         | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.resources                            | object | `{}`                                               | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                          |
-| supersetCeleryFlower.service.annotations                  | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.service.loadBalancerIP               | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.service.nodePort.http                | int    | `"nil"`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.service.port                         | int    | `5555`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.service.type                         | string | `"ClusterIP"`                                      |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.startupProbe.failureThreshold        | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.startupProbe.httpGet.path            | string | `"/api/workers"`                                   |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.startupProbe.httpGet.port            | string | `"flower"`                                         |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.startupProbe.initialDelaySeconds     | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.startupProbe.periodSeconds           | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.startupProbe.successThreshold        | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.startupProbe.timeoutSeconds          | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetCeleryFlower.topologySpreadConstraints            | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetCeleryFlower deployments                                                                                                                                                                                                                                                            |
-| supersetNode.affinity                                     | object | `{}`                                               | Affinity to be added to supersetNode deployment                                                                                                                                                                                                                                                                                     |
-| supersetNode.autoscaling.enabled                          | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.autoscaling.maxReplicas                      | int    | `100`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.autoscaling.minReplicas                      | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.autoscaling.targetCPUUtilizationPercentage   | int    | `80`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.command                                      | list   | See `values.yaml`                                  | Startup command                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.connections.db_host                          | string | `"{{ .Release.Name }}-postgresql"`                 |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.connections.db_name                          | string | `"superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.connections.db_pass                          | string | `"superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.connections.db_port                          | string | `"5432"`                                           |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.connections.db_user                          | string | `"superset"`                                       |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.connections.redis_host                       | string | `"{{ .Release.Name }}-redis-headless"`             | Change in case of bringing your own redis and then also set redis.enabled:false                                                                                                                                                                                                                                                     |
-| supersetNode.connections.redis_port                       | string | `"6379"`                                           |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.containerSecurityContext                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.deploymentAnnotations                        | object | `{}`                                               | Annotations to be added to supersetNode deployment                                                                                                                                                                                                                                                                                  |
-| supersetNode.deploymentLabels                             | object | `{}`                                               | Labels to be added to supersetNode deployment                                                                                                                                                                                                                                                                                       |
-| supersetNode.env                                          | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.extraContainers                              | list   | `[]`                                               | Launch additional containers into supersetNode pod                                                                                                                                                                                                                                                                                  |
-| supersetNode.forceReload                                  | bool   | `false`                                            | If true, forces deployment to reload on each upgrade                                                                                                                                                                                                                                                                                |
-| supersetNode.initContainers                               | list   | a container waiting for postgres                   | Init containers                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.livenessProbe.failureThreshold               | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.livenessProbe.httpGet.path                   | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.livenessProbe.httpGet.port                   | string | `"http"`                                           |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.livenessProbe.initialDelaySeconds            | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.livenessProbe.periodSeconds                  | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.livenessProbe.successThreshold               | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.livenessProbe.timeoutSeconds                 | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.podAnnotations                               | object | `{}`                                               | Annotations to be added to supersetNode pods                                                                                                                                                                                                                                                                                        |
-| supersetNode.podLabels                                    | object | `{}`                                               | Labels to be added to supersetNode pods                                                                                                                                                                                                                                                                                             |
-| supersetNode.podSecurityContext                           | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.readinessProbe.failureThreshold              | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.readinessProbe.httpGet.path                  | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.readinessProbe.httpGet.port                  | string | `"http"`                                           |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.readinessProbe.initialDelaySeconds           | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.readinessProbe.periodSeconds                 | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.readinessProbe.successThreshold              | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.readinessProbe.timeoutSeconds                | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.replicaCount                                 | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.resources                                    | object | `{}`                                               | Resource settings for the supersetNode pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                        |
-| supersetNode.startupProbe.failureThreshold                | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.startupProbe.httpGet.path                    | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.startupProbe.httpGet.port                    | string | `"http"`                                           |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.startupProbe.initialDelaySeconds             | int    | `15`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.startupProbe.periodSeconds                   | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.startupProbe.successThreshold                | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.startupProbe.timeoutSeconds                  | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.strategy                                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetNode.topologySpreadConstraints                    | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetNode deployments                                                                                                                                                                                                                                                                    |
-| supersetWebsockets.affinity                               | object | `{}`                                               | Affinity to be added to supersetWebsockets deployment                                                                                                                                                                                                                                                                               |
-| supersetWebsockets.command                                | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.config                                 | object | see `values.yaml`                                  | The config.json to pass to the server, see https://github.com/apache/superset/tree/master/superset-websocket Note that the configuration can also read from environment variables (which will have priority), see https://github.com/apache/superset/blob/master/superset-websocket/src/config.ts for a list of supported variables |
-| supersetWebsockets.containerSecurityContext               | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.deploymentAnnotations                  | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.enabled                                | bool   | `false`                                            | This is only required if you intend to use `GLOBAL_ASYNC_QUERIES` in `ws` mode see https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries                                                                                                                                                               |
-| supersetWebsockets.extraContainers                        | list   | `[]`                                               | Launch additional containers into supersetWebsockets pods                                                                                                                                                                                                                                                                           |
-| supersetWebsockets.image.pullPolicy                       | string | `"IfNotPresent"`                                   |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.image.repository                       | string | `"oneacrefund/superset-websocket"`                 | There is no official image (yet), this one is community-supported                                                                                                                                                                                                                                                                   |
-| supersetWebsockets.image.tag                              | string | `"latest"`                                         |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.ingress.path                           | string | `"/ws"`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.ingress.pathType                       | string | `"Prefix"`                                         |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.livenessProbe.failureThreshold         | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.livenessProbe.httpGet.path             | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.livenessProbe.httpGet.port             | string | `"ws"`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.livenessProbe.initialDelaySeconds      | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.livenessProbe.periodSeconds            | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.livenessProbe.successThreshold         | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.livenessProbe.timeoutSeconds           | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.podAnnotations                         | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.podLabels                              | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.podSecurityContext                     | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.readinessProbe.failureThreshold        | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.readinessProbe.httpGet.path            | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.readinessProbe.httpGet.port            | string | `"ws"`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.readinessProbe.initialDelaySeconds     | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.readinessProbe.periodSeconds           | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.readinessProbe.successThreshold        | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.readinessProbe.timeoutSeconds          | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.replicaCount                           | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.resources                              | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.service.annotations                    | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.service.loadBalancerIP                 | string | `nil`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.service.nodePort.http                  | int    | `"nil"`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.service.port                           | int    | `8080`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.service.type                           | string | `"ClusterIP"`                                      |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.startupProbe.failureThreshold          | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.startupProbe.httpGet.path              | string | `"/health"`                                        |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.startupProbe.httpGet.port              | string | `"ws"`                                             |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.startupProbe.initialDelaySeconds       | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.startupProbe.periodSeconds             | int    | `5`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.startupProbe.successThreshold          | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.startupProbe.timeoutSeconds            | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.strategy                               | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWebsockets.topologySpreadConstraints              | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetWebsockets deployments                                                                                                                                                                                                                                                              |
-| supersetWorker.affinity                                   | object | `{}`                                               | Affinity to be added to supersetWorker deployment                                                                                                                                                                                                                                                                                   |
-| supersetWorker.autoscaling.enabled                        | bool   | `false`                                            |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.autoscaling.maxReplicas                    | int    | `100`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.autoscaling.minReplicas                    | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.autoscaling.targetCPUUtilizationPercentage | int    | `80`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.command                                    | list   | a `celery worker` command                          | Worker startup command                                                                                                                                                                                                                                                                                                              |
-| supersetWorker.containerSecurityContext                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.deploymentAnnotations                      | object | `{}`                                               | Annotations to be added to supersetWorker deployment                                                                                                                                                                                                                                                                                |
-| supersetWorker.deploymentLabels                           | object | `{}`                                               | Labels to be added to supersetWorker deployment                                                                                                                                                                                                                                                                                     |
-| supersetWorker.extraContainers                            | list   | `[]`                                               | Launch additional containers into supersetWorker pod                                                                                                                                                                                                                                                                                |
-| supersetWorker.forceReload                                | bool   | `false`                                            | If true, forces deployment to reload on each upgrade                                                                                                                                                                                                                                                                                |
-| supersetWorker.initContainers                             | list   | a container waiting for postgres and redis         | Init container                                                                                                                                                                                                                                                                                                                      |
-| supersetWorker.livenessProbe.exec.command                 | list   | a `celery inspect ping` command                    | Liveness probe command                                                                                                                                                                                                                                                                                                              |
-| supersetWorker.livenessProbe.failureThreshold             | int    | `3`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.livenessProbe.initialDelaySeconds          | int    | `120`                                              |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.livenessProbe.periodSeconds                | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.livenessProbe.successThreshold             | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.livenessProbe.timeoutSeconds               | int    | `60`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.podAnnotations                             | object | `{}`                                               | Annotations to be added to supersetWorker pods                                                                                                                                                                                                                                                                                      |
-| supersetWorker.podLabels                                  | object | `{}`                                               | Labels to be added to supersetWorker pods                                                                                                                                                                                                                                                                                           |
-| supersetWorker.podSecurityContext                         | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.readinessProbe                             | object | `{}`                                               | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic)                                                                                                                                                                                                                 |
-| supersetWorker.replicaCount                               | int    | `1`                                                |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.resources                                  | object | `{}`                                               | Resource settings for the supersetWorker pods - these settings overwrite might existing values from the global resources object defined above.                                                                                                                                                                                      |
-| supersetWorker.startupProbe                               | object | `{}`                                               | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic)                                                                                                                                                                                                                 |
-| supersetWorker.strategy                                   | object | `{}`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| supersetWorker.topologySpreadConstraints                  | list   | `[]`                                               | TopologySpreadConstrains to be added to supersetWorker deployments                                                                                                                                                                                                                                                                  |
-| tolerations                                               | list   | `[]`                                               |                                                                                                                                                                                                                                                                                                                                     |
-| topologySpreadConstraints                                 | list   | `[]`                                               | TopologySpreadConstrains to be added to all deployments                                                                                                                                                                                                                                                                             |
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| bootstrapScript | string | see `values.yaml` | Install additional packages and do any other bootstrap configuration in this script For production clusters it's recommended to build own image with this step done in CI |
+| configFromSecret | string | `"{{ template \"superset.fullname\" . }}-config"` | The name of the secret which we will use to generate a superset_config.py file Note: this secret must have the key superset_config.py in it and can include other files as well |
+| configMountPath | string | `"/app/pythonpath"` |  |
+| configOverrides | object | `{}` | A dictionary of overrides to append at the end of superset_config.py - the name does not matter WARNING: the order is not guaranteed Files can be passed as helm --set-file configOverrides.my-override=my-file.py |
+| configOverridesFiles | object | `{}` | Same as above but the values are files |
+| envFromSecret | string | `"{{ template \"superset.fullname\" . }}-env"` | The name of the secret which we will use to populate env vars in deployed pods This can be useful for secret keys, etc. |
+| envFromSecrets | list | `[]` | This can be a list of templated strings |
+| extraConfigMountPath | string | `"/app/configs"` |  |
+| extraConfigs | object | `{}` | Extra files to mount on `/app/pythonpath` |
+| extraEnv | object | `{}` | Extra environment variables that will be passed into pods |
+| extraEnvRaw | list | `[]` | Extra environment variables in RAW format that will be passed into pods |
+| extraSecretEnv | object | `{}` | Extra environment variables to pass as secrets |
+| extraSecrets | object | `{}` | Extra files to mount on `/app/pythonpath` as secrets |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
+| fullnameOverride | string | `nil` | Provide a name to override the full names of resources |
+| hostAliases | list | `[]` | Custom hostAliases for all superset pods # https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"apachesuperset.docker.scarf.sh/apache/superset"` |  |
+| image.tag | string | `""` |  |
+| imagePullSecrets | list | `[]` |  |
+| ingress.annotations | object | `{}` |  |
+| ingress.enabled | bool | `false` |  |
+| ingress.extraHostsRaw | list | `[]` |  |
+| ingress.hosts[0] | string | `"chart-example.local"` |  |
+| ingress.ingressClassName | string | `nil` |  |
+| ingress.path | string | `"/"` |  |
+| ingress.pathType | string | `"ImplementationSpecific"` |  |
+| ingress.tls | list | `[]` |  |
+| init.adminUser.email | string | `"admin@superset.com"` |  |
+| init.adminUser.firstname | string | `"Superset"` |  |
+| init.adminUser.lastname | string | `"Admin"` |  |
+| init.adminUser.password | string | `"admin"` |  |
+| init.adminUser.username | string | `"admin"` |  |
+| init.affinity | object | `{}` |  |
+| init.command | list | a `superset_init.sh` command | Command |
+| init.containerSecurityContext | object | `{}` |  |
+| init.createAdmin | bool | `true` |  |
+| init.enabled | bool | `true` |  |
+| init.extraContainers | list | `[]` | Launch additional containers into init job pod |
+| init.initContainers | list | a container waiting for postgres | List of initContainers |
+| init.initscript | string | a script to create admin user and initialize roles | A Superset init script |
+| init.jobAnnotations."helm.sh/hook" | string | `"post-install,post-upgrade"` |  |
+| init.jobAnnotations."helm.sh/hook-delete-policy" | string | `"before-hook-creation"` |  |
+| init.loadExamples | bool | `false` |  |
+| init.podAnnotations | object | `{}` |  |
+| init.podSecurityContext | object | `{}` |  |
+| init.resources | object | `{}` |  |
+| init.tolerations | list | `[]` |  |
+| init.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to init job |
+| initImage.pullPolicy | string | `"IfNotPresent"` |  |
+| initImage.repository | string | `"apache/superset"` |  |
+| initImage.tag | string | `"dockerize"` |  |
+| nameOverride | string | `nil` | Provide a name to override the name of the chart |
+| nodeSelector | object | `{}` |  |
+| postgresql | object | see `values.yaml` | Configuration values for the postgresql dependency. ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql |
+| redis | object | see `values.yaml` | Configuration values for the Redis dependency. ref: https://github.com/bitnami/charts/blob/master/bitnami/redis More documentation can be found here: https://artifacthub.io/packages/helm/bitnami/redis |
+| resources | object | `{}` |  |
+| runAsUser | int | `0` | User ID directive. This user must have enough permissions to run the bootstrap script Running containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure |
+| service.annotations | object | `{}` |  |
+| service.loadBalancerIP | string | `nil` |  |
+| service.nodePort.http | int | `"nil"` |  |
+| service.port | int | `8088` |  |
+| service.type | string | `"ClusterIP"` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `false` | Create custom service account for Superset. If create: true and serviceAccountName is not provided, `superset.fullname` will be used. |
+| serviceAccountName | string | `nil` | Specify service account name to be used |
+| supersetCeleryBeat.affinity | object | `{}` | Affinity to be added to supersetCeleryBeat deployment |
+| supersetCeleryBeat.command | list | a `celery beat` command | Command |
+| supersetCeleryBeat.containerSecurityContext | object | `{}` |  |
+| supersetCeleryBeat.deploymentAnnotations | object | `{}` | Annotations to be added to supersetCeleryBeat deployment |
+| supersetCeleryBeat.enabled | bool | `false` | This is only required if you intend to use alerts and reports |
+| supersetCeleryBeat.extraContainers | list | `[]` | Launch additional containers into supersetCeleryBeat pods |
+| supersetCeleryBeat.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
+| supersetCeleryBeat.initContainers | list | a container waiting for postgres | List of init containers |
+| supersetCeleryBeat.podAnnotations | object | `{}` | Annotations to be added to supersetCeleryBeat pods |
+| supersetCeleryBeat.podLabels | object | `{}` | Labels to be added to supersetCeleryBeat pods |
+| supersetCeleryBeat.podSecurityContext | object | `{}` |  |
+| supersetCeleryBeat.resources | object | `{}` | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above. |
+| supersetCeleryBeat.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetCeleryBeat deployments |
+| supersetCeleryFlower.affinity | object | `{}` | Affinity to be added to supersetCeleryFlower deployment |
+| supersetCeleryFlower.command | list | a `celery flower` command | Command |
+| supersetCeleryFlower.containerSecurityContext | object | `{}` |  |
+| supersetCeleryFlower.deploymentAnnotations | object | `{}` | Annotations to be added to supersetCeleryFlower deployment |
+| supersetCeleryFlower.enabled | bool | `false` | Enables a Celery flower deployment (management UI to monitor celery jobs) WARNING: on superset 1.x, this requires a Superset image that has `flower<1.0.0` installed (which is NOT the case of the default images) flower>=1.0.0 requires Celery 5+ which Superset 1.5 does not support |
+| supersetCeleryFlower.extraContainers | list | `[]` | Launch additional containers into supersetCeleryFlower pods |
+| supersetCeleryFlower.initContainers | list | a container waiting for postgres and redis | List of init containers |
+| supersetCeleryFlower.livenessProbe.failureThreshold | int | `3` |  |
+| supersetCeleryFlower.livenessProbe.httpGet.path | string | `"/api/workers"` |  |
+| supersetCeleryFlower.livenessProbe.httpGet.port | string | `"flower"` |  |
+| supersetCeleryFlower.livenessProbe.initialDelaySeconds | int | `5` |  |
+| supersetCeleryFlower.livenessProbe.periodSeconds | int | `5` |  |
+| supersetCeleryFlower.livenessProbe.successThreshold | int | `1` |  |
+| supersetCeleryFlower.livenessProbe.timeoutSeconds | int | `1` |  |
+| supersetCeleryFlower.podAnnotations | object | `{}` | Annotations to be added to supersetCeleryFlower pods |
+| supersetCeleryFlower.podLabels | object | `{}` | Labels to be added to supersetCeleryFlower pods |
+| supersetCeleryFlower.podSecurityContext | object | `{}` |  |
+| supersetCeleryFlower.readinessProbe.failureThreshold | int | `3` |  |
+| supersetCeleryFlower.readinessProbe.httpGet.path | string | `"/api/workers"` |  |
+| supersetCeleryFlower.readinessProbe.httpGet.port | string | `"flower"` |  |
+| supersetCeleryFlower.readinessProbe.initialDelaySeconds | int | `5` |  |
+| supersetCeleryFlower.readinessProbe.periodSeconds | int | `5` |  |
+| supersetCeleryFlower.readinessProbe.successThreshold | int | `1` |  |
+| supersetCeleryFlower.readinessProbe.timeoutSeconds | int | `1` |  |
+| supersetCeleryFlower.replicaCount | int | `1` |  |
+| supersetCeleryFlower.resources | object | `{}` | Resource settings for the CeleryBeat pods - these settings overwrite might existing values from the global resources object defined above. |
+| supersetCeleryFlower.service.annotations | object | `{}` |  |
+| supersetCeleryFlower.service.loadBalancerIP | string | `nil` |  |
+| supersetCeleryFlower.service.nodePort.http | int | `"nil"` |  |
+| supersetCeleryFlower.service.port | int | `5555` |  |
+| supersetCeleryFlower.service.type | string | `"ClusterIP"` |  |
+| supersetCeleryFlower.startupProbe.failureThreshold | int | `60` |  |
+| supersetCeleryFlower.startupProbe.httpGet.path | string | `"/api/workers"` |  |
+| supersetCeleryFlower.startupProbe.httpGet.port | string | `"flower"` |  |
+| supersetCeleryFlower.startupProbe.initialDelaySeconds | int | `5` |  |
+| supersetCeleryFlower.startupProbe.periodSeconds | int | `5` |  |
+| supersetCeleryFlower.startupProbe.successThreshold | int | `1` |  |
+| supersetCeleryFlower.startupProbe.timeoutSeconds | int | `1` |  |
+| supersetCeleryFlower.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetCeleryFlower deployments |
+| supersetNode.affinity | object | `{}` | Affinity to be added to supersetNode deployment |
+| supersetNode.autoscaling.enabled | bool | `false` |  |
+| supersetNode.autoscaling.maxReplicas | int | `100` |  |
+| supersetNode.autoscaling.minReplicas | int | `1` |  |
+| supersetNode.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| supersetNode.command | list | See `values.yaml` | Startup command |
+| supersetNode.connections.db_host | string | `"{{ .Release.Name }}-postgresql"` |  |
+| supersetNode.connections.db_name | string | `"superset"` |  |
+| supersetNode.connections.db_pass | string | `"superset"` |  |
+| supersetNode.connections.db_port | string | `"5432"` |  |
+| supersetNode.connections.db_user | string | `"superset"` |  |
+| supersetNode.connections.redis_host | string | `"{{ .Release.Name }}-redis-headless"` | Change in case of bringing your own redis and then also set redis.enabled:false |
+| supersetNode.connections.redis_port | string | `"6379"` |  |
+| supersetNode.containerSecurityContext | object | `{}` |  |
+| supersetNode.deploymentAnnotations | object | `{}` | Annotations to be added to supersetNode deployment |
+| supersetNode.deploymentLabels | object | `{}` | Labels to be added to supersetNode deployment |
+| supersetNode.env | object | `{}` |  |
+| supersetNode.extraContainers | list | `[]` | Launch additional containers into supersetNode pod |
+| supersetNode.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
+| supersetNode.initContainers | list | a container waiting for postgres | Init containers |
+| supersetNode.livenessProbe.failureThreshold | int | `3` |  |
+| supersetNode.livenessProbe.httpGet.path | string | `"/health"` |  |
+| supersetNode.livenessProbe.httpGet.port | string | `"http"` |  |
+| supersetNode.livenessProbe.initialDelaySeconds | int | `15` |  |
+| supersetNode.livenessProbe.periodSeconds | int | `15` |  |
+| supersetNode.livenessProbe.successThreshold | int | `1` |  |
+| supersetNode.livenessProbe.timeoutSeconds | int | `1` |  |
+| supersetNode.podAnnotations | object | `{}` | Annotations to be added to supersetNode pods |
+| supersetNode.podLabels | object | `{}` | Labels to be added to supersetNode pods |
+| supersetNode.podSecurityContext | object | `{}` |  |
+| supersetNode.readinessProbe.failureThreshold | int | `3` |  |
+| supersetNode.readinessProbe.httpGet.path | string | `"/health"` |  |
+| supersetNode.readinessProbe.httpGet.port | string | `"http"` |  |
+| supersetNode.readinessProbe.initialDelaySeconds | int | `15` |  |
+| supersetNode.readinessProbe.periodSeconds | int | `15` |  |
+| supersetNode.readinessProbe.successThreshold | int | `1` |  |
+| supersetNode.readinessProbe.timeoutSeconds | int | `1` |  |
+| supersetNode.replicaCount | int | `1` |  |
+| supersetNode.resources | object | `{}` | Resource settings for the supersetNode pods - these settings overwrite might existing values from the global resources object defined above. |
+| supersetNode.startupProbe.failureThreshold | int | `60` |  |
+| supersetNode.startupProbe.httpGet.path | string | `"/health"` |  |
+| supersetNode.startupProbe.httpGet.port | string | `"http"` |  |
+| supersetNode.startupProbe.initialDelaySeconds | int | `15` |  |
+| supersetNode.startupProbe.periodSeconds | int | `5` |  |
+| supersetNode.startupProbe.successThreshold | int | `1` |  |
+| supersetNode.startupProbe.timeoutSeconds | int | `1` |  |
+| supersetNode.strategy | object | `{}` |  |
+| supersetNode.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetNode deployments |
+| supersetWebsockets.affinity | object | `{}` | Affinity to be added to supersetWebsockets deployment |
+| supersetWebsockets.command | list | `[]` |  |
+| supersetWebsockets.config | object | see `values.yaml` | The config.json to pass to the server, see https://github.com/apache/superset/tree/master/superset-websocket Note that the configuration can also read from environment variables (which will have priority), see https://github.com/apache/superset/blob/master/superset-websocket/src/config.ts for a list of supported variables |
+| supersetWebsockets.containerSecurityContext | object | `{}` |  |
+| supersetWebsockets.deploymentAnnotations | object | `{}` |  |
+| supersetWebsockets.enabled | bool | `false` | This is only required if you intend to use `GLOBAL_ASYNC_QUERIES` in `ws` mode see https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries |
+| supersetWebsockets.extraContainers | list | `[]` | Launch additional containers into supersetWebsockets pods |
+| supersetWebsockets.image.pullPolicy | string | `"IfNotPresent"` |  |
+| supersetWebsockets.image.repository | string | `"oneacrefund/superset-websocket"` | There is no official image (yet), this one is community-supported |
+| supersetWebsockets.image.tag | string | `"latest"` |  |
+| supersetWebsockets.ingress.path | string | `"/ws"` |  |
+| supersetWebsockets.ingress.pathType | string | `"Prefix"` |  |
+| supersetWebsockets.livenessProbe.failureThreshold | int | `3` |  |
+| supersetWebsockets.livenessProbe.httpGet.path | string | `"/health"` |  |
+| supersetWebsockets.livenessProbe.httpGet.port | string | `"ws"` |  |
+| supersetWebsockets.livenessProbe.initialDelaySeconds | int | `5` |  |
+| supersetWebsockets.livenessProbe.periodSeconds | int | `5` |  |
+| supersetWebsockets.livenessProbe.successThreshold | int | `1` |  |
+| supersetWebsockets.livenessProbe.timeoutSeconds | int | `1` |  |
+| supersetWebsockets.podAnnotations | object | `{}` |  |
+| supersetWebsockets.podLabels | object | `{}` |  |
+| supersetWebsockets.podSecurityContext | object | `{}` |  |
+| supersetWebsockets.readinessProbe.failureThreshold | int | `3` |  |
+| supersetWebsockets.readinessProbe.httpGet.path | string | `"/health"` |  |
+| supersetWebsockets.readinessProbe.httpGet.port | string | `"ws"` |  |
+| supersetWebsockets.readinessProbe.initialDelaySeconds | int | `5` |  |
+| supersetWebsockets.readinessProbe.periodSeconds | int | `5` |  |
+| supersetWebsockets.readinessProbe.successThreshold | int | `1` |  |
+| supersetWebsockets.readinessProbe.timeoutSeconds | int | `1` |  |
+| supersetWebsockets.replicaCount | int | `1` |  |
+| supersetWebsockets.resources | object | `{}` |  |
+| supersetWebsockets.service.annotations | object | `{}` |  |
+| supersetWebsockets.service.loadBalancerIP | string | `nil` |  |
+| supersetWebsockets.service.nodePort.http | int | `"nil"` |  |
+| supersetWebsockets.service.port | int | `8080` |  |
+| supersetWebsockets.service.type | string | `"ClusterIP"` |  |
+| supersetWebsockets.startupProbe.failureThreshold | int | `60` |  |
+| supersetWebsockets.startupProbe.httpGet.path | string | `"/health"` |  |
+| supersetWebsockets.startupProbe.httpGet.port | string | `"ws"` |  |
+| supersetWebsockets.startupProbe.initialDelaySeconds | int | `5` |  |
+| supersetWebsockets.startupProbe.periodSeconds | int | `5` |  |
+| supersetWebsockets.startupProbe.successThreshold | int | `1` |  |
+| supersetWebsockets.startupProbe.timeoutSeconds | int | `1` |  |
+| supersetWebsockets.strategy | object | `{}` |  |
+| supersetWebsockets.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetWebsockets deployments |
+| supersetWorker.affinity | object | `{}` | Affinity to be added to supersetWorker deployment |
+| supersetWorker.autoscaling.enabled | bool | `false` |  |
+| supersetWorker.autoscaling.maxReplicas | int | `100` |  |
+| supersetWorker.autoscaling.minReplicas | int | `1` |  |
+| supersetWorker.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| supersetWorker.command | list | a `celery worker` command | Worker startup command |
+| supersetWorker.containerSecurityContext | object | `{}` |  |
+| supersetWorker.deploymentAnnotations | object | `{}` | Annotations to be added to supersetWorker deployment |
+| supersetWorker.deploymentLabels | object | `{}` | Labels to be added to supersetWorker deployment |
+| supersetWorker.extraContainers | list | `[]` | Launch additional containers into supersetWorker pod |
+| supersetWorker.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
+| supersetWorker.initContainers | list | a container waiting for postgres and redis | Init container |
+| supersetWorker.livenessProbe.exec.command | list | a `celery inspect ping` command | Liveness probe command |
+| supersetWorker.livenessProbe.failureThreshold | int | `3` |  |
+| supersetWorker.livenessProbe.initialDelaySeconds | int | `120` |  |
+| supersetWorker.livenessProbe.periodSeconds | int | `60` |  |
+| supersetWorker.livenessProbe.successThreshold | int | `1` |  |
+| supersetWorker.livenessProbe.timeoutSeconds | int | `60` |  |
+| supersetWorker.podAnnotations | object | `{}` | Annotations to be added to supersetWorker pods |
+| supersetWorker.podLabels | object | `{}` | Labels to be added to supersetWorker pods |
+| supersetWorker.podSecurityContext | object | `{}` |  |
+| supersetWorker.readinessProbe | object | `{}` | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic) |
+| supersetWorker.replicaCount | int | `1` |  |
+| supersetWorker.resources | object | `{}` | Resource settings for the supersetWorker pods - these settings overwrite might existing values from the global resources object defined above. |
+| supersetWorker.startupProbe | object | `{}` | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic) |
+| supersetWorker.strategy | object | `{}` |  |
+| supersetWorker.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetWorker deployments |
+| tolerations | list | `[]` |  |
+| topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to all deployments |

From 91399b13917ef233ab60ca1b4e3e5f8f4a53baf0 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Fri, 26 Jan 2024 08:57:21 -0500
Subject: [PATCH 019/114] fix: Row limit hardcoded (#26807)

(cherry picked from commit 5e633d2bb0909f1cb4904c07e29a2c683f02131c)
---
 .../src/shared-controls/sharedControls.tsx                    | 4 ++--
 tests/integration_tests/celery_tests.py                       | 2 +-
 tests/integration_tests/superset_test_config.py               | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx b/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx
index 4396f4f2e9495..56f3bc246e421 100644
--- a/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx
+++ b/superset-frontend/packages/superset-ui-chart-controls/src/shared-controls/sharedControls.tsx
@@ -245,10 +245,10 @@ const row_limit: SharedControlConfig<'SelectControl'> = {
   freeForm: true,
   label: t('Row limit'),
   clearable: false,
+  mapStateToProps: state => ({ maxValue: state?.common?.conf?.SQL_MAX_ROW }),
   validators: [
     legacyValidateInteger,
-    (v, state) =>
-      validateMaxValue(v, state?.common?.conf?.SQL_MAX_ROW || DEFAULT_MAX_ROW),
+    (v, state) => validateMaxValue(v, state?.maxValue || DEFAULT_MAX_ROW),
   ],
   default: 10000,
   choices: formatSelectOptions(ROW_LIMIT_OPTIONS),
diff --git a/tests/integration_tests/celery_tests.py b/tests/integration_tests/celery_tests.py
index 29a1f7a66afa0..b0ac6ac6c7ed4 100644
--- a/tests/integration_tests/celery_tests.py
+++ b/tests/integration_tests/celery_tests.py
@@ -344,7 +344,7 @@ def test_run_async_cta_query_with_lower_limit(test_client, ctas_method):
     assert QUERY == query.sql
 
     assert query.rows == (1 if backend() == "presto" else 0)
-    assert query.limit == 10000
+    assert query.limit == 50000
     assert query.select_as_cta
     assert query.select_as_cta_used
 
diff --git a/tests/integration_tests/superset_test_config.py b/tests/integration_tests/superset_test_config.py
index 89287be663e55..60b2d1107e508 100644
--- a/tests/integration_tests/superset_test_config.py
+++ b/tests/integration_tests/superset_test_config.py
@@ -60,7 +60,7 @@
 PRESTO_POLL_INTERVAL = 0.1
 HIVE_POLL_INTERVAL = 0.1
 
-SQL_MAX_ROW = 10000
+SQL_MAX_ROW = 50000
 SQLLAB_CTAS_NO_LIMIT = True  # SQL_MAX_ROW will not take effect for the CTA queries
 FEATURE_FLAGS = {
     **FEATURE_FLAGS,

From 84f0d748909ce16d08bc95d72cca5c23fb5f1f73 Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Fri, 26 Jan 2024 17:00:27 -0300
Subject: [PATCH 020/114] fix(tags): Filter system tags from the tags list
 (#26701)

(cherry picked from commit 4f56f5ee84dffc401aced7cd705a2df910072e92)
---
 superset-frontend/src/pages/Tags/index.tsx | 20 +++++++++-
 superset/tags/api.py                       |  3 ++
 superset/tags/filters.py                   | 39 ++++++++++++++++++
 tests/integration_tests/tags/api_tests.py  | 46 ++++++++++++++++++++++
 4 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 superset/tags/filters.py

diff --git a/superset-frontend/src/pages/Tags/index.tsx b/superset-frontend/src/pages/Tags/index.tsx
index b0c998c3f32f8..30bdc993431ba 100644
--- a/superset-frontend/src/pages/Tags/index.tsx
+++ b/superset-frontend/src/pages/Tags/index.tsx
@@ -59,6 +59,17 @@ function TagList(props: TagListProps) {
   const { addDangerToast, addSuccessToast, user } = props;
   const { userId } = user;
 
+  const initialFilters = useMemo(
+    () => [
+      {
+        id: 'type',
+        operator: 'custom_tag',
+        value: true,
+      },
+    ],
+    [],
+  );
+
   const {
     state: {
       loading,
@@ -70,7 +81,14 @@ function TagList(props: TagListProps) {
     fetchData,
     toggleBulkSelect,
     refreshData,
-  } = useListViewResource<Tag>('tag', t('tag'), addDangerToast);
+  } = useListViewResource<Tag>(
+    'tag',
+    t('tag'),
+    addDangerToast,
+    undefined,
+    undefined,
+    initialFilters,
+  );
 
   const [showTagModal, setShowTagModal] = useState<boolean>(false);
   const [tagToEdit, setTagToEdit] = useState<Tag | null>(null);
diff --git a/superset/tags/api.py b/superset/tags/api.py
index c0df921e3ebf1..ad25ffe7c936d 100644
--- a/superset/tags/api.py
+++ b/superset/tags/api.py
@@ -40,6 +40,7 @@
 from superset.daos.tag import TagDAO
 from superset.exceptions import MissingUserContextException
 from superset.extensions import event_logger
+from superset.tags.filters import UserCreatedTagTypeFilter
 from superset.tags.models import ObjectType, Tag
 from superset.tags.schemas import (
     delete_tags_schema,
@@ -119,6 +120,8 @@ class TagRestApi(BaseSupersetModelRestApi):
     }
     allowed_rel_fields = {"created_by", "changed_by"}
 
+    search_filters = {"type": [UserCreatedTagTypeFilter]}
+
     add_model_schema = TagPostSchema()
     edit_model_schema = TagPutSchema()
     tag_get_response_schema = TagGetResponseSchema()
diff --git a/superset/tags/filters.py b/superset/tags/filters.py
new file mode 100644
index 0000000000000..ff6be712d3368
--- /dev/null
+++ b/superset/tags/filters.py
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from flask_babel import lazy_gettext as _
+from sqlalchemy.orm import Query
+
+from superset.tags.models import Tag, TagType
+from superset.views.base import BaseFilter
+
+
+class UserCreatedTagTypeFilter(BaseFilter):  # pylint: disable=too-few-public-methods
+    """
+    Filter for tag type.
+    When set to True, only user-created tags are returned.
+    When set to False, only system tags are returned.
+    """
+
+    name = _("Is custom tag")
+    arg_name = "custom_tag"
+
+    def apply(self, query: Query, value: bool) -> Query:
+        if value:
+            return query.filter(Tag.type == TagType.custom)
+        if value is False:
+            return query.filter(Tag.type != TagType.custom)
+        return query
diff --git a/tests/integration_tests/tags/api_tests.py b/tests/integration_tests/tags/api_tests.py
index 863288a3e73ec..af58eaa195a00 100644
--- a/tests/integration_tests/tags/api_tests.py
+++ b/tests/integration_tests/tags/api_tests.py
@@ -17,6 +17,7 @@
 # isort:skip_file
 """Unit tests for Superset"""
 import json
+import prison
 from datetime import datetime
 
 from flask import g
@@ -30,6 +31,7 @@
 from superset.models.sql_lab import SavedQuery
 from superset.tags.models import user_favorite_tag_table
 from unittest.mock import patch
+from urllib import parse
 
 
 import tests.integration_tests.test_app
@@ -175,6 +177,50 @@ def test_get_list_tag(self):
         # check expected columns
         assert data["list_columns"] == TAGS_LIST_COLUMNS
 
+    def test_get_list_tag_filtered(self):
+        """
+        Query API: Test get list query applying filters for
+        type == "custom" and type != "custom"
+        """
+        tags = [
+            {"name": "Test custom Tag", "type": "custom"},
+            {"name": "type:dashboard", "type": "type"},
+            {"name": "owner:1", "type": "owner"},
+            {"name": "Another Tag", "type": "custom"},
+            {"name": "favorited_by:1", "type": "favorited_by"},
+        ]
+
+        for tag in tags:
+            self.insert_tag(
+                name=tag["name"],
+                tag_type=tag["type"],
+            )
+        self.login(username="admin")
+
+        # Only user-created tags
+        query = {
+            "filters": [
+                {
+                    "col": "type",
+                    "opr": "custom_tag",
+                    "value": True,
+                }
+            ],
+        }
+        uri = f"api/v1/tag/?{parse.urlencode({'q': prison.dumps(query)})}"
+        rv = self.client.get(uri)
+        self.assertEqual(rv.status_code, 200)
+        data = json.loads(rv.data.decode("utf-8"))
+        assert data["count"] == 2
+
+        # Only system tags
+        query["filters"][0]["value"] = False
+        uri = f"api/v1/tag/?{parse.urlencode({'q': prison.dumps(query)})}"
+        rv = self.client.get(uri)
+        self.assertEqual(rv.status_code, 200)
+        data = json.loads(rv.data.decode("utf-8"))
+        assert data["count"] == 3
+
     # test add tagged objects
     @pytest.mark.usefixtures("load_world_bank_dashboard_with_slices")
     @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")

From d184fd9bf8b40bd5a49abf2f96abc36dc6137629 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Fri, 26 Jan 2024 16:06:11 -0500
Subject: [PATCH 021/114] fix(time-series table): Can't compare from the
 beginning of the time range (#26814)

(cherry picked from commit 1f6c270f15797d2929babfd84c03a59fc8a99543)
---
 .../TimeSeriesColumnControl.test.tsx                | 13 +++++++++++++
 .../controls/TimeSeriesColumnControl/index.jsx      |  4 +++-
 .../src/visualizations/TimeTable/TimeTable.jsx      |  6 ++++--
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/TimeSeriesColumnControl.test.tsx b/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/TimeSeriesColumnControl.test.tsx
index 589ef9173a496..631c34f3f8a8a 100644
--- a/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/TimeSeriesColumnControl.test.tsx
+++ b/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/TimeSeriesColumnControl.test.tsx
@@ -104,6 +104,19 @@ test('triggers onChange when time lag changes', () => {
   expect(onChange).toHaveBeenCalledWith(expect.objectContaining({ timeLag }));
 });
 
+test('time lag allows negative values', () => {
+  const timeLag = '-1';
+  const onChange = jest.fn();
+  render(<TimeSeriesColumnControl colType="time" onChange={onChange} />);
+  userEvent.click(screen.getByRole('button'));
+  const timeLagInput = screen.getByPlaceholderText('Time Lag');
+  userEvent.clear(timeLagInput);
+  userEvent.type(timeLagInput, timeLag);
+  expect(onChange).not.toHaveBeenCalled();
+  userEvent.click(screen.getByRole('button', { name: 'Save' }));
+  expect(onChange).toHaveBeenCalledWith(expect.objectContaining({ timeLag }));
+});
+
 test('triggers onChange when color bounds changes', () => {
   const min = 1;
   const max = 5;
diff --git a/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/index.jsx b/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/index.jsx
index 29ac223cf3e03..e51a2f496015b 100644
--- a/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/index.jsx
+++ b/superset-frontend/src/explore/components/controls/TimeSeriesColumnControl/index.jsx
@@ -248,7 +248,9 @@ export default class TimeSeriesColumnControl extends React.Component {
         {['time', 'avg'].indexOf(this.state.colType) >= 0 &&
           this.formRow(
             t('Time lag'),
-            t('Number of periods to compare against'),
+            t(
+              'Number of periods to compare against. You can use negative numbers to compare from the beginning of the time range.',
+            ),
             'time-lag',
             <Input
               value={this.state.timeLag}
diff --git a/superset-frontend/src/visualizations/TimeTable/TimeTable.jsx b/superset-frontend/src/visualizations/TimeTable/TimeTable.jsx
index bf8551bf07457..f0e98ebf7baf4 100644
--- a/superset-frontend/src/visualizations/TimeTable/TimeTable.jsx
+++ b/superset-frontend/src/visualizations/TimeTable/TimeTable.jsx
@@ -181,11 +181,13 @@ const TimeTable = ({
       let v;
       let errorMsg;
       if (column.colType === 'time') {
-        // Time lag ratio
+        // If time lag is negative, we compare from the beginning of the data
         const timeLag = column.timeLag || 0;
         const totalLag = Object.keys(reversedEntries).length;
-        if (timeLag >= totalLag) {
+        if (Math.abs(timeLag) >= totalLag) {
           errorMsg = `The time lag set at ${timeLag} is too large for the length of data at ${reversedEntries.length}. No data available.`;
+        } else if (timeLag < 0) {
+          v = reversedEntries[totalLag + timeLag][valueField];
         } else {
           v = reversedEntries[timeLag][valueField];
         }

From 6cdaf479f23baac6fada36409aca43bf44e7d8f4 Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Wed, 31 Jan 2024 11:19:55 -0800
Subject: [PATCH 022/114] fix(sqllab): autosync fail on migrated queryEditor
 (#26922)

---
 superset-frontend/src/SqlLab/actions/sqlLab.js      |  1 +
 superset-frontend/src/SqlLab/actions/sqlLab.test.js | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/superset-frontend/src/SqlLab/actions/sqlLab.js b/superset-frontend/src/SqlLab/actions/sqlLab.js
index 567d3383d752d..97db64fb89ad9 100644
--- a/superset-frontend/src/SqlLab/actions/sqlLab.js
+++ b/superset-frontend/src/SqlLab/actions/sqlLab.js
@@ -476,6 +476,7 @@ export function migrateQueryEditorFromLocalStorage(
         const newQueryEditor = {
           ...queryEditor,
           id: json.id.toString(),
+          inLocalStorage: false,
         };
         dispatch({
           type: MIGRATE_QUERY_EDITOR,
diff --git a/superset-frontend/src/SqlLab/actions/sqlLab.test.js b/superset-frontend/src/SqlLab/actions/sqlLab.test.js
index 175ea06ec3ecf..dd48ed8c7b697 100644
--- a/superset-frontend/src/SqlLab/actions/sqlLab.test.js
+++ b/superset-frontend/src/SqlLab/actions/sqlLab.test.js
@@ -937,12 +937,17 @@ describe('async actions', () => {
           { ...query, id: 'previewTwo' },
         ];
         const store = mockStore({});
+        const oldQueryEditor = { ...queryEditor, inLocalStorage: true };
         const expectedActions = [
           {
             type: actions.MIGRATE_QUERY_EDITOR,
-            oldQueryEditor: queryEditor,
+            oldQueryEditor,
             // new qe has a different id
-            newQueryEditor: { ...queryEditor, id: '1' },
+            newQueryEditor: {
+              ...oldQueryEditor,
+              id: '1',
+              inLocalStorage: false,
+            },
           },
           {
             type: actions.MIGRATE_TAB_HISTORY,
@@ -975,7 +980,7 @@ describe('async actions', () => {
         return store
           .dispatch(
             actions.migrateQueryEditorFromLocalStorage(
-              queryEditor,
+              oldQueryEditor,
               tables,
               queries,
             ),

From 1d9cfdabd1816c71f716c8d7e213558d5b7ff05e Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Mon, 22 Jan 2024 11:16:50 -0500
Subject: [PATCH 023/114] feat(sqlparse): improve table parsing (#26476)

(cherry picked from commit c0b57bd1c3d487a661315a1944aca9f9ce728d51)
---
 requirements/base.txt                  |  15 +-
 requirements/testing.txt               |   6 +-
 setup.py                               |   1 +
 superset/commands/dataset/duplicate.py |   5 +-
 superset/commands/sql_lab/export.py    |   5 +-
 superset/connectors/sqla/models.py     |   2 +-
 superset/connectors/sqla/utils.py      |   2 +-
 superset/db_engine_specs/base.py       |  12 +-
 superset/db_engine_specs/bigquery.py   |   2 +-
 superset/models/helpers.py             |   2 +-
 superset/models/sql_lab.py             |   6 +-
 superset/security/manager.py           |   5 +-
 superset/sql_lab.py                    |  11 +-
 superset/sql_parse.py                  | 246 +++++++++++++++++--------
 superset/sql_validators/presto_db.py   |   4 +-
 superset/sqllab/query_render.py        |   6 +-
 tests/unit_tests/sql_parse_tests.py    |  55 ++++--
 17 files changed, 265 insertions(+), 120 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index 2c20094f72aa0..da95b8c571dcb 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -141,7 +141,9 @@ geographiclib==1.52
 geopy==2.2.0
     # via apache-superset
 greenlet==2.0.2
-    # via shillelagh
+    # via
+    #   shillelagh
+    #   sqlalchemy
 gunicorn==21.2.0
     # via apache-superset
 hashids==1.3.1
@@ -155,7 +157,10 @@ idna==3.2
     #   email-validator
     #   requests
 importlib-metadata==6.6.0
-    # via apache-superset
+    # via
+    #   apache-superset
+    #   flask
+    #   shillelagh
 importlib-resources==5.12.0
     # via limits
 isodate==0.6.0
@@ -327,6 +332,8 @@ sqlalchemy-utils==0.38.3
     # via
     #   apache-superset
     #   flask-appbuilder
+sqlglot==20.8.0
+    # via apache-superset
 sqlparse==0.4.4
     # via apache-superset
 sshtunnel==0.4.0
@@ -376,7 +383,9 @@ wtforms-json==0.3.5
 xlsxwriter==3.0.7
     # via apache-superset
 zipp==3.15.0
-    # via importlib-metadata
+    # via
+    #   importlib-metadata
+    #   importlib-resources
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools
diff --git a/requirements/testing.txt b/requirements/testing.txt
index 3bf3c78d03728..b40497c8fc130 100644
--- a/requirements/testing.txt
+++ b/requirements/testing.txt
@@ -24,10 +24,6 @@ db-dtypes==1.1.1
     # via pandas-gbq
 docker==6.1.1
     # via -r requirements/testing.in
-exceptiongroup==1.1.1
-    # via pytest
-ephem==4.1.4
-    # via lunarcalendar
 flask-testing==0.8.1
     # via -r requirements/testing.in
 fonttools==4.39.4
@@ -121,6 +117,8 @@ pyee==9.0.4
     # via playwright
 pyfakefs==5.2.2
     # via -r requirements/testing.in
+pyhive[presto]==0.7.0
+    # via apache-superset
 pytest==7.3.1
     # via
     #   -r requirements/testing.in
diff --git a/setup.py b/setup.py
index 913cfc5c35893..996d6dfe47caa 100644
--- a/setup.py
+++ b/setup.py
@@ -125,6 +125,7 @@ def get_git_sha() -> str:
         "slack_sdk>=3.19.0, <4",
         "sqlalchemy>=1.4, <2",
         "sqlalchemy-utils>=0.38.3, <0.39",
+        "sqlglot>=20,<21",
         "sqlparse>=0.4.4, <0.5",
         "tabulate>=0.8.9, <0.9",
         "typing-extensions>=4, <5",
diff --git a/superset/commands/dataset/duplicate.py b/superset/commands/dataset/duplicate.py
index 0ae47c35bca4d..850290422e1c5 100644
--- a/superset/commands/dataset/duplicate.py
+++ b/superset/commands/dataset/duplicate.py
@@ -70,7 +70,10 @@ def run(self) -> Model:
             table.normalize_columns = self._base_model.normalize_columns
             table.always_filter_main_dttm = self._base_model.always_filter_main_dttm
             table.is_sqllab_view = True
-            table.sql = ParsedQuery(self._base_model.sql).stripped()
+            table.sql = ParsedQuery(
+                self._base_model.sql,
+                engine=database.db_engine_spec.engine,
+            ).stripped()
             db.session.add(table)
             cols = []
             for config_ in self._base_model.columns:
diff --git a/superset/commands/sql_lab/export.py b/superset/commands/sql_lab/export.py
index 1b9b0e03442fa..aa6050f27f9ae 100644
--- a/superset/commands/sql_lab/export.py
+++ b/superset/commands/sql_lab/export.py
@@ -115,7 +115,10 @@ def run(
                 limit = None
             else:
                 sql = self._query.executed_sql
-                limit = ParsedQuery(sql).limit
+                limit = ParsedQuery(
+                    sql,
+                    engine=self._query.database.db_engine_spec.engine,
+                ).limit
             if limit is not None and self._query.limiting_factor in {
                 LimitingFactor.QUERY,
                 LimitingFactor.DROPDOWN,
diff --git a/superset/connectors/sqla/models.py b/superset/connectors/sqla/models.py
index 598bc6741b07c..bd54032d5dae0 100644
--- a/superset/connectors/sqla/models.py
+++ b/superset/connectors/sqla/models.py
@@ -1458,7 +1458,7 @@ def get_from_clause(
             return self.get_sqla_table(), None
 
         from_sql = self.get_rendered_sql(template_processor)
-        parsed_query = ParsedQuery(from_sql)
+        parsed_query = ParsedQuery(from_sql, engine=self.db_engine_spec.engine)
         if not (
             parsed_query.is_unknown()
             or self.db_engine_spec.is_readonly_query(parsed_query)
diff --git a/superset/connectors/sqla/utils.py b/superset/connectors/sqla/utils.py
index 66594084c82d5..688be53515040 100644
--- a/superset/connectors/sqla/utils.py
+++ b/superset/connectors/sqla/utils.py
@@ -111,7 +111,7 @@ def get_virtual_table_metadata(dataset: SqlaTable) -> list[ResultSetColumnType]:
     sql = dataset.get_template_processor().process_template(
         dataset.sql, **dataset.template_params_dict
     )
-    parsed_query = ParsedQuery(sql)
+    parsed_query = ParsedQuery(sql, engine=db_engine_spec.engine)
     if not db_engine_spec.is_readonly_query(parsed_query):
         raise SupersetSecurityException(
             SupersetError(
diff --git a/superset/db_engine_specs/base.py b/superset/db_engine_specs/base.py
index 6bc8c444d69bb..5edd4b7c06ea7 100644
--- a/superset/db_engine_specs/base.py
+++ b/superset/db_engine_specs/base.py
@@ -900,7 +900,7 @@ def apply_limit_to_sql(
             return database.compile_sqla_query(qry)
 
         if cls.limit_method == LimitMethod.FORCE_LIMIT:
-            parsed_query = sql_parse.ParsedQuery(sql)
+            parsed_query = sql_parse.ParsedQuery(sql, engine=cls.engine)
             sql = parsed_query.set_or_update_query_limit(limit, force=force)
 
         return sql
@@ -981,7 +981,7 @@ def get_limit_from_sql(cls, sql: str) -> int | None:
         :param sql: SQL query
         :return: Value of limit clause in query
         """
-        parsed_query = sql_parse.ParsedQuery(sql)
+        parsed_query = sql_parse.ParsedQuery(sql, engine=cls.engine)
         return parsed_query.limit
 
     @classmethod
@@ -993,7 +993,7 @@ def set_or_update_query_limit(cls, sql: str, limit: int) -> str:
         :param limit: New limit to insert/replace into query
         :return: Query with new limit
         """
-        parsed_query = sql_parse.ParsedQuery(sql)
+        parsed_query = sql_parse.ParsedQuery(sql, engine=cls.engine)
         return parsed_query.set_or_update_query_limit(limit)
 
     @classmethod
@@ -1490,7 +1490,7 @@ def process_statement(cls, statement: str, database: Database) -> str:
         :param database: Database instance
         :return: Dictionary with different costs
         """
-        parsed_query = ParsedQuery(statement)
+        parsed_query = ParsedQuery(statement, engine=cls.engine)
         sql = parsed_query.stripped()
         sql_query_mutator = current_app.config["SQL_QUERY_MUTATOR"]
         mutate_after_split = current_app.config["MUTATE_AFTER_SPLIT"]
@@ -1525,7 +1525,7 @@ def estimate_query_cost(
                 "Database does not support cost estimation"
             )
 
-        parsed_query = sql_parse.ParsedQuery(sql)
+        parsed_query = sql_parse.ParsedQuery(sql, engine=cls.engine)
         statements = parsed_query.get_statements()
 
         costs = []
@@ -1586,7 +1586,7 @@ def execute(  # pylint: disable=unused-argument
         :return:
         """
         if not cls.allows_sql_comments:
-            query = sql_parse.strip_comments_from_sql(query)
+            query = sql_parse.strip_comments_from_sql(query, engine=cls.engine)
 
         if cls.arraysize:
             cursor.arraysize = cls.arraysize
diff --git a/superset/db_engine_specs/bigquery.py b/superset/db_engine_specs/bigquery.py
index 8e7ed0bf7d061..a8d834276e60c 100644
--- a/superset/db_engine_specs/bigquery.py
+++ b/superset/db_engine_specs/bigquery.py
@@ -435,7 +435,7 @@ def estimate_query_cost(
         if not cls.get_allow_cost_estimate(extra):
             raise SupersetException("Database does not support cost estimation")
 
-        parsed_query = sql_parse.ParsedQuery(sql)
+        parsed_query = sql_parse.ParsedQuery(sql, engine=cls.engine)
         statements = parsed_query.get_statements()
         costs = []
         for statement in statements:
diff --git a/superset/models/helpers.py b/superset/models/helpers.py
index 7bfbbddfd336e..65d0b53728893 100644
--- a/superset/models/helpers.py
+++ b/superset/models/helpers.py
@@ -1094,7 +1094,7 @@ def get_from_clause(
         """
 
         from_sql = self.get_rendered_sql(template_processor)
-        parsed_query = ParsedQuery(from_sql)
+        parsed_query = ParsedQuery(from_sql, engine=self.db_engine_spec.engine)
         if not (
             parsed_query.is_unknown()
             or self.db_engine_spec.is_readonly_query(parsed_query)
diff --git a/superset/models/sql_lab.py b/superset/models/sql_lab.py
index 7e63e984df0bc..aff8c1ce3d5ca 100644
--- a/superset/models/sql_lab.py
+++ b/superset/models/sql_lab.py
@@ -183,7 +183,7 @@ def username(self) -> str:
 
     @property
     def sql_tables(self) -> list[Table]:
-        return list(ParsedQuery(self.sql).tables)
+        return list(ParsedQuery(self.sql, engine=self.db_engine_spec.engine).tables)
 
     @property
     def columns(self) -> list["TableColumn"]:
@@ -427,7 +427,9 @@ def url(self) -> str:
 
     @property
     def sql_tables(self) -> list[Table]:
-        return list(ParsedQuery(self.sql).tables)
+        return list(
+            ParsedQuery(self.sql, engine=self.database.db_engine_spec.engine).tables
+        )
 
     @property
     def last_run_humanized(self) -> str:
diff --git a/superset/security/manager.py b/superset/security/manager.py
index b8978104d9f54..ef0a5f9a49828 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -1877,7 +1877,10 @@ def raise_for_access(
                 default_schema = database.get_default_schema_for_query(query)
                 tables = {
                     Table(table_.table, table_.schema or default_schema)
-                    for table_ in sql_parse.ParsedQuery(query.sql).tables
+                    for table_ in sql_parse.ParsedQuery(
+                        query.sql,
+                        engine=database.db_engine_spec.engine,
+                    ).tables
                 }
             elif table:
                 tables = {table}
diff --git a/superset/sql_lab.py b/superset/sql_lab.py
index efbef6560a366..e9b4d406f8a8a 100644
--- a/superset/sql_lab.py
+++ b/superset/sql_lab.py
@@ -208,7 +208,7 @@ def execute_sql_statement(  # pylint: disable=too-many-arguments, too-many-local
     database: Database = query.database
     db_engine_spec = database.db_engine_spec
 
-    parsed_query = ParsedQuery(sql_statement)
+    parsed_query = ParsedQuery(sql_statement, engine=db_engine_spec.engine)
     if is_feature_enabled("RLS_IN_SQLLAB"):
         # There are two ways to insert RLS: either replacing the table with a subquery
         # that has the RLS, or appending the RLS to the ``WHERE`` clause. The former is
@@ -228,7 +228,8 @@ def execute_sql_statement(  # pylint: disable=too-many-arguments, too-many-local
                     database.id,
                     query.schema,
                 )
-            )
+            ),
+            engine=db_engine_spec.engine,
         )
 
     sql = parsed_query.stripped()
@@ -419,7 +420,11 @@ def execute_sql_statements(
         )
 
     # Breaking down into multiple statements
-    parsed_query = ParsedQuery(rendered_query, strip_comments=True)
+    parsed_query = ParsedQuery(
+        rendered_query,
+        strip_comments=True,
+        engine=db_engine_spec.engine,
+    )
     if not db_engine_spec.run_multiple_statements_as_one:
         statements = parsed_query.get_statements()
         logger.info(
diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index cecd673276976..07704171dee3d 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -14,15 +14,22 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
+
+# pylint: disable=too-many-lines
+
 import logging
 import re
-from collections.abc import Iterator
+import urllib.parse
+from collections.abc import Iterable, Iterator
 from dataclasses import dataclass
 from typing import Any, cast, Optional
-from urllib import parse
 
 import sqlparse
 from sqlalchemy import and_
+from sqlglot import exp, parse, parse_one
+from sqlglot.dialects import Dialects
+from sqlglot.errors import ParseError
+from sqlglot.optimizer.scope import Scope, ScopeType, traverse_scope
 from sqlparse import keywords
 from sqlparse.lexer import Lexer
 from sqlparse.sql import (
@@ -53,7 +60,7 @@
 
 try:
     from sqloxide import parse_sql as sqloxide_parse
-except:  # pylint: disable=bare-except
+except (ImportError, ModuleNotFoundError):
     sqloxide_parse = None
 
 RESULT_OPERATIONS = {"UNION", "INTERSECT", "EXCEPT", "SELECT"}
@@ -72,6 +79,59 @@
 lex.set_SQL_REGEX(sqlparser_sql_regex)
 
 
+# mapping between DB engine specs and sqlglot dialects
+SQLGLOT_DIALECTS = {
+    "ascend": Dialects.HIVE,
+    "awsathena": Dialects.PRESTO,
+    "bigquery": Dialects.BIGQUERY,
+    "clickhouse": Dialects.CLICKHOUSE,
+    "clickhousedb": Dialects.CLICKHOUSE,
+    "cockroachdb": Dialects.POSTGRES,
+    # "crate": ???
+    # "databend": ???
+    "databricks": Dialects.DATABRICKS,
+    # "db2": ???
+    # "dremio": ???
+    "drill": Dialects.DRILL,
+    # "druid": ???
+    "duckdb": Dialects.DUCKDB,
+    # "dynamodb": ???
+    # "elasticsearch": ???
+    # "exa": ???
+    # "firebird": ???
+    # "firebolt": ???
+    "gsheets": Dialects.SQLITE,
+    "hana": Dialects.POSTGRES,
+    "hive": Dialects.HIVE,
+    # "ibmi": ???
+    # "impala": ???
+    # "kustokql": ???
+    # "kylin": ???
+    # "mssql": ???
+    "mysql": Dialects.MYSQL,
+    "netezza": Dialects.POSTGRES,
+    # "ocient": ???
+    # "odelasticsearch": ???
+    "oracle": Dialects.ORACLE,
+    # "pinot": ???
+    "postgresql": Dialects.POSTGRES,
+    "presto": Dialects.PRESTO,
+    "pydoris": Dialects.DORIS,
+    "redshift": Dialects.REDSHIFT,
+    # "risingwave": ???
+    # "rockset": ???
+    "shillelagh": Dialects.SQLITE,
+    "snowflake": Dialects.SNOWFLAKE,
+    # "solr": ???
+    "sqlite": Dialects.SQLITE,
+    "starrocks": Dialects.STARROCKS,
+    "superset": Dialects.SQLITE,
+    "teradatasql": Dialects.TERADATA,
+    "trino": Dialects.TRINO,
+    "vertica": Dialects.POSTGRES,
+}
+
+
 class CtasMethod(StrEnum):
     TABLE = "TABLE"
     VIEW = "VIEW"
@@ -150,7 +210,7 @@ def get_cte_remainder_query(sql: str) -> tuple[Optional[str], str]:
     return cte, remainder
 
 
-def strip_comments_from_sql(statement: str) -> str:
+def strip_comments_from_sql(statement: str, engine: Optional[str] = None) -> str:
     """
     Strips comments from a SQL statement, does a simple test first
     to avoid always instantiating the expensive ParsedQuery constructor
@@ -160,7 +220,11 @@ def strip_comments_from_sql(statement: str) -> str:
     :param statement: A string with the SQL statement
     :return: SQL statement without comments
     """
-    return ParsedQuery(statement).strip_comments() if "--" in statement else statement
+    return (
+        ParsedQuery(statement, engine=engine).strip_comments()
+        if "--" in statement
+        else statement
+    )
 
 
 @dataclass(eq=True, frozen=True)
@@ -179,7 +243,7 @@ def __str__(self) -> str:
         """
 
         return ".".join(
-            parse.quote(part, safe="").replace(".", "%2E")
+            urllib.parse.quote(part, safe="").replace(".", "%2E")
             for part in [self.catalog, self.schema, self.table]
             if part
         )
@@ -189,11 +253,17 @@ def __eq__(self, __o: object) -> bool:
 
 
 class ParsedQuery:
-    def __init__(self, sql_statement: str, strip_comments: bool = False):
+    def __init__(
+        self,
+        sql_statement: str,
+        strip_comments: bool = False,
+        engine: Optional[str] = None,
+    ):
         if strip_comments:
             sql_statement = sqlparse.format(sql_statement, strip_comments=True)
 
         self.sql: str = sql_statement
+        self._dialect = SQLGLOT_DIALECTS.get(engine) if engine else None
         self._tables: set[Table] = set()
         self._alias_names: set[str] = set()
         self._limit: Optional[int] = None
@@ -206,14 +276,94 @@ def __init__(self, sql_statement: str, strip_comments: bool = False):
     @property
     def tables(self) -> set[Table]:
         if not self._tables:
-            for statement in self._parsed:
-                self._extract_from_token(statement)
-
-            self._tables = {
-                table for table in self._tables if str(table) not in self._alias_names
-            }
+            self._tables = self._extract_tables_from_sql()
         return self._tables
 
+    def _extract_tables_from_sql(self) -> set[Table]:
+        """
+        Extract all table references in a query.
+
+        Note: this uses sqlglot, since it's better at catching more edge cases.
+        """
+        try:
+            statements = parse(self.sql, dialect=self._dialect)
+        except ParseError:
+            logger.warning("Unable to parse SQL (%s): %s", self._dialect, self.sql)
+            return set()
+
+        return {
+            table
+            for statement in statements
+            for table in self._extract_tables_from_statement(statement)
+            if statement
+        }
+
+    def _extract_tables_from_statement(self, statement: exp.Expression) -> set[Table]:
+        """
+        Extract all table references in a single statement.
+
+        Please not that this is not trivial; consider the following queries:
+
+            DESCRIBE some_table;
+            SHOW PARTITIONS FROM some_table;
+            WITH masked_name AS (SELECT * FROM some_table) SELECT * FROM masked_name;
+
+        See the unit tests for other tricky cases.
+        """
+        sources: Iterable[exp.Table]
+
+        if isinstance(statement, exp.Describe):
+            # A `DESCRIBE` query has no sources in sqlglot, so we need to explicitly
+            # query for all tables.
+            sources = statement.find_all(exp.Table)
+        elif isinstance(statement, exp.Command):
+            # Commands, like `SHOW COLUMNS FROM foo`, have to be converted into a
+            # `SELECT` statetement in order to extract tables.
+            literal = statement.find(exp.Literal)
+            if not literal:
+                return set()
+
+            pseudo_query = parse_one(f"SELECT {literal.this}", dialect=self._dialect)
+            sources = pseudo_query.find_all(exp.Table)
+        else:
+            sources = [
+                source
+                for scope in traverse_scope(statement)
+                for source in scope.sources.values()
+                if isinstance(source, exp.Table) and not self._is_cte(source, scope)
+            ]
+
+        return {
+            Table(
+                source.name,
+                source.db if source.db != "" else None,
+                source.catalog if source.catalog != "" else None,
+            )
+            for source in sources
+        }
+
+    def _is_cte(self, source: exp.Table, scope: Scope) -> bool:
+        """
+        Is the source a CTE?
+
+        CTEs in the parent scope look like tables (and are represented by
+        exp.Table objects), but should not be considered as such;
+        otherwise a user with access to table `foo` could access any table
+        with a query like this:
+
+            WITH foo AS (SELECT * FROM target_table) SELECT * FROM foo
+
+        """
+        parent_sources = scope.parent.sources if scope.parent else {}
+        ctes_in_scope = {
+            name
+            for name, parent_scope in parent_sources.items()
+            if isinstance(parent_scope, Scope)
+            and parent_scope.scope_type == ScopeType.CTE
+        }
+
+        return source.name in ctes_in_scope
+
     @property
     def limit(self) -> Optional[int]:
         return self._limit
@@ -393,28 +543,6 @@ def get_table(tlist: TokenList) -> Optional[Table]:
     def _is_identifier(token: Token) -> bool:
         return isinstance(token, (IdentifierList, Identifier))
 
-    def _process_tokenlist(self, token_list: TokenList) -> None:
-        """
-        Add table names to table set
-
-        :param token_list: TokenList to be processed
-        """
-        # exclude subselects
-        if "(" not in str(token_list):
-            table = self.get_table(token_list)
-            if table and not table.table.startswith(CTE_PREFIX):
-                self._tables.add(table)
-            return
-
-        # store aliases
-        if token_list.has_alias():
-            self._alias_names.add(token_list.get_alias())
-
-        # some aliases are not parsed properly
-        if token_list.tokens[0].ttype == Name:
-            self._alias_names.add(token_list.tokens[0].value)
-        self._extract_from_token(token_list)
-
     def as_create_table(
         self,
         table_name: str,
@@ -441,50 +569,6 @@ def as_create_table(
         exec_sql += f"CREATE {method} {full_table_name} AS \n{sql}"
         return exec_sql
 
-    def _extract_from_token(self, token: Token) -> None:
-        """
-        <Identifier> store a list of subtokens and <IdentifierList> store lists of
-        subtoken list.
-
-        It extracts <IdentifierList> and <Identifier> from :param token: and loops
-        through all subtokens recursively. It finds table_name_preceding_token and
-        passes <IdentifierList> and <Identifier> to self._process_tokenlist to populate
-        self._tables.
-
-        :param token: instance of Token or child class, e.g. TokenList, to be processed
-        """
-        if not hasattr(token, "tokens"):
-            return
-
-        table_name_preceding_token = False
-
-        for item in token.tokens:
-            if item.is_group and (
-                not self._is_identifier(item) or isinstance(item.tokens[0], Parenthesis)
-            ):
-                self._extract_from_token(item)
-
-            if item.ttype in Keyword and (
-                item.normalized in PRECEDES_TABLE_NAME
-                or item.normalized.endswith(" JOIN")
-            ):
-                table_name_preceding_token = True
-                continue
-
-            if item.ttype in Keyword:
-                table_name_preceding_token = False
-                continue
-            if table_name_preceding_token:
-                if isinstance(item, Identifier):
-                    self._process_tokenlist(item)
-                elif isinstance(item, IdentifierList):
-                    for token2 in item.get_identifiers():
-                        if isinstance(token2, TokenList):
-                            self._process_tokenlist(token2)
-            elif isinstance(item, IdentifierList):
-                if any(not self._is_identifier(token2) for token2 in item.tokens):
-                    self._extract_from_token(item)
-
     def set_or_update_query_limit(self, new_limit: int, force: bool = False) -> str:
         """Returns the query with the specified limit.
 
@@ -881,7 +965,7 @@ def insert_rls_in_predicate(
 
 
 # mapping between sqloxide and SQLAlchemy dialects
-SQLOXITE_DIALECTS = {
+SQLOXIDE_DIALECTS = {
     "ansi": {"trino", "trinonative", "presto"},
     "hive": {"hive", "databricks"},
     "ms": {"mssql"},
@@ -914,7 +998,7 @@ def extract_table_references(
     tree = None
 
     if sqloxide_parse:
-        for dialect, sqla_dialects in SQLOXITE_DIALECTS.items():
+        for dialect, sqla_dialects in SQLOXIDE_DIALECTS.items():
             if sqla_dialect in sqla_dialects:
                 break
         sql_text = RE_JINJA_BLOCK.sub(" ", sql_text)
diff --git a/superset/sql_validators/presto_db.py b/superset/sql_validators/presto_db.py
index c01b9386718ca..fed1ff3bfae62 100644
--- a/superset/sql_validators/presto_db.py
+++ b/superset/sql_validators/presto_db.py
@@ -50,7 +50,7 @@ def validate_statement(
     ) -> Optional[SQLValidationAnnotation]:
         # pylint: disable=too-many-locals
         db_engine_spec = database.db_engine_spec
-        parsed_query = ParsedQuery(statement)
+        parsed_query = ParsedQuery(statement, engine=db_engine_spec.engine)
         sql = parsed_query.stripped()
 
         # Hook to allow environment-specific mutation (usually comments) to the SQL
@@ -154,7 +154,7 @@ def validate(
         For example, "SELECT 1 FROM default.mytable" becomes "EXPLAIN (TYPE
         VALIDATE) SELECT 1 FROM default.mytable.
         """
-        parsed_query = ParsedQuery(sql)
+        parsed_query = ParsedQuery(sql, engine=database.db_engine_spec.engine)
         statements = parsed_query.get_statements()
 
         logger.info("Validating %i statement(s)", len(statements))
diff --git a/superset/sqllab/query_render.py b/superset/sqllab/query_render.py
index f4c1c26c6eb4e..5597bcb086d7c 100644
--- a/superset/sqllab/query_render.py
+++ b/superset/sqllab/query_render.py
@@ -58,7 +58,11 @@ def render(self, execution_context: SqlJsonExecutionContext) -> str:
                 database=query_model.database, query=query_model
             )
 
-            parsed_query = ParsedQuery(query_model.sql, strip_comments=True)
+            parsed_query = ParsedQuery(
+                query_model.sql,
+                strip_comments=True,
+                engine=query_model.database.db_engine_spec.engine,
+            )
             rendered_query = sql_template_processor.process_template(
                 parsed_query.stripped(), **execution_context.template_params
             )
diff --git a/tests/unit_tests/sql_parse_tests.py b/tests/unit_tests/sql_parse_tests.py
index efd883810147e..f650b77734f36 100644
--- a/tests/unit_tests/sql_parse_tests.py
+++ b/tests/unit_tests/sql_parse_tests.py
@@ -40,11 +40,11 @@
 )
 
 
-def extract_tables(query: str) -> set[Table]:
+def extract_tables(query: str, engine: Optional[str] = None) -> set[Table]:
     """
     Helper function to extract tables referenced in a query.
     """
-    return ParsedQuery(query).tables
+    return ParsedQuery(query, engine=engine).tables
 
 
 def test_table() -> None:
@@ -96,8 +96,13 @@ def test_extract_tables() -> None:
         Table("left_table")
     }
 
-    # reverse select
-    assert extract_tables("FROM t1 SELECT field") == {Table("t1")}
+    assert extract_tables(
+        "SELECT FROM (SELECT FROM forbidden_table) AS forbidden_table;"
+    ) == {Table("forbidden_table")}
+
+    assert extract_tables(
+        "select * from (select * from forbidden_table) forbidden_table"
+    ) == {Table("forbidden_table")}
 
 
 def test_extract_tables_subselect() -> None:
@@ -263,14 +268,16 @@ def test_extract_tables_illdefined() -> None:
     assert extract_tables("SELECT * FROM schemaname.") == set()
     assert extract_tables("SELECT * FROM catalogname.schemaname.") == set()
     assert extract_tables("SELECT * FROM catalogname..") == set()
-    assert extract_tables("SELECT * FROM catalogname..tbname") == set()
+    assert extract_tables("SELECT * FROM catalogname..tbname") == {
+        Table(table="tbname", schema=None, catalog="catalogname")
+    }
 
 
 def test_extract_tables_show_tables_from() -> None:
     """
     Test ``SHOW TABLES FROM``.
     """
-    assert extract_tables("SHOW TABLES FROM s1 like '%order%'") == set()
+    assert extract_tables("SHOW TABLES FROM s1 like '%order%'", "mysql") == set()
 
 
 def test_extract_tables_show_columns_from() -> None:
@@ -311,7 +318,7 @@ def test_extract_tables_where_subquery() -> None:
             """
 SELECT name
 FROM t1
-WHERE regionkey EXISTS (SELECT regionkey FROM t2)
+WHERE EXISTS (SELECT 1 FROM t2 WHERE t1.regionkey = t2.regionkey);
 """
         )
         == {Table("t1"), Table("t2")}
@@ -526,6 +533,18 @@ def test_extract_tables_reusing_aliases() -> None:
         == {Table("src")}
     )
 
+    # weird query with circular dependency
+    assert (
+        extract_tables(
+            """
+with src as ( select key from q2 where key = '5'),
+q2 as ( select key from src where key = '5')
+select * from (select key from src) a
+"""
+        )
+        == set()
+    )
+
 
 def test_extract_tables_multistatement() -> None:
     """
@@ -665,7 +684,8 @@ def test_extract_tables_nested_select() -> None:
 select (extractvalue(1,concat(0x7e,(select GROUP_CONCAT(TABLE_NAME)
 from INFORMATION_SCHEMA.COLUMNS
 WHERE TABLE_SCHEMA like "%bi%"),0x7e)));
-"""
+""",
+            "mysql",
         )
         == {Table("COLUMNS", "INFORMATION_SCHEMA")}
     )
@@ -676,7 +696,8 @@ def test_extract_tables_nested_select() -> None:
 select (extractvalue(1,concat(0x7e,(select GROUP_CONCAT(COLUMN_NAME)
 from INFORMATION_SCHEMA.COLUMNS
 WHERE TABLE_NAME="bi_achievement_daily"),0x7e)));
-"""
+""",
+            "mysql",
         )
         == {Table("COLUMNS", "INFORMATION_SCHEMA")}
     )
@@ -1306,6 +1327,14 @@ def test_sqlparse_issue_652():
             "(SELECT table_name FROM /**/ information_schema.tables WHERE table_name LIKE '%user%' LIMIT 1)",
             True,
         ),
+        (
+            "SELECT FROM (SELECT FROM forbidden_table) AS forbidden_table;",
+            True,
+        ),
+        (
+            "SELECT * FROM (SELECT * FROM forbidden_table) forbidden_table",
+            True,
+        ),
     ],
 )
 def test_has_table_query(sql: str, expected: bool) -> None:
@@ -1790,13 +1819,17 @@ def test_extract_table_references(mocker: MockerFixture) -> None:
     assert extract_table_references(
         sql,
         "trino",
-    ) == {Table(table="other_table", schema=None, catalog=None)}
+    ) == {
+        Table(table="table", schema=None, catalog=None),
+        Table(table="other_table", schema=None, catalog=None),
+    }
     logger.warning.assert_called_once()
 
     logger = mocker.patch("superset.migrations.shared.utils.logger")
     sql = "SELECT * FROM table UNION ALL SELECT * FROM other_table"
     assert extract_table_references(sql, "trino", show_warning=False) == {
-        Table(table="other_table", schema=None, catalog=None)
+        Table(table="table", schema=None, catalog=None),
+        Table(table="other_table", schema=None, catalog=None),
     }
     logger.warning.assert_not_called()
 

From 1be9eb577ae31ae952011b20a2d4fa6824799ab9 Mon Sep 17 00:00:00 2001
From: Matthew Chiang <36670322+Mattc1221@users.noreply.github.com>
Date: Mon, 29 Jan 2024 05:10:11 -0800
Subject: [PATCH 024/114] fix(deck.gl Multiple Layer Chart): Add Contour and
 Heatmap Layer as options (#25923)

(cherry picked from commit 64ba5797df92d0f8067ccd2b30ba6ff58e0bd791)
---
 .../plugins/legacy-preset-chart-deckgl/src/index.ts    |  2 ++
 .../legacy-preset-chart-deckgl/src/layers/Arc/Arc.tsx  |  8 ++++----
 .../src/layers/Geojson/Geojson.tsx                     |  4 ++--
 .../src/layers/Heatmap/Heatmap.tsx                     |  2 +-
 .../src/layers/Path/Path.tsx                           |  2 +-
 .../src/layers/Polygon/Polygon.tsx                     | 10 +++++-----
 .../src/layers/Scatter/Scatter.tsx                     | 10 +++++-----
 .../src/layers/Screengrid/Screengrid.tsx               |  4 ++--
 .../legacy-preset-chart-deckgl/src/layers/index.ts     |  4 ++++
 9 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/index.ts b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/index.ts
index 819964173ed85..fc4aa7fca0151 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/index.ts
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/index.ts
@@ -26,3 +26,5 @@ export { default as PathChartPlugin } from './layers/Path';
 export { default as PolygonChartPlugin } from './layers/Polygon';
 export { default as ScatterChartPlugin } from './layers/Scatter';
 export { default as ScreengridChartPlugin } from './layers/Screengrid';
+export { default as ContourChartPlugin } from './layers/Contour';
+export { default as HeatmapChartPlugin } from './layers/Heatmap';
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Arc/Arc.tsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Arc/Arc.tsx
index 1bc19618b678d..7ad1870170410 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Arc/Arc.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Arc/Arc.tsx
@@ -45,16 +45,16 @@ function setTooltipContent(formData: QueryFormData) {
     <div className="deckgl-tooltip">
       <TooltipRow
         label={t('Start (Longitude, Latitude): ')}
-        value={`${o.object.sourcePosition[0]}, ${o.object.sourcePosition[1]}`}
+        value={`${o.object?.sourcePosition?.[0]}, ${o.object?.sourcePosition?.[1]}`}
       />
       <TooltipRow
         label={t('End (Longitude, Latitude): ')}
-        value={`${o.object.targetPosition[0]}, ${o.object.targetPosition[1]}`}
+        value={`${o.object?.targetPosition?.[0]}, ${o.object?.targetPosition?.[1]}`}
       />
       {formData.dimension && (
         <TooltipRow
-          label={`${formData.dimension}: `}
-          value={`${o.object.cat_color}`}
+          label={`${formData?.dimension}: `}
+          value={`${o.object?.cat_color}`}
         />
       )}
     </div>
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Geojson/Geojson.tsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Geojson/Geojson.tsx
index c8c9d4863ce9b..a5dc2a14a0386 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Geojson/Geojson.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Geojson/Geojson.tsx
@@ -93,13 +93,13 @@ const recurseGeoJson = (
 
 function setTooltipContent(o: JsonObject) {
   return (
-    o.object.extraProps && (
+    o.object?.extraProps && (
       <div className="deckgl-tooltip">
         {Object.keys(o.object.extraProps).map((prop, index) => (
           <TooltipRow
             key={`prop-${index}`}
             label={`${prop}: `}
-            value={`${o.object.extraProps[prop]}`}
+            value={`${o.object.extraProps?.[prop]}`}
           />
         ))}
       </div>
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Heatmap/Heatmap.tsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Heatmap/Heatmap.tsx
index b491d6dba164c..5a1453459d9b9 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Heatmap/Heatmap.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Heatmap/Heatmap.tsx
@@ -30,7 +30,7 @@ function setTooltipContent(o: JsonObject) {
     <div className="deckgl-tooltip">
       <TooltipRow
         label={t('Centroid (Longitude and Latitude): ')}
-        value={`(${o.coordinate[0]}, ${o.coordinate[1]})`}
+        value={`(${o?.coordinate[0]}, ${o?.coordinate[1]})`}
       />
     </div>
   );
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Path/Path.tsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Path/Path.tsx
index c4f13f0e57f91..f2f5c35e3d46d 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Path/Path.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Path/Path.tsx
@@ -29,7 +29,7 @@ import { Point } from '../../types';
 
 function setTooltipContent(o: JsonObject) {
   return (
-    o.object.extraProps && (
+    o.object?.extraProps && (
       <div className="deckgl-tooltip">
         {Object.keys(o.object.extraProps).map((prop, index) => (
           <TooltipRow
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Polygon/Polygon.tsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Polygon/Polygon.tsx
index 460c4a3b51969..08f2e4514069a 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Polygon/Polygon.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Polygon/Polygon.tsx
@@ -62,27 +62,27 @@ function getElevation(
 
 function setTooltipContent(formData: PolygonFormData) {
   return (o: JsonObject) => {
-    const metricLabel = formData.metric.label || formData.metric;
+    const metricLabel = formData?.metric?.label || formData?.metric;
 
     return (
       <div className="deckgl-tooltip">
-        {o.object.name && (
+        {o.object?.name && (
           <TooltipRow
             // eslint-disable-next-line prefer-template
             label={t('name') + ': '}
             value={`${o.object.name}`}
           />
         )}
-        {o.object[formData.line_column] && (
+        {o.object?.[formData?.line_column] && (
           <TooltipRow
             label={`${formData.line_column}: `}
             value={`${o.object[formData.line_column]}`}
           />
         )}
-        {formData.metric && (
+        {formData?.metric && (
           <TooltipRow
             label={`${metricLabel}: `}
-            value={`${o.object[metricLabel]}`}
+            value={`${o.object?.[metricLabel]}`}
           />
         )}
       </div>
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Scatter/Scatter.tsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Scatter/Scatter.tsx
index c529e5c1d9df3..3ce1dcf25ef3d 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Scatter/Scatter.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Scatter/Scatter.tsx
@@ -48,17 +48,17 @@ function setTooltipContent(
         <TooltipRow
           // eslint-disable-next-line prefer-template
           label={t('Longitude and Latitude') + ': '}
-          value={`${o.object.position[0]}, ${o.object.position[1]}`}
+          value={`${o.object?.position?.[0]}, ${o.object?.position?.[1]}`}
         />
-        {o.object.cat_color && (
+        {o.object?.cat_color && (
           <TooltipRow
             // eslint-disable-next-line prefer-template
             label={t('Category') + ': '}
-            value={`${o.object.cat_color}`}
+            value={`${o.object?.cat_color}`}
           />
         )}
-        {o.object.metric && (
-          <TooltipRow label={`${label}: `} value={`${o.object.metric}`} />
+        {o.object?.metric && (
+          <TooltipRow label={`${label}: `} value={`${o.object?.metric}`} />
         )}
       </div>
     );
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Screengrid/Screengrid.tsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Screengrid/Screengrid.tsx
index 7e47cc9530c04..9584c8f53eed6 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Screengrid/Screengrid.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/Screengrid/Screengrid.tsx
@@ -45,12 +45,12 @@ function setTooltipContent(o: JsonObject) {
       <TooltipRow
         // eslint-disable-next-line prefer-template
         label={t('Longitude and Latitude') + ': '}
-        value={`${o.coordinate[0]}, ${o.coordinate[1]}`}
+        value={`${o?.coordinate?.[0]}, ${o?.coordinate?.[1]}`}
       />
       <TooltipRow
         // eslint-disable-next-line prefer-template
         label={t('Weight') + ': '}
-        value={`${o.object.cellWeight}`}
+        value={`${o.object?.cellWeight}`}
       />
     </div>
   );
diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/index.ts b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/index.ts
index b77d5bd12c49c..9747a50b1e761 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/index.ts
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/layers/index.ts
@@ -25,6 +25,8 @@ import { getLayer as deck_scatter } from './Scatter/Scatter';
 import { getLayer as deck_geojson } from './Geojson/Geojson';
 import { getLayer as deck_arc } from './Arc/Arc';
 import { getLayer as deck_polygon } from './Polygon/Polygon';
+import { getLayer as deck_heatmap } from './Heatmap/Heatmap';
+import { getLayer as deck_contour } from './Contour/Contour';
 
 const layerGenerators = {
   deck_grid,
@@ -35,6 +37,8 @@ const layerGenerators = {
   deck_geojson,
   deck_arc,
   deck_polygon,
+  deck_heatmap,
+  deck_contour,
 };
 
 export default layerGenerators;

From ba9032e8d0f2789de86502c8604ab7de88ed932a Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Mon, 29 Jan 2024 12:59:33 -0500
Subject: [PATCH 025/114] fix: prevent guest user from modifying metrics
 (#26749)

(cherry picked from commit fade4806ceebde32a775c04d86a46c7e93bc371f)
---
 superset/common/query_object.py               |  2 +-
 superset/security/manager.py                  | 26 ++++++-
 .../security/guest_token_security_tests.py    | 15 ++++
 tests/unit_tests/security/manager_test.py     | 76 +++++++++++++++++++
 4 files changed, 117 insertions(+), 2 deletions(-)

diff --git a/superset/common/query_object.py b/superset/common/query_object.py
index 989df5775b2e7..5109c465e0abe 100644
--- a/superset/common/query_object.py
+++ b/superset/common/query_object.py
@@ -125,7 +125,7 @@ def __init__(  # pylint: disable=too-many-locals
         order_desc: bool = True,
         orderby: list[OrderBy] | None = None,
         post_processing: list[dict[str, Any] | None] | None = None,
-        row_limit: int | None,
+        row_limit: int | None = None,
         row_offset: int | None = None,
         series_columns: list[Column] | None = None,
         series_limit: int = 0,
diff --git a/superset/security/manager.py b/superset/security/manager.py
index ef0a5f9a49828..28046d0fefd42 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -1819,7 +1819,7 @@ def get_exclude_users_from_lists() -> list[str]:
         return []
 
     def raise_for_access(
-        # pylint: disable=too-many-arguments,too-many-branches,too-many-locals
+        # pylint: disable=too-many-arguments,too-many-branches,too-many-locals,too-many-statements
         self,
         dashboard: Optional["Dashboard"] = None,
         database: Optional["Database"] = None,
@@ -1909,6 +1909,30 @@ def raise_for_access(
                     self.get_table_access_error_object(denied)
                 )
 
+        if self.is_guest_user() and query_context:
+            # Guest users MUST not modify the payload so it's requesting a different
+            # chart or different ad-hoc metrics from what's saved.
+            form_data = query_context.form_data
+            stored_chart = query_context.slice_
+
+            if (
+                form_data is None
+                or stored_chart is None
+                or form_data.get("slice_id") != stored_chart.id
+                or form_data.get("metrics", []) != stored_chart.params_dict["metrics"]
+                or any(
+                    query.metrics != stored_chart.params_dict["metrics"]
+                    for query in query_context.queries
+                )
+            ):
+                raise SupersetSecurityException(
+                    SupersetError(
+                        error_type=SupersetErrorType.DASHBOARD_SECURITY_ACCESS_ERROR,
+                        message=_("Guest user cannot modify chart payload"),
+                        level=ErrorLevel.ERROR,
+                    )
+                )
+
         if datasource or query_context or viz:
             form_data = None
 
diff --git a/tests/integration_tests/security/guest_token_security_tests.py b/tests/integration_tests/security/guest_token_security_tests.py
index 4cd8a77f7635c..b812929433c9b 100644
--- a/tests/integration_tests/security/guest_token_security_tests.py
+++ b/tests/integration_tests/security/guest_token_security_tests.py
@@ -288,7 +288,10 @@ def test_raise_for_access__happy_path(self):
                         form_data={
                             "dashboardId": self.dash.id,
                             "slice_id": self.chart.id,
+                            "metrics": self.chart.params_dict["metrics"],
                         },
+                        slice_=self.chart,
+                        queries=[],
                     )
                 }
             )
@@ -304,7 +307,11 @@ def test_raise_for_access__native_filter_happy_path(self):
                             "dashboardId": self.dash.id,
                             "native_filter_id": "NATIVE_FILTER-ABCDEFGH",
                             "type": "NATIVE_FILTER",
+                            "slice_id": self.chart.id,
+                            "metrics": self.chart.params_dict["metrics"],
                         },
+                        slice_=self.chart,
+                        queries=[],
                     )
                 }
             )
@@ -382,7 +389,11 @@ def test_raise_for_access__native_filter_no_id_in_form_data(self):
                             form_data={
                                 "dashboardId": self.dash.id,
                                 "type": "NATIVE_FILTER",
+                                "slice_id": self.chart.id,
+                                "metrics": self.chart.params_dict["metrics"],
                             },
+                            slice_=self.chart,
+                            queries=[],
                         )
                     }
                 )
@@ -399,7 +410,11 @@ def test_raise_for_access__native_filter_datasource_not_associated(self):
                                 "dashboardId": self.dash.id,
                                 "native_filter_id": "NATIVE_FILTER-ABCDEFGH",
                                 "type": "NATIVE_FILTER",
+                                "slice_id": self.chart.id,
+                                "metrics": self.chart.params_dict["metrics"],
                             },
+                            slice_=self.chart,
+                            queries=[],
                         )
                     }
                 )
diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py
index 1843e7261cc9a..ad6e53e9930ce 100644
--- a/tests/unit_tests/security/manager_test.py
+++ b/tests/unit_tests/security/manager_test.py
@@ -18,6 +18,7 @@
 import pytest
 from pytest_mock import MockFixture
 
+from superset.common.query_object import QueryObject
 from superset.exceptions import SupersetSecurityException
 from superset.extensions import appbuilder
 from superset.security.manager import SupersetSecurityManager
@@ -31,6 +32,81 @@ def test_security_manager(app_context: None) -> None:
     assert sm
 
 
+def test_raise_for_access_guest_user(
+    mocker: MockFixture,
+    app_context: None,
+) -> None:
+    """
+    Test that guest user can't modify chart payload.
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    mocker.patch.object(sm, "is_guest_user", return_value=True)
+    mocker.patch.object(sm, "can_access", return_value=True)
+
+    query_context = mocker.MagicMock()
+    query_context.slice_.id = 42
+    stored_metrics = [
+        {
+            "aggregate": None,
+            "column": None,
+            "datasourceWarning": False,
+            "expressionType": "SQL",
+            "hasCustomLabel": False,
+            "label": "COUNT(*) + 1",
+            "optionName": "metric_ssa1gwimio_cxpyjc7vj3s",
+            "sqlExpression": "COUNT(*) + 1",
+        }
+    ]
+    query_context.slice_.params_dict = {
+        "metrics": stored_metrics,
+    }
+
+    # normal request
+    query_context.form_data = {
+        "slice_id": 42,
+        "metrics": stored_metrics,
+    }
+    query_context.queries = [QueryObject(metrics=stored_metrics)]  # type: ignore
+    sm.raise_for_access(query_context=query_context)
+
+    # tampered requests
+    query_context.form_data = {
+        "slice_id": 43,
+        "metrics": stored_metrics,
+    }
+    query_context.queries = [QueryObject(metrics=stored_metrics)]  # type: ignore
+    with pytest.raises(SupersetSecurityException):
+        sm.raise_for_access(query_context=query_context)
+
+    tampered_metrics = [
+        {
+            "aggregate": None,
+            "column": None,
+            "datasourceWarning": False,
+            "expressionType": "SQL",
+            "hasCustomLabel": False,
+            "label": "COUNT(*) + 2",
+            "optionName": "metric_ssa1gwimio_cxpyjc7vj3s",
+            "sqlExpression": "COUNT(*) + 2",
+        }
+    ]
+
+    query_context.form_data = {
+        "slice_id": 42,
+        "metrics": tampered_metrics,
+    }
+    with pytest.raises(SupersetSecurityException):
+        sm.raise_for_access(query_context=query_context)
+
+    query_context.form_data = {
+        "slice_id": 42,
+        "metrics": stored_metrics,
+    }
+    query_context.queries = [QueryObject(metrics=tampered_metrics)]  # type: ignore
+    with pytest.raises(SupersetSecurityException):
+        sm.raise_for_access(query_context=query_context)
+
+
 def test_raise_for_access_query_default_schema(
     mocker: MockFixture,
     app_context: None,

From 81353e280ba8d432bcef62762e5b786d28e6f161 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Mon, 29 Jan 2024 15:25:16 -0500
Subject: [PATCH 026/114] fix: Bar charts horizontal margin adjustment error
 (#26817)

(cherry picked from commit 84c48d11d8b3bef244823643804f5fd3d6e3ca86)
---
 .../src/Timeseries/transformProps.ts          |  1 +
 .../src/Timeseries/transformers.ts            | 42 +++++++++++--------
 .../plugin-chart-echarts/src/utils/series.ts  | 14 +++++++
 .../test/utils/series.test.ts                 | 32 ++++++++++++++
 4 files changed, 72 insertions(+), 17 deletions(-)

diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
index 3bbe285aeca54..a5c380c5ffb36 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
@@ -437,6 +437,7 @@ export default function transformProps(
     yAxisTitlePosition,
     convertInteger(yAxisTitleMargin),
     convertInteger(xAxisTitleMargin),
+    isHorizontal,
   );
 
   const legendData = rawSeries
diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts
index 3b62417f16335..5b9fa43047a3c 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts
@@ -550,6 +550,7 @@ export function getPadding(
   yAxisTitlePosition?: string,
   yAxisTitleMargin?: number,
   xAxisTitleMargin?: number,
+  isHorizontal?: boolean,
 ): {
   bottom: number;
   left: number;
@@ -560,21 +561,28 @@ export function getPadding(
     ? TIMESERIES_CONSTANTS.yAxisLabelTopOffset
     : 0;
   const xAxisOffset = addXAxisTitleOffset ? Number(xAxisTitleMargin) || 0 : 0;
-  return getChartPadding(showLegend, legendOrientation, margin, {
-    top:
-      yAxisTitlePosition && yAxisTitlePosition === 'Top'
-        ? TIMESERIES_CONSTANTS.gridOffsetTop + (Number(yAxisTitleMargin) || 0)
-        : TIMESERIES_CONSTANTS.gridOffsetTop + yAxisOffset,
-    bottom: zoomable
-      ? TIMESERIES_CONSTANTS.gridOffsetBottomZoomable + xAxisOffset
-      : TIMESERIES_CONSTANTS.gridOffsetBottom + xAxisOffset,
-    left:
-      yAxisTitlePosition === 'Left'
-        ? TIMESERIES_CONSTANTS.gridOffsetLeft + (Number(yAxisTitleMargin) || 0)
-        : TIMESERIES_CONSTANTS.gridOffsetLeft,
-    right:
-      showLegend && legendOrientation === LegendOrientation.Right
-        ? 0
-        : TIMESERIES_CONSTANTS.gridOffsetRight,
-  });
+  return getChartPadding(
+    showLegend,
+    legendOrientation,
+    margin,
+    {
+      top:
+        yAxisTitlePosition && yAxisTitlePosition === 'Top'
+          ? TIMESERIES_CONSTANTS.gridOffsetTop + (Number(yAxisTitleMargin) || 0)
+          : TIMESERIES_CONSTANTS.gridOffsetTop + yAxisOffset,
+      bottom: zoomable
+        ? TIMESERIES_CONSTANTS.gridOffsetBottomZoomable + xAxisOffset
+        : TIMESERIES_CONSTANTS.gridOffsetBottom + xAxisOffset,
+      left:
+        yAxisTitlePosition === 'Left'
+          ? TIMESERIES_CONSTANTS.gridOffsetLeft +
+            (Number(yAxisTitleMargin) || 0)
+          : TIMESERIES_CONSTANTS.gridOffsetLeft,
+      right:
+        showLegend && legendOrientation === LegendOrientation.Right
+          ? 0
+          : TIMESERIES_CONSTANTS.gridOffsetRight,
+    },
+    isHorizontal,
+  );
 }
diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/utils/series.ts b/superset-frontend/plugins/plugin-chart-echarts/src/utils/series.ts
index 6a51e7cbf7c5c..8c87bf4333c61 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/utils/series.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/utils/series.ts
@@ -466,6 +466,7 @@ export function getChartPadding(
   orientation: LegendOrientation,
   margin?: string | number | null,
   padding?: { top?: number; bottom?: number; left?: number; right?: number },
+  isHorizontal?: boolean,
 ): {
   bottom: number;
   left: number;
@@ -486,6 +487,19 @@ export function getChartPadding(
   }
 
   const { bottom = 0, left = 0, right = 0, top = 0 } = padding || {};
+
+  if (isHorizontal) {
+    return {
+      left:
+        left + (orientation === LegendOrientation.Bottom ? legendMargin : 0),
+      right:
+        right + (orientation === LegendOrientation.Right ? legendMargin : 0),
+      top: top + (orientation === LegendOrientation.Top ? legendMargin : 0),
+      bottom:
+        bottom + (orientation === LegendOrientation.Left ? legendMargin : 0),
+    };
+  }
+
   return {
     left: left + (orientation === LegendOrientation.Left ? legendMargin : 0),
     right: right + (orientation === LegendOrientation.Right ? legendMargin : 0),
diff --git a/superset-frontend/plugins/plugin-chart-echarts/test/utils/series.test.ts b/superset-frontend/plugins/plugin-chart-echarts/test/utils/series.test.ts
index 3d7d21c8d0b02..10768a47f8d4d 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/test/utils/series.test.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/test/utils/series.test.ts
@@ -795,6 +795,14 @@ describe('getChartPadding', () => {
       right: 0,
       top: 0,
     });
+    expect(
+      getChartPadding(true, LegendOrientation.Left, 100, undefined, true),
+    ).toEqual({
+      bottom: 100,
+      left: 0,
+      right: 0,
+      top: 0,
+    });
   });
 
   it('should return the correct padding for right orientation', () => {
@@ -804,6 +812,14 @@ describe('getChartPadding', () => {
       right: 50,
       top: 0,
     });
+    expect(
+      getChartPadding(true, LegendOrientation.Right, 50, undefined, true),
+    ).toEqual({
+      bottom: 0,
+      left: 0,
+      right: 50,
+      top: 0,
+    });
   });
 
   it('should return the correct padding for top orientation', () => {
@@ -813,6 +829,14 @@ describe('getChartPadding', () => {
       right: 0,
       top: 20,
     });
+    expect(
+      getChartPadding(true, LegendOrientation.Top, 20, undefined, true),
+    ).toEqual({
+      bottom: 0,
+      left: 0,
+      right: 0,
+      top: 20,
+    });
   });
 
   it('should return the correct padding for bottom orientation', () => {
@@ -822,6 +846,14 @@ describe('getChartPadding', () => {
       right: 0,
       top: 0,
     });
+    expect(
+      getChartPadding(true, LegendOrientation.Bottom, 10, undefined, true),
+    ).toEqual({
+      bottom: 0,
+      left: 10,
+      right: 0,
+      top: 0,
+    });
   });
 });
 

From 61b4017b2f50ddddadc6477c6e8bd3ddde65a161 Mon Sep 17 00:00:00 2001
From: Erich <134291879+ege-st@users.noreply.github.com>
Date: Tue, 30 Jan 2024 23:49:55 -0500
Subject: [PATCH 027/114] fix(pinot): typo in the name for epoch_ms_to_dttm
 (#26906)

(cherry picked from commit 484901f4832b64845931f728db3e367f7f7c562c)
---
 superset/db_engine_specs/pinot.py                  |  2 +-
 .../db_engine_specs/pinot_tests.py                 | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/superset/db_engine_specs/pinot.py b/superset/db_engine_specs/pinot.py
index 2cafd5ecb08e5..0f53cfa77bd57 100644
--- a/superset/db_engine_specs/pinot.py
+++ b/superset/db_engine_specs/pinot.py
@@ -62,7 +62,7 @@ def epoch_to_dttm(cls) -> str:
         )
 
     @classmethod
-    def epoch_ms_to_dttm_(cls) -> str:
+    def epoch_ms_to_dttm(cls) -> str:
         return (
             "DATETIMECONVERT({col}, '1:MILLISECONDS:EPOCH', "
             + "'1:MILLISECONDS:EPOCH', '1:MILLISECONDS')"
diff --git a/tests/integration_tests/db_engine_specs/pinot_tests.py b/tests/integration_tests/db_engine_specs/pinot_tests.py
index 3998d2094057d..c8deef6fc42b5 100755
--- a/tests/integration_tests/db_engine_specs/pinot_tests.py
+++ b/tests/integration_tests/db_engine_specs/pinot_tests.py
@@ -84,6 +84,20 @@ def test_pinot_time_expression_sec_one_1m_grain(self):
             expected,
         )
 
+    def test_pinot_time_expression_millisec_one_1m_grain(self):
+        col = column("tstamp")
+        expr = PinotEngineSpec.get_timestamp_expr(col, "epoch_ms", "P1M")
+        result = str(expr.compile())
+        expected = (
+            "CAST(DATE_TRUNC('month', CAST("
+            + "DATETIMECONVERT(tstamp, '1:MILLISECONDS:EPOCH', "
+            + "'1:MILLISECONDS:EPOCH', '1:MILLISECONDS') AS TIMESTAMP)) AS TIMESTAMP)"
+        )
+        self.assertEqual(
+            result,
+            expected,
+        )
+
     def test_invalid_get_time_expression_arguments(self):
         with self.assertRaises(NotImplementedError):
             PinotEngineSpec.get_timestamp_expr(column("tstamp"), None, "P0.25Y")

From de61591a6a224233f170fdfedcc104918ca7edd2 Mon Sep 17 00:00:00 2001
From: mapledan <mapledan829@gmail.com>
Date: Thu, 1 Feb 2024 10:07:43 +0800
Subject: [PATCH 028/114] fix: handle CRLF endings causing sqlglot failure
 (#26911)

(cherry picked from commit f2bf9f72e4f17604f5db80f25815525236a7269a)
---
 superset/sql_parse.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index 07704171dee3d..7b89ab8f0e2cb 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -286,7 +286,7 @@ def _extract_tables_from_sql(self) -> set[Table]:
         Note: this uses sqlglot, since it's better at catching more edge cases.
         """
         try:
-            statements = parse(self.sql, dialect=self._dialect)
+            statements = parse(self.stripped(), dialect=self._dialect)
         except ParseError:
             logger.warning("Unable to parse SQL (%s): %s", self._dialect, self.sql)
             return set()
@@ -494,7 +494,7 @@ def is_unknown(self) -> bool:
         return self._parsed[0].get_type() == "UNKNOWN"
 
     def stripped(self) -> str:
-        return self.sql.strip(" \t\n;")
+        return self.sql.strip(" \t\r\n;")
 
     def strip_comments(self) -> str:
         return sqlparse.format(self.stripped(), strip_comments=True)

From 322812b1c8938d480a5f5862562ff1d3e459d642 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Thu, 1 Feb 2024 10:09:59 +0000
Subject: [PATCH 029/114] fix: dashboard import validation (#26887)

(cherry picked from commit 36ce9e26f0da7893946d787488a30722bdb4d51b)
---
 .../commands/dashboard/importers/v1/utils.py  |   8 +-
 .../commands/importers/v1/import_test.py      | 110 +++++++++++++++++-
 2 files changed, 111 insertions(+), 7 deletions(-)

diff --git a/superset/commands/dashboard/importers/v1/utils.py b/superset/commands/dashboard/importers/v1/utils.py
index 1deb44949a685..712161bc16481 100644
--- a/superset/commands/dashboard/importers/v1/utils.py
+++ b/superset/commands/dashboard/importers/v1/utils.py
@@ -157,7 +157,13 @@ def import_dashboard(
     )
     existing = session.query(Dashboard).filter_by(uuid=config["uuid"]).first()
     if existing:
-        if not overwrite or not can_write:
+        if overwrite and can_write and hasattr(g, "user") and g.user:
+            if not security_manager.can_access_dashboard(existing):
+                raise ImportFailedError(
+                    "A dashboard already exists and user doesn't "
+                    "have permissions to overwrite it"
+                )
+        elif not overwrite or not can_write:
             return existing
         config["id"] = existing.id
     elif not can_write:
diff --git a/tests/unit_tests/dashboards/commands/importers/v1/import_test.py b/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
index 67e089775598f..190f0660f5c49 100644
--- a/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
+++ b/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
@@ -23,6 +23,7 @@
 from sqlalchemy.orm.session import Session
 
 from superset.commands.exceptions import ImportFailedError
+from superset.utils.core import override_user
 
 
 def test_import_dashboard(mocker: MockFixture, session: Session) -> None:
@@ -31,8 +32,6 @@ def test_import_dashboard(mocker: MockFixture, session: Session) -> None:
     """
     from superset import security_manager
     from superset.commands.dashboard.importers.v1.utils import import_dashboard
-    from superset.connectors.sqla.models import SqlaTable
-    from superset.models.core import Database
     from superset.models.slice import Slice
     from tests.integration_tests.fixtures.importexport import dashboard_config
 
@@ -48,6 +47,8 @@ def test_import_dashboard(mocker: MockFixture, session: Session) -> None:
     assert dashboard.description is None
     assert dashboard.is_managed_externally is False
     assert dashboard.external_url is None
+    # Assert that the can write to dashboard was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Dashboard")
 
 
 def test_import_dashboard_managed_externally(
@@ -59,8 +60,6 @@ def test_import_dashboard_managed_externally(
     """
     from superset import security_manager
     from superset.commands.dashboard.importers.v1.utils import import_dashboard
-    from superset.connectors.sqla.models import SqlaTable
-    from superset.models.core import Database
     from superset.models.slice import Slice
     from tests.integration_tests.fixtures.importexport import dashboard_config
 
@@ -77,6 +76,9 @@ def test_import_dashboard_managed_externally(
     assert dashboard.is_managed_externally is True
     assert dashboard.external_url == "https://example.org/my_dashboard"
 
+    # Assert that the can write to dashboard was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Dashboard")
+
 
 def test_import_dashboard_without_permission(
     mocker: MockFixture,
@@ -87,8 +89,6 @@ def test_import_dashboard_without_permission(
     """
     from superset import security_manager
     from superset.commands.dashboard.importers.v1.utils import import_dashboard
-    from superset.connectors.sqla.models import SqlaTable
-    from superset.models.core import Database
     from superset.models.slice import Slice
     from tests.integration_tests.fixtures.importexport import dashboard_config
 
@@ -105,3 +105,101 @@ def test_import_dashboard_without_permission(
         str(excinfo.value)
         == "Dashboard doesn't exist and user doesn't have permission to create dashboards"
     )
+
+    # Assert that the can write to dashboard was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Dashboard")
+
+
+def test_import_existing_dashboard_without_permission(
+    mocker: MockFixture,
+    session: Session,
+) -> None:
+    """
+    Test importing a dashboard when a user doesn't have permissions to create.
+    """
+    from superset import security_manager
+    from superset.commands.dashboard.importers.v1.utils import g, import_dashboard
+    from superset.models.dashboard import Dashboard
+    from superset.models.slice import Slice
+    from tests.integration_tests.fixtures.importexport import dashboard_config
+
+    mocker.patch.object(security_manager, "can_access", return_value=True)
+    mocker.patch.object(security_manager, "can_access_dashboard", return_value=False)
+    mock_g = mocker.patch(
+        "superset.commands.dashboard.importers.v1.utils.g"
+    )  # Replace with the actual path to g
+    mock_g.user = mocker.MagicMock(return_value=True)
+
+    engine = session.get_bind()
+    Slice.metadata.create_all(engine)  # pylint: disable=no-member
+    Dashboard.metadata.create_all(engine)  # pylint: disable=no-member
+
+    dashboard_obj = Dashboard(
+        id=100,
+        dashboard_title="Test dash",
+        slug=None,
+        slices=[],
+        published=True,
+        uuid="c4b28c4e-a1fe-4cf8-a5ac-d6f11d6fdd51",
+    )
+    session.add(dashboard_obj)
+    session.flush()
+    config = copy.deepcopy(dashboard_config)
+
+    with pytest.raises(ImportFailedError) as excinfo:
+        import_dashboard(session, config, overwrite=True)
+    assert (
+        str(excinfo.value)
+        == "A dashboard already exists and user doesn't have permissions to overwrite it"
+    )
+
+    # Assert that the can write to dashboard was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Dashboard")
+    security_manager.can_access_dashboard.assert_called_once_with(dashboard_obj)
+
+
+def test_import_existing_dashboard_with_permission(
+    mocker: MockFixture,
+    session: Session,
+) -> None:
+    """
+    Test importing a dashboard when a user doesn't have permissions to create.
+    """
+    from flask_appbuilder.security.sqla.models import Role, User
+
+    from superset import security_manager
+    from superset.commands.dashboard.importers.v1.utils import import_dashboard
+    from superset.models.dashboard import Dashboard
+    from tests.integration_tests.fixtures.importexport import dashboard_config
+
+    mocker.patch.object(security_manager, "can_access", return_value=True)
+    mocker.patch.object(security_manager, "can_access_dashboard", return_value=True)
+
+    engine = session.get_bind()
+    Dashboard.metadata.create_all(engine)  # pylint: disable=no-member
+
+    admin = User(
+        first_name="Alice",
+        last_name="Doe",
+        email="adoe@example.org",
+        username="admin",
+        roles=[Role(name="Admin")],
+    )
+
+    dashboard_obj = Dashboard(
+        id=100,
+        dashboard_title="Test dash",
+        slug=None,
+        slices=[],
+        published=True,
+        uuid="c4b28c4e-a1fe-4cf8-a5ac-d6f11d6fdd51",
+    )
+    session.add(dashboard_obj)
+    session.flush()
+    config = copy.deepcopy(dashboard_config)
+
+    with override_user(admin):
+        import_dashboard(session, config, overwrite=True)
+    # Assert that the can write to dashboard was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Dashboard")
+    security_manager.can_access_dashboard.assert_called_once_with(dashboard_obj)

From e8a3c5d5f12ff7df2bf9e3324ce45674f5d850ed Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer <sebastian.bernauer@stackable.de>
Date: Thu, 1 Feb 2024 16:12:29 +0100
Subject: [PATCH 030/114] fix: Allow exporting saved queries without schema
 information (#26889)

(cherry picked from commit 4c5176eea82e3b168c5d11f130387d5913b33efa)
---
 superset/commands/query/export.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/superset/commands/query/export.py b/superset/commands/query/export.py
index a8fa8acbf0525..43a110c3b9117 100644
--- a/superset/commands/query/export.py
+++ b/superset/commands/query/export.py
@@ -40,11 +40,16 @@ class ExportSavedQueriesCommand(ExportModelsCommand):
     def _export(
         model: SavedQuery, export_related: bool = True
     ) -> Iterator[tuple[str, str]]:
-        # build filename based on database, optional schema, and label
+        # build filename based on database, optional schema, and label.
+        # we call secure_filename() multiple times and join the directories afterwards,
+        # as secure_filename() replaces "/" with "_".
         database_slug = secure_filename(model.database.database_name)
-        schema_slug = secure_filename(model.schema)
         query_slug = secure_filename(model.label) or str(model.uuid)
-        file_name = f"queries/{database_slug}/{schema_slug}/{query_slug}.yaml"
+        if model.schema is None:
+            file_name = f"queries/{database_slug}/{query_slug}.yaml"
+        else:
+            schema_slug = secure_filename(model.schema)
+            file_name = f"queries/{database_slug}/{schema_slug}/{query_slug}.yaml"
 
         payload = model.export_to_dict(
             recursive=False,

From 86794cbb5eef340b7fa51f139561b1029c5b491c Mon Sep 17 00:00:00 2001
From: Usiel Riedl <usiel.riedl@automattic.com>
Date: Thu, 1 Feb 2024 07:34:07 -0800
Subject: [PATCH 031/114] fix(cache): remove unused webserver config & handle
 trailing slashes (#22849)

(cherry picked from commit 56069b05f9cf4d0c725d1b4b0ad6038b50837cd4)
---
 superset/config.py                            |  4 --
 superset/tasks/cache.py                       |  4 +-
 .../integration_tests/superset_test_config.py |  1 -
 .../superset_test_config_thumbnails.py        |  1 -
 tests/integration_tests/tasks/test_cache.py   | 58 +++++++++++++++++++
 5 files changed, 60 insertions(+), 8 deletions(-)
 create mode 100644 tests/integration_tests/tasks/test_cache.py

diff --git a/superset/config.py b/superset/config.py
index ca801442d9cff..6ef25fb3aacba 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -154,10 +154,6 @@ def _try_json_readsha(filepath: str, length: int) -> str | None:
 # values may be "Last day", "Last week", "<ISO date> : now", etc.
 DEFAULT_TIME_FILTER = NO_TIME_RANGE
 
-SUPERSET_WEBSERVER_PROTOCOL = "http"
-SUPERSET_WEBSERVER_ADDRESS = "0.0.0.0"
-SUPERSET_WEBSERVER_PORT = 8088
-
 # This is an important setting, and should be lower than your
 # [load balancer / proxy / envoy / kong / ...] timeout settings.
 # You should also make sure to configure your WSGI server
diff --git a/superset/tasks/cache.py b/superset/tasks/cache.py
index 569797ba27ab0..1f60a5cd84451 100644
--- a/superset/tasks/cache.py
+++ b/superset/tasks/cache.py
@@ -32,6 +32,7 @@
 from superset.tags.models import Tag, TaggedObject
 from superset.utils.date_parser import parse_human_datetime
 from superset.utils.machine_auth import MachineAuthProvider
+from superset.utils.urls import get_url_path
 
 logger = get_task_logger(__name__)
 logger.setLevel(logging.INFO)
@@ -233,8 +234,7 @@ def fetch_url(data: str, headers: dict[str, str]) -> dict[str, str]:
     """
     result = {}
     try:
-        baseurl = app.config["WEBDRIVER_BASEURL"]
-        url = f"{baseurl}api/v1/chart/warm_up_cache"
+        url = get_url_path("Superset.warm_up_cache")
         logger.info("Fetching %s with payload %s", url, data)
         req = request.Request(
             url, data=bytes(data, "utf-8"), headers=headers, method="PUT"
diff --git a/tests/integration_tests/superset_test_config.py b/tests/integration_tests/superset_test_config.py
index 60b2d1107e508..580ce14d35edb 100644
--- a/tests/integration_tests/superset_test_config.py
+++ b/tests/integration_tests/superset_test_config.py
@@ -36,7 +36,6 @@
     DATA_DIR, "unittests.integration_tests.db"
 )
 DEBUG = False
-SUPERSET_WEBSERVER_PORT = 8081
 SILENCE_FAB = False
 # Allowing SQLALCHEMY_DATABASE_URI and SQLALCHEMY_EXAMPLES_URI to be defined as an env vars for
 # continuous integration
diff --git a/tests/integration_tests/superset_test_config_thumbnails.py b/tests/integration_tests/superset_test_config_thumbnails.py
index a761ef6611bb6..0b5710d3424d5 100644
--- a/tests/integration_tests/superset_test_config_thumbnails.py
+++ b/tests/integration_tests/superset_test_config_thumbnails.py
@@ -24,7 +24,6 @@
     DATA_DIR, "unittests.integration_tests.db"
 )
 DEBUG = True
-SUPERSET_WEBSERVER_PORT = 8081
 
 # Allowing SQLALCHEMY_DATABASE_URI to be defined as an env var for
 # continuous integration
diff --git a/tests/integration_tests/tasks/test_cache.py b/tests/integration_tests/tasks/test_cache.py
new file mode 100644
index 0000000000000..943b444f76936
--- /dev/null
+++ b/tests/integration_tests/tasks/test_cache.py
@@ -0,0 +1,58 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from unittest import mock
+
+import pytest
+
+from tests.integration_tests.test_app import app
+
+
+@pytest.mark.parametrize(
+    "base_url",
+    [
+        "http://base-url",
+        "http://base-url/",
+    ],
+    ids=["Without trailing slash", "With trailing slash"],
+)
+@mock.patch("superset.tasks.cache.request.Request")
+@mock.patch("superset.tasks.cache.request.urlopen")
+def test_fetch_url(mock_urlopen, mock_request_cls, base_url):
+    from superset.tasks.cache import fetch_url
+
+    mock_request = mock.MagicMock()
+    mock_request_cls.return_value = mock_request
+
+    mock_urlopen.return_value = mock.MagicMock()
+    mock_urlopen.return_value.code = 200
+
+    app.config["WEBDRIVER_BASEURL"] = base_url
+    headers = {"key": "value"}
+    data = "data"
+    data_encoded = b"data"
+
+    result = fetch_url(data, headers)
+
+    assert data == result["success"]
+    mock_request_cls.assert_called_once_with(
+        "http://base-url/superset/warm_up_cache/",
+        data=data_encoded,
+        headers=headers,
+        method="PUT",
+    )
+    # assert the same Request object is used
+    mock_urlopen.assert_called_once_with(mock_request, timeout=mock.ANY)

From dac73fe0cd0838576d08d4b6dbb4aaadc6f257a3 Mon Sep 17 00:00:00 2001
From: Zef Lin <zef@preset.io>
Date: Mon, 8 Jan 2024 17:11:45 -0800
Subject: [PATCH 032/114] feat(embedded+async queries): support async queries
 to work with embedded guest user (#26332)

(cherry picked from commit efdeb9df0550458363e1c84850770012f501c9fb)
---
 superset/async_events/async_query_manager.py  | 26 +++++-
 superset/common/query_context_processor.py    | 10 ++-
 superset/tasks/async_queries.py               | 37 ++++++---
 .../integration_tests/query_context_tests.py  |  1 +
 .../async_events/async_query_manager_tests.py | 79 ++++++++++++++++++-
 5 files changed, 134 insertions(+), 19 deletions(-)

diff --git a/superset/async_events/async_query_manager.py b/superset/async_events/async_query_manager.py
index 94941541fb4f9..32cf247cf304f 100644
--- a/superset/async_events/async_query_manager.py
+++ b/superset/async_events/async_query_manager.py
@@ -191,9 +191,14 @@ def submit_explore_json_job(
         force: Optional[bool] = False,
         user_id: Optional[int] = None,
     ) -> dict[str, Any]:
+        # pylint: disable=import-outside-toplevel
+        from superset import security_manager
+
         job_metadata = self.init_job(channel_id, user_id)
         self._load_explore_json_into_cache_job.delay(
-            job_metadata,
+            {**job_metadata, "guest_token": guest_user.guest_token}
+            if (guest_user := security_manager.get_current_guest_user_if_guest())
+            else job_metadata,
             form_data,
             response_type,
             force,
@@ -201,10 +206,25 @@ def submit_explore_json_job(
         return job_metadata
 
     def submit_chart_data_job(
-        self, channel_id: str, form_data: dict[str, Any], user_id: Optional[int]
+        self,
+        channel_id: str,
+        form_data: dict[str, Any],
+        user_id: Optional[int] = None,
     ) -> dict[str, Any]:
+        # pylint: disable=import-outside-toplevel
+        from superset import security_manager
+
+        # if it's guest user, we want to pass the guest token to the celery task
+        # chart data cache key is calculated based on the current user
+        # this way we can keep the cache key consistent between sync and async command
+        # so that it can be looked up consistently
         job_metadata = self.init_job(channel_id, user_id)
-        self._load_chart_data_into_cache_job.delay(job_metadata, form_data)
+        self._load_chart_data_into_cache_job.delay(
+            {**job_metadata, "guest_token": guest_user.guest_token}
+            if (guest_user := security_manager.get_current_guest_user_if_guest())
+            else job_metadata,
+            form_data,
+        )
         return job_metadata
 
     def read_events(
diff --git a/superset/common/query_context_processor.py b/superset/common/query_context_processor.py
index 5b1414d53b396..d8b5bea4bb729 100644
--- a/superset/common/query_context_processor.py
+++ b/superset/common/query_context_processor.py
@@ -600,7 +600,15 @@ def get_payload(
             set_and_log_cache(
                 cache_manager.cache,
                 cache_key,
-                {"data": self._query_context.cache_values},
+                {
+                    "data": {
+                        # setting form_data into query context cache value as well
+                        # so that it can be used to reconstruct form_data field
+                        # for query context object when reading from cache
+                        "form_data": self._query_context.form_data,
+                        **self._query_context.cache_values,
+                    },
+                },
                 self.get_cache_timeout(),
             )
             return_value["cache_key"] = cache_key  # type: ignore
diff --git a/superset/tasks/async_queries.py b/superset/tasks/async_queries.py
index 61970ca1f3801..b804847cd84e3 100644
--- a/superset/tasks/async_queries.py
+++ b/superset/tasks/async_queries.py
@@ -22,6 +22,7 @@
 
 from celery.exceptions import SoftTimeLimitExceeded
 from flask import current_app, g
+from flask_appbuilder.security.sqla.models import User
 from marshmallow import ValidationError
 
 from superset.charts.schemas import ChartDataQueryContextSchema
@@ -58,6 +59,20 @@ def _create_query_context_from_form(form_data: dict[str, Any]) -> QueryContext:
         raise error
 
 
+def _load_user_from_job_metadata(job_metadata: dict[str, Any]) -> User:
+    if user_id := job_metadata.get("user_id"):
+        # logged in user
+        user = security_manager.get_user_by_id(user_id)
+    elif guest_token := job_metadata.get("guest_token"):
+        # embedded guest user
+        user = security_manager.get_guest_user_from_token(guest_token)
+        del job_metadata["guest_token"]
+    else:
+        # default to anonymous user if no user is found
+        user = security_manager.get_anonymous_user()
+    return user
+
+
 @celery_app.task(name="load_chart_data_into_cache", soft_time_limit=query_timeout)
 def load_chart_data_into_cache(
     job_metadata: dict[str, Any],
@@ -66,12 +81,7 @@ def load_chart_data_into_cache(
     # pylint: disable=import-outside-toplevel
     from superset.commands.chart.data.get_data_command import ChartDataCommand
 
-    user = (
-        security_manager.get_user_by_id(job_metadata.get("user_id"))
-        or security_manager.get_anonymous_user()
-    )
-
-    with override_user(user, force=False):
+    with override_user(_load_user_from_job_metadata(job_metadata), force=False):
         try:
             set_form_data(form_data)
             query_context = _create_query_context_from_form(form_data)
@@ -106,12 +116,7 @@ def load_explore_json_into_cache(  # pylint: disable=too-many-locals
 ) -> None:
     cache_key_prefix = "ejr-"  # ejr: explore_json request
 
-    user = (
-        security_manager.get_user_by_id(job_metadata.get("user_id"))
-        or security_manager.get_anonymous_user()
-    )
-
-    with override_user(user, force=False):
+    with override_user(_load_user_from_job_metadata(job_metadata), force=False):
         try:
             set_form_data(form_data)
             datasource_id, datasource_type = get_datasource_info(None, None, form_data)
@@ -140,7 +145,13 @@ def load_explore_json_into_cache(  # pylint: disable=too-many-locals
                 "response_type": response_type,
             }
             cache_key = generate_cache_key(cache_value, cache_key_prefix)
-            set_and_log_cache(cache_manager.cache, cache_key, cache_value)
+            cache_instance = cache_manager.cache
+            cache_timeout = (
+                cache_instance.cache.default_timeout if cache_instance.cache else None
+            )
+            set_and_log_cache(
+                cache_instance, cache_key, cache_value, cache_timeout=cache_timeout
+            )
             result_url = f"/superset/explore_json/data/{cache_key}"
             async_query_manager.update_job(
                 job_metadata,
diff --git a/tests/integration_tests/query_context_tests.py b/tests/integration_tests/query_context_tests.py
index 8c2082d1c4b12..30cd160d7ee58 100644
--- a/tests/integration_tests/query_context_tests.py
+++ b/tests/integration_tests/query_context_tests.py
@@ -121,6 +121,7 @@ def test_cache(self):
 
         cached = cache_manager.cache.get(cache_key)
         assert cached is not None
+        assert "form_data" in cached["data"]
 
         rehydrated_qc = ChartDataQueryContextSchema().load(cached["data"])
         rehydrated_qo = rehydrated_qc.queries[0]
diff --git a/tests/unit_tests/async_events/async_query_manager_tests.py b/tests/unit_tests/async_events/async_query_manager_tests.py
index b4ae06dfc3f6f..85ea1142019ee 100644
--- a/tests/unit_tests/async_events/async_query_manager_tests.py
+++ b/tests/unit_tests/async_events/async_query_manager_tests.py
@@ -14,12 +14,14 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
+from unittest import mock
+from unittest.mock import ANY, Mock
 
-from unittest.mock import Mock
-
+from flask import g
 from jwt import encode
 from pytest import fixture, raises
 
+from superset import security_manager
 from superset.async_events.async_query_manager import (
     AsyncQueryManager,
     AsyncQueryTokenException,
@@ -38,6 +40,12 @@ def async_query_manager():
     return query_manager
 
 
+def set_current_as_guest_user():
+    g.user = security_manager.get_guest_user_from_token(
+        {"user": {}, "resources": [{"type": "dashboard", "id": "some-uuid"}]}
+    )
+
+
 def test_parse_channel_id_from_request(async_query_manager):
     encoded_token = encode(
         {"channel": "test_channel_id"}, JWT_TOKEN_SECRET, algorithm="HS256"
@@ -65,3 +73,70 @@ def test_parse_channel_id_from_request_bad_jwt(async_query_manager):
 
     with raises(AsyncQueryTokenException):
         async_query_manager.parse_channel_id_from_request(request)
+
+
+@mock.patch("superset.is_feature_enabled")
+def test_submit_chart_data_job_as_guest_user(
+    is_feature_enabled_mock, async_query_manager
+):
+    is_feature_enabled_mock.return_value = True
+    set_current_as_guest_user()
+    job_mock = Mock()
+    async_query_manager._load_chart_data_into_cache_job = job_mock
+    job_meta = async_query_manager.submit_chart_data_job(
+        channel_id="test_channel_id",
+        form_data={},
+    )
+
+    job_mock.delay.assert_called_once_with(
+        {
+            "channel_id": "test_channel_id",
+            "errors": [],
+            "guest_token": {
+                "resources": [{"id": "some-uuid", "type": "dashboard"}],
+                "user": {},
+            },
+            "job_id": ANY,
+            "result_url": None,
+            "status": "pending",
+            "user_id": None,
+        },
+        {},
+    )
+
+    assert "guest_token" not in job_meta
+
+
+@mock.patch("superset.is_feature_enabled")
+def test_submit_explore_json_job_as_guest_user(
+    is_feature_enabled_mock, async_query_manager
+):
+    is_feature_enabled_mock.return_value = True
+    set_current_as_guest_user()
+    job_mock = Mock()
+    async_query_manager._load_explore_json_into_cache_job = job_mock
+    job_meta = async_query_manager.submit_explore_json_job(
+        channel_id="test_channel_id",
+        form_data={},
+        response_type="json",
+    )
+
+    job_mock.delay.assert_called_once_with(
+        {
+            "channel_id": "test_channel_id",
+            "errors": [],
+            "guest_token": {
+                "resources": [{"id": "some-uuid", "type": "dashboard"}],
+                "user": {},
+            },
+            "job_id": ANY,
+            "result_url": None,
+            "status": "pending",
+            "user_id": None,
+        },
+        {},
+        "json",
+        False,
+    )
+
+    assert "guest_token" not in job_meta

From ab7f560d4b7eb09618bf9ac02fd394b7d272d71f Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Date: Thu, 1 Feb 2024 18:27:22 +0100
Subject: [PATCH 033/114] fix(plugin-chart-table): Prevent misalignment of
 totals and headers when scrollbar is visible (#26964)

(cherry picked from commit e6d2fb6fdfa4d741de16b322bdc4bd01fb559413)
---
 .../plugin-chart-table/src/DataTable/hooks/useSticky.tsx      | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/superset-frontend/plugins/plugin-chart-table/src/DataTable/hooks/useSticky.tsx b/superset-frontend/plugins/plugin-chart-table/src/DataTable/hooks/useSticky.tsx
index 067d071ee1926..e154a521f6922 100644
--- a/superset-frontend/plugins/plugin-chart-table/src/DataTable/hooks/useSticky.tsx
+++ b/superset-frontend/plugins/plugin-chart-table/src/DataTable/hooks/useSticky.tsx
@@ -226,6 +226,7 @@ function StickyWrap({
           height: maxHeight,
           overflow: 'auto',
           visibility: 'hidden',
+          scrollbarGutter: 'stable',
         }}
       >
         {React.cloneElement(table, {}, theadWithRef, tbody, tfootWithRef)}
@@ -252,6 +253,7 @@ function StickyWrap({
         ref={scrollHeaderRef}
         style={{
           overflow: 'hidden',
+          scrollbarGutter: 'stable',
         }}
       >
         {React.cloneElement(
@@ -270,6 +272,7 @@ function StickyWrap({
         ref={scrollFooterRef}
         style={{
           overflow: 'hidden',
+          scrollbarGutter: 'stable',
         }}
       >
         {React.cloneElement(
@@ -297,6 +300,7 @@ function StickyWrap({
         style={{
           height: bodyHeight,
           overflow: 'auto',
+          scrollbarGutter: 'stable',
         }}
         onScroll={sticky.hasHorizontalScroll ? onScroll : undefined}
       >

From e3abdd5b6ac84ecae593274049eb094b49f83ab7 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Fri, 2 Feb 2024 12:56:02 -0500
Subject: [PATCH 034/114] fix: column values with NaN (#26946)

(cherry picked from commit d8a98475036a4fba28b3d3eb508b3d1f3f5072aa)
---
 superset/models/helpers.py                    |  7 ++++++-
 tests/integration_tests/conftest.py           | 21 ++++++++++---------
 .../integration_tests/datasource/api_tests.py | 10 +++++++++
 tests/integration_tests/datasource_tests.py   |  9 +++++++-
 4 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/superset/models/helpers.py b/superset/models/helpers.py
index 65d0b53728893..4ff206882ec75 100644
--- a/superset/models/helpers.py
+++ b/superset/models/helpers.py
@@ -1341,7 +1341,10 @@ def get_time_filter(  # pylint: disable=too-many-arguments
         return and_(*l)
 
     def values_for_column(
-        self, column_name: str, limit: int = 10000, denormalize_column: bool = False
+        self,
+        column_name: str,
+        limit: int = 10000,
+        denormalize_column: bool = False,
     ) -> list[Any]:
         # denormalize column name before querying for values
         # unless disabled in the dataset configuration
@@ -1379,6 +1382,8 @@ def values_for_column(
             sql = self.mutate_query_from_config(sql)
 
             df = pd.read_sql_query(sql=sql, con=engine)
+            # replace NaN with None to ensure it can be serialized to JSON
+            df = df.replace({np.nan: None})
             return df["column_values"].to_list()
 
     def get_timestamp_expression(
diff --git a/tests/integration_tests/conftest.py b/tests/integration_tests/conftest.py
index 3e6aa963072b1..b90416587c2e8 100644
--- a/tests/integration_tests/conftest.py
+++ b/tests/integration_tests/conftest.py
@@ -296,25 +296,25 @@ def virtual_dataset():
     dataset = SqlaTable(
         table_name="virtual_dataset",
         sql=(
-            "SELECT 0 as col1, 'a' as col2, 1.0 as col3, NULL as col4, '2000-01-01 00:00:00' as col5 "
+            "SELECT 0 as col1, 'a' as col2, 1.0 as col3, NULL as col4, '2000-01-01 00:00:00' as col5, 1 as col6 "
             "UNION ALL "
-            "SELECT 1, 'b', 1.1, NULL, '2000-01-02 00:00:00' "
+            "SELECT 1, 'b', 1.1, NULL, '2000-01-02 00:00:00', NULL "
             "UNION ALL "
-            "SELECT 2 as col1, 'c' as col2, 1.2, NULL, '2000-01-03 00:00:00' "
+            "SELECT 2 as col1, 'c' as col2, 1.2, NULL, '2000-01-03 00:00:00', 3 "
             "UNION ALL "
-            "SELECT 3 as col1, 'd' as col2, 1.3, NULL, '2000-01-04 00:00:00' "
+            "SELECT 3 as col1, 'd' as col2, 1.3, NULL, '2000-01-04 00:00:00', 4 "
             "UNION ALL "
-            "SELECT 4 as col1, 'e' as col2, 1.4, NULL, '2000-01-05 00:00:00' "
+            "SELECT 4 as col1, 'e' as col2, 1.4, NULL, '2000-01-05 00:00:00', 5 "
             "UNION ALL "
-            "SELECT 5 as col1, 'f' as col2, 1.5, NULL, '2000-01-06 00:00:00' "
+            "SELECT 5 as col1, 'f' as col2, 1.5, NULL, '2000-01-06 00:00:00', 6 "
             "UNION ALL "
-            "SELECT 6 as col1, 'g' as col2, 1.6, NULL, '2000-01-07 00:00:00' "
+            "SELECT 6 as col1, 'g' as col2, 1.6, NULL, '2000-01-07 00:00:00', 7 "
             "UNION ALL "
-            "SELECT 7 as col1, 'h' as col2, 1.7, NULL, '2000-01-08 00:00:00' "
+            "SELECT 7 as col1, 'h' as col2, 1.7, NULL, '2000-01-08 00:00:00', 8 "
             "UNION ALL "
-            "SELECT 8 as col1, 'i' as col2, 1.8, NULL, '2000-01-09 00:00:00' "
+            "SELECT 8 as col1, 'i' as col2, 1.8, NULL, '2000-01-09 00:00:00', 9 "
             "UNION ALL "
-            "SELECT 9 as col1, 'j' as col2, 1.9, NULL, '2000-01-10 00:00:00' "
+            "SELECT 9 as col1, 'j' as col2, 1.9, NULL, '2000-01-10 00:00:00', 10"
         ),
         database=get_example_database(),
     )
@@ -324,6 +324,7 @@ def virtual_dataset():
     TableColumn(column_name="col4", type="VARCHAR(255)", table=dataset)
     # Different database dialect datetime type is not consistent, so temporarily use varchar
     TableColumn(column_name="col5", type="VARCHAR(255)", table=dataset)
+    TableColumn(column_name="col6", type="INTEGER", table=dataset)
 
     SqlMetric(metric_name="count", expression="count(*)", table=dataset)
     db.session.add(dataset)
diff --git a/tests/integration_tests/datasource/api_tests.py b/tests/integration_tests/datasource/api_tests.py
index b6a6af105d7ac..2605ec399f0ed 100644
--- a/tests/integration_tests/datasource/api_tests.py
+++ b/tests/integration_tests/datasource/api_tests.py
@@ -72,6 +72,16 @@ def test_get_column_values_nulls(self):
         response = json.loads(rv.data.decode("utf-8"))
         self.assertEqual(response["result"], [None])
 
+    @pytest.mark.usefixtures("app_context", "virtual_dataset")
+    def test_get_column_values_integers_with_nulls(self):
+        self.login(username="admin")
+        table = self.get_virtual_dataset()
+        rv = self.client.get(f"api/v1/datasource/table/{table.id}/column/col6/values/")
+        self.assertEqual(rv.status_code, 200)
+        response = json.loads(rv.data.decode("utf-8"))
+        for val in [1, None, 3, 4, 5, 6, 7, 8, 9, 10]:
+            assert val in response["result"]
+
     @pytest.mark.usefixtures("app_context", "virtual_dataset")
     def test_get_column_values_invalid_datasource_type(self):
         self.login(username="admin")
diff --git a/tests/integration_tests/datasource_tests.py b/tests/integration_tests/datasource_tests.py
index 5ab81b58d12cd..d5f548f204226 100644
--- a/tests/integration_tests/datasource_tests.py
+++ b/tests/integration_tests/datasource_tests.py
@@ -602,7 +602,14 @@ def test_get_samples_with_filters(test_client, login_as_admin, virtual_dataset):
         },
     )
     assert rv.status_code == 200
-    assert rv.json["result"]["colnames"] == ["col1", "col2", "col3", "col4", "col5"]
+    assert rv.json["result"]["colnames"] == [
+        "col1",
+        "col2",
+        "col3",
+        "col4",
+        "col5",
+        "col6",
+    ]
     assert rv.json["result"]["rowcount"] == 1
 
     # empty results

From 4df40bedc28c162eb62504a17cb8386a1c873c50 Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Wed, 7 Feb 2024 13:20:28 -0300
Subject: [PATCH 035/114] fix(tags): Improve support for tags with colons
 (#26965)

(cherry picked from commit e437356013adc8beb2eca39a31beca6ba56f4c23)
---
 superset-frontend/src/components/Tags/utils.tsx |  9 +++++----
 superset-frontend/src/features/tags/tags.ts     | 16 +++++++---------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/superset-frontend/src/components/Tags/utils.tsx b/superset-frontend/src/components/Tags/utils.tsx
index 2dd38e6236911..ec08a3b126a32 100644
--- a/superset-frontend/src/components/Tags/utils.tsx
+++ b/superset-frontend/src/components/Tags/utils.tsx
@@ -56,7 +56,10 @@ export const loadTags = async (
 ) => {
   const searchColumn = 'name';
   const query = rison.encode({
-    filters: [{ col: searchColumn, opr: 'ct', value: search }],
+    filters: [
+      { col: searchColumn, opr: 'ct', value: search },
+      { col: 'type', opr: 'custom_tag', value: true },
+    ],
     page,
     page_size: pageSize,
     order_column: searchColumn,
@@ -78,9 +81,7 @@ export const loadTags = async (
       const data: {
         label: string;
         value: string | number;
-      }[] = response.json.result
-        .filter((item: Tag & { table_name: string }) => item.type === 1)
-        .map(tagToSelectOption);
+      }[] = response.json.result.map(tagToSelectOption);
       return {
         data,
         totalCount: response.json.count,
diff --git a/superset-frontend/src/features/tags/tags.ts b/superset-frontend/src/features/tags/tags.ts
index db172681cb90f..c1f5c3815106c 100644
--- a/superset-frontend/src/features/tags/tags.ts
+++ b/superset-frontend/src/features/tags/tags.ts
@@ -47,10 +47,15 @@ const map_object_type_to_id = (objectType: string) => {
 };
 
 export function fetchAllTags(
+  // fetch all tags (excluding system tags)
   callback: (json: JsonObject) => void,
   error: (response: Response) => void,
 ) {
-  SupersetClient.get({ endpoint: `/api/v1/tag` })
+  SupersetClient.get({
+    endpoint: `/api/v1/tag/?q=${rison.encode({
+      filters: [{ col: 'type', opr: 'custom_tag', value: true }],
+    })}`,
+  })
     .then(({ json }) => callback(json))
     .catch(response => error(response));
 }
@@ -89,11 +94,7 @@ export function fetchTags(
     endpoint: `/api/v1/${objectType}/${objectId}`,
   })
     .then(({ json }) =>
-      callback(
-        json.result.tags.filter(
-          (tag: Tag) => tag.name.indexOf(':') === -1 || includeTypes,
-        ),
-      ),
+      callback(json.result.tags.filter((tag: Tag) => tag.type === 1)),
     )
     .catch(response => error(response));
 }
@@ -163,9 +164,6 @@ export function addTag(
   if (objectType === undefined || objectId === undefined) {
     throw new Error('Need to specify objectType and objectId');
   }
-  if (tag.indexOf(':') !== -1 && !includeTypes) {
-    return;
-  }
   const objectTypeId = map_object_type_to_id(objectType);
   SupersetClient.post({
     endpoint: `/api/v1/tag/${objectTypeId}/${objectId}/`,

From 5a6109b2dee046764babcfef4a5a67c32f2256ea Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Wed, 7 Feb 2024 13:20:41 -0300
Subject: [PATCH 036/114] fix(security manager): Users should not have access
 to all draft dashboards (#27015)

(cherry picked from commit 01e2f8ace31950ca337a6a8d7348d37c59cf8126)
---
 superset/security/manager.py                  | 31 ++++++++++---------
 .../security/security_rbac_tests.py           | 24 ++++++++------
 2 files changed, 32 insertions(+), 23 deletions(-)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index 28046d0fefd42..e11ab68e74380 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -2018,25 +2018,28 @@ def raise_for_access(
             if self.is_admin() or self.is_owner(dashboard):
                 return
 
-            # RBAC and legacy (datasource inferred) access controls.
+            # TODO: Once a better sharing flow is in place, we should move the
+            # dashboard.published check here so that it's applied to both
+            # regular RBAC and DASHBOARD_RBAC
+
+            # DASHBOARD_RBAC logic - Manage dashboard access through roles.
+            # Only applicable in case the dashboard has roles set.
             if is_feature_enabled("DASHBOARD_RBAC") and dashboard.roles:
                 if dashboard.published and {role.id for role in dashboard.roles} & {
                     role.id for role in self.get_user_roles()
                 }:
                     return
-            elif (
-                # To understand why we rely on status and give access to draft dashboards
-                # without roles take a look at:
-                #
-                #   - https://github.com/apache/superset/pull/24350#discussion_r1225061550
-                #   - https://github.com/apache/superset/pull/17511#issuecomment-975870169
-                #
-                not dashboard.published
-                or not dashboard.datasources
-                or any(
-                    self.can_access_datasource(datasource)
-                    for datasource in dashboard.datasources
-                )
+
+            # REGULAR RBAC logic
+            # User can only acess the dashboard in case:
+            #    It doesn't have any datasets; OR
+            #    They have access to at least one dataset used.
+            # We currently don't check if the dashboard is published,
+            # to allow creators to share a WIP dashboard with a viewer
+            # to collect feedback.
+            elif not dashboard.datasources or any(
+                self.can_access_datasource(datasource)
+                for datasource in dashboard.datasources
             ):
                 return
 
diff --git a/tests/integration_tests/dashboards/security/security_rbac_tests.py b/tests/integration_tests/dashboards/security/security_rbac_tests.py
index 792c9d1716d31..4f1cc5b221196 100644
--- a/tests/integration_tests/dashboards/security/security_rbac_tests.py
+++ b/tests/integration_tests/dashboards/security/security_rbac_tests.py
@@ -404,22 +404,28 @@ def test_get_dashboards_api__public_user_get_only_published_permitted_dashboards
         for dash in published_dashboards + draft_dashboards:
             revoke_access_to_dashboard(dash, "Public")
 
-    def test_get_draft_dashboard_without_roles_by_uuid(self):
+    def test_cannot_get_draft_dashboard_without_roles_by_uuid(self):
         """
         Dashboard API: Test get draft dashboard without roles by uuid
         """
         admin = self.get_user("admin")
-        dashboard = self.insert_dashboard("title", "slug1", [admin.id])
-        assert not dashboard.published
-        assert dashboard.roles == []
+
+        database = create_database_to_db(name="test_db_rbac")
+        table = create_datasource_table_to_db(
+            name="test_datasource_rbac", db_id=database.id, owners=[admin]
+        )
+        dashboard_to_access = create_dashboard_to_db(
+            dashboard_title="test_dashboard_rbac",
+            owners=[admin],
+            slices=[create_slice_to_db(datasource_id=table.id)],
+        )
+        assert not dashboard_to_access.published
+        assert dashboard_to_access.roles == []
 
         self.login(username="gamma")
-        uri = f"api/v1/dashboard/{dashboard.uuid}"
+        uri = f"api/v1/dashboard/{dashboard_to_access.uuid}"
         rv = self.client.get(uri)
-        assert rv.status_code == 200
-        # rollback changes
-        db.session.delete(dashboard)
-        db.session.commit()
+        assert rv.status_code == 403
 
     def test_cannot_get_draft_dashboard_with_roles_by_uuid(self):
         """

From c974daa0c7f05bdf8a5e59897c9a2feaaf94bc4e Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Wed, 7 Feb 2024 14:58:51 -0500
Subject: [PATCH 037/114] fix: safer error message in alerts (#27019)

(cherry picked from commit 686ce33ea5017aad4cca18a6409c00f6b366dcf4)
---
 superset/commands/report/alert.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/superset/commands/report/alert.py b/superset/commands/report/alert.py
index 68013a2c005b0..fc1be14e02049 100644
--- a/superset/commands/report/alert.py
+++ b/superset/commands/report/alert.py
@@ -150,7 +150,7 @@ def _execute_query(self) -> pd.DataFrame:
                 rendered_sql, ALERT_SQL_LIMIT
             )
 
-            _, username = get_executor(
+            executor, username = get_executor(  # pylint: disable=unused-variable
                 executor_types=app.config["ALERT_REPORTS_EXECUTE_AS"],
                 model=self._report_schedule,
             )
@@ -169,7 +169,12 @@ def _execute_query(self) -> pd.DataFrame:
             logger.warning("A timeout occurred while executing the alert query: %s", ex)
             raise AlertQueryTimeout() from ex
         except Exception as ex:
-            raise AlertQueryError(message=str(ex)) from ex
+            logger.exception("An error occurred when running alert query")
+            # The exception message here can reveal to much information to malicious
+            # users, so we raise a generic message.
+            raise AlertQueryError(
+                message=_("An error occurred when running alert query")
+            ) from ex
 
     def validate(self) -> None:
         """

From d572af307349762a92d29451661fe769d5ab22e5 Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Thu, 8 Feb 2024 09:27:59 -0800
Subject: [PATCH 038/114] fix(explore): allow free-form d3 format on custom
 column formatting (#27023)

(cherry picked from commit fd06ff3745b0ce96ef2506e18b6d5f27d3eee045)
---
 .../packages/superset-ui-chart-controls/src/types.ts             | 1 +
 .../components/controls/ColumnConfigControl/constants.tsx        | 1 +
 2 files changed, 2 insertions(+)

diff --git a/superset-frontend/packages/superset-ui-chart-controls/src/types.ts b/superset-frontend/packages/superset-ui-chart-controls/src/types.ts
index 9314f8d33f3b9..83b711baaa42f 100644
--- a/superset-frontend/packages/superset-ui-chart-controls/src/types.ts
+++ b/superset-frontend/packages/superset-ui-chart-controls/src/types.ts
@@ -518,6 +518,7 @@ export type ControlFormItemSpec<T extends ControlType = ControlType> = {
   debounceDelay?: number;
 } & (T extends 'Select'
   ? {
+      allowNewOptions?: boolean;
       options: any;
       value?: string;
       defaultValue?: string;
diff --git a/superset-frontend/src/explore/components/controls/ColumnConfigControl/constants.tsx b/superset-frontend/src/explore/components/controls/ColumnConfigControl/constants.tsx
index 684d8faf14b1d..985fc2f47c81b 100644
--- a/superset-frontend/src/explore/components/controls/ColumnConfigControl/constants.tsx
+++ b/superset-frontend/src/explore/components/controls/ColumnConfigControl/constants.tsx
@@ -42,6 +42,7 @@ export type SharedColumnConfigProp =
   | 'currencyFormat';
 
 const d3NumberFormat: ControlFormItemSpec<'Select'> = {
+  allowNewOptions: true,
   controlType: 'Select',
   label: t('D3 format'),
   description: D3_FORMAT_DOCS,

From bb44099c68a004c93d4328dc66d036ae036f8d7f Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Thu, 8 Feb 2024 15:24:24 -0800
Subject: [PATCH 039/114] fix(plugins): missing currency on small number format
 in table chart (#27041)

(cherry picked from commit 6f402991e54ae6ab0c6c98613d7e831c7f847f54)
---
 .../src/utils/formatValue.ts                  |  6 +++
 .../test/TableChart.test.tsx                  | 42 +++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/superset-frontend/plugins/plugin-chart-table/src/utils/formatValue.ts b/superset-frontend/plugins/plugin-chart-table/src/utils/formatValue.ts
index 139f92336c12b..043fa6b59d500 100644
--- a/superset-frontend/plugins/plugin-chart-table/src/utils/formatValue.ts
+++ b/superset-frontend/plugins/plugin-chart-table/src/utils/formatValue.ts
@@ -17,6 +17,7 @@
  * under the License.
  */
 import {
+  CurrencyFormatter,
   DataRecordValue,
   GenericDataType,
   getNumberFormatter,
@@ -64,6 +65,11 @@ export function formatColumnValue(
   const smallNumberFormatter =
     config.d3SmallNumberFormat === undefined
       ? formatter
+      : config.currencyFormat
+      ? new CurrencyFormatter({
+          d3Format: config.d3SmallNumberFormat,
+          currency: config.currencyFormat,
+        })
       : getNumberFormatter(config.d3SmallNumberFormat);
   return formatValue(
     isNumber && typeof value === 'number' && Math.abs(value) < 1
diff --git a/superset-frontend/plugins/plugin-chart-table/test/TableChart.test.tsx b/superset-frontend/plugins/plugin-chart-table/test/TableChart.test.tsx
index d6998476baa2b..52cfab166215f 100644
--- a/superset-frontend/plugins/plugin-chart-table/test/TableChart.test.tsx
+++ b/superset-frontend/plugins/plugin-chart-table/test/TableChart.test.tsx
@@ -166,6 +166,48 @@ describe('plugin-chart-table', () => {
       expect(cells[2]).toHaveTextContent('$ 0');
     });
 
+    it('render small formatted data with currencies', () => {
+      const props = transformProps({
+        ...testData.raw,
+        rawFormData: {
+          ...testData.raw.rawFormData,
+          column_config: {
+            num: {
+              d3SmallNumberFormat: '.2r',
+              currencyFormat: { symbol: 'USD', symbolPosition: 'prefix' },
+            },
+          },
+        },
+        queriesData: [
+          {
+            ...testData.raw.queriesData[0],
+            data: [
+              {
+                num: 1234,
+              },
+              {
+                num: 0.5,
+              },
+              {
+                num: 0.61234,
+              },
+            ],
+          },
+        ],
+      });
+      render(
+        ProviderWrapper({
+          children: <TableChart {...props} sticky={false} />,
+        }),
+      );
+      const cells = document.querySelectorAll('td');
+
+      expect(document.querySelectorAll('th')[0]).toHaveTextContent('num');
+      expect(cells[0]).toHaveTextContent('$ 1.23k');
+      expect(cells[1]).toHaveTextContent('$ 0.50');
+      expect(cells[2]).toHaveTextContent('$ 0.61');
+    });
+
     it('render empty data', () => {
       wrap.setProps({ ...transformProps(testData.empty), sticky: false });
       tree = wrap.render();

From 3d6dc9c280a67f3daac5df284de4847fde333344 Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Date: Fri, 9 Feb 2024 18:02:05 +0100
Subject: [PATCH 040/114] fix: Exclude header controls from dashboard PDF
 export (#27068)

(cherry picked from commit 005cee023b7c312d51e0f10629834d53dab4c60a)
---
 superset-frontend/src/types/dom-to-pdf.d.ts  | 1 +
 superset-frontend/src/utils/downloadAsPdf.ts | 1 +
 2 files changed, 2 insertions(+)

diff --git a/superset-frontend/src/types/dom-to-pdf.d.ts b/superset-frontend/src/types/dom-to-pdf.d.ts
index 19ecce85b4bfd..bc884fd43ad63 100644
--- a/superset-frontend/src/types/dom-to-pdf.d.ts
+++ b/superset-frontend/src/types/dom-to-pdf.d.ts
@@ -9,6 +9,7 @@ declare module 'dom-to-pdf' {
     filename: string;
     image: Image;
     html2canvas: object;
+    excludeClassNames?: string[];
   }
 
   const domToPdf = (
diff --git a/superset-frontend/src/utils/downloadAsPdf.ts b/superset-frontend/src/utils/downloadAsPdf.ts
index eebca66b8b70a..5367efc7245f5 100644
--- a/superset-frontend/src/utils/downloadAsPdf.ts
+++ b/superset-frontend/src/utils/downloadAsPdf.ts
@@ -61,6 +61,7 @@ export default function downloadAsPdf(
       filename: `${generateFileStem(description)}.pdf`,
       image: { type: 'jpeg', quality: 1 },
       html2canvas: { scale: 2 },
+      excludeClassNames: ['header-controls'],
     };
     return domToPdf(elementToPrint, options)
       .then(() => {

From 3c74a9b866daba89920677b34b0df1e395516674 Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Date: Fri, 9 Feb 2024 18:16:39 +0100
Subject: [PATCH 041/114] fix: Filters sidebar stretching dashboard height
 (#27069)

(cherry picked from commit 3f91bdb40d76539e953dd9205481459f6b2ae082)
---
 .../dashboard/components/DashboardBuilder/DashboardWrapper.tsx   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/superset-frontend/src/dashboard/components/DashboardBuilder/DashboardWrapper.tsx b/superset-frontend/src/dashboard/components/DashboardBuilder/DashboardWrapper.tsx
index f39c7ed630277..5bb193de1bd4a 100644
--- a/superset-frontend/src/dashboard/components/DashboardBuilder/DashboardWrapper.tsx
+++ b/superset-frontend/src/dashboard/components/DashboardBuilder/DashboardWrapper.tsx
@@ -25,6 +25,7 @@ import classNames from 'classnames';
 
 const StyledDiv = styled.div`
   ${({ theme }) => css`
+    position: relative;
     display: grid;
     grid-template-columns: auto 1fr;
     grid-template-rows: auto 1fr;

From f440a6a5355a12ce92d66bf308e3888b54e004b9 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Mon, 12 Feb 2024 12:11:06 -0500
Subject: [PATCH 042/114] fix(drill): no rows returned (#27073)

(cherry picked from commit 0950bb7b7dd4658a112cc90e2d813267836ae002)
---
 setup.py                          |  2 +-
 superset/db_engine_specs/drill.py | 37 +++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/setup.py b/setup.py
index 996d6dfe47caa..4307b51c870c0 100644
--- a/setup.py
+++ b/setup.py
@@ -154,7 +154,7 @@ def get_git_sha() -> str:
         ],
         "db2": ["ibm-db-sa>0.3.8, <=0.4.0"],
         "dremio": ["sqlalchemy-dremio>=1.1.5, <1.3"],
-        "drill": ["sqlalchemy-drill==0.1.dev"],
+        "drill": ["sqlalchemy-drill>=1.1.4, <2"],
         "druid": ["pydruid>=0.6.5,<0.7"],
         "duckdb": ["duckdb-engine>=0.9.5, <0.10"],
         "dynamodb": ["pydynamodb>=0.4.2"],
diff --git a/superset/db_engine_specs/drill.py b/superset/db_engine_specs/drill.py
index fb42409b4e952..276ff5b185448 100644
--- a/superset/db_engine_specs/drill.py
+++ b/superset/db_engine_specs/drill.py
@@ -14,8 +14,11 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
+
+from __future__ import annotations
+
 from datetime import datetime
-from typing import Any, Optional
+from typing import Any
 from urllib import parse
 
 from sqlalchemy import types
@@ -60,8 +63,8 @@ def epoch_ms_to_dttm(cls) -> str:
 
     @classmethod
     def convert_dttm(
-        cls, target_type: str, dttm: datetime, db_extra: Optional[dict[str, Any]] = None
-    ) -> Optional[str]:
+        cls, target_type: str, dttm: datetime, db_extra: dict[str, Any] | None = None
+    ) -> str | None:
         sqla_type = cls.get_sqla_column_type(target_type)
 
         if isinstance(sqla_type, types.Date):
@@ -76,8 +79,8 @@ def adjust_engine_params(
         cls,
         uri: URL,
         connect_args: dict[str, Any],
-        catalog: Optional[str] = None,
-        schema: Optional[str] = None,
+        catalog: str | None = None,
+        schema: str | None = None,
     ) -> tuple[URL, dict[str, Any]]:
         if schema:
             uri = uri.set(database=parse.quote(schema.replace(".", "/"), safe=""))
@@ -89,7 +92,7 @@ def get_schema_from_engine_params(
         cls,
         sqlalchemy_uri: URL,
         connect_args: dict[str, Any],
-    ) -> Optional[str]:
+    ) -> str | None:
         """
         Return the configured schema.
         """
@@ -97,7 +100,7 @@ def get_schema_from_engine_params(
 
     @classmethod
     def get_url_for_impersonation(
-        cls, url: URL, impersonate_user: bool, username: Optional[str]
+        cls, url: URL, impersonate_user: bool, username: str | None
     ) -> URL:
         """
         Return a modified URL with the username set.
@@ -117,3 +120,23 @@ def get_url_for_impersonation(
                 )
 
         return url
+
+    @classmethod
+    def fetch_data(
+        cls,
+        cursor: Any,
+        limit: int | None = None,
+    ) -> list[tuple[Any, ...]]:
+        """
+        Custom `fetch_data` for Drill.
+
+        When no rows are returned, Drill raises a `RuntimeError` with the message
+        "generator raised StopIteration". This method catches the exception and
+        returns an empty list instead.
+        """
+        try:
+            return super().fetch_data(cursor, limit)
+        except RuntimeError as ex:
+            if str(ex) == "generator raised StopIteration":
+                return []
+            raise

From cde63c8c1e741eac5cf4ae665fb52f17d237c601 Mon Sep 17 00:00:00 2001
From: Maxime Beauchemin <maximebeauchemin@gmail.com>
Date: Mon, 12 Feb 2024 19:09:13 -0800
Subject: [PATCH 043/114] fix(big_number): white-space: nowrap to prevent
 wrapping (#27096)

(cherry picked from commit 4796484190010275c037595c79b01d281d09ff60)
---
 .../plugins/plugin-chart-echarts/src/BigNumber/BigNumberViz.tsx  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/BigNumber/BigNumberViz.tsx b/superset-frontend/plugins/plugin-chart-echarts/src/BigNumber/BigNumberViz.tsx
index 112e21657f013..8a95a81d5f06b 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/BigNumber/BigNumberViz.tsx
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/BigNumber/BigNumberViz.tsx
@@ -354,6 +354,7 @@ export default styled(BigNumberVis)`
     .header-line {
       position: relative;
       line-height: 1em;
+      white-space: nowrap;
       span {
         position: absolute;
         bottom: 0;

From 4704380b2a0c05001f414489345f5aecd384b2cf Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Jan 2024 20:25:01 -0700
Subject: [PATCH 044/114] build(deps): bump csstype from 2.6.9 to 3.1.3 in
 /superset-frontend (#26716)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 superset-frontend/package-lock.json            | 18 ++++++++++++++----
 .../packages/superset-ui-core/package.json     |  2 +-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/superset-frontend/package-lock.json b/superset-frontend/package-lock.json
index e308f2aed64e3..6cacdb3a0bc71 100644
--- a/superset-frontend/package-lock.json
+++ b/superset-frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "superset",
-  "version": "0.0.0-dev",
+  "version": "3.1.0",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "superset",
-      "version": "0.0.0-dev",
+      "version": "3.1.0",
       "license": "Apache-2.0",
       "workspaces": [
         "packages/*",
@@ -62018,7 +62018,7 @@
         "@types/rison": "0.0.6",
         "@types/seedrandom": "^2.4.28",
         "@vx/responsive": "^0.0.199",
-        "csstype": "^2.6.4",
+        "csstype": "^3.1.3",
         "d3-format": "^1.3.2",
         "d3-interpolate": "^1.4.0",
         "d3-scale": "^3.0.0",
@@ -62112,6 +62112,11 @@
       "resolved": "https://registry.npmjs.org/@types/d3-time/-/d3-time-3.0.0.tgz",
       "integrity": "sha512-sZLCdHvBUcNby1cB6Fd3ZBrABbjz3v1Vm90nysCQ6Vt7vd6e/h9Lt7SiJUoEX0l4Dzc7P5llKyhqSi1ycSf1Hg=="
     },
+    "packages/superset-ui-core/node_modules/csstype": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.3.tgz",
+      "integrity": "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw=="
+    },
     "packages/superset-ui-core/node_modules/d3-array": {
       "version": "2.12.1",
       "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-2.12.1.tgz",
@@ -77236,7 +77241,7 @@
         "@types/rison": "0.0.6",
         "@types/seedrandom": "^2.4.28",
         "@vx/responsive": "^0.0.199",
-        "csstype": "^2.6.4",
+        "csstype": "^3.1.3",
         "d3-format": "^1.3.2",
         "d3-interpolate": "^1.4.0",
         "d3-scale": "^3.0.0",
@@ -77291,6 +77296,11 @@
           "resolved": "https://registry.npmjs.org/@types/d3-time/-/d3-time-3.0.0.tgz",
           "integrity": "sha512-sZLCdHvBUcNby1cB6Fd3ZBrABbjz3v1Vm90nysCQ6Vt7vd6e/h9Lt7SiJUoEX0l4Dzc7P5llKyhqSi1ycSf1Hg=="
         },
+        "csstype": {
+          "version": "3.1.3",
+          "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.3.tgz",
+          "integrity": "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw=="
+        },
         "d3-array": {
           "version": "2.12.1",
           "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-2.12.1.tgz",
diff --git a/superset-frontend/packages/superset-ui-core/package.json b/superset-frontend/packages/superset-ui-core/package.json
index 62deb7709b652..91d7d28a321f8 100644
--- a/superset-frontend/packages/superset-ui-core/package.json
+++ b/superset-frontend/packages/superset-ui-core/package.json
@@ -41,7 +41,7 @@
     "@types/rison": "0.0.6",
     "@types/seedrandom": "^2.4.28",
     "@vx/responsive": "^0.0.199",
-    "csstype": "^2.6.4",
+    "csstype": "^3.1.3",
     "d3-format": "^1.3.2",
     "d3-interpolate": "^1.4.0",
     "d3-scale": "^3.0.0",

From 10c9a7f0e253dd5b55f6336d2c64904ae4a6dfc5 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Tue, 6 Feb 2024 12:14:02 +0000
Subject: [PATCH 045/114] fix: chart import validation (#26993)

---
 superset/commands/chart/importers/v1/utils.py |  13 +-
 .../commands/dashboard/importers/v1/utils.py  |   8 +-
 .../commands/dataset/importers/v1/utils.py    |   7 +-
 superset/errors.py                            |   1 +
 superset/jinja_context.py                     |   9 +-
 superset/security/manager.py                  |  45 ++++-
 superset/utils/core.py                        |   9 +
 .../charts/commands_tests.py                  |   2 +-
 .../dashboards/commands_tests.py              |   2 +-
 .../datasets/commands_tests.py                |   2 +-
 .../commands/importers/v1/import_test.py      | 164 ++++++++++++++----
 .../commands/importers/v1/import_test.py      | 152 +++++++---------
 tests/unit_tests/security/manager_test.py     | 140 +++++++++++++++
 13 files changed, 405 insertions(+), 149 deletions(-)

diff --git a/superset/commands/chart/importers/v1/utils.py b/superset/commands/chart/importers/v1/utils.py
index f905f8cc3ad4f..2aac3ea9c4882 100644
--- a/superset/commands/chart/importers/v1/utils.py
+++ b/superset/commands/chart/importers/v1/utils.py
@@ -20,7 +20,6 @@
 from inspect import isclass
 from typing import Any
 
-from flask import g
 from sqlalchemy.orm import Session
 
 from superset import security_manager
@@ -28,7 +27,7 @@
 from superset.migrations.shared.migrate_viz import processors
 from superset.migrations.shared.migrate_viz.base import MigrateViz
 from superset.models.slice import Slice
-from superset.utils.core import AnnotationType
+from superset.utils.core import AnnotationType, get_user
 
 
 def filter_chart_annotations(chart_config: dict[str, Any]) -> None:
@@ -55,6 +54,12 @@ def import_chart(
     can_write = ignore_permissions or security_manager.can_access("can_write", "Chart")
     existing = session.query(Slice).filter_by(uuid=config["uuid"]).first()
     if existing:
+        if overwrite and can_write and get_user():
+            if not security_manager.can_access_chart(existing):
+                raise ImportFailedError(
+                    "A chart already exists and user doesn't "
+                    "have permissions to overwrite it"
+                )
         if not overwrite or not can_write:
             return existing
         config["id"] = existing.id
@@ -77,8 +82,8 @@ def import_chart(
     if chart.id is None:
         session.flush()
 
-    if hasattr(g, "user") and g.user:
-        chart.owners.append(g.user)
+    if user := get_user():
+        chart.owners.append(user)
 
     return chart
 
diff --git a/superset/commands/dashboard/importers/v1/utils.py b/superset/commands/dashboard/importers/v1/utils.py
index 712161bc16481..b8ac3144dba50 100644
--- a/superset/commands/dashboard/importers/v1/utils.py
+++ b/superset/commands/dashboard/importers/v1/utils.py
@@ -19,12 +19,12 @@
 import logging
 from typing import Any
 
-from flask import g
 from sqlalchemy.orm import Session
 
 from superset import security_manager
 from superset.commands.exceptions import ImportFailedError
 from superset.models.dashboard import Dashboard
+from superset.utils.core import get_user
 
 logger = logging.getLogger(__name__)
 
@@ -157,7 +157,7 @@ def import_dashboard(
     )
     existing = session.query(Dashboard).filter_by(uuid=config["uuid"]).first()
     if existing:
-        if overwrite and can_write and hasattr(g, "user") and g.user:
+        if overwrite and can_write and get_user():
             if not security_manager.can_access_dashboard(existing):
                 raise ImportFailedError(
                     "A dashboard already exists and user doesn't "
@@ -191,7 +191,7 @@ def import_dashboard(
     if dashboard.id is None:
         session.flush()
 
-    if hasattr(g, "user") and g.user:
-        dashboard.owners.append(g.user)
+    if user := get_user():
+        dashboard.owners.append(user)
 
     return dashboard
diff --git a/superset/commands/dataset/importers/v1/utils.py b/superset/commands/dataset/importers/v1/utils.py
index c145cc50f91f9..b0a681becf01c 100644
--- a/superset/commands/dataset/importers/v1/utils.py
+++ b/superset/commands/dataset/importers/v1/utils.py
@@ -22,7 +22,7 @@
 from urllib import request
 
 import pandas as pd
-from flask import current_app, g
+from flask import current_app
 from sqlalchemy import BigInteger, Boolean, Date, DateTime, Float, String, Text
 from sqlalchemy.orm import Session
 from sqlalchemy.orm.exc import MultipleResultsFound
@@ -33,6 +33,7 @@
 from superset.commands.exceptions import ImportFailedError
 from superset.connectors.sqla.models import SqlaTable
 from superset.models.core import Database
+from superset.utils.core import get_user
 
 logger = logging.getLogger(__name__)
 
@@ -176,8 +177,8 @@ def import_dataset(
     if data_uri and (not table_exists or force_data):
         load_data(data_uri, dataset, dataset.database, session)
 
-    if hasattr(g, "user") and g.user:
-        dataset.owners.append(g.user)
+    if user := get_user():
+        dataset.owners.append(user)
 
     return dataset
 
diff --git a/superset/errors.py b/superset/errors.py
index 87cdf77b9944b..6be4f966ce403 100644
--- a/superset/errors.py
+++ b/superset/errors.py
@@ -66,6 +66,7 @@ class SupersetErrorType(StrEnum):
     MISSING_OWNERSHIP_ERROR = "MISSING_OWNERSHIP_ERROR"
     USER_ACTIVITY_SECURITY_ACCESS_ERROR = "USER_ACTIVITY_SECURITY_ACCESS_ERROR"
     DASHBOARD_SECURITY_ACCESS_ERROR = "DASHBOARD_SECURITY_ACCESS_ERROR"
+    CHART_SECURITY_ACCESS_ERROR = "CHART_SECURITY_ACCESS_ERROR"
 
     # Other errors
     BACKEND_TIMEOUT_ERROR = "BACKEND_TIMEOUT_ERROR"
diff --git a/superset/jinja_context.py b/superset/jinja_context.py
index 3b046b732e30b..54d1f54866d24 100644
--- a/superset/jinja_context.py
+++ b/superset/jinja_context.py
@@ -36,7 +36,7 @@
 from superset.extensions import feature_flag_manager
 from superset.utils.core import (
     convert_legacy_filters_into_adhoc,
-    get_user_id,
+    get_user,
     merge_extra_filters,
 )
 
@@ -110,11 +110,10 @@ def current_user_id(self, add_to_cache_keys: bool = True) -> Optional[int]:
         :returns: The user ID
         """
 
-        if hasattr(g, "user") and g.user:
-            id_ = get_user_id()
+        if user := get_user():
             if add_to_cache_keys:
-                self.cache_key_wrapper(id_)
-            return id_
+                self.cache_key_wrapper(user.id)
+            return user.id
         return None
 
     def current_username(self, add_to_cache_keys: bool = True) -> Optional[str]:
diff --git a/superset/security/manager.py b/superset/security/manager.py
index e11ab68e74380..1cc289f877d81 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -85,6 +85,7 @@
     )
     from superset.models.core import Database
     from superset.models.dashboard import Dashboard
+    from superset.models.slice import Slice
     from superset.models.sql_lab import Query
     from superset.sql_parse import Table
     from superset.viz import BaseViz
@@ -422,6 +423,19 @@ def can_access_dashboard(self, dashboard: "Dashboard") -> bool:
 
         return True
 
+    def can_access_chart(self, chart: "Slice") -> bool:
+        """
+        Return True if the user can access the specified chart, False otherwise.
+        :param chart: The chart
+        :return: Whether the user can access the chart
+        """
+        try:
+            self.raise_for_access(chart=chart)
+        except SupersetSecurityException:
+            return False
+
+        return True
+
     def get_dashboard_access_error_object(  # pylint: disable=invalid-name
         self,
         dashboard: "Dashboard",  # pylint: disable=unused-argument
@@ -439,6 +453,23 @@ def get_dashboard_access_error_object(  # pylint: disable=invalid-name
             level=ErrorLevel.ERROR,
         )
 
+    def get_chart_access_error_object(  # pylint: disable=invalid-name
+        self,
+        dashboard: "Dashboard",  # pylint: disable=unused-argument
+    ) -> SupersetError:
+        """
+        Return the error object for the denied Superset dashboard.
+
+        :param dashboard: The denied Superset dashboard
+        :returns: The error object
+        """
+
+        return SupersetError(
+            error_type=SupersetErrorType.CHART_SECURITY_ACCESS_ERROR,
+            message="You don't have access to this chart.",
+            level=ErrorLevel.ERROR,
+        )
+
     @staticmethod
     def get_datasource_access_error_msg(datasource: "BaseDatasource") -> str:
         """
@@ -1822,6 +1853,7 @@ def raise_for_access(
         # pylint: disable=too-many-arguments,too-many-branches,too-many-locals,too-many-statements
         self,
         dashboard: Optional["Dashboard"] = None,
+        chart: Optional["Slice"] = None,
         database: Optional["Database"] = None,
         datasource: Optional["BaseDatasource"] = None,
         query: Optional["Query"] = None,
@@ -2047,9 +2079,16 @@ def raise_for_access(
                 self.get_dashboard_access_error_object(dashboard)
             )
 
-    def get_user_by_username(
-        self, username: str, session: Session = None
-    ) -> Optional[User]:
+        if chart:
+            if self.is_admin() or self.is_owner(chart):
+                return
+
+            if chart.datasource and self.can_access_datasource(chart.datasource):
+                return
+
+            raise SupersetSecurityException(self.get_chart_access_error_object(chart))
+
+    def get_user_by_username(self, username: str, session: Session = None) -> Optional[User]:
         """
         Retrieves a user by it's username case sensitive. Optional session parameter
         utility method normally useful for celery tasks where the session
diff --git a/superset/utils/core.py b/superset/utils/core.py
index b9c24076a4e12..3d7f208532aae 100644
--- a/superset/utils/core.py
+++ b/superset/utils/core.py
@@ -1344,6 +1344,15 @@ def split_adhoc_filters_into_base_filters(  # pylint: disable=invalid-name
         form_data["filters"] = simple_where_filters
 
 
+def get_user() -> User | None:
+    """
+    Get the current user (if defined).
+
+    :returns: The current user
+    """
+    return g.user if hasattr(g, "user") else None
+
+
 def get_username() -> str | None:
     """
     Get username (if defined) associated with the current user.
diff --git a/tests/integration_tests/charts/commands_tests.py b/tests/integration_tests/charts/commands_tests.py
index b6adf197f5751..a72a716d1767c 100644
--- a/tests/integration_tests/charts/commands_tests.py
+++ b/tests/integration_tests/charts/commands_tests.py
@@ -171,7 +171,7 @@ def test_export_chart_command_no_related(self, mock_g):
 
 
 class TestImportChartsCommand(SupersetTestCase):
-    @patch("superset.commands.chart.importers.v1.utils.g")
+    @patch("superset.utils.core.g")
     @patch("superset.security.manager.g")
     def test_import_v1_chart(self, sm_g, utils_g):
         """Test that we can import a chart"""
diff --git a/tests/integration_tests/dashboards/commands_tests.py b/tests/integration_tests/dashboards/commands_tests.py
index 175a8a3198da6..d173c48cf0be5 100644
--- a/tests/integration_tests/dashboards/commands_tests.py
+++ b/tests/integration_tests/dashboards/commands_tests.py
@@ -486,7 +486,7 @@ def test_import_v0_dashboard_cli_export(self):
         db.session.delete(dataset)
         db.session.commit()
 
-    @patch("superset.commands.dashboard.importers.v1.utils.g")
+    @patch("superset.utils.core.g")
     @patch("superset.security.manager.g")
     def test_import_v1_dashboard(self, sm_g, utils_g):
         """Test that we can import a dashboard"""
diff --git a/tests/integration_tests/datasets/commands_tests.py b/tests/integration_tests/datasets/commands_tests.py
index b45bbdb76d5eb..7b6066a22af67 100644
--- a/tests/integration_tests/datasets/commands_tests.py
+++ b/tests/integration_tests/datasets/commands_tests.py
@@ -339,7 +339,7 @@ def test_import_v0_dataset_ui_export(self):
         db.session.delete(dataset)
         db.session.commit()
 
-    @patch("superset.commands.dataset.importers.v1.utils.g")
+    @patch("superset.utils.core.g")
     @patch("superset.security.manager.g")
     @pytest.mark.usefixtures("load_energy_table_with_slice")
     def test_import_v1_dataset(self, sm_g, utils_g):
diff --git a/tests/unit_tests/charts/commands/importers/v1/import_test.py b/tests/unit_tests/charts/commands/importers/v1/import_test.py
index 903b7468baf21..bcff3ee411ada 100644
--- a/tests/unit_tests/charts/commands/importers/v1/import_test.py
+++ b/tests/unit_tests/charts/commands/importers/v1/import_test.py
@@ -17,104 +17,130 @@
 # pylint: disable=unused-argument, import-outside-toplevel, unused-import, invalid-name
 
 import copy
+from collections.abc import Generator
 
 import pytest
+from flask_appbuilder.security.sqla.models import Role, User
 from pytest_mock import MockFixture
 from sqlalchemy.orm.session import Session
 
+from superset import security_manager
+from superset.commands.chart.importers.v1.utils import import_chart
 from superset.commands.exceptions import ImportFailedError
+from superset.connectors.sqla.models import Database, SqlaTable
+from superset.models.slice import Slice
+from superset.utils.core import override_user
+from tests.integration_tests.fixtures.importexport import chart_config
 
 
-def test_import_chart(mocker: MockFixture, session: Session) -> None:
+@pytest.fixture
+def session_with_data(session: Session) -> Generator[Session, None, None]:
+    engine = session.get_bind()
+    SqlaTable.metadata.create_all(engine)  # pylint: disable=no-member
+
+    dataset = SqlaTable(
+        table_name="test_table",
+        metrics=[],
+        main_dttm_col=None,
+        database=Database(database_name="my_database", sqlalchemy_uri="sqlite://"),
+    )
+    session.add(dataset)
+    session.flush()
+    slice = Slice(
+        id=1,
+        datasource_id=dataset.id,
+        datasource_type="table",
+        datasource_name="tmp_perm_table",
+        slice_name="slice_name",
+        uuid=chart_config["uuid"],
+    )
+    session.add(slice)
+    session.flush()
+
+    yield session
+    session.rollback()
+
+
+@pytest.fixture
+def session_with_schema(session: Session) -> Generator[Session, None, None]:
+    from superset.connectors.sqla.models import SqlaTable
+
+    engine = session.get_bind()
+    SqlaTable.metadata.create_all(engine)  # pylint: disable=no-member
+
+    yield session
+
+
+def test_import_chart(mocker: MockFixture, session_with_schema: Session) -> None:
     """
     Test importing a chart.
     """
-    from superset import security_manager
-    from superset.commands.chart.importers.v1.utils import import_chart
-    from superset.connectors.sqla.models import SqlaTable
-    from superset.models.core import Database
-    from superset.models.slice import Slice
-    from tests.integration_tests.fixtures.importexport import chart_config
 
     mocker.patch.object(security_manager, "can_access", return_value=True)
 
-    engine = session.get_bind()
-    Slice.metadata.create_all(engine)  # pylint: disable=no-member
-
     config = copy.deepcopy(chart_config)
     config["datasource_id"] = 1
     config["datasource_type"] = "table"
 
-    chart = import_chart(session, config)
+    chart = import_chart(session_with_schema, config)
     assert chart.slice_name == "Deck Path"
     assert chart.viz_type == "deck_path"
     assert chart.is_managed_externally is False
     assert chart.external_url is None
 
+    # Assert that the can write to chart was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Chart")
 
-def test_import_chart_managed_externally(mocker: MockFixture, session: Session) -> None:
+
+def test_import_chart_managed_externally(
+    mocker: MockFixture, session_with_schema: Session
+) -> None:
     """
     Test importing a chart that is managed externally.
     """
-    from superset import security_manager
-    from superset.commands.chart.importers.v1.utils import import_chart
-    from superset.connectors.sqla.models import SqlaTable
-    from superset.models.core import Database
-    from superset.models.slice import Slice
-    from tests.integration_tests.fixtures.importexport import chart_config
-
     mocker.patch.object(security_manager, "can_access", return_value=True)
 
-    engine = session.get_bind()
-    Slice.metadata.create_all(engine)  # pylint: disable=no-member
-
     config = copy.deepcopy(chart_config)
     config["datasource_id"] = 1
     config["datasource_type"] = "table"
     config["is_managed_externally"] = True
     config["external_url"] = "https://example.org/my_chart"
 
-    chart = import_chart(session, config)
+    chart = import_chart(session_with_schema, config)
     assert chart.is_managed_externally is True
     assert chart.external_url == "https://example.org/my_chart"
 
+    # Assert that the can write to chart was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Chart")
+
 
 def test_import_chart_without_permission(
     mocker: MockFixture,
-    session: Session,
+    session_with_schema: Session,
 ) -> None:
     """
     Test importing a chart when a user doesn't have permissions to create.
     """
-    from superset import security_manager
-    from superset.commands.chart.importers.v1.utils import import_chart
-    from superset.connectors.sqla.models import SqlaTable
-    from superset.models.core import Database
-    from superset.models.slice import Slice
-    from tests.integration_tests.fixtures.importexport import chart_config
-
     mocker.patch.object(security_manager, "can_access", return_value=False)
 
-    engine = session.get_bind()
-    Slice.metadata.create_all(engine)  # pylint: disable=no-member
-
     config = copy.deepcopy(chart_config)
     config["datasource_id"] = 1
     config["datasource_type"] = "table"
 
     with pytest.raises(ImportFailedError) as excinfo:
-        import_chart(session, config)
+        import_chart(session_with_schema, config)
     assert (
         str(excinfo.value)
         == "Chart doesn't exist and user doesn't have permission to create charts"
     )
+    # Assert that the can write to chart was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Chart")
 
 
-def test_filter_chart_annotations(mocker: MockFixture, session: Session) -> None:
+def test_filter_chart_annotations(session: Session) -> None:
     """
     Test importing a chart.
     """
-    from superset import security_manager
     from superset.commands.chart.importers.v1.utils import filter_chart_annotations
     from tests.integration_tests.fixtures.importexport import (
         chart_config_with_mixed_annotations,
@@ -127,3 +153,67 @@ def test_filter_chart_annotations(mocker: MockFixture, session: Session) -> None
 
     assert len(annotation_layers) == 1
     assert all([al["annotationType"] == "FORMULA" for al in annotation_layers])
+
+
+def test_import_existing_chart_without_permission(
+    mocker: MockFixture,
+    session_with_data: Session,
+) -> None:
+    """
+    Test importing a chart when a user doesn't have permissions to modify.
+    """
+    mocker.patch.object(security_manager, "can_access", return_value=True)
+    mocker.patch.object(security_manager, "can_access_chart", return_value=False)
+
+    slice = (
+        session_with_data.query(Slice)
+        .filter(Slice.uuid == chart_config["uuid"])
+        .one_or_none()
+    )
+
+    with override_user("admin"):
+        with pytest.raises(ImportFailedError) as excinfo:
+            import_chart(session_with_data, chart_config, overwrite=True)
+        assert (
+            str(excinfo.value)
+            == "A chart already exists and user doesn't have permissions to overwrite it"
+        )
+
+    # Assert that the can write to chart was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Chart")
+    security_manager.can_access_chart.assert_called_once_with(slice)
+
+
+def test_import_existing_chart_with_permission(
+    mocker: MockFixture,
+    session_with_data: Session,
+) -> None:
+    """
+    Test importing a chart that exists when a user has access permission to that chart.
+    """
+    mocker.patch.object(security_manager, "can_access", return_value=True)
+    mocker.patch.object(security_manager, "can_access_chart", return_value=True)
+
+    admin = User(
+        first_name="Alice",
+        last_name="Doe",
+        email="adoe@example.org",
+        username="admin",
+        roles=[Role(name="Admin")],
+    )
+
+    config = copy.deepcopy(chart_config)
+    config["datasource_id"] = 1
+    config["datasource_type"] = "table"
+
+    slice = (
+        session_with_data.query(Slice)
+        .filter(Slice.uuid == config["uuid"])
+        .one_or_none()
+    )
+
+    with override_user(admin):
+        import_chart(session_with_data, config, overwrite=True)
+    # Assert that the can write to chart was checked
+    security_manager.can_access.assert_called_once_with("can_write", "Chart")
+    security_manager.can_access_chart.assert_called_once_with(slice)
diff --git a/tests/unit_tests/dashboards/commands/importers/v1/import_test.py b/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
index 190f0660f5c49..afbce49cd96b1 100644
--- a/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
+++ b/tests/unit_tests/dashboards/commands/importers/v1/import_test.py
@@ -17,32 +17,57 @@
 # pylint: disable=unused-argument, import-outside-toplevel, unused-import, invalid-name
 
 import copy
+from collections.abc import Generator
 
 import pytest
+from flask_appbuilder.security.sqla.models import Role, User
 from pytest_mock import MockFixture
 from sqlalchemy.orm.session import Session
 
+from superset import security_manager
+from superset.commands.dashboard.importers.v1.utils import import_dashboard
 from superset.commands.exceptions import ImportFailedError
+from superset.models.dashboard import Dashboard
 from superset.utils.core import override_user
+from tests.integration_tests.fixtures.importexport import dashboard_config
 
 
-def test_import_dashboard(mocker: MockFixture, session: Session) -> None:
-    """
-    Test importing a dashboard.
-    """
-    from superset import security_manager
-    from superset.commands.dashboard.importers.v1.utils import import_dashboard
-    from superset.models.slice import Slice
-    from tests.integration_tests.fixtures.importexport import dashboard_config
+@pytest.fixture
+def session_with_data(session: Session) -> Generator[Session, None, None]:
+    engine = session.get_bind()
+    Dashboard.metadata.create_all(engine)  # pylint: disable=no-member
+
+    dashboard = Dashboard(
+        id=100,
+        dashboard_title="Test dash",
+        slug=None,
+        slices=[],
+        published=True,
+        uuid=dashboard_config["uuid"],
+    )
+
+    session.add(dashboard)
+    session.flush()
+    yield session
+    session.rollback()
 
-    mocker.patch.object(security_manager, "can_access", return_value=True)
 
+@pytest.fixture
+def session_with_schema(session: Session) -> Generator[Session, None, None]:
     engine = session.get_bind()
-    Slice.metadata.create_all(engine)  # pylint: disable=no-member
+    Dashboard.metadata.create_all(engine)  # pylint: disable=no-member
 
-    config = copy.deepcopy(dashboard_config)
+    yield session
+    session.rollback()
+
+
+def test_import_dashboard(mocker: MockFixture, session_with_schema: Session) -> None:
+    """
+    Test importing a dashboard.
+    """
+    mocker.patch.object(security_manager, "can_access", return_value=True)
 
-    dashboard = import_dashboard(session, config)
+    dashboard = import_dashboard(session_with_schema, dashboard_config)
     assert dashboard.dashboard_title == "Test dash"
     assert dashboard.description is None
     assert dashboard.is_managed_externally is False
@@ -53,26 +78,18 @@ def test_import_dashboard(mocker: MockFixture, session: Session) -> None:
 
 def test_import_dashboard_managed_externally(
     mocker: MockFixture,
-    session: Session,
+    session_with_schema: Session,
 ) -> None:
     """
     Test importing a dashboard that is managed externally.
     """
-    from superset import security_manager
-    from superset.commands.dashboard.importers.v1.utils import import_dashboard
-    from superset.models.slice import Slice
-    from tests.integration_tests.fixtures.importexport import dashboard_config
-
     mocker.patch.object(security_manager, "can_access", return_value=True)
 
-    engine = session.get_bind()
-    Slice.metadata.create_all(engine)  # pylint: disable=no-member
-
     config = copy.deepcopy(dashboard_config)
     config["is_managed_externally"] = True
     config["external_url"] = "https://example.org/my_dashboard"
 
-    dashboard = import_dashboard(session, config)
+    dashboard = import_dashboard(session_with_schema, config)
     assert dashboard.is_managed_externally is True
     assert dashboard.external_url == "https://example.org/my_dashboard"
 
@@ -82,25 +99,15 @@ def test_import_dashboard_managed_externally(
 
 def test_import_dashboard_without_permission(
     mocker: MockFixture,
-    session: Session,
+    session_with_schema: Session,
 ) -> None:
     """
     Test importing a dashboard when a user doesn't have permissions to create.
     """
-    from superset import security_manager
-    from superset.commands.dashboard.importers.v1.utils import import_dashboard
-    from superset.models.slice import Slice
-    from tests.integration_tests.fixtures.importexport import dashboard_config
-
     mocker.patch.object(security_manager, "can_access", return_value=False)
 
-    engine = session.get_bind()
-    Slice.metadata.create_all(engine)  # pylint: disable=no-member
-
-    config = copy.deepcopy(dashboard_config)
-
     with pytest.raises(ImportFailedError) as excinfo:
-        import_dashboard(session, config)
+        import_dashboard(session_with_schema, dashboard_config)
     assert (
         str(excinfo.value)
         == "Dashboard doesn't exist and user doesn't have permission to create dashboards"
@@ -112,72 +119,43 @@ def test_import_dashboard_without_permission(
 
 def test_import_existing_dashboard_without_permission(
     mocker: MockFixture,
-    session: Session,
+    session_with_data: Session,
 ) -> None:
     """
     Test importing a dashboard when a user doesn't have permissions to create.
     """
-    from superset import security_manager
-    from superset.commands.dashboard.importers.v1.utils import g, import_dashboard
-    from superset.models.dashboard import Dashboard
-    from superset.models.slice import Slice
-    from tests.integration_tests.fixtures.importexport import dashboard_config
-
     mocker.patch.object(security_manager, "can_access", return_value=True)
     mocker.patch.object(security_manager, "can_access_dashboard", return_value=False)
-    mock_g = mocker.patch(
-        "superset.commands.dashboard.importers.v1.utils.g"
-    )  # Replace with the actual path to g
-    mock_g.user = mocker.MagicMock(return_value=True)
-
-    engine = session.get_bind()
-    Slice.metadata.create_all(engine)  # pylint: disable=no-member
-    Dashboard.metadata.create_all(engine)  # pylint: disable=no-member
 
-    dashboard_obj = Dashboard(
-        id=100,
-        dashboard_title="Test dash",
-        slug=None,
-        slices=[],
-        published=True,
-        uuid="c4b28c4e-a1fe-4cf8-a5ac-d6f11d6fdd51",
+    dashboard = (
+        session_with_data.query(Dashboard)
+        .filter(Dashboard.uuid == dashboard_config["uuid"])
+        .one_or_none()
     )
-    session.add(dashboard_obj)
-    session.flush()
-    config = copy.deepcopy(dashboard_config)
 
-    with pytest.raises(ImportFailedError) as excinfo:
-        import_dashboard(session, config, overwrite=True)
-    assert (
-        str(excinfo.value)
-        == "A dashboard already exists and user doesn't have permissions to overwrite it"
-    )
+    with override_user("admin"):
+        with pytest.raises(ImportFailedError) as excinfo:
+            import_dashboard(session_with_data, dashboard_config, overwrite=True)
+        assert (
+            str(excinfo.value)
+            == "A dashboard already exists and user doesn't have permissions to overwrite it"
+        )
 
     # Assert that the can write to dashboard was checked
     security_manager.can_access.assert_called_once_with("can_write", "Dashboard")
-    security_manager.can_access_dashboard.assert_called_once_with(dashboard_obj)
+    security_manager.can_access_dashboard.assert_called_once_with(dashboard)
 
 
 def test_import_existing_dashboard_with_permission(
     mocker: MockFixture,
-    session: Session,
+    session_with_data: Session,
 ) -> None:
     """
-    Test importing a dashboard when a user doesn't have permissions to create.
+    Test importing a dashboard that exists when a user has access permission to that dashboard.
     """
-    from flask_appbuilder.security.sqla.models import Role, User
-
-    from superset import security_manager
-    from superset.commands.dashboard.importers.v1.utils import import_dashboard
-    from superset.models.dashboard import Dashboard
-    from tests.integration_tests.fixtures.importexport import dashboard_config
-
     mocker.patch.object(security_manager, "can_access", return_value=True)
     mocker.patch.object(security_manager, "can_access_dashboard", return_value=True)
 
-    engine = session.get_bind()
-    Dashboard.metadata.create_all(engine)  # pylint: disable=no-member
-
     admin = User(
         first_name="Alice",
         last_name="Doe",
@@ -186,20 +164,14 @@ def test_import_existing_dashboard_with_permission(
         roles=[Role(name="Admin")],
     )
 
-    dashboard_obj = Dashboard(
-        id=100,
-        dashboard_title="Test dash",
-        slug=None,
-        slices=[],
-        published=True,
-        uuid="c4b28c4e-a1fe-4cf8-a5ac-d6f11d6fdd51",
+    dashboard = (
+        session_with_data.query(Dashboard)
+        .filter(Dashboard.uuid == dashboard_config["uuid"])
+        .one_or_none()
     )
-    session.add(dashboard_obj)
-    session.flush()
-    config = copy.deepcopy(dashboard_config)
 
     with override_user(admin):
-        import_dashboard(session, config, overwrite=True)
+        import_dashboard(session_with_data, dashboard_config, overwrite=True)
     # Assert that the can write to dashboard was checked
     security_manager.can_access.assert_called_once_with("can_write", "Dashboard")
-    security_manager.can_access_dashboard.assert_called_once_with(dashboard_obj)
+    security_manager.can_access_dashboard.assert_called_once_with(dashboard)
diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py
index ad6e53e9930ce..7d2b9153a392d 100644
--- a/tests/unit_tests/security/manager_test.py
+++ b/tests/unit_tests/security/manager_test.py
@@ -16,12 +16,16 @@
 # under the License.
 
 import pytest
+from flask_appbuilder.security.sqla.models import Role, User
 from pytest_mock import MockFixture
 
 from superset.common.query_object import QueryObject
+from superset.connectors.sqla.models import Database, SqlaTable
 from superset.exceptions import SupersetSecurityException
 from superset.extensions import appbuilder
+from superset.models.slice import Slice
 from superset.security.manager import SupersetSecurityManager
+from superset.utils.core import override_user
 
 
 def test_security_manager(app_context: None) -> None:
@@ -164,3 +168,139 @@ def test_raise_for_access_query_default_schema(
         == """You need access to the following tables: `public.ab_user`,
             `all_database_access` or `all_datasource_access` permission"""
     )
+
+
+def test_raise_for_access_chart_for_datasource_permission(
+    mocker: MockFixture,
+    app_context: None,
+) -> None:
+    """
+    Test that the security manager can raise an exception for chart access,
+    when the user does not have access to the chart datasource
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    session = sm.get_session
+
+    engine = session.get_bind()
+    Slice.metadata.create_all(engine)  # pylint: disable=no-member
+
+    alpha = User(
+        first_name="Alice",
+        last_name="Doe",
+        email="adoe@example.org",
+        username="admin",
+        roles=[Role(name="Alpha")],
+    )
+
+    dataset = SqlaTable(
+        table_name="test_table",
+        metrics=[],
+        main_dttm_col=None,
+        database=Database(database_name="my_database", sqlalchemy_uri="sqlite://"),
+    )
+    session.add(dataset)
+    session.flush()
+
+    slice = Slice(
+        id=1,
+        datasource_id=dataset.id,
+        datasource_type="table",
+        datasource_name="tmp_perm_table",
+        slice_name="slice_name",
+    )
+    session.add(slice)
+    session.flush()
+
+    mocker.patch.object(sm, "can_access_datasource", return_value=False)
+    with override_user(alpha):
+        with pytest.raises(SupersetSecurityException) as excinfo:
+            sm.raise_for_access(
+                chart=slice,
+            )
+        assert str(excinfo.value) == "You don't have access to this chart."
+
+    mocker.patch.object(sm, "can_access_datasource", return_value=True)
+    with override_user(alpha):
+        sm.raise_for_access(
+            chart=slice,
+        )
+
+
+def test_raise_for_access_chart_on_admin(
+    app_context: None,
+) -> None:
+    """
+    Test that the security manager can raise an exception for chart access,
+    when the user does not have access to the chart datasource
+    """
+    from flask_appbuilder.security.sqla.models import Role, User
+
+    from superset.models.slice import Slice
+    from superset.utils.core import override_user
+
+    sm = SupersetSecurityManager(appbuilder)
+    session = sm.get_session
+
+    engine = session.get_bind()
+    Slice.metadata.create_all(engine)  # pylint: disable=no-member
+
+    admin = User(
+        first_name="Alice",
+        last_name="Doe",
+        email="adoe@example.org",
+        username="admin",
+        roles=[Role(name="Admin")],
+    )
+
+    slice = Slice(
+        id=1,
+        datasource_id=1,
+        datasource_type="table",
+        datasource_name="tmp_perm_table",
+        slice_name="slice_name",
+    )
+    session.add(slice)
+    session.flush()
+
+    with override_user(admin):
+        sm.raise_for_access(
+            chart=slice,
+        )
+
+
+def test_raise_for_access_chart_owner(
+    app_context: None,
+) -> None:
+    """
+    Test that the security manager can raise an exception for chart access,
+    when the user does not have access to the chart datasource
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    session = sm.get_session
+
+    engine = session.get_bind()
+    Slice.metadata.create_all(engine)  # pylint: disable=no-member
+
+    alpha = User(
+        first_name="Alice",
+        last_name="Doe",
+        email="adoe@example.org",
+        username="admin",
+        roles=[Role(name="Alpha")],
+    )
+
+    slice = Slice(
+        id=1,
+        datasource_id=1,
+        datasource_type="table",
+        datasource_name="tmp_perm_table",
+        slice_name="slice_name",
+        owners=[alpha],
+    )
+    session.add(slice)
+    session.flush()
+
+    with override_user(alpha):
+        sm.raise_for_access(
+            chart=slice,
+        )

From 534e8f394e96667a04a9f31e3fa2865b0786b2ce Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Wed, 7 Feb 2024 15:58:19 +0000
Subject: [PATCH 046/114] fix: bump FAB to 4.3.11 (#27039)

---
 requirements/base.txt | 9 ++++-----
 setup.py              | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index da95b8c571dcb..95eeaa450c65d 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -88,7 +88,7 @@ dnspython==2.1.0
     # via email-validator
 email-validator==1.1.3
     # via flask-appbuilder
-exceptiongroup==1.1.1
+exceptiongroup==1.2.0
     # via cattrs
 flask==2.2.5
     # via
@@ -104,7 +104,7 @@ flask==2.2.5
     #   flask-session
     #   flask-sqlalchemy
     #   flask-wtf
-flask-appbuilder==4.3.10
+flask-appbuilder==4.3.11
     # via apache-superset
 flask-babel==1.0.0
     # via flask-appbuilder
@@ -141,9 +141,7 @@ geographiclib==1.52
 geopy==2.2.0
     # via apache-superset
 greenlet==2.0.2
-    # via
-    #   shillelagh
-    #   sqlalchemy
+    # via shillelagh
 gunicorn==21.2.0
     # via apache-superset
 hashids==1.3.1
@@ -345,6 +343,7 @@ typing-extensions==4.4.0
     #   apache-superset
     #   cattrs
     #   flask-limiter
+    #   kombu
     #   limits
     #   shillelagh
 tzdata==2023.3
diff --git a/setup.py b/setup.py
index 4307b51c870c0..423a21d887a3f 100644
--- a/setup.py
+++ b/setup.py
@@ -83,7 +83,7 @@ def get_git_sha() -> str:
         "cryptography>=41.0.2, <41.1.0",
         "deprecation>=2.1.0, <2.2.0",
         "flask>=2.2.5, <3.0.0",
-        "flask-appbuilder>=4.3.10, <5.0.0",
+        "flask-appbuilder>=4.3.11, <5.0.0",
         "flask-caching>=2.1.0, <3",
         "flask-compress>=1.13, <2.0",
         "flask-talisman>=1.0.0, <2.0",

From 4f839ef2d182486ea49a5da74fe2f44c1451fa4d Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Date: Fri, 9 Feb 2024 21:49:33 +0100
Subject: [PATCH 047/114] fix: Drill by with GLOBAL_ASYNC_QUERIES (#27066)

---
 superset-frontend/package-lock.json           | 44 ++++++++++++----
 .../components/Chart/DrillBy/DrillByModal.tsx | 11 ++--
 .../src/components/Chart/chartAction.js       | 52 ++++++++++---------
 .../src/components/Chart/chartActions.test.js | 43 ++++++++++++++-
 superset/security/manager.py                  |  6 ++-
 5 files changed, 115 insertions(+), 41 deletions(-)

diff --git a/superset-frontend/package-lock.json b/superset-frontend/package-lock.json
index 6cacdb3a0bc71..8b371df9626a9 100644
--- a/superset-frontend/package-lock.json
+++ b/superset-frontend/package-lock.json
@@ -5346,6 +5346,11 @@
         "csstype": "^2.5.7"
       }
     },
+    "node_modules/@emotion/serialize/node_modules/csstype": {
+      "version": "2.6.21",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz",
+      "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w=="
+    },
     "node_modules/@emotion/sheet": {
       "version": "0.9.4",
       "resolved": "https://registry.npmjs.org/@emotion/sheet/-/sheet-0.9.4.tgz",
@@ -19773,6 +19778,11 @@
         "@types/react": "*"
       }
     },
+    "node_modules/@types/react/node_modules/csstype": {
+      "version": "2.6.21",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz",
+      "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w=="
+    },
     "node_modules/@types/redux-localstorage": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/@types/redux-localstorage/-/redux-localstorage-1.0.8.tgz",
@@ -28067,11 +28077,6 @@
       "integrity": "sha512-b0tGHbfegbhPJpxpiBPU2sCkigAqtM9O121le6bbOlgyV+NyGyCmVfJ6QW9eRjz8CpNfWEOYBIMIGRYkLwsIYg==",
       "dev": true
     },
-    "node_modules/csstype": {
-      "version": "2.6.9",
-      "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.9.tgz",
-      "integrity": "sha512-xz39Sb4+OaTsULgUERcCk+TJj8ylkL4aSVDQiX/ksxbELSqwkgt4d4RD7fovIdgJGSuNYqwZEiVjYY5l0ask+Q=="
-    },
     "node_modules/currencyformatter.js": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/currencyformatter.js/-/currencyformatter.js-1.0.5.tgz",
@@ -52126,6 +52131,11 @@
         "@emotion/weak-memoize": "0.2.5"
       }
     },
+    "node_modules/react-select/node_modules/csstype": {
+      "version": "2.6.21",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz",
+      "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w=="
+    },
     "node_modules/react-select/node_modules/dom-helpers": {
       "version": "5.1.4",
       "resolved": "https://registry.npmjs.org/dom-helpers/-/dom-helpers-5.1.4.tgz",
@@ -67639,6 +67649,13 @@
         "@emotion/unitless": "0.7.5",
         "@emotion/utils": "0.11.3",
         "csstype": "^2.5.7"
+      },
+      "dependencies": {
+        "csstype": {
+          "version": "2.6.21",
+          "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz",
+          "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w=="
+        }
       }
     },
     "@emotion/sheet": {
@@ -79607,6 +79624,13 @@
       "requires": {
         "@types/prop-types": "*",
         "csstype": "^2.2.0"
+      },
+      "dependencies": {
+        "csstype": {
+          "version": "2.6.21",
+          "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz",
+          "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w=="
+        }
       }
     },
     "@types/react-dom": {
@@ -86171,11 +86195,6 @@
         }
       }
     },
-    "csstype": {
-      "version": "2.6.9",
-      "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.9.tgz",
-      "integrity": "sha512-xz39Sb4+OaTsULgUERcCk+TJj8ylkL4aSVDQiX/ksxbELSqwkgt4d4RD7fovIdgJGSuNYqwZEiVjYY5l0ask+Q=="
-    },
     "currencyformatter.js": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/currencyformatter.js/-/currencyformatter.js-1.0.5.tgz",
@@ -104616,6 +104635,11 @@
             "@emotion/weak-memoize": "0.2.5"
           }
         },
+        "csstype": {
+          "version": "2.6.21",
+          "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz",
+          "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w=="
+        },
         "dom-helpers": {
           "version": "5.1.4",
           "resolved": "https://registry.npmjs.org/dom-helpers/-/dom-helpers-5.1.4.tgz",
diff --git a/superset-frontend/src/components/Chart/DrillBy/DrillByModal.tsx b/superset-frontend/src/components/Chart/DrillBy/DrillByModal.tsx
index d1e8b39e0c963..5053a7671135c 100644
--- a/superset-frontend/src/components/Chart/DrillBy/DrillByModal.tsx
+++ b/superset-frontend/src/components/Chart/DrillBy/DrillByModal.tsx
@@ -54,11 +54,12 @@ import {
   LOG_ACTIONS_DRILL_BY_MODAL_OPENED,
   LOG_ACTIONS_FURTHER_DRILL_BY,
 } from 'src/logger/LogUtils';
+import { getQuerySettings } from 'src/explore/exploreUtils';
 import { Dataset, DrillByType } from '../types';
 import DrillByChart from './DrillByChart';
 import { ContextMenuItem } from '../ChartContextMenu/ChartContextMenu';
 import { useContextMenu } from '../ChartContextMenu/useContextMenu';
-import { getChartDataRequest } from '../chartAction';
+import { getChartDataRequest, handleChartDataResponse } from '../chartAction';
 import { useDisplayModeToggle } from './useDisplayModeToggle';
 import {
   DrillByBreadcrumb,
@@ -390,13 +391,17 @@ export default function DrillByModal({
 
   useEffect(() => {
     if (drilledFormData) {
+      const [useLegacyApi] = getQuerySettings(drilledFormData);
       setIsChartDataLoading(true);
       setChartDataResult(undefined);
       getChartDataRequest({
         formData: drilledFormData,
       })
-        .then(({ json }) => {
-          setChartDataResult(json.result);
+        .then(({ response, json }) =>
+          handleChartDataResponse(response, json, useLegacyApi),
+        )
+        .then(queriesResponse => {
+          setChartDataResult(queriesResponse);
         })
         .catch(() => {
           addDangerToast(t('Failed to load chart data.'));
diff --git a/superset-frontend/src/components/Chart/chartAction.js b/superset-frontend/src/components/Chart/chartAction.js
index 8cd3785ae5156..9e7f961abdf52 100644
--- a/superset-frontend/src/components/Chart/chartAction.js
+++ b/superset-frontend/src/components/Chart/chartAction.js
@@ -374,6 +374,29 @@ export function addChart(chart, key) {
   return { type: ADD_CHART, chart, key };
 }
 
+export function handleChartDataResponse(response, json, useLegacyApi) {
+  if (isFeatureEnabled(FeatureFlag.GlobalAsyncQueries)) {
+    // deal with getChartDataRequest transforming the response data
+    const result = 'result' in json ? json.result : json;
+    switch (response.status) {
+      case 200:
+        // Query results returned synchronously, meaning query was already cached.
+        return Promise.resolve(result);
+      case 202:
+        // Query is running asynchronously and we must await the results
+        if (useLegacyApi) {
+          return waitForAsyncData(result[0]);
+        }
+        return waitForAsyncData(result);
+      default:
+        throw new Error(
+          `Received unexpected response status (${response.status}) while fetching chart data`,
+        );
+    }
+  }
+  return json.result;
+}
+
 export function exploreJSON(
   formData,
   force = false,
@@ -409,31 +432,11 @@ export function exploreJSON(
 
     dispatch(chartUpdateStarted(controller, formData, key));
 
+    const [useLegacyApi] = getQuerySettings(formData);
     const chartDataRequestCaught = chartDataRequest
-      .then(({ response, json }) => {
-        if (isFeatureEnabled(FeatureFlag.GLOBAL_ASYNC_QUERIES)) {
-          // deal with getChartDataRequest transforming the response data
-          const result = 'result' in json ? json.result : json;
-          const [useLegacyApi] = getQuerySettings(formData);
-          switch (response.status) {
-            case 200:
-              // Query results returned synchronously, meaning query was already cached.
-              return Promise.resolve(result);
-            case 202:
-              // Query is running asynchronously and we must await the results
-              if (useLegacyApi) {
-                return waitForAsyncData(result[0]);
-              }
-              return waitForAsyncData(result);
-            default:
-              throw new Error(
-                `Received unexpected response status (${response.status}) while fetching chart data`,
-              );
-          }
-        }
-
-        return json.result;
-      })
+      .then(({ response, json }) =>
+        handleChartDataResponse(response, json, useLegacyApi),
+      )
       .then(queriesResponse => {
         queriesResponse.forEach(resultItem =>
           dispatch(
@@ -492,7 +495,6 @@ export function exploreJSON(
       });
 
     // only retrieve annotations when calling the legacy API
-    const [useLegacyApi] = getQuerySettings(formData);
     const annotationLayers = useLegacyApi
       ? formData.annotation_layers || []
       : [];
diff --git a/superset-frontend/src/components/Chart/chartActions.test.js b/superset-frontend/src/components/Chart/chartActions.test.js
index b3a6fed9f5c15..c2a58e6094404 100644
--- a/superset-frontend/src/components/Chart/chartActions.test.js
+++ b/superset-frontend/src/components/Chart/chartActions.test.js
@@ -21,10 +21,12 @@ import fetchMock from 'fetch-mock';
 import sinon from 'sinon';
 
 import * as chartlib from '@superset-ui/core';
-import { SupersetClient } from '@superset-ui/core';
+import { FeatureFlag, SupersetClient } from '@superset-ui/core';
 import { LOG_EVENT } from 'src/logger/actions';
 import * as exploreUtils from 'src/explore/exploreUtils';
 import * as actions from 'src/components/Chart/chartAction';
+import * as asyncEvent from 'src/middleware/asyncEvent';
+import { handleChartDataResponse } from 'src/components/Chart/chartAction';
 
 describe('chart actions', () => {
   const MOCK_URL = '/mockURL';
@@ -33,6 +35,7 @@ describe('chart actions', () => {
   let getChartDataUriStub;
   let metadataRegistryStub;
   let buildQueryRegistryStub;
+  let waitForAsyncDataStub;
   let fakeMetadata;
 
   const setupDefaultFetchMock = () => {
@@ -66,6 +69,9 @@ describe('chart actions', () => {
           result_format: 'json',
         }),
       }));
+    waitForAsyncDataStub = sinon
+      .stub(asyncEvent, 'waitForAsyncData')
+      .callsFake(data => Promise.resolve(data));
   });
 
   afterEach(() => {
@@ -74,6 +80,11 @@ describe('chart actions', () => {
     fetchMock.resetHistory();
     metadataRegistryStub.restore();
     buildQueryRegistryStub.restore();
+    waitForAsyncDataStub.restore();
+
+    global.featureFlags = {
+      [FeatureFlag.GlobalAsyncQueries]: false,
+    };
   });
 
   describe('v1 API', () => {
@@ -114,6 +125,36 @@ describe('chart actions', () => {
       expect(fetchMock.calls(mockBigIntUrl)).toHaveLength(1);
       expect(json.value.toString()).toEqual(expectedBigNumber);
     });
+
+    it('handleChartDataResponse should return result if GlobalAsyncQueries flag is disabled', async () => {
+      const result = await handleChartDataResponse(
+        { status: 200 },
+        { result: [1, 2, 3] },
+      );
+      expect(result).toEqual([1, 2, 3]);
+    });
+
+    it('handleChartDataResponse should handle responses when GlobalAsyncQueries flag is enabled and results are returned synchronously', async () => {
+      global.featureFlags = {
+        [FeatureFlag.GlobalAsyncQueries]: true,
+      };
+      const result = await handleChartDataResponse(
+        { status: 200 },
+        { result: [1, 2, 3] },
+      );
+      expect(result).toEqual([1, 2, 3]);
+    });
+
+    it('handleChartDataResponse should handle responses when GlobalAsyncQueries flag is enabled and query is running asynchronously', async () => {
+      global.featureFlags = {
+        [FeatureFlag.GlobalAsyncQueries]: true,
+      };
+      const result = await handleChartDataResponse(
+        { status: 202 },
+        { result: [1, 2, 3] },
+      );
+      expect(result).toEqual([1, 2, 3]);
+    });
   });
 
   describe('legacy API', () => {
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 1cc289f877d81..e6eb77e645d80 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -453,7 +453,7 @@ def get_dashboard_access_error_object(  # pylint: disable=invalid-name
             level=ErrorLevel.ERROR,
         )
 
-    def get_chart_access_error_object(  # pylint: disable=invalid-name
+    def get_chart_access_error_object(
         self,
         dashboard: "Dashboard",  # pylint: disable=unused-argument
     ) -> SupersetError:
@@ -2088,7 +2088,9 @@ def raise_for_access(
 
             raise SupersetSecurityException(self.get_chart_access_error_object(chart))
 
-    def get_user_by_username(self, username: str, session: Session = None) -> Optional[User]:
+    def get_user_by_username(
+        self, username: str, session: Session = None
+    ) -> Optional[User]:
         """
         Retrieves a user by it's username case sensitive. Optional session parameter
         utility method normally useful for celery tasks where the session

From 24e7be605b225e893371b2c205863459e30c31e5 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <michael.s.molina@gmail.com>
Date: Wed, 14 Feb 2024 10:53:29 -0500
Subject: [PATCH 048/114] chore: Adds 3.1.1 RC1 data to CHANGELOG.md

---
 CHANGELOG.md                   | 56 ++++++++++++++++++++++++++++++++++
 superset-frontend/package.json |  2 +-
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ff5192163300..f4f52e605e693 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ under the License.
 
 ## Change Log
 
+- [3.1.1](#311-fri-feb-9-214933-2024-0100)
 - [3.1.0](#310-tue-jan-9-150500-2023--0800)
 - [3.0.3](#303-fri-dec-8-054009-2023--0800)
 - [3.0.2](#302-mon-nov-20-073838-2023--0500)
@@ -37,6 +38,61 @@ under the License.
 - [1.4.2](#142-sat-mar-19-000806-2022-0200)
 - [1.4.1](#141)
 
+### 3.1.1 (Fri Feb 9 21:49:33 2024 +0100)
+
+**Fixes**
+
+- [#27066](https://github.com/apache/superset/pull/27066) fix: Drill by with GLOBAL_ASYNC_QUERIES (@kgabryje)
+- [#27039](https://github.com/apache/superset/pull/27039) fix: bump FAB to 4.3.11 (@dpgaspar)
+- [#26993](https://github.com/apache/superset/pull/26993) fix: chart import validation (@dpgaspar)
+- [#27096](https://github.com/apache/superset/pull/27096) fix(big_number): white-space: nowrap to prevent wrapping (@mistercrunch)
+- [#27073](https://github.com/apache/superset/pull/27073) fix(drill): no rows returned (@betodealmeida)
+- [#27069](https://github.com/apache/superset/pull/27069) fix: Filters sidebar stretching dashboard height (@kgabryje)
+- [#27068](https://github.com/apache/superset/pull/27068) fix: Exclude header controls from dashboard PDF export (@kgabryje)
+- [#27041](https://github.com/apache/superset/pull/27041) fix(plugins): missing currency on small number format in table chart (@justinpark)
+- [#27023](https://github.com/apache/superset/pull/27023) fix(explore): allow free-form d3 format on custom column formatting (@justinpark)
+- [#27019](https://github.com/apache/superset/pull/27019) fix: safer error message in alerts (@betodealmeida)
+- [#27015](https://github.com/apache/superset/pull/27015) fix(security manager): Users should not have access to all draft dashboards (@Vitor-Avila)
+- [#26965](https://github.com/apache/superset/pull/26965) fix(tags): Improve support for tags with colons (@Vitor-Avila)
+- [#26946](https://github.com/apache/superset/pull/26946) fix: column values with NaN (@betodealmeida)
+- [#26964](https://github.com/apache/superset/pull/26964) fix(plugin-chart-table): Prevent misalignment of totals and headers when scrollbar is visible (@kgabryje)
+- [#26332](https://github.com/apache/superset/pull/26332) fix(embedded+async queries): support async queries to work with embedded guest user (@zephyring)
+- [#22849](https://github.com/apache/superset/pull/22849) fix(cache): remove unused webserver config & handle trailing slashes (@Usiel)
+- [#26889](https://github.com/apache/superset/pull/26889) fix: Allow exporting saved queries without schema information (@sbernauer)
+- [#26887](https://github.com/apache/superset/pull/26887) fix: dashboard import validation (@dpgaspar)
+- [#26911](https://github.com/apache/superset/pull/26911) fix: handle CRLF endings causing sqlglot failure (@mapledan)
+- [#26906](https://github.com/apache/superset/pull/26906) fix(pinot): typo in the name for epoch_ms_to_dttm (@ege-st)
+- [#26817](https://github.com/apache/superset/pull/26817) fix: Bar charts horizontal margin adjustment error (@michael-s-molina)
+- [#26749](https://github.com/apache/superset/pull/26749) fix: prevent guest user from modifying metrics (@betodealmeida)
+- [#25923](https://github.com/apache/superset/pull/25923) fix(deck.gl Multiple Layer Chart): Add Contour and Heatmap Layer as options (@Mattc1221)
+- [#26476](https://github.com/apache/superset/pull/26476) fix(sqlparse): improve table parsing (@betodealmeida)
+- [#26922](https://github.com/apache/superset/pull/26922) fix(sqllab): autosync fail on migrated queryEditor (@justinpark)
+- [#26814](https://github.com/apache/superset/pull/26814) fix(time-series table): Can't compare from the beginning of the time range (@michael-s-molina)
+- [#26701](https://github.com/apache/superset/pull/26701) fix(tags): Filter system tags from the tags list (@Vitor-Avila)
+- [#26807](https://github.com/apache/superset/pull/26807) fix: Row limit hardcoded (@michael-s-molina)
+- [#26674](https://github.com/apache/superset/pull/26674) fix: helm chart comment on SECRET_KEY (@dpgaspar)
+- [#26652](https://github.com/apache/superset/pull/26652) fix(import): only import FORMULA annotations (@mistercrunch)
+- [#26314](https://github.com/apache/superset/pull/26314) fix(logging): Filter out undefined columns (@john-bodley)
+- [#26461](https://github.com/apache/superset/pull/26461) fix(BigQuery): Support special characters in column/metric names used in ORDER BY (@Vitor-Avila)
+- [#26744](https://github.com/apache/superset/pull/26744) fix(db2): Improving support for ibm db2 connections (@Vitor-Avila)
+- [#26705](https://github.com/apache/superset/pull/26705) fix(legacy-charts): Show Time Grain control for legacy charts (@Vitor-Avila)
+- [#26709](https://github.com/apache/superset/pull/26709) fix: do not use lodash/memoize (@rusackas)
+- [#25550](https://github.com/apache/superset/pull/25550) fix: Catch ImportErrors for Google SDKs (@skion)
+- [#26645](https://github.com/apache/superset/pull/26645) fix(translation): correct translation errors for Chinese(zh) (@Waterkin)
+- [#26638](https://github.com/apache/superset/pull/26638) fix: Avoid 500 if end users write bad SQL (@Khrol)
+- [#26644](https://github.com/apache/superset/pull/26644) fix: unnecessary logic on CI ephemeral (@dpgaspar)
+- [#26625](https://github.com/apache/superset/pull/26625) fix: create virtual dataset validation (@dpgaspar)
+- [#26634](https://github.com/apache/superset/pull/26634) fix: RLS modal styling (@geido)
+- [#26469](https://github.com/apache/superset/pull/26469) fix(database): allow filtering by UUID (@betodealmeida)
+- [#26412](https://github.com/apache/superset/pull/26412) fix(embedded): Hide dashboard fullscreen option for embedded context (@Vitor-Avila)
+- [#26355](https://github.com/apache/superset/pull/26355) fix: Trino - handle table not found in SQLLab (@Khrol)
+
+**Others**
+
+- [#26716](https://github.com/apache/superset/pull/26716) build(deps): bump csstype from 2.6.9 to 3.1.3 in /superset-frontend (@dependabot[bot])
+- [#26707](https://github.com/apache/superset/pull/26707) chore(helm): Upgrade default Superset version to 3.1.0 (@dnskr)
+- [#26431](https://github.com/apache/superset/pull/26431) chore: bump prophet to 1.1.5 (@villebro)
+
 ### 3.1.0 (Tue Jan 9 15:05:00 2023 -0800)
 
 **Database Migrations**
diff --git a/superset-frontend/package.json b/superset-frontend/package.json
index 153cdfce68a99..a43f110abc8b8 100644
--- a/superset-frontend/package.json
+++ b/superset-frontend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "superset",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "Superset is a data exploration platform designed to be visual, intuitive, and interactive.",
   "keywords": [
     "big",

From a57358ec4961325cbf726204a43d95d47498fd5c Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Wed, 14 Feb 2024 09:41:22 -0500
Subject: [PATCH 049/114] fix: Timeseries Y-axis format with contribution mode
 (#27106)

(cherry picked from commit af577d64b17a9730e28e9021376318326fe31437)
---
 .../src/number-format/NumberFormats.ts        |  6 +--
 .../src/Heatmap.js                            |  2 +-
 .../src/MixedTimeseries/transformProps.ts     |  2 +
 .../src/Timeseries/transformProps.ts          |  4 +-
 .../src/utils/formatters.ts                   | 11 +++++-
 .../test/utils/formatters.test.ts             | 37 +++++++++++++++++++
 6 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 superset-frontend/plugins/plugin-chart-echarts/test/utils/formatters.test.ts

diff --git a/superset-frontend/packages/superset-ui-core/src/number-format/NumberFormats.ts b/superset-frontend/packages/superset-ui-core/src/number-format/NumberFormats.ts
index 605da5d30e7b7..3825430ca0b3d 100644
--- a/superset-frontend/packages/superset-ui-core/src/number-format/NumberFormats.ts
+++ b/superset-frontend/packages/superset-ui-core/src/number-format/NumberFormats.ts
@@ -35,20 +35,20 @@ const FLOAT_SIGNED = FLOAT_SIGNED_2_POINT;
 const INTEGER = ',d';
 const INTEGER_SIGNED = '+,d';
 
+const PERCENT = ',.0%';
 const PERCENT_1_POINT = ',.1%';
 const PERCENT_2_POINT = ',.2%';
 const PERCENT_3_POINT = ',.3%';
-const PERCENT = PERCENT_2_POINT;
 
+const PERCENT_SIGNED = '+,.0%';
 const PERCENT_SIGNED_1_POINT = '+,.1%';
 const PERCENT_SIGNED_2_POINT = '+,.2%';
 const PERCENT_SIGNED_3_POINT = '+,.3%';
-const PERCENT_SIGNED = PERCENT_SIGNED_2_POINT;
 
+const SI = '.0s';
 const SI_1_DIGIT = '.1s';
 const SI_2_DIGIT = '.2s';
 const SI_3_DIGIT = '.3s';
-const SI = SI_3_DIGIT;
 
 const SMART_NUMBER = 'SMART_NUMBER';
 const SMART_NUMBER_SIGNED = 'SMART_NUMBER_SIGNED';
diff --git a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js
index a6967301c6a6b..18493f0602ef7 100644
--- a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js
+++ b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js
@@ -250,7 +250,7 @@ function Heatmap(element, props) {
     hideYLabel();
   }
 
-  const fp = getNumberFormatter(NumberFormats.PERCENT);
+  const fp = getNumberFormatter(NumberFormats.PERCENT_2_POINT);
 
   const xScale = ordScale('x', null, sortXAxis);
   const yScale = ordScale('y', null, sortYAxis);
diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts b/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts
index 1d4eceb33f3b6..ce6969213a88f 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts
@@ -531,6 +531,7 @@ export default function transformProps(
             !!contributionMode,
             customFormatters,
             formatter,
+            yAxisFormat,
           ),
         },
         scale: truncateYAxis,
@@ -553,6 +554,7 @@ export default function transformProps(
             !!contributionMode,
             customFormattersSecondary,
             formatterSecondary,
+            yAxisFormatSecondary,
           ),
         },
         scale: truncateYAxis,
diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
index a5c380c5ffb36..451685ec0a116 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
@@ -95,6 +95,7 @@ import {
 } from '../constants';
 import { getDefaultTooltip } from '../utils/tooltip';
 import {
+  getPercentFormatter,
   getTooltipTimeFormatter,
   getXAxisFormatter,
   getYAxisFormatter,
@@ -253,7 +254,7 @@ export default function transformProps(
   const series: SeriesOption[] = [];
 
   const forcePercentFormatter = Boolean(contributionMode || isAreaExpand);
-  const percentFormatter = getNumberFormatter(',.0%');
+  const percentFormatter = getPercentFormatter(yAxisFormat);
   const defaultFormatter = currencyFormat?.symbol
     ? new CurrencyFormatter({ d3Format: yAxisFormat, currency: currencyFormat })
     : getNumberFormatter(yAxisFormat);
@@ -486,6 +487,7 @@ export default function transformProps(
         forcePercentFormatter,
         customFormatters,
         defaultFormatter,
+        yAxisFormat,
       ),
     },
     scale: truncateYAxis,
diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/utils/formatters.ts b/superset-frontend/plugins/plugin-chart-echarts/src/utils/formatters.ts
index 5416fa1577635..a8f9d2aa31d5a 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/utils/formatters.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/utils/formatters.ts
@@ -23,6 +23,7 @@ import {
   getNumberFormatter,
   getTimeFormatter,
   isSavedMetric,
+  NumberFormats,
   QueryFormMetric,
   smartDateDetailedFormatter,
   smartDateFormatter,
@@ -30,14 +31,22 @@ import {
   ValueFormatter,
 } from '@superset-ui/core';
 
+export const getPercentFormatter = (format?: string) =>
+  getNumberFormatter(
+    !format || format === NumberFormats.SMART_NUMBER
+      ? NumberFormats.PERCENT
+      : format,
+  );
+
 export const getYAxisFormatter = (
   metrics: QueryFormMetric[],
   forcePercentFormatter: boolean,
   customFormatters: Record<string, ValueFormatter>,
   defaultFormatter: ValueFormatter,
+  format?: string,
 ) => {
   if (forcePercentFormatter) {
-    return getNumberFormatter(',.0%');
+    return getPercentFormatter(format);
   }
   const metricsArray = ensureIsArray(metrics);
   if (
diff --git a/superset-frontend/plugins/plugin-chart-echarts/test/utils/formatters.test.ts b/superset-frontend/plugins/plugin-chart-echarts/test/utils/formatters.test.ts
new file mode 100644
index 0000000000000..f8d40a5bd136c
--- /dev/null
+++ b/superset-frontend/plugins/plugin-chart-echarts/test/utils/formatters.test.ts
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { NumberFormats } from '@superset-ui/core';
+import { getPercentFormatter } from '../../src/utils/formatters';
+
+describe('getPercentFormatter', () => {
+  const value = 0.6;
+  it('should format as percent if no format is specified', () => {
+    expect(getPercentFormatter().format(value)).toEqual('60%');
+  });
+  it('should format as percent if SMART_NUMBER is specified', () => {
+    expect(
+      getPercentFormatter(NumberFormats.SMART_NUMBER).format(value),
+    ).toEqual('60%');
+  });
+  it('should format using a provided format', () => {
+    expect(
+      getPercentFormatter(NumberFormats.PERCENT_2_POINT).format(value),
+    ).toEqual('60.00%');
+  });
+});

From 88191573364c72806609a3052750661981da34d1 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Wed, 14 Feb 2024 19:11:51 +0000
Subject: [PATCH 050/114] fix: upgrade cryptography to major 42 (#27113)

(cherry picked from commit 152cd70b5f77828f1f63c5c40f7a2cb2bcfa156e)
---
 requirements/base.txt | 2 +-
 setup.py              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index 95eeaa450c65d..e134f367e2d5d 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -76,7 +76,7 @@ cron-descriptor==1.2.24
     # via apache-superset
 croniter==1.0.15
     # via apache-superset
-cryptography==41.0.2
+cryptography==42.0.2
     # via
     #   apache-superset
     #   paramiko
diff --git a/setup.py b/setup.py
index 423a21d887a3f..32c68d025c309 100644
--- a/setup.py
+++ b/setup.py
@@ -80,7 +80,7 @@ def get_git_sha() -> str:
         "colorama",
         "croniter>=0.3.28",
         "cron-descriptor",
-        "cryptography>=41.0.2, <41.1.0",
+        "cryptography>=42.0.0, <43.0.0",
         "deprecation>=2.1.0, <2.2.0",
         "flask>=2.2.5, <3.0.0",
         "flask-appbuilder>=4.3.11, <5.0.0",

From f5dc821f3d520f0e2f9a8a76ea853031134c52af Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Thu, 15 Feb 2024 13:02:25 +0000
Subject: [PATCH 051/114] fix: bump grpcio, urllib3 and paramiko (#27124)

(cherry picked from commit e43097329ff16f0661f275382f780165e4dad3ec)
---
 requirements/base.txt    | 4 ++--
 requirements/testing.txt | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index e134f367e2d5d..e97e52fe54ebf 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -232,7 +232,7 @@ packaging==23.1
     #   shillelagh
 pandas[performance]==2.0.3
     # via apache-superset
-paramiko==2.11.0
+paramiko==3.4.0
     # via sshtunnel
 parsedatetime==2.6
     # via apache-superset
@@ -350,7 +350,7 @@ tzdata==2023.3
     # via pandas
 url-normalize==1.4.3
     # via requests-cache
-urllib3==1.26.6
+urllib3==1.26.18
     # via
     #   requests
     #   requests-cache
diff --git a/requirements/testing.txt b/requirements/testing.txt
index b40497c8fc130..e7095b7f72804 100644
--- a/requirements/testing.txt
+++ b/requirements/testing.txt
@@ -68,12 +68,12 @@ googleapis-common-protos==1.59.0
     # via
     #   google-api-core
     #   grpcio-status
-grpcio==1.54.0
+grpcio==1.60.1
     # via
     #   google-api-core
     #   google-cloud-bigquery
     #   grpcio-status
-grpcio-status==1.54.0
+grpcio-status==1.60.1
     # via google-api-core
 iniconfig==2.0.0
     # via pytest

From 02d754e7c8e52bd7727715401ccd7db01a00af86 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Thu, 15 Feb 2024 16:20:30 +0000
Subject: [PATCH 052/114] fix: gevent upgrade to 23.9.1 (#27112)

---
 requirements/docker.txt | 2 +-
 setup.py                | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/requirements/docker.txt b/requirements/docker.txt
index 1c6009b9446df..be65b7d36b1bf 100644
--- a/requirements/docker.txt
+++ b/requirements/docker.txt
@@ -10,7 +10,7 @@
     # via
     #   -r requirements/base.in
     #   -r requirements/docker.in
-gevent==22.10.2
+gevent==23.9.1
     # via -r requirements/docker.in
 psycopg2-binary==2.9.6
     # via apache-superset
diff --git a/setup.py b/setup.py
index 32c68d025c309..5488a3d761db8 100644
--- a/setup.py
+++ b/setup.py
@@ -164,6 +164,7 @@ def get_git_sha() -> str:
         "excel": ["xlrd>=1.2.0, <1.3"],
         "firebird": ["sqlalchemy-firebird>=0.7.0, <0.8"],
         "firebolt": ["firebolt-sqlalchemy>=0.0.1"],
+        "gevent": ["gevent>=23.9.1"],
         "gsheets": ["shillelagh[gsheetsapi]>=1.2.10, <2"],
         "hana": ["hdbcli==2.4.162", "sqlalchemy_hana==0.4.0"],
         "hive": [

From c743822031dafd16920331089373d8268f760e99 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Thu, 15 Feb 2024 11:46:35 -0500
Subject: [PATCH 053/114] fix: RLS modal overflow (#27128)

(cherry picked from commit 506ea756ad858f7325adecc73e4969f4476c642d)
---
 .../features/rls/RowLevelSecurityModal.tsx    | 88 +++++++++----------
 .../src/features/rls/constants.ts             |  2 +-
 2 files changed, 42 insertions(+), 48 deletions(-)

diff --git a/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx b/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx
index 7e4143e5827f6..9997de5da7e9b 100644
--- a/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx
+++ b/superset-frontend/src/features/rls/RowLevelSecurityModal.tsx
@@ -28,12 +28,13 @@ import Modal from 'src/components/Modal';
 import React, { useCallback, useEffect, useMemo, useState } from 'react';
 import Icons from 'src/components/Icons';
 import Select from 'src/components/Select/Select';
+import { TextArea } from 'src/components/Input';
 import AsyncSelect from 'src/components/Select/AsyncSelect';
 import rison from 'rison';
 import { LabeledErrorBoundInput } from 'src/components/Form';
 import InfoTooltip from 'src/components/InfoTooltip';
 import { useSingleViewResource } from 'src/views/CRUD/hooks';
-import { FilterOptions } from './constants';
+import { FILTER_OPTIONS } from './constants';
 import { FilterType, RLSObject, RoleObject, TableObject } from './types';
 
 const noMargins = css`
@@ -48,13 +49,11 @@ const StyledModal = styled(Modal)`
   max-width: 1200px;
   min-width: min-content;
   width: 100%;
-  .ant-modal-body {
-    overflow: initial;
-  }
   .ant-modal-footer {
     white-space: nowrap;
   }
 `;
+
 const StyledIcon = (theme: SupersetTheme) => css`
   margin: auto ${theme.gridUnit * 2}px auto 0;
   color: ${theme.colors.grayscale.base};
@@ -106,11 +105,9 @@ const StyledInputContainer = styled.div`
   }
 `;
 
-const StyledTextArea = styled.textarea`
-  height: 100px;
+const StyledTextArea = styled(TextArea)`
   resize: none;
   margin-top: ${({ theme }) => theme.gridUnit}px;
-  border: 1px solid ${({ theme }) => theme.colors.secondary.light3};
 `;
 
 export interface RowLevelSecurityModalProps {
@@ -155,23 +152,25 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
     addDangerToast,
   );
 
-  // initialize
-  useEffect(() => {
-    if (!isEditMode) {
-      setCurrentRule({ ...DEAFULT_RULE });
-    } else if (rule?.id !== null && !loading && !fetchError) {
-      fetchResource(rule.id as number);
-    }
-  }, [rule]);
+  const updateRuleState = (name: string, value: any) => {
+    setCurrentRule(currentRuleData => ({
+      ...currentRuleData,
+      [name]: value,
+    }));
+  };
 
-  useEffect(() => {
-    if (resource) {
-      setCurrentRule({ ...resource, id: rule?.id });
-      const selectedTableAndRoles = getSelectedData();
-      updateRuleState('tables', selectedTableAndRoles?.tables || []);
-      updateRuleState('roles', selectedTableAndRoles?.roles || []);
+  // * state validators *
+  const validate = () => {
+    if (
+      currentRule?.name &&
+      currentRule?.clause &&
+      currentRule.tables?.length
+    ) {
+      setDisableSave(false);
+    } else {
+      setDisableSave(true);
     }
-  }, [resource]);
+  };
 
   // find selected tables and roles
   const getSelectedData = useCallback(() => {
@@ -202,6 +201,24 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
     return { tables, roles };
   }, [resource?.tables, resource?.roles]);
 
+  // initialize
+  useEffect(() => {
+    if (!isEditMode) {
+      setCurrentRule({ ...DEAFULT_RULE });
+    } else if (rule?.id !== null && !loading && !fetchError) {
+      fetchResource(rule.id as number);
+    }
+  }, [rule]);
+
+  useEffect(() => {
+    if (resource) {
+      setCurrentRule({ ...resource, id: rule?.id });
+      const selectedTableAndRoles = getSelectedData();
+      updateRuleState('tables', selectedTableAndRoles?.tables || []);
+      updateRuleState('roles', selectedTableAndRoles?.roles || []);
+    }
+  }, [resource]);
+
   // validate
   const currentRuleSafe = currentRule || {};
   useEffect(() => {
@@ -214,13 +231,6 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
     label: string;
   };
 
-  const updateRuleState = (name: string, value: any) => {
-    setCurrentRule(currentRuleData => ({
-      ...currentRuleData,
-      [name]: value,
-    }));
-  };
-
   const onTextChange = (target: HTMLInputElement | HTMLTextAreaElement) => {
     updateRuleState(target.name, target.value);
   };
@@ -318,19 +328,6 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
     [],
   );
 
-  // * state validators *
-  const validate = () => {
-    if (
-      currentRule?.name &&
-      currentRule?.clause &&
-      currentRule.tables?.length
-    ) {
-      setDisableSave(false);
-    } else {
-      setDisableSave(true);
-    }
-  };
-
   return (
     <StyledModal
       className="no-content-padding"
@@ -373,7 +370,6 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
               hasTooltip
             />
           </StyledInputContainer>
-
           <StyledInputContainer>
             <div className="control-label">
               {t('Filter Type')}{' '}
@@ -390,12 +386,11 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
                 placeholder={t('Filter Type')}
                 onChange={onFilterChange}
                 value={currentRule?.filter_type}
-                options={FilterOptions}
+                options={FILTER_OPTIONS}
                 data-test="rule-filter-type-test"
               />
             </div>
           </StyledInputContainer>
-
           <StyledInputContainer>
             <div className="control-label">
               {t('Datasets')} <span className="required">*</span>
@@ -455,7 +450,6 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
               data-test="group-key-test"
             />
           </StyledInputContainer>
-
           <StyledInputContainer>
             <div className="control-label">
               <LabeledErrorBoundInput
@@ -477,11 +471,11 @@ function RowLevelSecurityModal(props: RowLevelSecurityModalProps) {
               />
             </div>
           </StyledInputContainer>
-
           <StyledInputContainer>
             <div className="control-label">{t('Description')}</div>
             <div className="input-container">
               <StyledTextArea
+                rows={4}
                 name="description"
                 value={currentRule ? currentRule.description : ''}
                 onChange={event => onTextChange(event.target)}
diff --git a/superset-frontend/src/features/rls/constants.ts b/superset-frontend/src/features/rls/constants.ts
index ceb0982c5f223..9bb0ca3e6cb43 100644
--- a/superset-frontend/src/features/rls/constants.ts
+++ b/superset-frontend/src/features/rls/constants.ts
@@ -19,7 +19,7 @@
 
 import { t } from '@superset-ui/core';
 
-export const FilterOptions = [
+export const FILTER_OPTIONS = [
   {
     label: t('Regular'),
     value: 'Regular',

From c94a4609bbac4ab74ff751162ba2b26f9c27a4e8 Mon Sep 17 00:00:00 2001
From: Stepan <66589759+Always-prog@users.noreply.github.com>
Date: Thu, 15 Feb 2024 20:16:02 +0300
Subject: [PATCH 054/114] fix(pivot-table-v2): Added forgotten translation
 pivot table v2 (#22840)

(cherry picked from commit 60fe58196a6e8dd1ea7a2e6aaf8401d0a718bc41)
---
 .../src/react-pivottable/TableRenderers.jsx                 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/superset-frontend/plugins/plugin-chart-pivot-table/src/react-pivottable/TableRenderers.jsx b/superset-frontend/plugins/plugin-chart-pivot-table/src/react-pivottable/TableRenderers.jsx
index 760ff90c15d8f..41063c290f3fa 100644
--- a/superset-frontend/plugins/plugin-chart-pivot-table/src/react-pivottable/TableRenderers.jsx
+++ b/superset-frontend/plugins/plugin-chart-pivot-table/src/react-pivottable/TableRenderers.jsx
@@ -24,7 +24,11 @@ import { PivotData, flatKey } from './utilities';
 import { Styles } from './Styles';
 
 const parseLabel = value => {
-  if (typeof value === 'number' || typeof value === 'string') {
+  if (typeof value === 'string') {
+    if (value === 'metric') return t('metric');
+    return value;
+  }
+  if (typeof value === 'number') {
     return value;
   }
   return String(value);

From 0308095a223ec046b142e43fb366062f422d770a Mon Sep 17 00:00:00 2001
From: Joe Li <joe@preset.io>
Date: Thu, 15 Feb 2024 10:27:30 -0800
Subject: [PATCH 055/114] chore: lower cryptography min version to 41.0.2
 (#27129)

(cherry picked from commit d2910b0b87232b88be1f8199a3501df99e108468)
---
 setup.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 5488a3d761db8..998b134dc73d9 100644
--- a/setup.py
+++ b/setup.py
@@ -80,7 +80,8 @@ def get_git_sha() -> str:
         "colorama",
         "croniter>=0.3.28",
         "cron-descriptor",
-        "cryptography>=42.0.0, <43.0.0",
+        # snowflake-connector-python as of 3.7.0 doesn't support >=42.* therefore lowering the min to 41.0.2
+        "cryptography>=41.0.2, <43.0.0",
         "deprecation>=2.1.0, <2.2.0",
         "flask>=2.2.5, <3.0.0",
         "flask-appbuilder>=4.3.11, <5.0.0",

From 7ab62e1aaa03b01f8ecb2a5accf9e31b4566359a Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Thu, 15 Feb 2024 16:26:33 -0500
Subject: [PATCH 056/114] fix: Plain error message when visiting a dashboard
 via permalink without permissions (#27132)

---
 superset/views/core.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/superset/views/core.py b/superset/views/core.py
index 9ad2f63fdc680..3e895e6b4b465 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -47,6 +47,7 @@
 from superset.commands.chart.exceptions import ChartNotFoundError
 from superset.commands.chart.warm_up_cache import ChartWarmUpCacheCommand
 from superset.commands.dashboard.importers.v0 import ImportDashboardsCommand
+from superset.commands.dashboard.exceptions import DashboardAccessDeniedError
 from superset.commands.dashboard.permalink.get import GetDashboardPermalinkCommand
 from superset.commands.dataset.exceptions import DatasetNotFoundError
 from superset.commands.explore.form_data.create import CreateFormDataCommand
@@ -880,6 +881,9 @@ def dashboard_permalink(
         except DashboardPermalinkGetFailedError as ex:
             flash(__("Error: %(msg)s", msg=ex.message), "danger")
             return redirect("/dashboard/list/")
+        except DashboardAccessDeniedError as ex:
+            flash(__("Error: %(msg)s", msg=ex.message), "danger")
+            return redirect("/dashboard/list/")
         if not value:
             return json_error_response(_("permalink state not found"), status=404)
         dashboard_id, state = value["dashboardId"], value.get("state", {})

From c839c5734a8fc0ad2e564ad625ee35adec2a4193 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Fri, 16 Feb 2024 08:13:34 -0500
Subject: [PATCH 057/114] fix: Duplicated toast messages (#27135)

---
 .../src/SqlLab/reducers/getInitialState.ts    |  4 --
 .../getToastsFromPyFlashMessages.js           | 40 ----------------
 .../getToastsFromPyFlashMessages.test.js      | 48 -------------------
 .../src/dashboard/components/Dashboard.jsx    |  2 -
 .../dashboard/components/Dashboard.test.jsx   |  1 -
 .../FilterBarSettings.test.tsx                |  1 -
 .../src/dashboard/containers/Dashboard.ts     |  1 -
 superset-frontend/src/dashboard/types.ts      |  1 -
 8 files changed, 98 deletions(-)
 delete mode 100644 superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.js
 delete mode 100644 superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.test.js

diff --git a/superset-frontend/src/SqlLab/reducers/getInitialState.ts b/superset-frontend/src/SqlLab/reducers/getInitialState.ts
index 8d72a313b2716..02bb5b45fc58f 100644
--- a/superset-frontend/src/SqlLab/reducers/getInitialState.ts
+++ b/superset-frontend/src/SqlLab/reducers/getInitialState.ts
@@ -17,7 +17,6 @@
  * under the License.
  */
 import { t } from '@superset-ui/core';
-import getToastsFromPyFlashMessages from 'src/components/MessageToasts/getToastsFromPyFlashMessages';
 import type { BootstrapData } from 'src/types/bootstrapTypes';
 import type { InitialState } from 'src/hooks/apiResources/sqlLab';
 import {
@@ -244,9 +243,6 @@ export default function getInitialState({
       queryCostEstimates: {},
       unsavedQueryEditor,
     },
-    messageToasts: getToastsFromPyFlashMessages(
-      (common || {})?.flash_messages || [],
-    ),
     localStorageUsageInKilobytes: 0,
     common,
     ...otherBootstrapData,
diff --git a/superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.js b/superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.js
deleted file mode 100644
index 982df17100792..0000000000000
--- a/superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.js
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-import { addToast } from './actions';
-import { ToastType } from './types';
-
-export default function toastsFromPyFlashMessages(flashMessages = []) {
-  const toasts = [];
-
-  flashMessages.forEach(([messageType, message]) => {
-    const toastType =
-      messageType === 'danger'
-        ? ToastType.DANGER
-        : (messageType === 'success' && ToastType.SUCCESS) || ToastType.INFO;
-
-    const toast = addToast({
-      text: message,
-      toastType,
-    }).payload;
-
-    toasts.push(toast);
-  });
-
-  return toasts;
-}
diff --git a/superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.test.js b/superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.test.js
deleted file mode 100644
index d19ac0c5d5ee2..0000000000000
--- a/superset-frontend/src/components/MessageToasts/getToastsFromPyFlashMessages.test.js
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-import { ToastType } from 'src/components/MessageToasts/types';
-import getToastsFromPyFlashMessages from 'src/components/MessageToasts/getToastsFromPyFlashMessages';
-
-describe('getToastsFromPyFlashMessages', () => {
-  it('should return an info toast', () => {
-    const toast = getToastsFromPyFlashMessages([['info', 'info test']])[0];
-    expect(toast).toMatchObject({
-      toastType: ToastType.INFO,
-      text: 'info test',
-    });
-  });
-
-  it('should return a success toast', () => {
-    const toast = getToastsFromPyFlashMessages([
-      ['success', 'success test'],
-    ])[0];
-    expect(toast).toMatchObject({
-      toastType: ToastType.SUCCESS,
-      text: 'success test',
-    });
-  });
-
-  it('should return a danger toast', () => {
-    const toast = getToastsFromPyFlashMessages([['danger', 'danger test']])[0];
-    expect(toast).toMatchObject({
-      toastType: ToastType.DANGER,
-      text: 'danger test',
-    });
-  });
-});
diff --git a/superset-frontend/src/dashboard/components/Dashboard.jsx b/superset-frontend/src/dashboard/components/Dashboard.jsx
index 6e909f3b1527f..45a1e3046f40f 100644
--- a/superset-frontend/src/dashboard/components/Dashboard.jsx
+++ b/superset-frontend/src/dashboard/components/Dashboard.jsx
@@ -59,13 +59,11 @@ const propTypes = {
   ownDataCharts: PropTypes.object.isRequired,
   layout: PropTypes.object.isRequired,
   impressionId: PropTypes.string.isRequired,
-  initMessages: PropTypes.array,
   timeout: PropTypes.number,
   userId: PropTypes.string,
 };
 
 const defaultProps = {
-  initMessages: [],
   timeout: 60,
   userId: '',
 };
diff --git a/superset-frontend/src/dashboard/components/Dashboard.test.jsx b/superset-frontend/src/dashboard/components/Dashboard.test.jsx
index a66eab37e37d7..d75bda27dc2e0 100644
--- a/superset-frontend/src/dashboard/components/Dashboard.test.jsx
+++ b/superset-frontend/src/dashboard/components/Dashboard.test.jsx
@@ -47,7 +47,6 @@ describe('Dashboard', () => {
       triggerQuery() {},
       logEvent() {},
     },
-    initMessages: [],
     dashboardState,
     dashboardInfo,
     charts: chartQueries,
diff --git a/superset-frontend/src/dashboard/components/nativeFilters/FilterBar/FilterBarSettings/FilterBarSettings.test.tsx b/superset-frontend/src/dashboard/components/nativeFilters/FilterBar/FilterBarSettings/FilterBarSettings.test.tsx
index 8c236c2714841..e2d198c3e96ae 100644
--- a/superset-frontend/src/dashboard/components/nativeFilters/FilterBar/FilterBarSettings/FilterBarSettings.test.tsx
+++ b/superset-frontend/src/dashboard/components/nativeFilters/FilterBar/FilterBarSettings/FilterBarSettings.test.tsx
@@ -50,7 +50,6 @@ const initialState: { dashboardInfo: DashboardInfo } = {
     filterBarOrientation: FilterBarOrientation.VERTICAL,
     common: {
       conf: {},
-      flash_messages: [],
     },
     crossFiltersEnabled: true,
   },
diff --git a/superset-frontend/src/dashboard/containers/Dashboard.ts b/superset-frontend/src/dashboard/containers/Dashboard.ts
index 5f9b29b95dd46..15de5c255c4b3 100644
--- a/superset-frontend/src/dashboard/containers/Dashboard.ts
+++ b/superset-frontend/src/dashboard/containers/Dashboard.ts
@@ -48,7 +48,6 @@ function mapStateToProps(state: RootState) {
   } = state;
 
   return {
-    initMessages: dashboardInfo.common?.flash_messages,
     timeout: dashboardInfo.common?.conf?.SUPERSET_WEBSERVER_TIMEOUT,
     userId: dashboardInfo.userId,
     dashboardInfo,
diff --git a/superset-frontend/src/dashboard/types.ts b/superset-frontend/src/dashboard/types.ts
index 4f28e721868db..604f264540286 100644
--- a/superset-frontend/src/dashboard/types.ts
+++ b/superset-frontend/src/dashboard/types.ts
@@ -117,7 +117,6 @@ export type DashboardState = {
 export type DashboardInfo = {
   id: number;
   common: {
-    flash_messages: string[];
     conf: JsonObject;
   };
   userId: string;

From 4b56670aa2f151deebffa131a8050da58d18915c Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Mon, 19 Feb 2024 21:06:27 +0000
Subject: [PATCH 058/114] feat: bump FAB to 4.4.0 (#27159)

(cherry picked from commit f7c5773a97bdea7ee767912d58a5cfdf23a5be87)
---
 requirements/base.txt | 3 +--
 setup.py              | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index e97e52fe54ebf..c6c2c086da94e 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -104,7 +104,7 @@ flask==2.2.5
     #   flask-session
     #   flask-sqlalchemy
     #   flask-wtf
-flask-appbuilder==4.3.11
+flask-appbuilder==4.4.0
     # via apache-superset
 flask-babel==1.0.0
     # via flask-appbuilder
@@ -310,7 +310,6 @@ six==1.16.0
     # via
     #   click-repl
     #   isodate
-    #   paramiko
     #   prison
     #   python-dateutil
     #   url-normalize
diff --git a/setup.py b/setup.py
index 998b134dc73d9..25c547f2460f4 100644
--- a/setup.py
+++ b/setup.py
@@ -84,7 +84,7 @@ def get_git_sha() -> str:
         "cryptography>=41.0.2, <43.0.0",
         "deprecation>=2.1.0, <2.2.0",
         "flask>=2.2.5, <3.0.0",
-        "flask-appbuilder>=4.3.11, <5.0.0",
+        "flask-appbuilder>=4.4.0, <5.0.0",
         "flask-caching>=2.1.0, <3",
         "flask-compress>=1.13, <2.0",
         "flask-talisman>=1.0.0, <2.0",

From 9a842dc1eabbb5469f421b6a4f8566ee167d379f Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Mon, 19 Feb 2024 16:29:20 +0000
Subject: [PATCH 059/114] fix(ci): mypy pre-commit issues (#27161)

(cherry picked from commit 8dc6cbe206b4a4e5da365f66c3d2fcfec7dd9c6b)
---
 superset/sqllab/api.py                         | 4 +++-
 superset/sqllab/execution_context_convertor.py | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/superset/sqllab/api.py b/superset/sqllab/api.py
index 6be378a9b5117..eeb95e6aadb4e 100644
--- a/superset/sqllab/api.py
+++ b/superset/sqllab/api.py
@@ -343,7 +343,9 @@ def get_results(self, **kwargs: Any) -> FlaskResponse:
         # return the result without special encoding
         return json_success(
             json.dumps(
-                result, default=utils.json_iso_dttm_ser, ignore_nan=True, encoding=None
+                result,
+                default=utils.json_iso_dttm_ser,
+                ignore_nan=True,
             ),
             200,
         )
diff --git a/superset/sqllab/execution_context_convertor.py b/superset/sqllab/execution_context_convertor.py
index 430db0d52ff9c..a1e7a86d0af99 100644
--- a/superset/sqllab/execution_context_convertor.py
+++ b/superset/sqllab/execution_context_convertor.py
@@ -60,7 +60,6 @@ def serialize_payload(self) -> str:
                 ),
                 default=utils.pessimistic_json_iso_dttm_ser,
                 ignore_nan=True,
-                encoding=None,
             )
 
         return json.dumps(

From fc28da0a7b569ef90af6f58ae8d6491376657276 Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Wed, 21 Feb 2024 06:03:41 -0800
Subject: [PATCH 060/114] fix(sqllab): typeahead search is broken in db
 selector (#27181)

(cherry picked from commit 8fbaf84f66585146c17c23ec3e530d59902efd75)
---
 .../DatabaseSelector.test.tsx                 | 26 +++++++++++++++++++
 .../src/components/DatabaseSelector/index.tsx |  4 +--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/superset-frontend/src/components/DatabaseSelector/DatabaseSelector.test.tsx b/superset-frontend/src/components/DatabaseSelector/DatabaseSelector.test.tsx
index 874d22ea6bb2b..18e676991261b 100644
--- a/superset-frontend/src/components/DatabaseSelector/DatabaseSelector.test.tsx
+++ b/superset-frontend/src/components/DatabaseSelector/DatabaseSelector.test.tsx
@@ -229,6 +229,32 @@ test('Should database select display options', async () => {
   expect(await screen.findByText('test-mysql')).toBeInTheDocument();
 });
 
+test('Should fetch the search keyword when total count exceeds initial options', async () => {
+  fetchMock.get(
+    databaseApiRoute,
+    {
+      ...fakeDatabaseApiResult,
+      count: fakeDatabaseApiResult.result.length + 1,
+    },
+    { overwriteRoutes: true },
+  );
+
+  const props = createProps();
+  render(<DatabaseSelector {...props} />, { useRedux: true, store });
+  const select = screen.getByRole('combobox', {
+    name: 'Select database or type to search databases',
+  });
+  await waitFor(() =>
+    expect(fetchMock.calls(databaseApiRoute)).toHaveLength(1),
+  );
+  expect(select).toBeInTheDocument();
+  userEvent.type(select, 'keywordtest');
+  await waitFor(() =>
+    expect(fetchMock.calls(databaseApiRoute)).toHaveLength(2),
+  );
+  expect(fetchMock.calls(databaseApiRoute)[1][0]).toContain('keywordtest');
+});
+
 test('should show empty state if there are no options', async () => {
   fetchMock.reset();
   fetchMock.get(databaseApiRoute, { result: [] });
diff --git a/superset-frontend/src/components/DatabaseSelector/index.tsx b/superset-frontend/src/components/DatabaseSelector/index.tsx
index 7b4afd9af05aa..0c0268db5c9e6 100644
--- a/superset-frontend/src/components/DatabaseSelector/index.tsx
+++ b/superset-frontend/src/components/DatabaseSelector/index.tsx
@@ -167,7 +167,7 @@ export default function DatabaseSelector({
         });
         const endpoint = `/api/v1/database/?q=${queryParams}`;
         return SupersetClient.get({ endpoint }).then(({ json }) => {
-          const { result } = json;
+          const { result, count } = json;
           if (getDbList) {
             getDbList(result);
           }
@@ -189,7 +189,7 @@ export default function DatabaseSelector({
 
           return {
             data: options,
-            totalCount: options.length,
+            totalCount: count ?? options.length,
           };
         });
       },

From 8706879755f8443f726e65b87fae3fd5b9869cfc Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Wed, 21 Feb 2024 13:01:26 -0500
Subject: [PATCH 061/114] fix: Failed to execute importScripts on worker-css
 (#27191)

(cherry picked from commit 983a1646c439116d0f65b7f2e9907ebb5046d672)
---
 .../src/components/AsyncAceEditor/index.tsx   |  4 ++++
 superset-frontend/src/types/ace-builds.ts     | 19 +++++++++++++++++++
 superset-frontend/webpack.config.js           |  4 ++++
 superset/views/core.py                        |  4 ++--
 4 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 superset-frontend/src/types/ace-builds.ts

diff --git a/superset-frontend/src/components/AsyncAceEditor/index.tsx b/superset-frontend/src/components/AsyncAceEditor/index.tsx
index 2e499e150bb40..1b755f50ef3d1 100644
--- a/superset-frontend/src/components/AsyncAceEditor/index.tsx
+++ b/superset-frontend/src/components/AsyncAceEditor/index.tsx
@@ -24,11 +24,15 @@ import {
   TextMode as OrigTextMode,
 } from 'brace';
 import AceEditor, { IAceEditorProps } from 'react-ace';
+import { config } from 'ace-builds';
 import { acequire } from 'ace-builds/src-noconflict/ace';
 import AsyncEsmComponent, {
   PlaceholderProps,
 } from 'src/components/AsyncEsmComponent';
 import useEffectEvent from 'src/hooks/useEffectEvent';
+import cssWorkerUrl from 'ace-builds/src-noconflict/worker-css';
+
+config.setModuleUrl('ace/mode/css_worker', cssWorkerUrl);
 
 export interface AceCompleterKeywordData {
   name: string;
diff --git a/superset-frontend/src/types/ace-builds.ts b/superset-frontend/src/types/ace-builds.ts
new file mode 100644
index 0000000000000..0c34a854034e7
--- /dev/null
+++ b/superset-frontend/src/types/ace-builds.ts
@@ -0,0 +1,19 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+declare module 'ace-builds/src-noconflict/worker-css';
diff --git a/superset-frontend/webpack.config.js b/superset-frontend/webpack.config.js
index dea99be2cffe4..2fa922873eca3 100644
--- a/superset-frontend/webpack.config.js
+++ b/superset-frontend/webpack.config.js
@@ -346,6 +346,10 @@ const config = {
         ],
         use: [babelLoader],
       },
+      {
+        test: /ace-builds.*\/worker-.*$/,
+        type: 'asset/resource',
+      },
       // react-hot-loader use "ProxyFacade", which is a wrapper for react Component
       // see https://github.com/gaearon/react-hot-loader/issues/1311
       // TODO: refactor recurseReactClone
diff --git a/superset/views/core.py b/superset/views/core.py
index 3e895e6b4b465..613ea89b34b1b 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -14,7 +14,7 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-# pylint: disable=invalid-name
+# pylint: disable=invalid-name,too-many-lines
 from __future__ import annotations
 
 import contextlib
@@ -46,8 +46,8 @@
 from superset.async_events.async_query_manager import AsyncQueryTokenException
 from superset.commands.chart.exceptions import ChartNotFoundError
 from superset.commands.chart.warm_up_cache import ChartWarmUpCacheCommand
-from superset.commands.dashboard.importers.v0 import ImportDashboardsCommand
 from superset.commands.dashboard.exceptions import DashboardAccessDeniedError
+from superset.commands.dashboard.importers.v0 import ImportDashboardsCommand
 from superset.commands.dashboard.permalink.get import GetDashboardPermalinkCommand
 from superset.commands.dataset.exceptions import DatasetNotFoundError
 from superset.commands.explore.form_data.create import CreateFormDataCommand

From ee7eec60ea9854773400361088f5f792e7135664 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Thu, 22 Feb 2024 17:01:29 -0500
Subject: [PATCH 062/114] fix: no limit in SELECT * for TOP dbs (#27215)

(cherry picked from commit c54fbe6e969fe57cddc69759796e4df1f603430e)
---
 superset/db_engine_specs/base.py              |  2 +-
 tests/unit_tests/db_engine_specs/test_base.py | 75 ++++++++++++++++++-
 2 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/superset/db_engine_specs/base.py b/superset/db_engine_specs/base.py
index 5edd4b7c06ea7..66293ccf52bbc 100644
--- a/superset/db_engine_specs/base.py
+++ b/superset/db_engine_specs/base.py
@@ -1441,7 +1441,7 @@ def select_star(  # pylint: disable=too-many-arguments,too-many-locals
 
         qry = select(fields).select_from(text(full_table_name))
 
-        if limit:
+        if limit and cls.allow_limit_clause:
             qry = qry.limit(limit)
         if latest_partition:
             partition_query = cls.where_latest_partition(
diff --git a/tests/unit_tests/db_engine_specs/test_base.py b/tests/unit_tests/db_engine_specs/test_base.py
index 7b1977ff14d01..e4cf4dfc1f9c0 100644
--- a/tests/unit_tests/db_engine_specs/test_base.py
+++ b/tests/unit_tests/db_engine_specs/test_base.py
@@ -14,13 +14,16 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-# pylint: disable=unused-argument, import-outside-toplevel, protected-access
+# pylint: disable=import-outside-toplevel, protected-access
 
 from textwrap import dedent
 from typing import Any, Optional
 
 import pytest
+from pytest_mock import MockFixture
 from sqlalchemy import types
+from sqlalchemy.dialects import sqlite
+from sqlalchemy.sql import sqltypes
 
 from superset.superset_typing import ResultSetColumnType, SQLAColumnType
 from superset.utils.core import GenericDataType
@@ -168,3 +171,73 @@ def test_convert_inspector_columns(
     from superset.db_engine_specs.base import convert_inspector_columns
 
     assert convert_inspector_columns(cols) == expected_result
+
+
+def test_select_star(mocker: MockFixture) -> None:
+    """
+    Test the ``select_star`` method.
+    """
+    from superset.db_engine_specs.base import BaseEngineSpec
+
+    class NoLimitDBEngineSpec(BaseEngineSpec):
+        allow_limit_clause = False
+
+    cols: list[ResultSetColumnType] = [
+        {
+            "column_name": "a",
+            "name": "a",
+            "type": sqltypes.String(),
+            "nullable": True,
+            "comment": None,
+            "default": None,
+            "precision": None,
+            "scale": None,
+            "max_length": None,
+            "is_dttm": False,
+        },
+    ]
+
+    # mock the database so we can compile the query
+    database = mocker.MagicMock()
+    database.compile_sqla_query = lambda query: str(
+        query.compile(dialect=sqlite.dialect())
+    )
+
+    engine = mocker.MagicMock()
+    engine.dialect = sqlite.dialect()
+
+    sql = BaseEngineSpec.select_star(
+        database=database,
+        table_name="my_table",
+        engine=engine,
+        schema=None,
+        limit=100,
+        show_cols=True,
+        indent=True,
+        latest_partition=False,
+        cols=cols,
+    )
+    assert (
+        sql
+        == """SELECT a
+FROM my_table
+LIMIT ?
+OFFSET ?"""
+    )
+
+    sql = NoLimitDBEngineSpec.select_star(
+        database=database,
+        table_name="my_table",
+        engine=engine,
+        schema=None,
+        limit=100,
+        show_cols=True,
+        indent=True,
+        latest_partition=False,
+        cols=cols,
+    )
+    assert (
+        sql
+        == """SELECT a
+FROM my_table"""
+    )

From 303b654a6067f411599120b68bb1b21327e5133d Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Fri, 23 Feb 2024 10:09:56 +0000
Subject: [PATCH 063/114] fix: setting important lower bounds versions on
 requirements (#27167)

---
 requirements/base.in     | 1 +
 requirements/base.txt    | 7 +++++--
 requirements/docker.in   | 3 +--
 requirements/docker.txt  | 4 ++--
 requirements/testing.in  | 1 +
 requirements/testing.txt | 3 ++-
 setup.py                 | 1 +
 7 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/requirements/base.in b/requirements/base.in
index 9d8313823765a..dc632a096af58 100644
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -17,3 +17,4 @@
 # under the License.
 #
 -e file:.
+urllib3>=1.26.18
diff --git a/requirements/base.txt b/requirements/base.txt
index c6c2c086da94e..4b607cf72562a 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -1,4 +1,4 @@
-# SHA1:a9dde048f1ee1f00586264d726d0e89f16e56183
+# SHA1:89ce10cd392b720033db86b747e77633711a8b5f
 #
 # This file is autogenerated by pip-compile-multi
 # To update, run:
@@ -233,7 +233,9 @@ packaging==23.1
 pandas[performance]==2.0.3
     # via apache-superset
 paramiko==3.4.0
-    # via sshtunnel
+    # via
+    #   apache-superset
+    #   sshtunnel
 parsedatetime==2.6
     # via apache-superset
 pgsanity==0.2.9
@@ -351,6 +353,7 @@ url-normalize==1.4.3
     # via requests-cache
 urllib3==1.26.18
     # via
+    #   -r requirements/base.in
     #   requests
     #   requests-cache
     #   selenium
diff --git a/requirements/docker.in b/requirements/docker.in
index b7e893f3e9c31..5b65cc68718f3 100644
--- a/requirements/docker.in
+++ b/requirements/docker.in
@@ -15,6 +15,5 @@
 # limitations under the License.
 #
 -r base.in
--e .[postgres]
-gevent
+-e .[postgres,gevent]
 greenlet>=2.0.2
diff --git a/requirements/docker.txt b/requirements/docker.txt
index be65b7d36b1bf..27c135e04c757 100644
--- a/requirements/docker.txt
+++ b/requirements/docker.txt
@@ -1,4 +1,4 @@
-# SHA1:439e3ee196ce81f342c935117ba5e0eeee8c385b
+# SHA1:f00a57c70a52607d638c19f64f426f887382927e
 #
 # This file is autogenerated by pip-compile-multi
 # To update, run:
@@ -11,7 +11,7 @@
     #   -r requirements/base.in
     #   -r requirements/docker.in
 gevent==23.9.1
-    # via -r requirements/docker.in
+    # via apache-superset
 psycopg2-binary==2.9.6
     # via apache-superset
 zope-event==4.5.0
diff --git a/requirements/testing.in b/requirements/testing.in
index 5b498bb09005d..3245886ec854d 100644
--- a/requirements/testing.in
+++ b/requirements/testing.in
@@ -20,6 +20,7 @@
 docker
 flask-testing
 freezegun
+grpcio>=1.55.3
 openapi-spec-validator
 parameterized
 pyfakefs
diff --git a/requirements/testing.txt b/requirements/testing.txt
index e7095b7f72804..e044f3ffab5af 100644
--- a/requirements/testing.txt
+++ b/requirements/testing.txt
@@ -1,4 +1,4 @@
-# SHA1:95300275481abb1413eb98a5c79fb7cf96814cdd
+# SHA1:a37a1037f359c1101162ef43288178fbf00c487d
 #
 # This file is autogenerated by pip-compile-multi
 # To update, run:
@@ -70,6 +70,7 @@ googleapis-common-protos==1.59.0
     #   grpcio-status
 grpcio==1.60.1
     # via
+    #   -r requirements/testing.in
     #   google-api-core
     #   google-cloud-bigquery
     #   grpcio-status
diff --git a/setup.py b/setup.py
index 25c547f2460f4..99e7499e6877c 100644
--- a/setup.py
+++ b/setup.py
@@ -108,6 +108,7 @@ def get_git_sha() -> str:
         "packaging",
         "pandas[performance]>=2.0.3, <2.1",
         "parsedatetime",
+        "paramiko>=3.4.0",
         "pgsanity",
         "polyline>=2.0.0, <3.0",
         "pyparsing>=3.0.6, <4",

From 465bce1480578a2919a5c25b2b0fa885b6120ce5 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Fri, 23 Feb 2024 17:57:49 +0000
Subject: [PATCH 064/114] fix: bump FAB to 4.4.1 (perf issue) (#27233)

(cherry picked from commit 62cf0365e9176e0ac0c68c64000ae2eca2104889)
---
 requirements/base.txt | 2 +-
 setup.py              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index 4b607cf72562a..3b871a688d93e 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -104,7 +104,7 @@ flask==2.2.5
     #   flask-session
     #   flask-sqlalchemy
     #   flask-wtf
-flask-appbuilder==4.4.0
+flask-appbuilder==4.4.1
     # via apache-superset
 flask-babel==1.0.0
     # via flask-appbuilder
diff --git a/setup.py b/setup.py
index 99e7499e6877c..baf0e8d6c2f1b 100644
--- a/setup.py
+++ b/setup.py
@@ -84,7 +84,7 @@ def get_git_sha() -> str:
         "cryptography>=41.0.2, <43.0.0",
         "deprecation>=2.1.0, <2.2.0",
         "flask>=2.2.5, <3.0.0",
-        "flask-appbuilder>=4.4.0, <5.0.0",
+        "flask-appbuilder>=4.4.1, <5.0.0",
         "flask-caching>=2.1.0, <3",
         "flask-compress>=1.13, <2.0",
         "flask-talisman>=1.0.0, <2.0",

From 51f359113919220871e86a9d5ddd520964f6a9ce Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Fri, 23 Feb 2024 13:31:58 -0500
Subject: [PATCH 065/114] chore: Removes Chromatic workflow and dependencies
 (#27232)

---
 .github/workflows/chromatic-master.yml        | 72 -------------------
 superset-frontend/package-lock.json           | 30 +-------
 superset-frontend/package.json                |  3 -
 .../shared/components/createQueryStory.tsx    |  3 -
 .../ConnectionStories.tsx                     |  6 +-
 5 files changed, 3 insertions(+), 111 deletions(-)
 delete mode 100644 .github/workflows/chromatic-master.yml

diff --git a/.github/workflows/chromatic-master.yml b/.github/workflows/chromatic-master.yml
deleted file mode 100644
index efdbfec2f65bb..0000000000000
--- a/.github/workflows/chromatic-master.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-# .github/workflows/chromatic.yml
-# see https://www.chromatic.com/docs/github-actions
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Workflow name
-name: 'Chromatic Storybook Master'
-
-# Event for the workflow
-# Only run if changes were made in superset-frontend folder of repo on merge to Master
-on:
-  # This will trigger when a branch merges to master when the PR has changes in the frontend folder updating the chromatic baseline
-  push:
-    branches:
-      - master
-    paths:
-      - "superset-frontend/**"
-
-# List of jobs
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.CHROMATIC_PROJECT_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  chromatic-deployment:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    # Operating System
-    runs-on: ubuntu-latest
-    # Job steps
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0 # 👈 Required to retrieve git history
-      - name: Install dependencies
-        run: npm ci
-        working-directory: superset-frontend
-      # 👇 Build and publish Storybook to Chromatic
-      - name: Build and publish Storybook to Chromatic
-        id: chromatic-master
-        uses: chromaui/action@v1
-        # Required options for the Chromatic GitHub Action
-        with:
-          # 👇 Location of package.json from root of mono-repo
-          workingDir: superset-frontend
-          # 👇 Chromatic projectToken, refer to the manage page to obtain it.
-          projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
-          exitZeroOnChanges: true # 👈 Option to prevent the workflow from failing
-          autoAcceptChanges: true # 👈 Option to accept all changes when merging to master
diff --git a/superset-frontend/package-lock.json b/superset-frontend/package-lock.json
index 8b371df9626a9..0a4ed84d6cd18 100644
--- a/superset-frontend/package-lock.json
+++ b/superset-frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "superset",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "superset",
-      "version": "3.1.0",
+      "version": "3.1.1",
       "license": "Apache-2.0",
       "workspaces": [
         "packages/*",
@@ -221,7 +221,6 @@
         "babel-plugin-dynamic-import-node": "^2.3.3",
         "babel-plugin-jsx-remove-data-test-id": "^2.1.3",
         "babel-plugin-lodash": "^3.3.4",
-        "chromatic": "^6.7.4",
         "copy-webpack-plugin": "^9.1.0",
         "cross-env": "^5.2.1",
         "css-loader": "^6.8.1",
@@ -25322,21 +25321,6 @@
       "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
       "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
     },
-    "node_modules/chromatic": {
-      "version": "6.7.4",
-      "resolved": "https://registry.npmjs.org/chromatic/-/chromatic-6.7.4.tgz",
-      "integrity": "sha512-QW4i8RQsON0JVnFnRf+8y70aIJptvC0Oi/26YJ669Dl03WmJRpobNO5qWFPTiv3KFKMc1Qf6/qFsRVZCtn+bfA==",
-      "dev": true,
-      "dependencies": {
-        "@discoveryjs/json-ext": "^0.5.7",
-        "@types/webpack-env": "^1.17.0"
-      },
-      "bin": {
-        "chroma": "bin/main.cjs",
-        "chromatic": "bin/main.cjs",
-        "chromatic-cli": "bin/main.cjs"
-      }
-    },
     "node_modules/chrome-trace-event": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/chrome-trace-event/-/chrome-trace-event-1.0.2.tgz",
@@ -84097,16 +84081,6 @@
       "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
       "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
     },
-    "chromatic": {
-      "version": "6.7.4",
-      "resolved": "https://registry.npmjs.org/chromatic/-/chromatic-6.7.4.tgz",
-      "integrity": "sha512-QW4i8RQsON0JVnFnRf+8y70aIJptvC0Oi/26YJ669Dl03WmJRpobNO5qWFPTiv3KFKMc1Qf6/qFsRVZCtn+bfA==",
-      "dev": true,
-      "requires": {
-        "@discoveryjs/json-ext": "^0.5.7",
-        "@types/webpack-env": "^1.17.0"
-      }
-    },
     "chrome-trace-event": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/chrome-trace-event/-/chrome-trace-event-1.0.2.tgz",
diff --git a/superset-frontend/package.json b/superset-frontend/package.json
index a43f110abc8b8..5d7c711bbe9a2 100644
--- a/superset-frontend/package.json
+++ b/superset-frontend/package.json
@@ -44,7 +44,6 @@
     "build-instrumented": "cross-env NODE_ENV=production BABEL_ENV=instrumented webpack --mode=production --color",
     "build-storybook": "build-storybook",
     "check-translation": "prettier --check ../superset/translations/**/LC_MESSAGES/*.json",
-    "chromatic": "npx chromatic --skip 'dependabot/**'  --only-changed",
     "clean-translation": "prettier --write ../superset/translations/**/LC_MESSAGES/*.json",
     "core:cover": "cross-env NODE_ENV=test jest --coverage --coverageThreshold='{\"global\":{\"statements\":100,\"branches\":100,\"functions\":100,\"lines\":100}}' --collectCoverageFrom='[\"packages/**/src/**/*.{js,ts}\", \"!packages/superset-ui-demo/**/*\"]' packages",
     "cover": "cross-env NODE_ENV=test jest --coverage",
@@ -56,7 +55,6 @@
     "plugins:build": "node ./scripts/build.js",
     "plugins:build-assets": "node ./scripts/copyAssets.js",
     "plugins:build-storybook": "cd packages/superset-ui-demo && npm run build-storybook",
-    "plugins:chromatic": "cd packages/superset-ui-demo && npm run chromatic",
     "plugins:create-conventional-version": "npm run prune && lerna version --conventional-commits --create-release github --no-private --yes",
     "plugins:create-minor-version": "npm run prune && lerna version minor --no-private --yes",
     "plugins:create-patch-version": "npm run prune && lerna version patch --no-private --yes",
@@ -286,7 +284,6 @@
     "babel-plugin-dynamic-import-node": "^2.3.3",
     "babel-plugin-jsx-remove-data-test-id": "^2.1.3",
     "babel-plugin-lodash": "^3.3.4",
-    "chromatic": "^6.7.4",
     "copy-webpack-plugin": "^9.1.0",
     "cross-env": "^5.2.1",
     "css-loader": "^6.8.1",
diff --git a/superset-frontend/packages/superset-ui-demo/storybook/shared/components/createQueryStory.tsx b/superset-frontend/packages/superset-ui-demo/storybook/shared/components/createQueryStory.tsx
index eb1d39e41a441..d6396d1320736 100644
--- a/superset-frontend/packages/superset-ui-demo/storybook/shared/components/createQueryStory.tsx
+++ b/superset-frontend/packages/superset-ui-demo/storybook/shared/components/createQueryStory.tsx
@@ -96,8 +96,5 @@ export default function createQueryStory({
       </div>
     );
   };
-  story.parameters = {
-    chromatic: { disable: true },
-  };
   return story;
 }
diff --git a/superset-frontend/packages/superset-ui-demo/storybook/stories/superset-ui-connection/ConnectionStories.tsx b/superset-frontend/packages/superset-ui-demo/storybook/stories/superset-ui-connection/ConnectionStories.tsx
index 3f75837e91aa7..4a31d8de35664 100644
--- a/superset-frontend/packages/superset-ui-demo/storybook/stories/superset-ui-connection/ConnectionStories.tsx
+++ b/superset-frontend/packages/superset-ui-demo/storybook/stories/superset-ui-connection/ConnectionStories.tsx
@@ -41,7 +41,7 @@ export default {
   ],
 };
 
-export const configureCORS = () => {
+export const ConfigureCORS = () => {
   const host = text('Superset App host for CORS request', 'localhost:8088');
   const selectEndpoint = select('Endpoint', ENDPOINTS, '');
   const customEndpoint = text('Custom Endpoint (override above)', '');
@@ -80,7 +80,3 @@ export const configureCORS = () => {
     </div>
   );
 };
-
-configureCORS.parameters = {
-  chromatic: { disable: true },
-};

From e687525524d406aa0a08a35af9a9fe6a02bf1167 Mon Sep 17 00:00:00 2001
From: John Bodley <4567245+john-bodley@users.noreply.github.com>
Date: Sat, 24 Feb 2024 08:47:36 +1300
Subject: [PATCH 066/114] fix(sqlglot): Address regressions introduced in
 #26476 (#27217)

(cherry picked from commit 2c564817f1978e34770e02034a7a4c02e1bfdc9f)
---
 superset/sql_parse.py               | 17 +++++++++++------
 tests/unit_tests/sql_parse_tests.py | 10 ++++++----
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index 7b89ab8f0e2cb..c85afc9460f12 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -28,7 +28,7 @@
 from sqlalchemy import and_
 from sqlglot import exp, parse, parse_one
 from sqlglot.dialects import Dialects
-from sqlglot.errors import ParseError
+from sqlglot.errors import SqlglotError
 from sqlglot.optimizer.scope import Scope, ScopeType, traverse_scope
 from sqlparse import keywords
 from sqlparse.lexer import Lexer
@@ -287,7 +287,7 @@ def _extract_tables_from_sql(self) -> set[Table]:
         """
         try:
             statements = parse(self.stripped(), dialect=self._dialect)
-        except ParseError:
+        except SqlglotError:
             logger.warning("Unable to parse SQL (%s): %s", self._dialect, self.sql)
             return set()
 
@@ -319,12 +319,17 @@ def _extract_tables_from_statement(self, statement: exp.Expression) -> set[Table
         elif isinstance(statement, exp.Command):
             # Commands, like `SHOW COLUMNS FROM foo`, have to be converted into a
             # `SELECT` statetement in order to extract tables.
-            literal = statement.find(exp.Literal)
-            if not literal:
+            if not (literal := statement.find(exp.Literal)):
                 return set()
 
-            pseudo_query = parse_one(f"SELECT {literal.this}", dialect=self._dialect)
-            sources = pseudo_query.find_all(exp.Table)
+            try:
+                pseudo_query = parse_one(
+                    f"SELECT {literal.this}",
+                    dialect=self._dialect,
+                )
+                sources = pseudo_query.find_all(exp.Table)
+            except SqlglotError:
+                return set()
         else:
             sources = [
                 source
diff --git a/tests/unit_tests/sql_parse_tests.py b/tests/unit_tests/sql_parse_tests.py
index f650b77734f36..2d2448c2fad90 100644
--- a/tests/unit_tests/sql_parse_tests.py
+++ b/tests/unit_tests/sql_parse_tests.py
@@ -271,6 +271,7 @@ def test_extract_tables_illdefined() -> None:
     assert extract_tables("SELECT * FROM catalogname..tbname") == {
         Table(table="tbname", schema=None, catalog="catalogname")
     }
+    assert extract_tables('SELECT * FROM "tbname') == set()
 
 
 def test_extract_tables_show_tables_from() -> None:
@@ -558,6 +559,10 @@ def test_extract_tables_multistatement() -> None:
         Table("t1"),
         Table("t2"),
     }
+    assert extract_tables(
+        "ADD JAR file:///hive.jar; SELECT * FROM t1;",
+        engine="hive",
+    ) == {Table("t1")}
 
 
 def test_extract_tables_complex() -> None:
@@ -1816,10 +1821,7 @@ def test_extract_table_references(mocker: MockerFixture) -> None:
     # test falling back to sqlparse
     logger = mocker.patch("superset.sql_parse.logger")
     sql = "SELECT * FROM table UNION ALL SELECT * FROM other_table"
-    assert extract_table_references(
-        sql,
-        "trino",
-    ) == {
+    assert extract_table_references(sql, "trino") == {
         Table(table="table", schema=None, catalog=None),
         Table(table="other_table", schema=None, catalog=None),
     }

From a1ebdd70b1dd573941f045509f96419804621529 Mon Sep 17 00:00:00 2001
From: Jack <41238731+fisjac@users.noreply.github.com>
Date: Fri, 23 Feb 2024 14:05:05 -0600
Subject: [PATCH 067/114] fix(reports): fixing unit test  (#27236)

(cherry picked from commit 62783150727d5239eb7588728c941d9df8283120)
---
 superset-frontend/src/types/dom-to-pdf.d.ts | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/superset-frontend/src/types/dom-to-pdf.d.ts b/superset-frontend/src/types/dom-to-pdf.d.ts
index bc884fd43ad63..0d45ac5afd54a 100644
--- a/superset-frontend/src/types/dom-to-pdf.d.ts
+++ b/superset-frontend/src/types/dom-to-pdf.d.ts
@@ -12,9 +12,7 @@ declare module 'dom-to-pdf' {
     excludeClassNames?: string[];
   }
 
-  const domToPdf = (
-    elementToPrint: Element,
-    options?: Options,
-  ): Promise<any> => {};
+  function domToPdf(elementToPrint: Element, options?: Options): Promise<any>;
+
   export default domToPdf;
 }

From 744e403b0cac72c0c52d2dbf88fe7c107c786fe3 Mon Sep 17 00:00:00 2001
From: Evan Rusackas <evan@preset.io>
Date: Fri, 23 Feb 2024 13:25:21 -0700
Subject: [PATCH 068/114] fix(trino): bumping trino to fix hudi schema fetching
 (#27213)

---
 requirements/base.txt        |  4 +++-
 requirements/development.txt | 11 +----------
 requirements/testing.txt     |  2 +-
 setup.py                     |  2 +-
 4 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index 3b871a688d93e..09b81ec61a49d 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -141,7 +141,9 @@ geographiclib==1.52
 geopy==2.2.0
     # via apache-superset
 greenlet==2.0.2
-    # via shillelagh
+    # via
+    #   shillelagh
+    #   sqlalchemy
 gunicorn==21.2.0
     # via apache-superset
 hashids==1.3.1
diff --git a/requirements/development.txt b/requirements/development.txt
index ca80cd60ede93..58dd97a75329c 100644
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -82,10 +82,6 @@ ptyprocess==0.7.0
     # via pexpect
 pure-eval==0.2.2
     # via stack-data
-pure-sasl==0.6.2
-    # via
-    #   pyhive
-    #   thrift-sasl
 pyasn1==0.5.0
     # via
     #   pyasn1-modules
@@ -115,12 +111,7 @@ tableschema==1.20.2
 tabulator==1.53.5
     # via tableschema
 thrift==0.16.0
-    # via
-    #   apache-superset
-    #   pyhive
-    #   thrift-sasl
-thrift-sasl==0.4.3
-    # via pyhive
+    # via apache-superset
 tomli==2.0.1
     # via pylint
 tomlkit==0.11.8
diff --git a/requirements/testing.txt b/requirements/testing.txt
index e044f3ffab5af..382e3bee4b8ee 100644
--- a/requirements/testing.txt
+++ b/requirements/testing.txt
@@ -145,7 +145,7 @@ tqdm==4.65.0
     # via
     #   cmdstanpy
     #   prophet
-trino==0.324.0
+trino==0.328.0
     # via apache-superset
 tzlocal==4.3
     # via trino
diff --git a/setup.py b/setup.py
index baf0e8d6c2f1b..cb6be9ec12edb 100644
--- a/setup.py
+++ b/setup.py
@@ -191,7 +191,7 @@ def get_git_sha() -> str:
         "playwright": ["playwright>=1.37.0, <2"],
         "postgres": ["psycopg2-binary==2.9.6"],
         "presto": ["pyhive[presto]>=0.6.5"],
-        "trino": ["trino>=0.324.0"],
+        "trino": ["trino>=0.328.0"],
         "prophet": ["prophet>=1.1.5, <2"],
         "redshift": ["sqlalchemy-redshift>=0.8.1, <0.9"],
         "rockset": ["rockset-sqlalchemy>=0.0.1, <1"],

From 0d2cf7c93807950d8c705fc6120714de5337fddc Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Tue, 27 Feb 2024 08:20:42 -0500
Subject: [PATCH 069/114] fix: Sorting charts/dashboards makes the applied
 filters ineffective (#27258)

(cherry picked from commit 8b4dce71d6cbe3b48c8847c2f641bd7dd5de3e3c)
---
 .../cypress/e2e/chart_list/list.test.ts        |  7 +++++++
 .../cypress/e2e/dashboard_list/list.test.ts    |  7 +++++++
 .../src/components/ListView/CardSortSelect.tsx | 18 +++++++++---------
 .../src/components/ListView/ListView.tsx       |  9 ++++-----
 .../src/components/ListView/types.ts           |  4 +---
 .../src/components/ListView/utils.ts           |  4 +++-
 6 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/superset-frontend/cypress-base/cypress/e2e/chart_list/list.test.ts b/superset-frontend/cypress-base/cypress/e2e/chart_list/list.test.ts
index 44f348edc50f5..3cd1f91b49003 100644
--- a/superset-frontend/cypress-base/cypress/e2e/chart_list/list.test.ts
+++ b/superset-frontend/cypress-base/cypress/e2e/chart_list/list.test.ts
@@ -173,6 +173,13 @@ describe('Charts list', () => {
       orderAlphabetical();
       cy.getBySel('styled-card').first().contains('% Rural');
     });
+
+    it('should preserve other filters when sorting', () => {
+      cy.getBySel('styled-card').should('have.length', 25);
+      setFilter('Type', 'Big Number');
+      setFilter('Sort', 'Least recently modified');
+      cy.getBySel('styled-card').should('have.length', 3);
+    });
   });
 
   describe('common actions', () => {
diff --git a/superset-frontend/cypress-base/cypress/e2e/dashboard_list/list.test.ts b/superset-frontend/cypress-base/cypress/e2e/dashboard_list/list.test.ts
index 7dfb7cd673d7f..917ca104550d2 100644
--- a/superset-frontend/cypress-base/cypress/e2e/dashboard_list/list.test.ts
+++ b/superset-frontend/cypress-base/cypress/e2e/dashboard_list/list.test.ts
@@ -117,6 +117,13 @@ describe('Dashboards list', () => {
       orderAlphabetical();
       cy.getBySel('styled-card').first().contains('Supported Charts Dashboard');
     });
+
+    it('should preserve other filters when sorting', () => {
+      cy.getBySel('styled-card').should('have.length', 5);
+      setFilter('Status', 'Published');
+      setFilter('Sort', 'Least recently modified');
+      cy.getBySel('styled-card').should('have.length', 3);
+    });
   });
 
   describe('common actions', () => {
diff --git a/superset-frontend/src/components/ListView/CardSortSelect.tsx b/superset-frontend/src/components/ListView/CardSortSelect.tsx
index 479355881f900..2a77d51cfb94e 100644
--- a/superset-frontend/src/components/ListView/CardSortSelect.tsx
+++ b/superset-frontend/src/components/ListView/CardSortSelect.tsx
@@ -21,7 +21,7 @@ import { styled, t } from '@superset-ui/core';
 import { Select } from 'src/components';
 import { FormLabel } from 'src/components/Form';
 import { SELECT_WIDTH } from './utils';
-import { CardSortSelectOption, FetchDataConfig, SortColumn } from './types';
+import { CardSortSelectOption, SortColumn } from './types';
 
 const SortContainer = styled.div`
   display: inline-flex;
@@ -32,22 +32,22 @@ const SortContainer = styled.div`
 `;
 
 interface CardViewSelectSortProps {
-  onChange: (conf: FetchDataConfig) => any;
+  onChange: (value: SortColumn[]) => void;
   options: Array<CardSortSelectOption>;
   initialSort?: SortColumn[];
-  pageIndex: number;
-  pageSize: number;
 }
 
 export const CardSortSelect = ({
   initialSort,
   onChange,
   options,
-  pageIndex,
-  pageSize,
 }: CardViewSelectSortProps) => {
   const defaultSort =
-    (initialSort && options.find(({ id }) => id === initialSort[0].id)) ||
+    (initialSort &&
+      options.find(
+        ({ id, desc }) =>
+          id === initialSort[0].id && desc === initialSort[0].desc,
+      )) ||
     options[0];
 
   const [value, setValue] = useState({
@@ -72,7 +72,7 @@ export const CardSortSelect = ({
           desc: originalOption.desc,
         },
       ];
-      onChange({ pageIndex, pageSize, sortBy, filters: [] });
+      onChange(sortBy);
     }
   };
 
@@ -82,7 +82,7 @@ export const CardSortSelect = ({
         ariaLabel={t('Sort')}
         header={<FormLabel>{t('Sort')}</FormLabel>}
         labelInValue
-        onChange={(value: CardSortSelectOption) => handleOnChange(value)}
+        onChange={handleOnChange}
         options={formattedOptions}
         showSearch
         value={value}
diff --git a/superset-frontend/src/components/ListView/ListView.tsx b/superset-frontend/src/components/ListView/ListView.tsx
index 82cf6b187846a..93847ca5d879d 100644
--- a/superset-frontend/src/components/ListView/ListView.tsx
+++ b/superset-frontend/src/components/ListView/ListView.tsx
@@ -271,10 +271,11 @@ function ListView<T extends object = any>({
     pageCount = 1,
     gotoPage,
     applyFilterValue,
+    setSortBy,
     selectedFlatRows,
     toggleAllRowsSelected,
     setViewMode,
-    state: { pageIndex, pageSize, internalFilters, viewMode },
+    state: { pageIndex, pageSize, internalFilters, sortBy, viewMode },
     query,
   } = useListViewState({
     bulkSelectColumnConfig,
@@ -350,11 +351,9 @@ function ListView<T extends object = any>({
             )}
             {viewMode === 'card' && cardSortSelectOptions && (
               <CardSortSelect
-                initialSort={initialSort}
-                onChange={fetchData}
+                initialSort={sortBy}
+                onChange={(value: SortColumn[]) => setSortBy(value)}
                 options={cardSortSelectOptions}
-                pageIndex={pageIndex}
-                pageSize={pageSize}
               />
             )}
           </div>
diff --git a/superset-frontend/src/components/ListView/types.ts b/superset-frontend/src/components/ListView/types.ts
index 0c1314f2637c6..a526d6870d4cc 100644
--- a/superset-frontend/src/components/ListView/types.ts
+++ b/superset-frontend/src/components/ListView/types.ts
@@ -23,8 +23,6 @@ export interface SortColumn {
   desc?: boolean;
 }
 
-export type SortColumns = SortColumn[];
-
 export interface SelectOption {
   label: string;
   value: any;
@@ -84,7 +82,7 @@ export interface FilterValue {
 export interface FetchDataConfig {
   pageIndex: number;
   pageSize: number;
-  sortBy: SortColumns;
+  sortBy: SortColumn[];
   filters: FilterValue[];
 }
 
diff --git a/superset-frontend/src/components/ListView/utils.ts b/superset-frontend/src/components/ListView/utils.ts
index 8a8c57cb6234e..ec80e4cff52d0 100644
--- a/superset-frontend/src/components/ListView/utils.ts
+++ b/superset-frontend/src/components/ListView/utils.ts
@@ -221,7 +221,7 @@ export function useListViewState({
       query.sortColumn && query.sortOrder
         ? [{ id: query.sortColumn, desc: query.sortOrder === 'desc' }]
         : initialSort,
-    [query.sortColumn, query.sortOrder],
+    [initialSort, query.sortColumn, query.sortOrder],
   );
 
   const initialState = {
@@ -257,6 +257,7 @@ export function useListViewState({
     pageCount,
     gotoPage,
     setAllFilters,
+    setSortBy,
     selectedFlatRows,
     toggleAllRowsSelected,
     state: { pageIndex, pageSize, sortBy, filters },
@@ -374,6 +375,7 @@ export function useListViewState({
     rows,
     selectedFlatRows,
     setAllFilters,
+    setSortBy,
     state: { pageIndex, pageSize, sortBy, filters, internalFilters, viewMode },
     toggleAllRowsSelected,
     applyFilterValue,

From dc493fe7afeab11464c435b09b6da8b6e1caaf32 Mon Sep 17 00:00:00 2001
From: James O'Claire <jamesoclaire@gmail.com>
Date: Tue, 27 Feb 2024 23:32:04 +0800
Subject: [PATCH 070/114] fix(import-datasources): Use "admin" user as default
 for importing datasources (#27154)

---
 superset/cli/importexport.py | 39 ++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 15 deletions(-)

diff --git a/superset/cli/importexport.py b/superset/cli/importexport.py
index 5b19cc9ffc0d4..56abcc31fea14 100755
--- a/superset/cli/importexport.py
+++ b/superset/cli/importexport.py
@@ -29,6 +29,7 @@
 from superset import security_manager
 from superset.cli.lib import feature_flags
 from superset.extensions import db
+from superset.utils.core import override_user
 
 logger = logging.getLogger(__name__)
 
@@ -174,26 +175,34 @@ def import_dashboards(path: str, username: Optional[str]) -> None:
         "-p",
         help="Path to a single ZIP file",
     )
-    def import_datasources(path: str) -> None:
+    @click.option(
+        "--username",
+        "-u",
+        required=False,
+        default="admin",
+        help="Specify the user name to assign datasources to",
+    )
+    def import_datasources(path: str, username: Optional[str] = "admin") -> None:
         """Import datasources from ZIP file"""
         # pylint: disable=import-outside-toplevel
         from superset.commands.dataset.importers.dispatcher import ImportDatasetsCommand
         from superset.commands.importers.v1.utils import get_contents_from_bundle
 
-        if is_zipfile(path):
-            with ZipFile(path) as bundle:
-                contents = get_contents_from_bundle(bundle)
-        else:
-            with open(path) as file:
-                contents = {path: file.read()}
-        try:
-            ImportDatasetsCommand(contents, overwrite=True).run()
-        except Exception:  # pylint: disable=broad-except
-            logger.exception(
-                "There was an error when importing the dataset(s), please check the "
-                "exception traceback in the log"
-            )
-            sys.exit(1)
+        with override_user(user=security_manager.find_user(username=username)):
+            if is_zipfile(path):
+                with ZipFile(path) as bundle:
+                    contents = get_contents_from_bundle(bundle)
+            else:
+                with open(path) as file:
+                    contents = {path: file.read()}
+            try:
+                ImportDatasetsCommand(contents, overwrite=True).run()
+            except Exception:  # pylint: disable=broad-except
+                logger.exception(
+                    "There was an error when importing the dataset(s), please check the "
+                    "exception traceback in the log"
+                )
+                sys.exit(1)
 
 else:
 

From 38bc2d3b02aabdf2599d6b29fb56c728b7decaa8 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Tue, 27 Feb 2024 11:38:18 -0500
Subject: [PATCH 071/114] fix: Inoperable dashboard filter slider when range is
 <= 1 (#27271)

Co-authored-by: Justin Francos <jfrancos@manifold.ai>
(cherry picked from commit ce9e4b4b776ba8071aab2ede538b51828250bb2b)
---
 .../filters/components/Range/RangeFilterPlugin.tsx | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/superset-frontend/src/filters/components/Range/RangeFilterPlugin.tsx b/superset-frontend/src/filters/components/Range/RangeFilterPlugin.tsx
index 5c8533dd1e5ad..9b30cd4824768 100644
--- a/superset-frontend/src/filters/components/Range/RangeFilterPlugin.tsx
+++ b/superset-frontend/src/filters/components/Range/RangeFilterPlugin.tsx
@@ -300,6 +300,16 @@ export default function RangeFilterPlugin(props: PluginFilterRangeProps) {
     }
   }, [enableSingleExactValue]);
 
+  const MIN_NUM_STEPS = 20;
+  const stepHeuristic = (min: number, max: number) => {
+    const maxStepSize = (max - min) / MIN_NUM_STEPS;
+    // normalizedStepSize: .06 -> .01, .003 -> .001
+    const normalizedStepSize = `1E${Math.floor(Math.log10(maxStepSize))}`;
+    return Math.min(1, parseFloat(normalizedStepSize));
+  };
+
+  const step = max - min <= 1 ? stepHeuristic(min, max) : 1;
+
   return (
     <FilterPluginStyle height={height} width={width}>
       {Number.isNaN(Number(min)) || Number.isNaN(Number(max)) ? (
@@ -323,6 +333,7 @@ export default function RangeFilterPlugin(props: PluginFilterRangeProps) {
               <AntdSlider
                 min={min}
                 max={max}
+                step={step}
                 value={minMax[maxIndex]}
                 tipFormatter={tipFormatter}
                 marks={marks}
@@ -335,6 +346,7 @@ export default function RangeFilterPlugin(props: PluginFilterRangeProps) {
                 validateStatus={filterState.validateStatus}
                 min={min}
                 max={max}
+                step={step}
                 value={minMax[minIndex]}
                 tipFormatter={tipFormatter}
                 marks={marks}
@@ -346,6 +358,7 @@ export default function RangeFilterPlugin(props: PluginFilterRangeProps) {
               <AntdSlider
                 min={min}
                 max={max}
+                step={step}
                 included={false}
                 value={minMax[minIndex]}
                 tipFormatter={tipFormatter}
@@ -359,6 +372,7 @@ export default function RangeFilterPlugin(props: PluginFilterRangeProps) {
                 range
                 min={min}
                 max={max}
+                step={step}
                 value={minMax}
                 onAfterChange={handleAfterChange}
                 onChange={handleChange}

From 254f1ae512b91112c74378b80199801cb2a9aeca Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Wed, 28 Feb 2024 10:15:28 -0500
Subject: [PATCH 072/114] fix: Navigating to an invalid page index in lists
 (#27273)

---
 .../src/components/ListView/ListView.test.tsx | 74 +++++++++++++++++++
 .../src/components/ListView/ListView.tsx      |  8 +-
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 superset-frontend/src/components/ListView/ListView.test.tsx

diff --git a/superset-frontend/src/components/ListView/ListView.test.tsx b/superset-frontend/src/components/ListView/ListView.test.tsx
new file mode 100644
index 0000000000000..9f4da16140f2c
--- /dev/null
+++ b/superset-frontend/src/components/ListView/ListView.test.tsx
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import React from 'react';
+import { render, waitFor } from 'spec/helpers/testing-library';
+import ListView from './ListView';
+
+const mockedProps = {
+  title: 'Data Table',
+  columns: [
+    {
+      accessor: 'id',
+      Header: 'ID',
+      sortable: true,
+    },
+    {
+      accessor: 'age',
+      Header: 'Age',
+    },
+    {
+      accessor: 'name',
+      Header: 'Name',
+    },
+    {
+      accessor: 'time',
+      Header: 'Time',
+    },
+  ],
+  data: [
+    { id: 1, name: 'data 1', age: 10, time: '2020-11-18T07:53:45.354Z' },
+    { id: 2, name: 'data 2', age: 1, time: '2020-11-18T07:53:45.354Z' },
+  ],
+  count: 2,
+  pageSize: 1,
+  loading: false,
+  refreshData: jest.fn(),
+  addSuccessToast: jest.fn(),
+  addDangerToast: jest.fn(),
+};
+
+test('redirects to first page when page index is invalid', async () => {
+  const fetchData = jest.fn();
+  window.history.pushState({}, '', '/?pageIndex=9');
+  render(<ListView {...mockedProps} fetchData={fetchData} />, {
+    useRouter: true,
+    useQueryParams: true,
+  });
+  await waitFor(() => {
+    expect(window.location.search).toEqual('?pageIndex=0');
+    expect(fetchData).toBeCalledTimes(2);
+    expect(fetchData).toHaveBeenCalledWith(
+      expect.objectContaining({ pageIndex: 9 }),
+    );
+    expect(fetchData).toHaveBeenCalledWith(
+      expect.objectContaining({ pageIndex: 0 }),
+    );
+  });
+  fetchData.mockClear();
+});
diff --git a/superset-frontend/src/components/ListView/ListView.tsx b/superset-frontend/src/components/ListView/ListView.tsx
index 93847ca5d879d..0cdb4ba034d44 100644
--- a/superset-frontend/src/components/ListView/ListView.tsx
+++ b/superset-frontend/src/components/ListView/ListView.tsx
@@ -322,6 +322,12 @@ function ListView<T extends object = any>({
     if (!bulkSelectEnabled) toggleAllRowsSelected(false);
   }, [bulkSelectEnabled, toggleAllRowsSelected]);
 
+  useEffect(() => {
+    if (!loading && pageIndex > pageCount - 1 && pageCount > 0) {
+      gotoPage(0);
+    }
+  }, [gotoPage, loading, pageCount, pageIndex]);
+
   return (
     <ListViewStyles>
       {allowBulkTagActions && (
@@ -463,7 +469,7 @@ function ListView<T extends object = any>({
         <div className="pagination-container">
           <Pagination
             totalPages={pageCount || 0}
-            currentPage={pageCount ? pageIndex + 1 : 0}
+            currentPage={pageCount && pageIndex < pageCount ? pageIndex + 1 : 0}
             onChange={(p: number) => gotoPage(p - 1)}
             hideFirstAndLastPageLinks
           />

From e80179a056d3bbf4617fe2eb9b619614f39c554f Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Thu, 29 Feb 2024 08:53:09 -0500
Subject: [PATCH 073/114] fix: Data zoom with horizontal orientation (#27291)

(cherry picked from commit 7854b622a34c9a9674e2c916acb8acbc63714fb8)
---
 .../plugin-chart-echarts/src/Timeseries/transformProps.ts  | 2 +-
 .../plugin-chart-echarts/src/Timeseries/transformers.ts    | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
index 451685ec0a116..78245cc9d9d52 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformProps.ts
@@ -575,7 +575,6 @@ export default function transformProps(
       right: TIMESERIES_CONSTANTS.toolboxRight,
       feature: {
         dataZoom: {
-          yAxisIndex: false,
           title: {
             zoom: t('zoom area'),
             back: t('restore zoom'),
@@ -590,6 +589,7 @@ export default function transformProps(
             start: TIMESERIES_CONSTANTS.dataZoomStart,
             end: TIMESERIES_CONSTANTS.dataZoomEnd,
             bottom: TIMESERIES_CONSTANTS.zoomBottom,
+            yAxisIndex: isHorizontal ? 0 : undefined,
           },
         ]
       : [],
diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts
index 5b9fa43047a3c..be89fdfc74c96 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/Timeseries/transformers.ts
@@ -570,9 +570,10 @@ export function getPadding(
         yAxisTitlePosition && yAxisTitlePosition === 'Top'
           ? TIMESERIES_CONSTANTS.gridOffsetTop + (Number(yAxisTitleMargin) || 0)
           : TIMESERIES_CONSTANTS.gridOffsetTop + yAxisOffset,
-      bottom: zoomable
-        ? TIMESERIES_CONSTANTS.gridOffsetBottomZoomable + xAxisOffset
-        : TIMESERIES_CONSTANTS.gridOffsetBottom + xAxisOffset,
+      bottom:
+        zoomable && !isHorizontal
+          ? TIMESERIES_CONSTANTS.gridOffsetBottomZoomable + xAxisOffset
+          : TIMESERIES_CONSTANTS.gridOffsetBottom + xAxisOffset,
       left:
         yAxisTitlePosition === 'Left'
           ? TIMESERIES_CONSTANTS.gridOffsetLeft +

From 22e3419e369976a4d2d98df0e1e52beaf07444d3 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Thu, 29 Feb 2024 10:03:20 -0500
Subject: [PATCH 074/114] fix: Incorrect data type on import page (#27307)

(cherry picked from commit fa04eec2d5cdd2698e8a3f28926ab70d17358e86)
---
 superset/views/database/forms.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/superset/views/database/forms.py b/superset/views/database/forms.py
index f8e528c4e3b63..6b39765bed1e3 100644
--- a/superset/views/database/forms.py
+++ b/superset/views/database/forms.py
@@ -146,7 +146,8 @@ class CsvToDatabaseForm(UploadToDatabaseForm):
         description=_(
             "A dictionary with column names and their data types"
             " if you need to change the defaults."
-            ' Example: {"user_id":"integer"}'
+            ' Example: {"user_id":"int"}. '
+            "Check Python's Pandas library for supported data types."
         ),
         validators=[Optional()],
         widget=BS3TextFieldWidget(),

From c39e16e624d3156a07a57ba3611c7b6bf0df2e9a Mon Sep 17 00:00:00 2001
From: goto-loop <102797966+goto-loop@users.noreply.github.com>
Date: Thu, 29 Feb 2024 17:41:23 +0100
Subject: [PATCH 075/114] fix(plugin-chart-echarts): calculate Gauge Chart
 intervals correctly when min value is set (#27285)

(cherry picked from commit d65f64d1ceacb69226fa1907343405b5571bc6a8)
---
 .../src/Gauge/transformProps.ts               | 13 ++---
 .../test/Gauge/transformProps.test.ts         | 54 +++++++++++++++++--
 2 files changed, 58 insertions(+), 9 deletions(-)

diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/Gauge/transformProps.ts b/superset-frontend/plugins/plugin-chart-echarts/src/Gauge/transformProps.ts
index f32993b1dfc25..231b0d65dac20 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/Gauge/transformProps.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/Gauge/transformProps.ts
@@ -48,11 +48,12 @@ import { getDefaultTooltip } from '../utils/tooltip';
 import { Refs } from '../types';
 import { getColtypesMapping } from '../utils/series';
 
-const setIntervalBoundsAndColors = (
+export const getIntervalBoundsAndColors = (
   intervals: string,
   intervalColorIndices: string,
   colorFn: CategoricalColorScale,
-  normalizer: number,
+  min: number,
+  max: number,
 ): Array<[number, string]> => {
   let intervalBoundsNonNormalized;
   let intervalColorIndicesArray;
@@ -65,7 +66,7 @@ const setIntervalBoundsAndColors = (
   }
 
   const intervalBounds = intervalBoundsNonNormalized.map(
-    bound => bound / normalizer,
+    bound => (bound - min) / (max - min),
   );
   const intervalColors = intervalColorIndicesArray.map(
     ind => colorFn.colors[(ind - 1) % colorFn.colors.length],
@@ -221,12 +222,12 @@ export default function transformProps(
   const axisLabelLength = Math.max(
     ...axisLabels.map(label => numberFormatter(label).length).concat([1]),
   );
-  const normalizer = max;
-  const intervalBoundsAndColors = setIntervalBoundsAndColors(
+  const intervalBoundsAndColors = getIntervalBoundsAndColors(
     intervals,
     intervalColorIndices,
     colorFn,
-    normalizer,
+    min,
+    max,
   );
   const splitLineDistance =
     axisLineWidth + splitLineLength + OFFSETS.ticksFromLine;
diff --git a/superset-frontend/plugins/plugin-chart-echarts/test/Gauge/transformProps.test.ts b/superset-frontend/plugins/plugin-chart-echarts/test/Gauge/transformProps.test.ts
index 915a8b9e9dd37..760e3ff93c2b4 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/test/Gauge/transformProps.test.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/test/Gauge/transformProps.test.ts
@@ -16,8 +16,15 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import { ChartProps, SqlaFormData, supersetTheme } from '@superset-ui/core';
-import transformProps from '../../src/Gauge/transformProps';
+import {
+  CategoricalColorNamespace,
+  ChartProps,
+  SqlaFormData,
+  supersetTheme,
+} from '@superset-ui/core';
+import transformProps, {
+  getIntervalBoundsAndColors,
+} from '../../src/Gauge/transformProps';
 import { EchartsGaugeChartProps } from '../../src/Gauge/types';
 
 describe('Echarts Gauge transformProps', () => {
@@ -256,8 +263,9 @@ describe('Echarts Gauge transformProps', () => {
     const formData: SqlaFormData = {
       ...baseFormData,
       groupby: ['year', 'platform'],
-      intervals: '50,100',
+      intervals: '60,100',
       intervalColorIndices: '1,2',
+      minVal: 20,
     };
     const queriesData = [
       {
@@ -342,3 +350,43 @@ describe('Echarts Gauge transformProps', () => {
     );
   });
 });
+
+describe('getIntervalBoundsAndColors', () => {
+  it('should generate correct interval bounds and colors', () => {
+    const colorFn = CategoricalColorNamespace.getScale(
+      'supersetColors' as string,
+    );
+    expect(getIntervalBoundsAndColors('', '', colorFn, 0, 10)).toEqual([]);
+    expect(getIntervalBoundsAndColors('4, 10', '1, 2', colorFn, 0, 10)).toEqual(
+      [
+        [0.4, '#1f77b4'],
+        [1, '#ff7f0e'],
+      ],
+    );
+    expect(
+      getIntervalBoundsAndColors('4, 8, 10', '9, 8, 7', colorFn, 0, 10),
+    ).toEqual([
+      [0.4, '#bcbd22'],
+      [0.8, '#7f7f7f'],
+      [1, '#e377c2'],
+    ]);
+    expect(getIntervalBoundsAndColors('4, 10', '1, 2', colorFn, 2, 10)).toEqual(
+      [
+        [0.25, '#1f77b4'],
+        [1, '#ff7f0e'],
+      ],
+    );
+    expect(
+      getIntervalBoundsAndColors('-4, 0', '1, 2', colorFn, -10, 0),
+    ).toEqual([
+      [0.6, '#1f77b4'],
+      [1, '#ff7f0e'],
+    ]);
+    expect(
+      getIntervalBoundsAndColors('-4, -2', '1, 2', colorFn, -10, -2),
+    ).toEqual([
+      [0.75, '#1f77b4'],
+      [1, '#ff7f0e'],
+    ]);
+  });
+});

From da6a25780ef157bfb1e94d647f2e1c734b95ac94 Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Thu, 29 Feb 2024 09:57:30 -0800
Subject: [PATCH 076/114] fix(sqllab): invalid dump sql shown after closing tab
 (#27295)

---
 .../components/SqlEditor/SqlEditor.test.tsx   | 43 ++++++++++++++++++-
 .../src/SqlLab/components/SqlEditor/index.tsx | 28 ++++++++++--
 .../src/SqlLab/reducers/getInitialState.ts    |  2 +-
 .../src/SqlLab/reducers/sqlLab.js             |  5 ++-
 .../src/SqlLab/reducers/sqlLab.test.js        | 19 ++++++++
 5 files changed, 91 insertions(+), 6 deletions(-)

diff --git a/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx b/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx
index 63f67170d05ff..d491330443322 100644
--- a/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx
+++ b/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx
@@ -17,6 +17,7 @@
  * under the License.
  */
 import React from 'react';
+import * as uiCore from '@superset-ui/core';
 import { act } from 'react-dom/test-utils';
 import { fireEvent, render, waitFor } from 'spec/helpers/testing-library';
 import fetchMock from 'fetch-mock';
@@ -31,7 +32,7 @@ import {
 import SqlEditorLeftBar from 'src/SqlLab/components/SqlEditorLeftBar';
 import ResultSet from 'src/SqlLab/components/ResultSet';
 import { api } from 'src/hooks/apiResources/queryApi';
-import { getExtensionsRegistry } from '@superset-ui/core';
+import { getExtensionsRegistry, FeatureFlag } from '@superset-ui/core';
 import setupExtensions from 'src/setup/setupExtensions';
 import type { Action, Middleware, Store } from 'redux';
 import SqlEditor, { Props } from '.';
@@ -63,6 +64,7 @@ fetchMock.get('glob:*/api/v1/database/*/function_names/', {
 });
 fetchMock.get('glob:*/api/v1/database/*', { result: [] });
 fetchMock.get('glob:*/api/v1/database/*/tables/*', { options: [] });
+fetchMock.get('glob:*/tabstateview/*', defaultQueryEditor);
 fetchMock.post('glob:*/sqllab/execute/*', { result: [] });
 
 let store: Store;
@@ -290,4 +292,43 @@ describe('SqlEditor', () => {
       await findByText('sqleditor.extension.form extension component'),
     ).toBeInTheDocument();
   });
+
+  describe('with SqllabBackendPersistence enabled', () => {
+    let isFeatureEnabledMock: jest.MockInstance<
+      boolean,
+      [feature: FeatureFlag]
+    >;
+    beforeEach(() => {
+      isFeatureEnabledMock = jest
+        .spyOn(uiCore, 'isFeatureEnabled')
+        .mockImplementation(
+          featureFlag =>
+            featureFlag === uiCore.FeatureFlag.SqllabBackendPersistence,
+        );
+    });
+    afterEach(() => {
+      isFeatureEnabledMock.mockClear();
+    });
+
+    it('should render loading state when its Editor is not loaded', async () => {
+      const switchTabApi = `glob:*/tabstateview/${defaultQueryEditor.id}/activate`;
+      fetchMock.post(switchTabApi, {});
+      const { getByTestId } = setup(
+        {
+          ...mockedProps,
+          queryEditor: {
+            ...mockedProps.queryEditor,
+            loaded: false,
+          },
+        },
+        store,
+      );
+      const indicator = getByTestId('sqlEditor-loading');
+      expect(indicator).toBeInTheDocument();
+      await waitFor(() =>
+        expect(fetchMock.calls('glob:*/tabstateview/*').length).toBe(1),
+      );
+      expect(fetchMock.calls(switchTabApi).length).toBe(1);
+    });
+  });
 });
diff --git a/superset-frontend/src/SqlLab/components/SqlEditor/index.tsx b/superset-frontend/src/SqlLab/components/SqlEditor/index.tsx
index 088143448731a..3970eae513eec 100644
--- a/superset-frontend/src/SqlLab/components/SqlEditor/index.tsx
+++ b/superset-frontend/src/SqlLab/components/SqlEditor/index.tsx
@@ -51,7 +51,7 @@ import Mousetrap from 'mousetrap';
 import Button from 'src/components/Button';
 import Timer from 'src/components/Timer';
 import ResizableSidebar from 'src/components/ResizableSidebar';
-import { AntdDropdown, AntdSwitch } from 'src/components';
+import { AntdDropdown, AntdSwitch, Skeleton } from 'src/components';
 import { Input } from 'src/components/Input';
 import { Menu } from 'src/components/Menu';
 import Icons from 'src/components/Icons';
@@ -73,6 +73,7 @@ import {
   setActiveSouthPaneTab,
   updateSavedQuery,
   formatQuery,
+  switchQueryEditor,
 } from 'src/SqlLab/actions/sqlLab';
 import {
   STATE_TYPE_MAP,
@@ -489,6 +490,16 @@ const SqlEditor: React.FC<Props> = ({
     }
   });
 
+  const shouldLoadQueryEditor =
+    isFeatureEnabled(FeatureFlag.SQLLAB_BACKEND_PERSISTENCE) &&
+    !queryEditor.loaded;
+
+  const loadQueryEditor = useEffectEvent(() => {
+    if (shouldLoadQueryEditor) {
+      dispatch(switchQueryEditor(queryEditor, displayLimit));
+    }
+  });
+
   useEffect(() => {
     // We need to measure the height of the sql editor post render to figure the height of
     // the south pane so it gets rendered properly
@@ -498,6 +509,7 @@ const SqlEditor: React.FC<Props> = ({
       WINDOW_RESIZE_THROTTLE_MS,
     );
 
+    loadQueryEditor();
     window.addEventListener('resize', handleWindowResizeWithThrottle);
     window.addEventListener('beforeunload', onBeforeUnload);
 
@@ -506,7 +518,7 @@ const SqlEditor: React.FC<Props> = ({
       window.removeEventListener('beforeunload', onBeforeUnload);
     };
     // TODO: Remove useEffectEvent deps once https://github.com/facebook/react/pull/25881 is released
-  }, [onBeforeUnload]);
+  }, [onBeforeUnload, loadQueryEditor]);
 
   useEffect(() => {
     if (!database || isEmpty(database)) {
@@ -841,7 +853,17 @@ const SqlEditor: React.FC<Props> = ({
           )}
         </ResizableSidebar>
       </CSSTransition>
-      {showEmptyState ? (
+      {shouldLoadQueryEditor ? (
+        <div
+          data-test="sqlEditor-loading"
+          css={css`
+            flex: 1;
+            padding: ${theme.gridUnit * 4}px;
+          `}
+        >
+          <Skeleton active />
+        </div>
+      ) : showEmptyState ? (
         <EmptyStateBig
           image="vector.svg"
           title={t('Select a database to write a query')}
diff --git a/superset-frontend/src/SqlLab/reducers/getInitialState.ts b/superset-frontend/src/SqlLab/reducers/getInitialState.ts
index 02bb5b45fc58f..e7c6a52c35658 100644
--- a/superset-frontend/src/SqlLab/reducers/getInitialState.ts
+++ b/superset-frontend/src/SqlLab/reducers/getInitialState.ts
@@ -57,7 +57,7 @@ export default function getInitialState({
     version: LatestQueryEditorVersion,
     loaded: true,
     name: t('Untitled query'),
-    sql: 'SELECT *\nFROM\nWHERE',
+    sql: '',
     latestQueryId: null,
     autorun: false,
     dbId: common.conf.SQLLAB_DEFAULT_DBID,
diff --git a/superset-frontend/src/SqlLab/reducers/sqlLab.js b/superset-frontend/src/SqlLab/reducers/sqlLab.js
index 59bd0558a1f1c..d74c2c815b05b 100644
--- a/superset-frontend/src/SqlLab/reducers/sqlLab.js
+++ b/superset-frontend/src/SqlLab/reducers/sqlLab.js
@@ -152,7 +152,10 @@ export default function sqlLabReducer(state = {}, action) {
 
       newState = {
         ...newState,
-        tabHistory,
+        tabHistory:
+          tabHistory.length === 0 && newState.queryEditors.length > 0
+            ? newState.queryEditors.slice(-1).map(qe => qe.id)
+            : tabHistory,
         tables,
         queries,
         unsavedQueryEditor: {
diff --git a/superset-frontend/src/SqlLab/reducers/sqlLab.test.js b/superset-frontend/src/SqlLab/reducers/sqlLab.test.js
index e1a234734bca6..041835d04b8e6 100644
--- a/superset-frontend/src/SqlLab/reducers/sqlLab.test.js
+++ b/superset-frontend/src/SqlLab/reducers/sqlLab.test.js
@@ -75,6 +75,25 @@ describe('sqlLabReducer', () => {
         initialState.queryEditors.length,
       );
     });
+    it('should select the latest query editor when tabHistory is empty', () => {
+      const currentQE = newState.queryEditors[0];
+      newState = {
+        ...initialState,
+        tabHistory: [initialState.queryEditors[0]],
+      };
+      const action = {
+        type: actions.REMOVE_QUERY_EDITOR,
+        queryEditor: currentQE,
+      };
+      newState = sqlLabReducer(newState, action);
+      expect(newState.queryEditors).toHaveLength(
+        initialState.queryEditors.length - 1,
+      );
+      expect(newState.queryEditors.map(qe => qe.id)).not.toContainEqual(
+        currentQE.id,
+      );
+      expect(newState.tabHistory).toEqual([initialState.queryEditors[2].id]);
+    });
     it('should remove a query editor including unsaved changes', () => {
       expect(newState.queryEditors).toHaveLength(
         initialState.queryEditors.length + 1,

From 039afe8c9913271d22fbf2c39ec7c1fb61df5355 Mon Sep 17 00:00:00 2001
From: Joe Li <joe@preset.io>
Date: Thu, 29 Feb 2024 10:28:57 -0800
Subject: [PATCH 077/114] chore: bump cryptography minimum to 42.0.4 (#27281)

(cherry picked from commit 371f2ab851eee46cd4ab3c5428c8061430a288ad)
---
 requirements/base.txt                                          | 2 +-
 setup.py                                                       | 3 +--
 .../src/SqlLab/components/SqlEditor/SqlEditor.test.tsx         | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index 09b81ec61a49d..2df0f876953fd 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -76,7 +76,7 @@ cron-descriptor==1.2.24
     # via apache-superset
 croniter==1.0.15
     # via apache-superset
-cryptography==42.0.2
+cryptography==42.0.4
     # via
     #   apache-superset
     #   paramiko
diff --git a/setup.py b/setup.py
index cb6be9ec12edb..7050d7b497c89 100644
--- a/setup.py
+++ b/setup.py
@@ -80,8 +80,7 @@ def get_git_sha() -> str:
         "colorama",
         "croniter>=0.3.28",
         "cron-descriptor",
-        # snowflake-connector-python as of 3.7.0 doesn't support >=42.* therefore lowering the min to 41.0.2
-        "cryptography>=41.0.2, <43.0.0",
+        "cryptography>=42.0.4, <43.0.0",
         "deprecation>=2.1.0, <2.2.0",
         "flask>=2.2.5, <3.0.0",
         "flask-appbuilder>=4.4.1, <5.0.0",
diff --git a/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx b/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx
index d491330443322..152a306ecfde0 100644
--- a/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx
+++ b/superset-frontend/src/SqlLab/components/SqlEditor/SqlEditor.test.tsx
@@ -303,7 +303,7 @@ describe('SqlEditor', () => {
         .spyOn(uiCore, 'isFeatureEnabled')
         .mockImplementation(
           featureFlag =>
-            featureFlag === uiCore.FeatureFlag.SqllabBackendPersistence,
+            featureFlag === uiCore.FeatureFlag.SQLLAB_BACKEND_PERSISTENCE,
         );
     });
     afterEach(() => {

From d8c4a7a067734c83c61a2e7338c0337500c29fa3 Mon Sep 17 00:00:00 2001
From: Ross Mabbett <92495987+rtexelm@users.noreply.github.com>
Date: Thu, 29 Feb 2024 17:37:55 -0500
Subject: [PATCH 078/114] fix(dashboard): table chart drag preview overflowing
 container (#27308)

(cherry picked from commit ad3995daf62984bc0652c155643e0aca3a2840a0)
---
 .../src/dashboard/components/dnd/DragDroppable.jsx          | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx b/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx
index 6a49f9887550f..92a3ab5636f31 100644
--- a/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx
+++ b/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx
@@ -77,6 +77,12 @@ const defaultProps = {
 const DragDroppableStyles = styled.div`
   ${({ theme }) => css`
     position: relative;
+    /*
+      Next line is a workaround for a bug in react-dnd where the drag
+      preview expands outside of the bounds of the drag source card, see:
+      https://github.com/react-dnd/react-dnd/issues/832#issuecomment-442071628
+    */
+    transform: translate3d(0, 0, 0);
 
     &.dragdroppable--dragging {
       opacity: 0.2;

From 6ddaf1cf023c8cca074a9c4e89b564eda7eb1ca1 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Fri, 1 Mar 2024 13:08:30 -0500
Subject: [PATCH 079/114] fix: Heatmap numeric sorting (#27360)

(cherry picked from commit fe2f5a7be9fb6218aa72ab9173481fd21fa40b20)
---
 .../legacy-plugin-chart-heatmap/src/Heatmap.js    | 15 ++++++---------
 .../src/transformProps.js                         |  8 ++++++--
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js
index 18493f0602ef7..ef2c76ad68a34 100644
--- a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js
+++ b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/Heatmap.js
@@ -177,15 +177,12 @@ function Heatmap(element, props) {
     }
   }
 
-  function ordScale(k, rangeBands, sortMethod) {
+  function ordScale(k, rangeBands, sortMethod, formatter) {
     let domain = {};
-    const actualKeys = {}; // hack to preserve type of keys when number
     records.forEach(d => {
       domain[d[k]] = (domain[d[k]] || 0) + d.v;
-      actualKeys[d[k]] = d[k];
     });
-    // Not using object.keys() as it converts to strings
-    const keys = Object.keys(actualKeys).map(s => actualKeys[s]);
+    const keys = Object.keys(domain).map(k => formatter(k));
     if (sortMethod === 'alpha_asc') {
       domain = keys.sort(cmp);
     } else if (sortMethod === 'alpha_desc') {
@@ -252,10 +249,10 @@ function Heatmap(element, props) {
 
   const fp = getNumberFormatter(NumberFormats.PERCENT_2_POINT);
 
-  const xScale = ordScale('x', null, sortXAxis);
-  const yScale = ordScale('y', null, sortYAxis);
-  const xRbScale = ordScale('x', [0, hmWidth], sortXAxis);
-  const yRbScale = ordScale('y', [hmHeight, 0], sortYAxis);
+  const xScale = ordScale('x', null, sortXAxis, xAxisFormatter);
+  const yScale = ordScale('y', null, sortYAxis, yAxisFormatter);
+  const xRbScale = ordScale('x', [0, hmWidth], sortXAxis, xAxisFormatter);
+  const yRbScale = ordScale('y', [hmHeight, 0], sortYAxis, yAxisFormatter);
   const X = 0;
   const Y = 1;
   const heatmapDim = [xRbScale.domain().length, yRbScale.domain().length];
diff --git a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js
index fa531ef9da1d3..f58c58b7243a0 100644
--- a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js
+++ b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js
@@ -57,11 +57,15 @@ export default function transformProps(chartProps) {
   const xAxisFormatter =
     coltypes[0] === GenericDataType.TEMPORAL
       ? getTimeFormatter(timeFormat)
-      : String;
+      : coltypes[0] === GenericDataType.Numeric
+        ? Number
+        : String;
   const yAxisFormatter =
     coltypes[1] === GenericDataType.TEMPORAL
       ? getTimeFormatter(timeFormat)
-      : String;
+      : coltypes[1] === GenericDataType.Numeric
+        ? Number
+        : String;
   return {
     width,
     height,

From 16e5eddeb6d648cf4738ca2f0bcf5422d4e6bcb1 Mon Sep 17 00:00:00 2001
From: nigzak <102737855+nigzak@users.noreply.github.com>
Date: Fri, 1 Mar 2024 19:50:17 +0100
Subject: [PATCH 080/114] =?UTF-8?q?chore:=20numexpr=20to=20fix=20CVE-2023-?=
 =?UTF-8?q?39631=E2=81=A0=20(2.8.4=20=3D>=202.9.0)=20(#27187)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Stefan Arnold <stefan.st.arnold@mercedes-benz.com>
---
 requirements/base.in         |  1 +
 requirements/base.txt        |  9 +++++----
 requirements/development.txt | 11 ++++++++++-
 requirements/testing.txt     |  2 --
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/requirements/base.in b/requirements/base.in
index dc632a096af58..b1c67b936ad0b 100644
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -18,3 +18,4 @@
 #
 -e file:.
 urllib3>=1.26.18
+numexpr>=2.9.0
diff --git a/requirements/base.txt b/requirements/base.txt
index 2df0f876953fd..de25938a0166d 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -1,4 +1,4 @@
-# SHA1:89ce10cd392b720033db86b747e77633711a8b5f
+# SHA1:f8f2c882290c71f27b1d9f3263cf0c523cb88ad6
 #
 # This file is autogenerated by pip-compile-multi
 # To update, run:
@@ -211,8 +211,10 @@ nh3==0.2.11
     # via apache-superset
 numba==0.57.1
     # via pandas
-numexpr==2.8.4
-    # via pandas
+numexpr==2.9.0
+    # via
+    #   -r requirements/base.in
+    #   pandas
 numpy==1.23.5
     # via
     #   apache-superset
@@ -346,7 +348,6 @@ typing-extensions==4.4.0
     #   apache-superset
     #   cattrs
     #   flask-limiter
-    #   kombu
     #   limits
     #   shillelagh
 tzdata==2023.3
diff --git a/requirements/development.txt b/requirements/development.txt
index 58dd97a75329c..ca80cd60ede93 100644
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -82,6 +82,10 @@ ptyprocess==0.7.0
     # via pexpect
 pure-eval==0.2.2
     # via stack-data
+pure-sasl==0.6.2
+    # via
+    #   pyhive
+    #   thrift-sasl
 pyasn1==0.5.0
     # via
     #   pyasn1-modules
@@ -111,7 +115,12 @@ tableschema==1.20.2
 tabulator==1.53.5
     # via tableschema
 thrift==0.16.0
-    # via apache-superset
+    # via
+    #   apache-superset
+    #   pyhive
+    #   thrift-sasl
+thrift-sasl==0.4.3
+    # via pyhive
 tomli==2.0.1
     # via pylint
 tomlkit==0.11.8
diff --git a/requirements/testing.txt b/requirements/testing.txt
index 382e3bee4b8ee..fce953f8e4125 100644
--- a/requirements/testing.txt
+++ b/requirements/testing.txt
@@ -118,8 +118,6 @@ pyee==9.0.4
     # via playwright
 pyfakefs==5.2.2
     # via -r requirements/testing.in
-pyhive[presto]==0.7.0
-    # via apache-superset
 pytest==7.3.1
     # via
     #   -r requirements/testing.in

From 4972fbe751b2c27d665e1cc5882c19c946a2b282 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Mon, 4 Mar 2024 08:15:55 -0500
Subject: [PATCH 081/114] fix: Results section in Explore shows an infinite
 spinner (#27366)

(cherry picked from commit 231e659b56617fcdefa7534e14ffcfe50a8c084c)
---
 .../legacy-plugin-chart-heatmap/src/transformProps.js     | 8 ++++----
 .../explore/components/DataTablesPane/DataTablesPane.tsx  | 3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js
index f58c58b7243a0..ddafe456a6a99 100644
--- a/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js
+++ b/superset-frontend/plugins/legacy-plugin-chart-heatmap/src/transformProps.js
@@ -58,14 +58,14 @@ export default function transformProps(chartProps) {
     coltypes[0] === GenericDataType.TEMPORAL
       ? getTimeFormatter(timeFormat)
       : coltypes[0] === GenericDataType.Numeric
-        ? Number
-        : String;
+      ? Number
+      : String;
   const yAxisFormatter =
     coltypes[1] === GenericDataType.TEMPORAL
       ? getTimeFormatter(timeFormat)
       : coltypes[1] === GenericDataType.Numeric
-        ? Number
-        : String;
+      ? Number
+      : String;
   return {
     width,
     height,
diff --git a/superset-frontend/src/explore/components/DataTablesPane/DataTablesPane.tsx b/superset-frontend/src/explore/components/DataTablesPane/DataTablesPane.tsx
index 726f3ea468998..60b65c6ffc1dd 100644
--- a/superset-frontend/src/explore/components/DataTablesPane/DataTablesPane.tsx
+++ b/superset-frontend/src/explore/components/DataTablesPane/DataTablesPane.tsx
@@ -123,7 +123,8 @@ export const DataTablesPane = ({
     if (
       panelOpen &&
       activeTabKey.startsWith(ResultTypes.Results) &&
-      chartStatus === 'rendered'
+      chartStatus &&
+      chartStatus !== 'loading'
     ) {
       setIsRequest({
         results: true,

From efd305eb8d38e0ade68d152944352e2d11657f48 Mon Sep 17 00:00:00 2001
From: Aleksey Karpov <86011874+alekseyolg@users.noreply.github.com>
Date: Thu, 7 Dec 2023 15:54:59 +0300
Subject: [PATCH 082/114] fix(docker): Remove race condition when building
 image (#26205)

(cherry picked from commit f68dd8293f9c7e798756e90c154d8473d0d1cb49)
---
 Dockerfile | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index b9714d6c69bc6..fc3e66703783e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,9 +61,7 @@ ENV LANG=C.UTF-8 \
     SUPERSET_HOME="/app/superset_home" \
     SUPERSET_PORT=8088
 
-RUN --mount=target=/var/lib/apt/lists,type=cache \
-    --mount=target=/var/cache/apt,type=cache \
-    mkdir -p ${PYTHONPATH} superset/static superset-frontend apache_superset.egg-info requirements \
+RUN mkdir -p ${PYTHONPATH} superset/static superset-frontend apache_superset.egg-info requirements \
     && useradd --user-group -d ${SUPERSET_HOME} -m --no-log-init --shell /bin/bash superset \
     && apt-get update -qq && apt-get install -yqq --no-install-recommends \
         build-essential \
@@ -75,7 +73,8 @@ RUN --mount=target=/var/lib/apt/lists,type=cache \
         libecpg-dev \
         libldap2-dev \
     && touch superset/static/version_info.json \
-    && chown -R superset:superset ./*
+    && chown -R superset:superset ./* \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY --chown=superset:superset setup.py MANIFEST.in README.md ./
 # setup.py uses the version information in package.json
@@ -112,9 +111,8 @@ ARG GECKODRIVER_VERSION=v0.33.0 \
 
 USER root
 
-RUN --mount=target=/var/lib/apt/lists,type=cache \
-    --mount=target=/var/cache/apt,type=cache \
-    apt-get install -yqq --no-install-recommends \
+RUN apt-get update -qq \
+    && apt-get install -yqq --no-install-recommends \
         libnss3 \
         libdbus-glib-1-2 \
         libgtk-3-0 \
@@ -127,7 +125,7 @@ RUN --mount=target=/var/lib/apt/lists,type=cache \
     # Install Firefox
     && wget -q https://download-installer.cdn.mozilla.net/pub/firefox/releases/${FIREFOX_VERSION}/linux-x86_64/en-US/firefox-${FIREFOX_VERSION}.tar.bz2 -O - | tar xfj - -C /opt \
     && ln -s /opt/firefox/firefox /usr/local/bin/firefox \
-    && apt-get autoremove -yqq --purge wget && rm -rf /var/[log,tmp]/* /tmp/*
+    && apt-get autoremove -yqq --purge wget && rm -rf /var/[log,tmp]/* /tmp/* /var/lib/apt/lists/*
 # Cache everything for dev purposes...
 RUN --mount=type=bind,target=./requirements/base.txt,src=./requirements/base.txt \
     --mount=type=bind,target=./requirements/docker.txt,src=./requirements/docker.txt \

From 4b5de7d203e4b5bb1bfdc00412a125203a054b6e Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Tue, 5 Mar 2024 17:44:51 +0000
Subject: [PATCH 083/114] fix: improve explore REST api validations (#27395)

(cherry picked from commit a3d2e0bf447fad5d4495eea97529118b562f4e3c)
---
 superset/commands/explore/get.py             | 11 +++++++++--
 tests/integration_tests/explore/api_tests.py | 20 +++++++++++++++++++-
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/superset/commands/explore/get.py b/superset/commands/explore/get.py
index bb8f5a85e9e8a..6c52763d243c8 100644
--- a/superset/commands/explore/get.py
+++ b/superset/commands/explore/get.py
@@ -38,6 +38,7 @@
 from superset.exceptions import SupersetException
 from superset.explore.exceptions import WrongEndpointError
 from superset.explore.permalink.exceptions import ExplorePermalinkGetFailedError
+from superset.extensions import security_manager
 from superset.utils import core as utils
 from superset.views.utils import (
     get_datasource_info,
@@ -62,7 +63,6 @@ def __init__(
     # pylint: disable=too-many-locals,too-many-branches,too-many-statements
     def run(self) -> Optional[dict[str, Any]]:
         initial_form_data = {}
-
         if self._permalink_key is not None:
             command = GetExplorePermalinkCommand(self._permalink_key)
             permalink_value = command.run()
@@ -111,12 +111,19 @@ def run(self) -> Optional[dict[str, Any]]:
             self._datasource_type = SqlaTable.type
 
         datasource: Optional[BaseDatasource] = None
+
         if self._datasource_id is not None:
             with contextlib.suppress(DatasourceNotFound):
                 datasource = DatasourceDAO.get_datasource(
                     db.session, cast(str, self._datasource_type), self._datasource_id
                 )
-        datasource_name = datasource.name if datasource else _("[Missing Dataset]")
+
+        datasource_name = _("[Missing Dataset]")
+
+        if datasource:
+            datasource_name = datasource.name
+            security_manager.can_access_datasource(datasource)
+
         viz_type = form_data.get("viz_type")
         if not viz_type and datasource and datasource.default_endpoint:
             raise WrongEndpointError(redirect=datasource.default_endpoint)
diff --git a/tests/integration_tests/explore/api_tests.py b/tests/integration_tests/explore/api_tests.py
index e37200e310024..7594522af5db3 100644
--- a/tests/integration_tests/explore/api_tests.py
+++ b/tests/integration_tests/explore/api_tests.py
@@ -199,7 +199,7 @@ def test_get_from_permalink_unknown_key(test_client, login_as_admin):
 
 
 @patch("superset.security.SupersetSecurityManager.can_access_datasource")
-def test_get_dataset_access_denied(
+def test_get_dataset_access_denied_with_form_data_key(
     mock_can_access_datasource, test_client, login_as_admin, dataset
 ):
     message = "Dataset access denied"
@@ -216,6 +216,24 @@ def test_get_dataset_access_denied(
     assert data["message"] == message
 
 
+@patch("superset.security.SupersetSecurityManager.can_access_datasource")
+def test_get_dataset_access_denied(
+    mock_can_access_datasource, test_client, login_as_admin, dataset
+):
+    message = "Dataset access denied"
+    mock_can_access_datasource.side_effect = DatasetAccessDeniedError(
+        message=message, datasource_id=dataset.id, datasource_type=dataset.type
+    )
+    resp = test_client.get(
+        f"api/v1/explore/?datasource_id={dataset.id}&datasource_type={dataset.type}"
+    )
+    data = json.loads(resp.data.decode("utf-8"))
+    assert resp.status_code == 403
+    assert data["datasource_id"] == dataset.id
+    assert data["datasource_type"] == dataset.type
+    assert data["message"] == message
+
+
 @patch("superset.daos.datasource.DatasourceDAO.get_datasource")
 def test_wrong_endpoint(mock_get_datasource, test_client, login_as_admin, dataset):
     dataset.default_endpoint = "another_endpoint"

From e84b2a3ba1a39e582407bc1b4cfc673bf5e473c3 Mon Sep 17 00:00:00 2001
From: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
Date: Wed, 6 Mar 2024 13:40:41 -0300
Subject: [PATCH 084/114] fix(API): Updating assets via the API should preserve
 ownership configuration (#27364)

(cherry picked from commit 66bf70172f2cbd24b17b503588f2edbed0a63247)
---
 superset/commands/base.py                     |  20 ++-
 superset/commands/chart/update.py             |   5 +-
 superset/commands/dashboard/update.py         |   9 +-
 superset/commands/dataset/update.py           |   5 +-
 superset/commands/report/update.py            |   7 +-
 superset/commands/utils.py                    |  21 +++-
 superset/views/datasource/views.py            |   4 +-
 tests/integration_tests/charts/api_tests.py   |  53 +++++++-
 .../integration_tests/dashboards/api_tests.py |  37 ++++++
 tests/integration_tests/datasets/api_tests.py |  55 ++++++++
 tests/integration_tests/reports/api_tests.py  |  87 +++++++++++++
 tests/unit_tests/commands/test_utils.py       | 118 ++++++++++++++++++
 12 files changed, 404 insertions(+), 17 deletions(-)
 create mode 100644 tests/unit_tests/commands/test_utils.py

diff --git a/superset/commands/base.py b/superset/commands/base.py
index caca50755de9b..8b330d0669c0b 100644
--- a/superset/commands/base.py
+++ b/superset/commands/base.py
@@ -19,7 +19,7 @@
 
 from flask_appbuilder.security.sqla.models import User
 
-from superset.commands.utils import populate_owners
+from superset.commands.utils import compute_owner_list, populate_owner_list
 
 
 class BaseCommand(ABC):
@@ -55,7 +55,7 @@ def populate_owners(owner_ids: Optional[list[int]] = None) -> list[User]:
         :raises OwnersNotFoundValidationError: if at least one owner can't be resolved
         :returns: Final list of owners
         """
-        return populate_owners(owner_ids, default_to_user=True)
+        return populate_owner_list(owner_ids, default_to_user=True)
 
 
 class UpdateMixin:  # pylint: disable=too-few-public-methods
@@ -69,4 +69,18 @@ def populate_owners(owner_ids: Optional[list[int]] = None) -> list[User]:
         :raises OwnersNotFoundValidationError: if at least one owner can't be resolved
         :returns: Final list of owners
         """
-        return populate_owners(owner_ids, default_to_user=False)
+        return populate_owner_list(owner_ids, default_to_user=False)
+
+    @staticmethod
+    def compute_owners(
+        current_owners: Optional[list[User]],
+        new_owners: Optional[list[int]],
+    ) -> list[User]:
+        """
+        Handle list of owners for update events.
+
+        :param current_owners: list of current owners
+        :param new_owners: list of new owners specified in the update payload
+        :returns: Final list of owners
+        """
+        return compute_owner_list(current_owners, new_owners)
diff --git a/superset/commands/chart/update.py b/superset/commands/chart/update.py
index 40b36ebcc521e..178344634e186 100644
--- a/superset/commands/chart/update.py
+++ b/superset/commands/chart/update.py
@@ -90,7 +90,10 @@ def validate(self) -> None:
         if not is_query_context_update(self._properties):
             try:
                 security_manager.raise_for_ownership(self._model)
-                owners = self.populate_owners(owner_ids)
+                owners = self.compute_owners(
+                    self._model.owners,
+                    owner_ids,
+                )
                 self._properties["owners"] = owners
             except SupersetSecurityException as ex:
                 raise ChartForbiddenError() from ex
diff --git a/superset/commands/dashboard/update.py b/superset/commands/dashboard/update.py
index 22dcad4b2c86b..b2b11e5f6e4e8 100644
--- a/superset/commands/dashboard/update.py
+++ b/superset/commands/dashboard/update.py
@@ -66,7 +66,7 @@ def run(self) -> Model:
 
     def validate(self) -> None:
         exceptions: list[ValidationError] = []
-        owners_ids: Optional[list[int]] = self._properties.get("owners")
+        owner_ids: Optional[list[int]] = self._properties.get("owners")
         roles_ids: Optional[list[int]] = self._properties.get("roles")
         slug: Optional[str] = self._properties.get("slug")
 
@@ -85,10 +85,11 @@ def validate(self) -> None:
             exceptions.append(DashboardSlugExistsValidationError())
 
         # Validate/Populate owner
-        if owners_ids is None:
-            owners_ids = [owner.id for owner in self._model.owners]
         try:
-            owners = self.populate_owners(owners_ids)
+            owners = self.compute_owners(
+                self._model.owners,
+                owner_ids,
+            )
             self._properties["owners"] = owners
         except ValidationError as ex:
             exceptions.append(ex)
diff --git a/superset/commands/dataset/update.py b/superset/commands/dataset/update.py
index 8a72c24fd5f28..5c0d87b230eff 100644
--- a/superset/commands/dataset/update.py
+++ b/superset/commands/dataset/update.py
@@ -100,7 +100,10 @@ def validate(self) -> None:
             exceptions.append(DatabaseChangeValidationError())
         # Validate/Populate owner
         try:
-            owners = self.populate_owners(owner_ids)
+            owners = self.compute_owners(
+                self._model.owners,
+                owner_ids,
+            )
             self._properties["owners"] = owners
         except ValidationError as ex:
             exceptions.append(ex)
diff --git a/superset/commands/report/update.py b/superset/commands/report/update.py
index a33ba6b59a726..cb63ec5011daf 100644
--- a/superset/commands/report/update.py
+++ b/superset/commands/report/update.py
@@ -118,10 +118,11 @@ def validate(self) -> None:
             raise ReportScheduleForbiddenError() from ex
 
         # Validate/Populate owner
-        if owner_ids is None:
-            owner_ids = [owner.id for owner in self._model.owners]
         try:
-            owners = self.populate_owners(owner_ids)
+            owners = self.compute_owners(
+                self._model.owners,
+                owner_ids,
+            )
             self._properties["owners"] = owners
         except ValidationError as ex:
             exceptions.append(ex)
diff --git a/superset/commands/utils.py b/superset/commands/utils.py
index 8cfeab3c1148d..d2a1e38ea0ce1 100644
--- a/superset/commands/utils.py
+++ b/superset/commands/utils.py
@@ -36,7 +36,7 @@
     from superset.connectors.sqla.models import BaseDatasource
 
 
-def populate_owners(
+def populate_owner_list(
     owner_ids: list[int] | None,
     default_to_user: bool,
 ) -> list[User]:
@@ -63,6 +63,25 @@ def populate_owners(
     return owners
 
 
+def compute_owner_list(
+    current_owners: list[User] | None,
+    new_owners: list[int] | None,
+) -> list[User]:
+    """
+    Helper function for update commands, to properly handle the owners list.
+    Preserve the previous configuration unless included in the update payload.
+
+    :param current_owners: list of current owners
+    :param new_owners: list of new owners specified in the update payload
+    :returns: Final list of owners
+    """
+    current_owners = current_owners or []
+    owners_ids = (
+        [owner.id for owner in current_owners] if new_owners is None else new_owners
+    )
+    return populate_owner_list(owners_ids, default_to_user=False)
+
+
 def populate_roles(role_ids: list[int] | None = None) -> list[Role]:
     """
     Helper function for commands, will fetch all roles from roles id's
diff --git a/superset/views/datasource/views.py b/superset/views/datasource/views.py
index a4c158a11f300..08f2c7385519c 100644
--- a/superset/views/datasource/views.py
+++ b/superset/views/datasource/views.py
@@ -32,7 +32,7 @@
     DatasetForbiddenError,
     DatasetNotFoundError,
 )
-from superset.commands.utils import populate_owners
+from superset.commands.utils import populate_owner_list
 from superset.connectors.sqla.models import SqlaTable
 from superset.connectors.sqla.utils import get_physical_table_metadata
 from superset.daos.datasource import DatasourceDAO
@@ -95,7 +95,7 @@ def save(self) -> FlaskResponse:
             except SupersetSecurityException as ex:
                 raise DatasetForbiddenError() from ex
 
-        datasource_dict["owners"] = populate_owners(
+        datasource_dict["owners"] = populate_owner_list(
             datasource_dict["owners"], default_to_user=False
         )
 
diff --git a/tests/integration_tests/charts/api_tests.py b/tests/integration_tests/charts/api_tests.py
index 69888104fa4ef..9dec56fedd4c7 100644
--- a/tests/integration_tests/charts/api_tests.py
+++ b/tests/integration_tests/charts/api_tests.py
@@ -735,10 +735,59 @@ def test_update_chart_new_owner_admin(self):
         db.session.delete(model)
         db.session.commit()
 
+    @pytest.mark.usefixtures("add_dashboard_to_chart")
+    def test_update_chart_preserve_ownership(self):
+        """
+        Chart API: Test update chart preserves owner list (if un-changed)
+        """
+        chart_data = {
+            "slice_name": "title1_changed",
+        }
+        admin = self.get_user("admin")
+        self.login(username="admin")
+        uri = f"api/v1/chart/{self.chart.id}"
+        rv = self.put_assert_metric(uri, chart_data, "put")
+        self.assertEqual(rv.status_code, 200)
+        self.assertEqual([admin], self.chart.owners)
+
+    @pytest.mark.usefixtures("add_dashboard_to_chart")
+    def test_update_chart_clear_owner_list(self):
+        """
+        Chart API: Test update chart admin can clear owner list
+        """
+        chart_data = {"slice_name": "title1_changed", "owners": []}
+        admin = self.get_user("admin")
+        self.login(username="admin")
+        uri = f"api/v1/chart/{self.chart.id}"
+        rv = self.put_assert_metric(uri, chart_data, "put")
+        self.assertEqual(rv.status_code, 200)
+        self.assertEqual([], self.chart.owners)
+
+    def test_update_chart_populate_owner(self):
+        """
+        Chart API: Test update admin can update chart with
+        no owners to a different owner
+        """
+        gamma = self.get_user("gamma")
+        admin = self.get_user("admin")
+        chart_id = self.insert_chart("title", [], 1).id
+        model = db.session.query(Slice).get(chart_id)
+        self.assertEqual(model.owners, [])
+        chart_data = {"owners": [gamma.id]}
+        self.login(username="admin")
+        uri = f"api/v1/chart/{chart_id}"
+        rv = self.put_assert_metric(uri, chart_data, "put")
+        self.assertEqual(rv.status_code, 200)
+        model_updated = db.session.query(Slice).get(chart_id)
+        self.assertNotIn(admin, model_updated.owners)
+        self.assertIn(gamma, model_updated.owners)
+        db.session.delete(model_updated)
+        db.session.commit()
+
     @pytest.mark.usefixtures("add_dashboard_to_chart")
     def test_update_chart_new_dashboards(self):
         """
-        Chart API: Test update set new owner to current user
+        Chart API: Test update chart associating it with new dashboard
         """
         chart_data = {
             "slice_name": "title1_changed",
@@ -754,7 +803,7 @@ def test_update_chart_new_dashboards(self):
     @pytest.mark.usefixtures("add_dashboard_to_chart")
     def test_not_update_chart_none_dashboards(self):
         """
-        Chart API: Test update set new owner to current user
+        Chart API: Test update chart without changing dashboards configuration
         """
         chart_data = {"slice_name": "title1_changed_again"}
         self.login(username="admin")
diff --git a/tests/integration_tests/dashboards/api_tests.py b/tests/integration_tests/dashboards/api_tests.py
index a5c44f9f08764..6023b5b52555f 100644
--- a/tests/integration_tests/dashboards/api_tests.py
+++ b/tests/integration_tests/dashboards/api_tests.py
@@ -1551,6 +1551,43 @@ def test_update_dashboard_new_owner_admin(self):
         db.session.delete(model)
         db.session.commit()
 
+    def test_update_dashboard_clear_owner_list(self):
+        """
+        Dashboard API: Test update admin can clear up owners list
+        """
+        admin = self.get_user("admin")
+        dashboard_id = self.insert_dashboard("title1", "slug1", [admin.id]).id
+        self.login(username="admin")
+        uri = f"api/v1/dashboard/{dashboard_id}"
+        dashboard_data = {"owners": []}
+        rv = self.client.put(uri, json=dashboard_data)
+        self.assertEqual(rv.status_code, 200)
+        model = db.session.query(Dashboard).get(dashboard_id)
+        self.assertEqual([], model.owners)
+        db.session.delete(model)
+        db.session.commit()
+
+    def test_update_dashboard_populate_owner(self):
+        """
+        Dashboard API: Test update admin can update dashboard with
+        no owners to a different owner
+        """
+        self.login(username="admin")
+        gamma = self.get_user("gamma")
+        dashboard = self.insert_dashboard(
+            "title1",
+            "slug1",
+            [],
+        )
+        uri = f"api/v1/dashboard/{dashboard.id}"
+        dashboard_data = {"owners": [gamma.id]}
+        rv = self.client.put(uri, json=dashboard_data)
+        self.assertEqual(rv.status_code, 200)
+        model = db.session.query(Dashboard).get(dashboard.id)
+        self.assertEqual([gamma], model.owners)
+        db.session.delete(model)
+        db.session.commit()
+
     def test_update_dashboard_slug_formatting(self):
         """
         Dashboard API: Test update slug formatting
diff --git a/tests/integration_tests/datasets/api_tests.py b/tests/integration_tests/datasets/api_tests.py
index d969895489d9f..9b264a7eb6477 100644
--- a/tests/integration_tests/datasets/api_tests.py
+++ b/tests/integration_tests/datasets/api_tests.py
@@ -885,6 +885,59 @@ def test_create_dataset_sqlalchemy_error(self, mock_dao_create):
         assert rv.status_code == 422
         assert data == {"message": "Dataset could not be created."}
 
+    def test_update_dataset_preserve_ownership(self):
+        """
+        Dataset API: Test update dataset preserves owner list (if un-changed)
+        """
+
+        dataset = self.insert_default_dataset()
+        current_owners = dataset.owners
+        self.login(username="admin")
+        dataset_data = {"description": "new description"}
+        uri = f"api/v1/dataset/{dataset.id}"
+        rv = self.put_assert_metric(uri, dataset_data, "put")
+        assert rv.status_code == 200
+        model = db.session.query(SqlaTable).get(dataset.id)
+        assert model.owners == current_owners
+
+        db.session.delete(dataset)
+        db.session.commit()
+
+    def test_update_dataset_clear_owner_list(self):
+        """
+        Dataset API: Test update dataset admin can clear ownership config
+        """
+
+        dataset = self.insert_default_dataset()
+        self.login(username="admin")
+        dataset_data = {"owners": []}
+        uri = f"api/v1/dataset/{dataset.id}"
+        rv = self.put_assert_metric(uri, dataset_data, "put")
+        assert rv.status_code == 200
+        model = db.session.query(SqlaTable).get(dataset.id)
+        assert model.owners == []
+
+        db.session.delete(dataset)
+        db.session.commit()
+
+    def test_update_dataset_populate_owner(self):
+        """
+        Dataset API: Test update admin can update dataset with
+        no owners to a different owner
+        """
+        self.login(username="admin")
+        gamma = self.get_user("gamma")
+        dataset = self.insert_dataset("ab_permission", [], get_main_database())
+        dataset_data = {"owners": [gamma.id]}
+        uri = f"api/v1/dataset/{dataset.id}"
+        rv = self.put_assert_metric(uri, dataset_data, "put")
+        assert rv.status_code == 200
+        model = db.session.query(SqlaTable).get(dataset.id)
+        assert model.owners == [gamma]
+
+        db.session.delete(dataset)
+        db.session.commit()
+
     def test_update_dataset_item(self):
         """
         Dataset API: Test update dataset item
@@ -893,6 +946,7 @@ def test_update_dataset_item(self):
             return
 
         dataset = self.insert_default_dataset()
+        current_owners = dataset.owners
         self.login(username="admin")
         dataset_data = {"description": "changed_description"}
         uri = f"api/v1/dataset/{dataset.id}"
@@ -900,6 +954,7 @@ def test_update_dataset_item(self):
         assert rv.status_code == 200
         model = db.session.query(SqlaTable).get(dataset.id)
         assert model.description == dataset_data["description"]
+        assert model.owners == current_owners
 
         db.session.delete(dataset)
         db.session.commit()
diff --git a/tests/integration_tests/reports/api_tests.py b/tests/integration_tests/reports/api_tests.py
index 12d00d59f3a5a..1b74d11f5a0a5 100644
--- a/tests/integration_tests/reports/api_tests.py
+++ b/tests/integration_tests/reports/api_tests.py
@@ -1458,6 +1458,93 @@ def test_update_report_not_owned(self):
         rv = self.put_assert_metric(uri, report_schedule_data, "put")
         self.assertEqual(rv.status_code, 403)
 
+    @pytest.mark.usefixtures("create_report_schedules")
+    def test_update_report_preserve_ownership(self):
+        """
+        ReportSchedule API: Test update report preserves owner list (if un-changed)
+        """
+        self.login(username="admin")
+        existing_report = (
+            db.session.query(ReportSchedule)
+            .filter(ReportSchedule.name == "name1")
+            .one_or_none()
+        )
+        current_owners = existing_report.owners
+        report_schedule_data = {
+            "description": "Updated description",
+        }
+        uri = f"api/v1/report/{existing_report.id}"
+        rv = self.put_assert_metric(uri, report_schedule_data, "put")
+        updated_report = (
+            db.session.query(ReportSchedule)
+            .filter(ReportSchedule.name == "name1")
+            .one_or_none()
+        )
+        assert updated_report.owners == current_owners
+
+    @pytest.mark.usefixtures("create_report_schedules")
+    def test_update_report_clear_owner_list(self):
+        """
+        ReportSchedule API: Test update report admin can clear ownership config
+        """
+        self.login(username="admin")
+        existing_report = (
+            db.session.query(ReportSchedule)
+            .filter(ReportSchedule.name == "name1")
+            .one_or_none()
+        )
+        report_schedule_data = {
+            "owners": [],
+        }
+        uri = f"api/v1/report/{existing_report.id}"
+        rv = self.put_assert_metric(uri, report_schedule_data, "put")
+        updated_report = (
+            db.session.query(ReportSchedule)
+            .filter(ReportSchedule.name == "name1")
+            .one_or_none()
+        )
+        assert updated_report.owners == []
+
+    @pytest.mark.usefixtures("create_report_schedules")
+    def test_update_report_populate_owner(self):
+        """
+        ReportSchedule API: Test update admin can update report with
+        no owners to a different owner
+        """
+        gamma = self.get_user("gamma")
+        self.login(username="admin")
+
+        # Modify an existing report to make remove all owners
+        existing_report = (
+            db.session.query(ReportSchedule)
+            .filter(ReportSchedule.name == "name1")
+            .one_or_none()
+        )
+        report_update_data = {
+            "owners": [],
+        }
+        uri = f"api/v1/report/{existing_report.id}"
+        rv = self.put_assert_metric(uri, report_update_data, "put")
+        updated_report = (
+            db.session.query(ReportSchedule)
+            .filter(ReportSchedule.name == "name1")
+            .one_or_none()
+        )
+        assert updated_report.owners == []
+
+        # Populate the field
+        report_update_data = {
+            "owners": [gamma.id],
+        }
+        uri = f"api/v1/report/{updated_report.id}"
+        rv = self.put_assert_metric(uri, report_update_data, "put")
+        updated_report = (
+            db.session.query(ReportSchedule)
+            .filter(ReportSchedule.name == "name1")
+            .one_or_none()
+        )
+        assert updated_report.owners == [gamma]
+
     @pytest.mark.usefixtures("create_report_schedules")
     def test_delete_report_schedule(self):
         """
diff --git a/tests/unit_tests/commands/test_utils.py b/tests/unit_tests/commands/test_utils.py
new file mode 100644
index 0000000000000..cb99ac37bfa72
--- /dev/null
+++ b/tests/unit_tests/commands/test_utils.py
@@ -0,0 +1,118 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from superset.commands.utils import compute_owner_list, populate_owner_list, User
+
+
+@patch("superset.commands.utils.g")
+def test_populate_owner_list_default_to_user(mock_user):
+    owner_list = populate_owner_list([], True)
+    assert owner_list == [mock_user.user]
+
+
+@patch("superset.commands.utils.g")
+def test_populate_owner_list_default_to_user_handle_none(mock_user):
+    owner_list = populate_owner_list(None, True)
+    assert owner_list == [mock_user.user]
+
+
+@patch("superset.commands.utils.g")
+@patch("superset.commands.utils.security_manager")
+@patch("superset.commands.utils.get_user_id")
+def test_populate_owner_list_admin_user(mock_user_id, mock_sm, mock_g):
+    test_user = User(id=1, first_name="First", last_name="Last")
+    mock_g.user = User(id=4, first_name="Admin", last_name="User")
+    mock_user_id.return_value = 4
+    mock_sm.is_admin = MagicMock(return_value=True)
+    mock_sm.get_user_by_id = MagicMock(return_value=test_user)
+
+    owner_list = populate_owner_list([1], False)
+    assert owner_list == [test_user]
+
+
+@patch("superset.commands.utils.g")
+@patch("superset.commands.utils.security_manager")
+@patch("superset.commands.utils.get_user_id")
+def test_populate_owner_list_admin_user_empty_list(mock_user_id, mock_sm, mock_g):
+    mock_g.user = User(id=4, first_name="Admin", last_name="User")
+    mock_user_id.return_value = 4
+    mock_sm.is_admin = MagicMock(return_value=True)
+    owner_list = populate_owner_list([], False)
+    assert owner_list == []
+
+
+@patch("superset.commands.utils.g")
+@patch("superset.commands.utils.security_manager")
+@patch("superset.commands.utils.get_user_id")
+def test_populate_owner_list_non_admin(mock_user_id, mock_sm, mock_g):
+    test_user = User(id=1, first_name="First", last_name="Last")
+    mock_g.user = User(id=4, first_name="Non", last_name="admin")
+    mock_user_id.return_value = 4
+    mock_sm.is_admin = MagicMock(return_value=False)
+    mock_sm.get_user_by_id = MagicMock(return_value=test_user)
+
+    owner_list = populate_owner_list([1], False)
+    assert owner_list == [mock_g.user, test_user]
+
+
+@patch("superset.commands.utils.populate_owner_list")
+def test_compute_owner_list_new_owners(mock_populate_owner_list):
+    current_owners = [User(id=1), User(id=2), User(id=3)]
+    new_owners = [4, 5, 6]
+
+    compute_owner_list(current_owners, new_owners)
+    mock_populate_owner_list.assert_called_once_with(new_owners, default_to_user=False)
+
+
+@patch("superset.commands.utils.populate_owner_list")
+def test_compute_owner_list_no_new_owners(mock_populate_owner_list):
+    current_owners = [User(id=1), User(id=2), User(id=3)]
+    new_owners = None
+
+    compute_owner_list(current_owners, new_owners)
+    mock_populate_owner_list.assert_called_once_with([1, 2, 3], default_to_user=False)
+
+
+@patch("superset.commands.utils.populate_owner_list")
+def test_compute_owner_list_new_owner_empty_list(mock_populate_owner_list):
+    current_owners = [User(id=1), User(id=2), User(id=3)]
+    new_owners = []
+
+    compute_owner_list(current_owners, new_owners)
+    mock_populate_owner_list.assert_called_once_with(new_owners, default_to_user=False)
+
+
+@patch("superset.commands.utils.populate_owner_list")
+def test_compute_owner_list_no_owners(mock_populate_owner_list):
+    current_owners = []
+    new_owners = [4, 5, 6]
+
+    compute_owner_list(current_owners, new_owners)
+    mock_populate_owner_list.assert_called_once_with(new_owners, default_to_user=False)
+
+
+@patch("superset.commands.utils.populate_owner_list")
+def test_compute_owner_list_no_owners_handle_none(mock_populate_owner_list):
+    current_owners = None
+    new_owners = [4, 5, 6]
+
+    compute_owner_list(current_owners, new_owners)
+    mock_populate_owner_list.assert_called_once_with(new_owners, default_to_user=False)

From ee8be59fdc5c1e66488455edbfb168ba6177c11b Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Wed, 6 Mar 2024 08:59:56 -0800
Subject: [PATCH 085/114] fix(sqllab): Close already removed tab (#27391)

(cherry picked from commit 5107cc0fd9134886d7a8eefd51fb242e520a542e)
---
 .../src/SqlLab/actions/sqlLab.js              | 19 +++---
 .../src/hooks/apiResources/queryApi.ts        |  5 +-
 superset/views/sql_lab/views.py               | 20 +++++--
 tests/integration_tests/sql_lab/api_tests.py  | 59 +++++++++++++++++++
 4 files changed, 90 insertions(+), 13 deletions(-)

diff --git a/superset-frontend/src/SqlLab/actions/sqlLab.js b/superset-frontend/src/SqlLab/actions/sqlLab.js
index 97db64fb89ad9..cbab24a21e561 100644
--- a/superset-frontend/src/SqlLab/actions/sqlLab.js
+++ b/superset-frontend/src/SqlLab/actions/sqlLab.js
@@ -742,15 +742,18 @@ export function removeQueryEditor(queryEditor) {
 
     return sync
       .then(() => dispatch({ type: REMOVE_QUERY_EDITOR, queryEditor }))
-      .catch(() =>
-        dispatch(
-          addDangerToast(
-            t(
-              'An error occurred while removing tab. Please contact your administrator.',
+      .catch(({ status }) => {
+        if (status !== 404) {
+          return dispatch(
+            addDangerToast(
+              t(
+                'An error occurred while removing tab. Please contact your administrator.',
+              ),
             ),
-          ),
-        ),
-      );
+          );
+        }
+        return dispatch({ type: REMOVE_QUERY_EDITOR, queryEditor });
+      });
   };
 }
 
diff --git a/superset-frontend/src/hooks/apiResources/queryApi.ts b/superset-frontend/src/hooks/apiResources/queryApi.ts
index b7bf7f5b5d7b3..4099422b5468f 100644
--- a/superset-frontend/src/hooks/apiResources/queryApi.ts
+++ b/superset-frontend/src/hooks/apiResources/queryApi.ts
@@ -64,7 +64,10 @@ export const supersetClientQuery: BaseQueryFn<
     }))
     .catch(response =>
       getClientErrorObject(response).then(errorObj => ({
-        error: errorObj,
+        error: {
+          error: errorObj?.message || errorObj?.error || response.statusText,
+          status: response.status,
+        },
       })),
     );
 
diff --git a/superset/views/sql_lab/views.py b/superset/views/sql_lab/views.py
index 00ba4b8a5f0fc..4b96d0d6c270d 100644
--- a/superset/views/sql_lab/views.py
+++ b/superset/views/sql_lab/views.py
@@ -112,7 +112,10 @@ def post(self) -> FlaskResponse:
     @has_access_api
     @expose("/<int:tab_state_id>", methods=("DELETE",))
     def delete(self, tab_state_id: int) -> FlaskResponse:
-        if _get_owner_id(tab_state_id) != get_user_id():
+        owner_id = _get_owner_id(tab_state_id)
+        if owner_id is None:
+            return Response(status=404)
+        if owner_id != get_user_id():
             return Response(status=403)
 
         db.session.query(TabState).filter(TabState.id == tab_state_id).delete(
@@ -127,7 +130,10 @@ def delete(self, tab_state_id: int) -> FlaskResponse:
     @has_access_api
     @expose("/<int:tab_state_id>", methods=("GET",))
     def get(self, tab_state_id: int) -> FlaskResponse:
-        if _get_owner_id(tab_state_id) != get_user_id():
+        owner_id = _get_owner_id(tab_state_id)
+        if owner_id is None:
+            return Response(status=404)
+        if owner_id != get_user_id():
             return Response(status=403)
 
         tab_state = db.session.query(TabState).filter_by(id=tab_state_id).first()
@@ -157,7 +163,10 @@ def activate(self, tab_state_id: int) -> FlaskResponse:
     @has_access_api
     @expose("<int:tab_state_id>", methods=("PUT",))
     def put(self, tab_state_id: int) -> FlaskResponse:
-        if _get_owner_id(tab_state_id) != get_user_id():
+        owner_id = _get_owner_id(tab_state_id)
+        if owner_id is None:
+            return Response(status=404)
+        if owner_id != get_user_id():
             return Response(status=403)
 
         fields = {k: json.loads(v) for k, v in request.form.to_dict().items()}
@@ -172,7 +181,10 @@ def put(self, tab_state_id: int) -> FlaskResponse:
     @has_access_api
     @expose("<int:tab_state_id>/migrate_query", methods=("POST",))
     def migrate_query(self, tab_state_id: int) -> FlaskResponse:
-        if _get_owner_id(tab_state_id) != get_user_id():
+        owner_id = _get_owner_id(tab_state_id)
+        if owner_id is None:
+            return Response(status=404)
+        if owner_id != get_user_id():
             return Response(status=403)
 
         client_id = json.loads(request.form["queryId"])
diff --git a/tests/integration_tests/sql_lab/api_tests.py b/tests/integration_tests/sql_lab/api_tests.py
index da050c2363d2a..597f961346abb 100644
--- a/tests/integration_tests/sql_lab/api_tests.py
+++ b/tests/integration_tests/sql_lab/api_tests.py
@@ -137,6 +137,65 @@ def test_get_from_bootstrap_data_with_queries(self):
         result = resp["result"]
         self.assertEqual(len(result["queries"]), 1)
 
+    @mock.patch.dict(
+        "superset.extensions.feature_flag_manager._feature_flags",
+        {"SQLLAB_BACKEND_PERSISTENCE": True},
+        clear=True,
+    )
+    def test_deleted_tab(self):
+        username = "admin"
+        self.login(username)
+        data = {
+            "queryEditor": json.dumps(
+                {
+                    "title": "Untitled Query 2",
+                    "dbId": 1,
+                    "schema": None,
+                    "autorun": False,
+                    "sql": "SELECT ...",
+                    "queryLimit": 1000,
+                }
+            )
+        }
+        resp = self.get_json_resp("/tabstateview/", data=data)
+        tab_state_id = resp["id"]
+        resp = self.client.delete("/tabstateview/" + str(tab_state_id))
+        assert resp.status_code == 200
+        resp = self.client.get("/tabstateview/" + str(tab_state_id))
+        assert resp.status_code == 404
+        resp = self.client.put(
+            "/tabstateview/" + str(tab_state_id),
+            json=data,
+        )
+        assert resp.status_code == 404
+
+    @mock.patch.dict(
+        "superset.extensions.feature_flag_manager._feature_flags",
+        {"SQLLAB_BACKEND_PERSISTENCE": True},
+        clear=True,
+    )
+    def test_delete_tab_already_removed(self):
+        username = "admin"
+        self.login(username)
+        data = {
+            "queryEditor": json.dumps(
+                {
+                    "title": "Untitled Query 3",
+                    "dbId": 1,
+                    "schema": None,
+                    "autorun": False,
+                    "sql": "SELECT ...",
+                    "queryLimit": 1000,
+                }
+            )
+        }
+        resp = self.get_json_resp("/tabstateview/", data=data)
+        tab_state_id = resp["id"]
+        resp = self.client.delete("/tabstateview/" + str(tab_state_id))
+        assert resp.status_code == 200
+        resp = self.client.delete("/tabstateview/" + str(tab_state_id))
+        assert resp.status_code == 404
+
     def test_get_access_denied(self):
         new_role = Role(name="Dummy Role", permissions=[])
         db.session.add(new_role)

From 7b3d289a9ff7312df602fb51db85457c7f7d1e84 Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Thu, 7 Mar 2024 10:04:49 -0800
Subject: [PATCH 086/114] fix: missing shared color in mixed timeseries
 (#27403)

(cherry picked from commit 9ced2552dbeeaf60217b385d4c40cbaf4372c787)
---
 .../src/MixedTimeseries/transformProps.ts                   | 5 +++--
 superset/commands/base.py                                   | 2 +-
 tests/integration_tests/datasets/api_tests.py               | 6 ++++++
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts b/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts
index ce6969213a88f..8eecb6de4723c 100644
--- a/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts
+++ b/superset-frontend/plugins/plugin-chart-echarts/src/MixedTimeseries/transformProps.ts
@@ -406,8 +406,9 @@ export default function transformProps(
 
   rawSeriesB.forEach(entry => {
     const entryName = String(entry.name || '');
-    const seriesName = `${inverted[entryName] || entryName} (1)`;
-    const colorScaleKey = getOriginalSeries(seriesName, array);
+    const seriesEntry = inverted[entryName] || entryName;
+    const seriesName = `${seriesEntry} (1)`;
+    const colorScaleKey = getOriginalSeries(seriesEntry, array);
 
     const seriesFormatter = getFormatter(
       customFormattersSecondary,
diff --git a/superset/commands/base.py b/superset/commands/base.py
index 8b330d0669c0b..d2efcda4fe838 100644
--- a/superset/commands/base.py
+++ b/superset/commands/base.py
@@ -58,7 +58,7 @@ def populate_owners(owner_ids: Optional[list[int]] = None) -> list[User]:
         return populate_owner_list(owner_ids, default_to_user=True)
 
 
-class UpdateMixin:  # pylint: disable=too-few-public-methods
+class UpdateMixin:
     @staticmethod
     def populate_owners(owner_ids: Optional[list[int]] = None) -> list[User]:
         """
diff --git a/tests/integration_tests/datasets/api_tests.py b/tests/integration_tests/datasets/api_tests.py
index 9b264a7eb6477..8033f2fd9c214 100644
--- a/tests/integration_tests/datasets/api_tests.py
+++ b/tests/integration_tests/datasets/api_tests.py
@@ -889,6 +889,8 @@ def test_update_dataset_preserve_ownership(self):
         """
         Dataset API: Test update dataset preserves owner list (if un-changed)
         """
+        if backend() == "sqlite":
+            return
 
         dataset = self.insert_default_dataset()
         current_owners = dataset.owners
@@ -907,6 +909,8 @@ def test_update_dataset_clear_owner_list(self):
         """
         Dataset API: Test update dataset admin can clear ownership config
         """
+        if backend() == "sqlite":
+            return
 
         dataset = self.insert_default_dataset()
         self.login(username="admin")
@@ -925,6 +929,8 @@ def test_update_dataset_populate_owner(self):
         Dataset API: Test update admin can update dataset with
         no owners to a different owner
         """
+        if backend() == "sqlite":
+            return
         self.login(username="admin")
         gamma = self.get_user("gamma")
         dataset = self.insert_dataset("ab_permission", [], get_main_database())

From 113660645313333cd6751881e2ad15cea0ee86f4 Mon Sep 17 00:00:00 2001
From: Jack <41238731+fisjac@users.noreply.github.com>
Date: Sun, 3 Mar 2024 18:26:17 -0600
Subject: [PATCH 087/114] fix(deps): resolving canvg and html2canvas module not
 found (#27315)

(cherry picked from commit 5915851ba308ce06a914f173fba8b0c47c4e32c0)
---
 superset-frontend/package-lock.json | 40 ++++++++---------------------
 1 file changed, 10 insertions(+), 30 deletions(-)

diff --git a/superset-frontend/package-lock.json b/superset-frontend/package-lock.json
index 0a4ed84d6cd18..0576427e07972 100644
--- a/superset-frontend/package-lock.json
+++ b/superset-frontend/package-lock.json
@@ -19620,8 +19620,7 @@
     "node_modules/@types/raf": {
       "version": "3.4.2",
       "resolved": "https://registry.npmjs.org/@types/raf/-/raf-3.4.2.tgz",
-      "integrity": "sha512-sM4HyDVlDFl4goOXPF+g9nNHJFZQGot+HgySjM4cRjqXzjdatcEvYrtG4Ia8XumR9T6k8G2tW9B7hnUj51Uf0A==",
-      "optional": true
+      "integrity": "sha512-sM4HyDVlDFl4goOXPF+g9nNHJFZQGot+HgySjM4cRjqXzjdatcEvYrtG4Ia8XumR9T6k8G2tW9B7hnUj51Uf0A=="
     },
     "node_modules/@types/range-parser": {
       "version": "1.2.4",
@@ -23903,7 +23902,6 @@
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/base64-arraybuffer/-/base64-arraybuffer-1.0.2.tgz",
       "integrity": "sha512-I3yl4r9QB5ZRY3XuJVEPfc2XhZO6YweFPI+UovAzn+8/hb3oJ6lnysaFcjVpkCPfVWFUDvoZ8kmVDP7WyRtYtQ==",
-      "optional": true,
       "engines": {
         "node": ">= 0.6.0"
       }
@@ -25049,7 +25047,6 @@
       "version": "3.0.10",
       "resolved": "https://registry.npmjs.org/canvg/-/canvg-3.0.10.tgz",
       "integrity": "sha512-qwR2FRNO9NlzTeKIPIKpnTY6fqwuYSequ8Ru8c0YkYU7U0oW+hLUvWadLvAu1Rl72OMNiFhoLu4f8eUjQ7l/+Q==",
-      "optional": true,
       "dependencies": {
         "@babel/runtime": "^7.12.5",
         "@types/raf": "^3.4.0",
@@ -27026,7 +27023,6 @@
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/css-line-break/-/css-line-break-2.1.0.tgz",
       "integrity": "sha512-FHcKFCZcAha3LwfVBhCQbW2nCNbkZXn7KVUJcsT5/P8YmfsVja0FMPJr0B903j/E69HUphKiV9iQArX8SDYA4w==",
-      "optional": true,
       "dependencies": {
         "utrie": "^1.0.2"
       }
@@ -35230,7 +35226,6 @@
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/html2canvas/-/html2canvas-1.4.1.tgz",
       "integrity": "sha512-fPU6BHNpsyIhr8yyMpTLLxAbkaK8ArIBcmZIRiBLiDhjeqvXolaEmDGmELFuX9I4xDcaKKcJl+TKZLqruBbmWA==",
-      "optional": true,
       "dependencies": {
         "css-line-break": "^2.1.0",
         "text-segmentation": "^1.0.3"
@@ -40302,13 +40297,13 @@
         "@babel/runtime": "^7.14.0",
         "atob": "^2.1.2",
         "btoa": "^1.2.1",
-        "fflate": "^0.4.8"
+        "canvg": "^3.0.6",
+        "fflate": "^0.4.8",
+        "html2canvas": "^1.0.0-rc.5"
       },
       "optionalDependencies": {
-        "canvg": "^3.0.6",
         "core-js": "^3.6.0",
-        "dompurify": "^2.2.0",
-        "html2canvas": "^1.0.0-rc.5"
+        "dompurify": "^2.2.0"
       }
     },
     "node_modules/jsprim": {
@@ -54151,7 +54146,6 @@
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/rgbcolor/-/rgbcolor-1.0.1.tgz",
       "integrity": "sha512-9aZLIrhRaD97sgVhtJOW6ckOEh6/GnvQtdVNfdZ6s67+3/XwLS9lBcQYzEEhYVeUowN7pRzMLsyGhK2i/xvWbw==",
-      "optional": true,
       "engines": {
         "node": ">= 0.8.15"
       }
@@ -55553,7 +55547,6 @@
       "version": "2.6.0",
       "resolved": "https://registry.npmjs.org/stackblur-canvas/-/stackblur-canvas-2.6.0.tgz",
       "integrity": "sha512-8S1aIA+UoF6erJYnglGPug6MaHYGo1Ot7h5fuXx4fUPvcvQfcdw2o/ppCse63+eZf8PPidSu4v1JnmEVtEDnpg==",
-      "optional": true,
       "engines": {
         "node": ">=0.1.14"
       }
@@ -56277,7 +56270,6 @@
       "version": "6.0.3",
       "resolved": "https://registry.npmjs.org/svg-pathdata/-/svg-pathdata-6.0.3.tgz",
       "integrity": "sha512-qsjeeq5YjBZ5eMdFuUa4ZosMLxgr5RZ+F+Y1OrDhuOCEInRMA3x74XdBtggJcj9kOeInz0WE+LgCPDkZFlBYJw==",
-      "optional": true,
       "engines": {
         "node": ">=12.0.0"
       }
@@ -57118,7 +57110,6 @@
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/text-segmentation/-/text-segmentation-1.0.3.tgz",
       "integrity": "sha512-iOiPUo/BGnZ6+54OsWxZidGCsdU8YbE4PSpdPinp7DeMtUJNJBoJ/ouUSTJjHkh1KntHaltHl/gDs2FC4i5+Nw==",
-      "optional": true,
       "dependencies": {
         "utrie": "^1.0.2"
       }
@@ -58647,7 +58638,6 @@
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/utrie/-/utrie-1.0.2.tgz",
       "integrity": "sha512-1MLa5ouZiOmQzUbjbu9VmjLzn1QLXBhwpUa7kdLUQK+KQ5KA9I1vk5U4YHe/X2Ch7PYnJfWuWT+VbuxbGwljhw==",
-      "optional": true,
       "dependencies": {
         "base64-arraybuffer": "^1.0.2"
       }
@@ -79592,8 +79582,7 @@
     "@types/raf": {
       "version": "3.4.2",
       "resolved": "https://registry.npmjs.org/@types/raf/-/raf-3.4.2.tgz",
-      "integrity": "sha512-sM4HyDVlDFl4goOXPF+g9nNHJFZQGot+HgySjM4cRjqXzjdatcEvYrtG4Ia8XumR9T6k8G2tW9B7hnUj51Uf0A==",
-      "optional": true
+      "integrity": "sha512-sM4HyDVlDFl4goOXPF+g9nNHJFZQGot+HgySjM4cRjqXzjdatcEvYrtG4Ia8XumR9T6k8G2tW9B7hnUj51Uf0A=="
     },
     "@types/range-parser": {
       "version": "1.2.4",
@@ -83012,8 +83001,7 @@
     "base64-arraybuffer": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/base64-arraybuffer/-/base64-arraybuffer-1.0.2.tgz",
-      "integrity": "sha512-I3yl4r9QB5ZRY3XuJVEPfc2XhZO6YweFPI+UovAzn+8/hb3oJ6lnysaFcjVpkCPfVWFUDvoZ8kmVDP7WyRtYtQ==",
-      "optional": true
+      "integrity": "sha512-I3yl4r9QB5ZRY3XuJVEPfc2XhZO6YweFPI+UovAzn+8/hb3oJ6lnysaFcjVpkCPfVWFUDvoZ8kmVDP7WyRtYtQ=="
     },
     "base64-js": {
       "version": "1.5.1",
@@ -83874,7 +83862,6 @@
       "version": "3.0.10",
       "resolved": "https://registry.npmjs.org/canvg/-/canvg-3.0.10.tgz",
       "integrity": "sha512-qwR2FRNO9NlzTeKIPIKpnTY6fqwuYSequ8Ru8c0YkYU7U0oW+hLUvWadLvAu1Rl72OMNiFhoLu4f8eUjQ7l/+Q==",
-      "optional": true,
       "requires": {
         "@babel/runtime": "^7.12.5",
         "@types/raf": "^3.4.0",
@@ -85477,7 +85464,6 @@
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/css-line-break/-/css-line-break-2.1.0.tgz",
       "integrity": "sha512-FHcKFCZcAha3LwfVBhCQbW2nCNbkZXn7KVUJcsT5/P8YmfsVja0FMPJr0B903j/E69HUphKiV9iQArX8SDYA4w==",
-      "optional": true,
       "requires": {
         "utrie": "^1.0.2"
       }
@@ -91713,7 +91699,6 @@
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/html2canvas/-/html2canvas-1.4.1.tgz",
       "integrity": "sha512-fPU6BHNpsyIhr8yyMpTLLxAbkaK8ArIBcmZIRiBLiDhjeqvXolaEmDGmELFuX9I4xDcaKKcJl+TKZLqruBbmWA==",
-      "optional": true,
       "requires": {
         "css-line-break": "^2.1.0",
         "text-segmentation": "^1.0.3"
@@ -106145,8 +106130,7 @@
     "rgbcolor": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/rgbcolor/-/rgbcolor-1.0.1.tgz",
-      "integrity": "sha512-9aZLIrhRaD97sgVhtJOW6ckOEh6/GnvQtdVNfdZ6s67+3/XwLS9lBcQYzEEhYVeUowN7pRzMLsyGhK2i/xvWbw==",
-      "optional": true
+      "integrity": "sha512-9aZLIrhRaD97sgVhtJOW6ckOEh6/GnvQtdVNfdZ6s67+3/XwLS9lBcQYzEEhYVeUowN7pRzMLsyGhK2i/xvWbw=="
     },
     "rimraf": {
       "version": "3.0.2",
@@ -107303,8 +107287,7 @@
     "stackblur-canvas": {
       "version": "2.6.0",
       "resolved": "https://registry.npmjs.org/stackblur-canvas/-/stackblur-canvas-2.6.0.tgz",
-      "integrity": "sha512-8S1aIA+UoF6erJYnglGPug6MaHYGo1Ot7h5fuXx4fUPvcvQfcdw2o/ppCse63+eZf8PPidSu4v1JnmEVtEDnpg==",
-      "optional": true
+      "integrity": "sha512-8S1aIA+UoF6erJYnglGPug6MaHYGo1Ot7h5fuXx4fUPvcvQfcdw2o/ppCse63+eZf8PPidSu4v1JnmEVtEDnpg=="
     },
     "stackframe": {
       "version": "1.2.1",
@@ -107851,8 +107834,7 @@
     "svg-pathdata": {
       "version": "6.0.3",
       "resolved": "https://registry.npmjs.org/svg-pathdata/-/svg-pathdata-6.0.3.tgz",
-      "integrity": "sha512-qsjeeq5YjBZ5eMdFuUa4ZosMLxgr5RZ+F+Y1OrDhuOCEInRMA3x74XdBtggJcj9kOeInz0WE+LgCPDkZFlBYJw==",
-      "optional": true
+      "integrity": "sha512-qsjeeq5YjBZ5eMdFuUa4ZosMLxgr5RZ+F+Y1OrDhuOCEInRMA3x74XdBtggJcj9kOeInz0WE+LgCPDkZFlBYJw=="
     },
     "svgo": {
       "version": "3.0.2",
@@ -108463,7 +108445,6 @@
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/text-segmentation/-/text-segmentation-1.0.3.tgz",
       "integrity": "sha512-iOiPUo/BGnZ6+54OsWxZidGCsdU8YbE4PSpdPinp7DeMtUJNJBoJ/ouUSTJjHkh1KntHaltHl/gDs2FC4i5+Nw==",
-      "optional": true,
       "requires": {
         "utrie": "^1.0.2"
       }
@@ -109565,7 +109546,6 @@
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/utrie/-/utrie-1.0.2.tgz",
       "integrity": "sha512-1MLa5ouZiOmQzUbjbu9VmjLzn1QLXBhwpUa7kdLUQK+KQ5KA9I1vk5U4YHe/X2Ch7PYnJfWuWT+VbuxbGwljhw==",
-      "optional": true,
       "requires": {
         "base64-arraybuffer": "^1.0.2"
       }

From 09caaca251575042ec4938463c8875f057c4fcff Mon Sep 17 00:00:00 2001
From: Jack <41238731+fisjac@users.noreply.github.com>
Date: Mon, 4 Mar 2024 10:34:31 -0600
Subject: [PATCH 088/114] fix(Alerts & Reports): Fixing bug that resets cron
 value to default when empty   (#27262)

---
 superset-frontend/src/features/alerts/AlertReportModal.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/superset-frontend/src/features/alerts/AlertReportModal.tsx b/superset-frontend/src/features/alerts/AlertReportModal.tsx
index e371efcf1b929..f836599ca4c1e 100644
--- a/superset-frontend/src/features/alerts/AlertReportModal.tsx
+++ b/superset-frontend/src/features/alerts/AlertReportModal.tsx
@@ -1358,7 +1358,7 @@ const AlertReportModal: FunctionComponent<AlertReportModalProps> = ({
               <span className="required">*</span>
             </StyledSectionTitle>
             <AlertReportCronScheduler
-              value={currentAlert?.crontab || ALERT_REPORTS_DEFAULT_CRON_VALUE}
+              value={currentAlert?.crontab || ''}
               onChange={newVal => updateAlertState('crontab', newVal)}
             />
             <div className="control-label">{TRANSLATIONS.TIMEZONE_TEXT}</div>

From a15975d3af99c214d9ae930a9a973a5780e60892 Mon Sep 17 00:00:00 2001
From: Mark Skelton <mark@federato.ai>
Date: Fri, 8 Mar 2024 07:21:36 -0600
Subject: [PATCH 089/114] fix(dashboard): Only fetch CSS templates for
 dashboard header menu when in edit mode (#27411)

Co-authored-by: Michael S. Molina <michael.s.molina@gmail.com>
---
 .../components/CssEditor/CssEditor.test.tsx   | 54 +++++++++++--------
 .../dashboard/components/CssEditor/index.jsx  | 25 +++++++--
 .../Header/HeaderActionsDropdown/index.jsx    | 27 +---------
 3 files changed, 55 insertions(+), 51 deletions(-)

diff --git a/superset-frontend/src/dashboard/components/CssEditor/CssEditor.test.tsx b/superset-frontend/src/dashboard/components/CssEditor/CssEditor.test.tsx
index 16b2a1afbb7c7..28ac7672f691b 100644
--- a/superset-frontend/src/dashboard/components/CssEditor/CssEditor.test.tsx
+++ b/superset-frontend/src/dashboard/components/CssEditor/CssEditor.test.tsx
@@ -21,6 +21,7 @@ import { render, screen, waitFor } from 'spec/helpers/testing-library';
 import { CssEditor as AceCssEditor } from 'src/components/AsyncAceEditor';
 import { IAceEditorProps } from 'react-ace';
 import userEvent from '@testing-library/user-event';
+import fetchMock from 'fetch-mock';
 import CssEditor from '.';
 
 jest.mock('src/components/AsyncAceEditor', () => ({
@@ -33,46 +34,59 @@ jest.mock('src/components/AsyncAceEditor', () => ({
 }));
 
 const templates = [
-  { label: 'Template A', css: 'background-color: red;' },
-  { label: 'Template B', css: 'background-color: blue;' },
-  { label: 'Template C', css: 'background-color: yellow;' },
+  { template_name: 'Template A', css: 'background-color: red;' },
+  { template_name: 'Template B', css: 'background-color: blue;' },
+  { template_name: 'Template C', css: 'background-color: yellow;' },
 ];
 
+fetchMock.get('glob:*/csstemplateasyncmodelview/api/read', {
+  result: templates,
+});
+
 AceCssEditor.preload = () => new Promise(() => {});
 
-test('renders with default props', () => {
-  render(<CssEditor triggerNode={<>Click</>} />);
+const defaultProps = {
+  triggerNode: <>Click</>,
+  addDangerToast: jest.fn(),
+};
+
+test('renders with default props', async () => {
+  await waitFor(() => render(<CssEditor {...defaultProps} />));
   expect(screen.getByRole('button', { name: 'Click' })).toBeInTheDocument();
 });
 
-test('renders with initial CSS', () => {
+test('renders with initial CSS', async () => {
   const initialCss = 'margin: 10px;';
-  render(<CssEditor triggerNode={<>Click</>} initialCss={initialCss} />);
+  await waitFor(() =>
+    render(<CssEditor {...defaultProps} initialCss={initialCss} />),
+  );
   userEvent.click(screen.getByRole('button', { name: 'Click' }));
   expect(screen.getByText(initialCss)).toBeInTheDocument();
 });
 
 test('renders with templates', async () => {
-  render(<CssEditor triggerNode={<>Click</>} templates={templates} />);
+  await waitFor(() => render(<CssEditor {...defaultProps} />));
   userEvent.click(screen.getByRole('button', { name: 'Click' }));
   userEvent.hover(screen.getByText('Load a CSS template'));
   await waitFor(() => {
     templates.forEach(template =>
-      expect(screen.getByText(template.label)).toBeInTheDocument(),
+      expect(screen.getByText(template.template_name)).toBeInTheDocument(),
     );
   });
 });
 
-test('triggers onChange when using the editor', () => {
+test('triggers onChange when using the editor', async () => {
   const onChange = jest.fn();
   const initialCss = 'margin: 10px;';
   const additionalCss = 'color: red;';
-  render(
-    <CssEditor
-      triggerNode={<>Click</>}
-      initialCss={initialCss}
-      onChange={onChange}
-    />,
+  await waitFor(() =>
+    render(
+      <CssEditor
+        {...defaultProps}
+        initialCss={initialCss}
+        onChange={onChange}
+      />,
+    ),
   );
   userEvent.click(screen.getByRole('button', { name: 'Click' }));
   expect(onChange).not.toHaveBeenCalled();
@@ -82,12 +96,8 @@ test('triggers onChange when using the editor', () => {
 
 test('triggers onChange when selecting a template', async () => {
   const onChange = jest.fn();
-  render(
-    <CssEditor
-      triggerNode={<>Click</>}
-      templates={templates}
-      onChange={onChange}
-    />,
+  await waitFor(() =>
+    render(<CssEditor {...defaultProps} onChange={onChange} />),
   );
   userEvent.click(screen.getByRole('button', { name: 'Click' }));
   userEvent.click(screen.getByText('Load a CSS template'));
diff --git a/superset-frontend/src/dashboard/components/CssEditor/index.jsx b/superset-frontend/src/dashboard/components/CssEditor/index.jsx
index ad12cb6c78a9e..9fcd1768a8985 100644
--- a/superset-frontend/src/dashboard/components/CssEditor/index.jsx
+++ b/superset-frontend/src/dashboard/components/CssEditor/index.jsx
@@ -21,7 +21,7 @@ import PropTypes from 'prop-types';
 import { AntdDropdown } from 'src/components';
 import { Menu } from 'src/components/Menu';
 import Button from 'src/components/Button';
-import { t, styled } from '@superset-ui/core';
+import { t, styled, SupersetClient } from '@superset-ui/core';
 import ModalTrigger from 'src/components/ModalTrigger';
 import { CssEditor as AceCssEditor } from 'src/components/AsyncAceEditor';
 
@@ -47,7 +47,7 @@ const propTypes = {
   initialCss: PropTypes.string,
   triggerNode: PropTypes.node.isRequired,
   onChange: PropTypes.func,
-  templates: PropTypes.array,
+  addDangerToast: PropTypes.func.isRequired,
 };
 
 const defaultProps = {
@@ -60,6 +60,7 @@ class CssEditor extends React.PureComponent {
     super(props);
     this.state = {
       css: props.initialCss,
+      templates: [],
     };
     this.changeCss = this.changeCss.bind(this);
     this.changeCssTemplate = this.changeCssTemplate.bind(this);
@@ -67,6 +68,22 @@ class CssEditor extends React.PureComponent {
 
   componentDidMount() {
     AceCssEditor.preload();
+
+    SupersetClient.get({ endpoint: '/csstemplateasyncmodelview/api/read' })
+      .then(({ json }) => {
+        const templates = json.result.map(row => ({
+          value: row.template_name,
+          css: row.css,
+          label: row.template_name,
+        }));
+
+        this.setState({ templates });
+      })
+      .catch(() => {
+        this.props.addDangerToast(
+          t('An error occurred while fetching available CSS templates'),
+        );
+      });
   }
 
   changeCss(css) {
@@ -80,10 +97,10 @@ class CssEditor extends React.PureComponent {
   }
 
   renderTemplateSelector() {
-    if (this.props.templates) {
+    if (this.state.templates) {
       const menu = (
         <Menu onClick={this.changeCssTemplate}>
-          {this.props.templates.map(template => (
+          {this.state.templates.map(template => (
             <Menu.Item key={template.css}>{template.label}</Menu.Item>
           ))}
         </Menu>
diff --git a/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx b/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx
index b0d3fc251e9d9..9c05b1ec7686d 100644
--- a/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx
+++ b/superset-frontend/src/dashboard/components/Header/HeaderActionsDropdown/index.jsx
@@ -19,12 +19,7 @@
 import React from 'react';
 import PropTypes from 'prop-types';
 import { isEmpty } from 'lodash';
-import {
-  isFeatureEnabled,
-  FeatureFlag,
-  SupersetClient,
-  t,
-} from '@superset-ui/core';
+import { isFeatureEnabled, FeatureFlag, t } from '@superset-ui/core';
 import { Menu } from 'src/components/Menu';
 import { URL_PARAMS } from 'src/constants';
 import ShareMenuItems from 'src/dashboard/components/menu/ShareMenuItems';
@@ -104,7 +99,6 @@ class HeaderActionsDropdown extends React.PureComponent {
     super(props);
     this.state = {
       css: props.customCss,
-      cssTemplates: [],
       showReportSubMenu: null,
     };
 
@@ -114,23 +108,6 @@ class HeaderActionsDropdown extends React.PureComponent {
     this.setShowReportSubMenu = this.setShowReportSubMenu.bind(this);
   }
 
-  UNSAFE_componentWillMount() {
-    SupersetClient.get({ endpoint: '/csstemplateasyncmodelview/api/read' })
-      .then(({ json }) => {
-        const cssTemplates = json.result.map(row => ({
-          value: row.template_name,
-          css: row.css,
-          label: row.template_name,
-        }));
-        this.setState({ cssTemplates });
-      })
-      .catch(() => {
-        this.props.addDangerToast(
-          t('An error occurred while fetching available CSS templates'),
-        );
-      });
-  }
-
   UNSAFE_componentWillReceiveProps(nextProps) {
     if (this.props.customCss !== nextProps.customCss) {
       this.setState({ css: nextProps.customCss }, () => {
@@ -262,8 +239,8 @@ class HeaderActionsDropdown extends React.PureComponent {
             <CssEditor
               triggerNode={<span>{t('Edit CSS')}</span>}
               initialCss={this.state.css}
-              templates={this.state.cssTemplates}
               onChange={this.changeCss}
+              addDangerToast={addDangerToast}
             />
           </Menu.Item>
         )}

From 553a469dba6ec10347a39b35c22034a3911cee48 Mon Sep 17 00:00:00 2001
From: Evan Rusackas <evan@preset.io>
Date: Tue, 12 Mar 2024 11:26:49 -0600
Subject: [PATCH 090/114] fix(webpack): remove double-dotted file extensions in
 webpack config (#27471)

(cherry picked from commit 47ae9d4cc3ca94332cb14359fb8a306f91c2da60)
---
 superset-frontend/webpack.config.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/superset-frontend/webpack.config.js b/superset-frontend/webpack.config.js
index 2fa922873eca3..9d67904862f2a 100644
--- a/superset-frontend/webpack.config.js
+++ b/superset-frontend/webpack.config.js
@@ -404,7 +404,7 @@ const config = {
         },
         type: 'asset',
         generator: {
-          filename: '[name].[contenthash:8].[ext]',
+          filename: '[name].[contenthash:8][ext]',
         },
       },
       {
@@ -432,7 +432,7 @@ const config = {
         test: /\.(jpg|gif)$/,
         type: 'asset/resource',
         generator: {
-          filename: '[name].[contenthash:8].[ext]',
+          filename: '[name].[contenthash:8][ext]',
         },
       },
       /* for font-awesome */

From 51f904c42cc1573059976c964a2d5bf945e2912b Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Tue, 12 Mar 2024 21:28:06 -0400
Subject: [PATCH 091/114] fix: check if guest user modified query (#27484)

(cherry picked from commit 735b895dd5e409bfc95406e847a82fd786d93a1d)
---
 superset/security/manager.py              |  85 +++++++++++-----
 tests/unit_tests/security/manager_test.py | 112 ++++++++++++++++++----
 2 files changed, 156 insertions(+), 41 deletions(-)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index e6eb77e645d80..38f4e4bdfa356 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -143,6 +143,56 @@ def __init__(self, **kwargs: Any) -> None:
 RoleModelView.related_views = []
 
 
+def query_context_modified(query_context: "QueryContext") -> bool:
+    """
+    Check if a query context has been modified.
+
+    This is used to ensure guest users don't modify the payload and fetch data
+    different from what was shared with them in dashboards.
+    """
+    form_data = query_context.form_data
+    stored_chart = query_context.slice_
+
+    # sanity checks
+    if form_data is None or stored_chart is None:
+        return True
+
+    # cannot request a different chart
+    if form_data.get("slice_id") != stored_chart.id:
+        return True
+
+    # compare form_data
+    requested_metrics = {
+        frozenset(metric.items()) if isinstance(metric, dict) else metric
+        for metric in form_data.get("metrics") or []
+    }
+    stored_metrics = {
+        frozenset(metric.items()) if isinstance(metric, dict) else metric
+        for metric in stored_chart.params_dict.get("metrics") or []
+    }
+    if not requested_metrics.issubset(stored_metrics):
+        return True
+
+    # compare queries in query_context
+    queries_metrics = {
+        frozenset(metric.items()) if isinstance(metric, dict) else metric
+        for query in query_context.queries
+        for metric in query.metrics or []
+    }
+
+    if stored_chart.query_context:
+        stored_query_context = json.loads(cast(str, stored_chart.query_context))
+        for query in stored_query_context.get("queries") or []:
+            stored_metrics.update(
+                {
+                    frozenset(metric.items()) if isinstance(metric, dict) else metric
+                    for metric in query.get("metrics") or []
+                }
+            )
+
+    return not queries_metrics.issubset(stored_metrics)
+
+
 class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
     SecurityManager
 ):
@@ -1941,29 +1991,20 @@ def raise_for_access(
                     self.get_table_access_error_object(denied)
                 )
 
-        if self.is_guest_user() and query_context:
-            # Guest users MUST not modify the payload so it's requesting a different
-            # chart or different ad-hoc metrics from what's saved.
-            form_data = query_context.form_data
-            stored_chart = query_context.slice_
-
-            if (
-                form_data is None
-                or stored_chart is None
-                or form_data.get("slice_id") != stored_chart.id
-                or form_data.get("metrics", []) != stored_chart.params_dict["metrics"]
-                or any(
-                    query.metrics != stored_chart.params_dict["metrics"]
-                    for query in query_context.queries
-                )
-            ):
-                raise SupersetSecurityException(
-                    SupersetError(
-                        error_type=SupersetErrorType.DASHBOARD_SECURITY_ACCESS_ERROR,
-                        message=_("Guest user cannot modify chart payload"),
-                        level=ErrorLevel.ERROR,
-                    )
+        # Guest users MUST not modify the payload so it's requesting a
+        # different chart or different ad-hoc metrics from what's saved.
+        if (
+            query_context
+            and self.is_guest_user()
+            and query_context_modified(query_context)
+        ):
+            raise SupersetSecurityException(
+                SupersetError(
+                    error_type=SupersetErrorType.DASHBOARD_SECURITY_ACCESS_ERROR,
+                    message=_("Guest user cannot modify chart payload"),
+                    level=ErrorLevel.ERROR,
                 )
+            )
 
         if datasource or query_context or viz:
             form_data = None
diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py
index 7d2b9153a392d..5a06013a683bb 100644
--- a/tests/unit_tests/security/manager_test.py
+++ b/tests/unit_tests/security/manager_test.py
@@ -15,6 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
 
+# pylint: disable=invalid-name, unused-argument, redefined-outer-name
+
 import pytest
 from flask_appbuilder.security.sqla.models import Role, User
 from pytest_mock import MockFixture
@@ -25,6 +27,7 @@
 from superset.extensions import appbuilder
 from superset.models.slice import Slice
 from superset.security.manager import SupersetSecurityManager
+from superset.superset_typing import AdhocMetric
 from superset.utils.core import override_user
 
 
@@ -36,12 +39,29 @@ def test_security_manager(app_context: None) -> None:
     assert sm
 
 
-def test_raise_for_access_guest_user(
+@pytest.fixture
+def stored_metrics() -> list[AdhocMetric]:
+    """
+    Return a list of metrics.
+    """
+    return [
+        {
+            "column": None,
+            "expressionType": "SQL",
+            "hasCustomLabel": False,
+            "label": "COUNT(*) + 1",
+            "sqlExpression": "COUNT(*) + 1",
+        },
+    ]
+
+
+def test_raise_for_access_guest_user_ok(
     mocker: MockFixture,
     app_context: None,
+    stored_metrics: list[AdhocMetric],
 ) -> None:
     """
-    Test that guest user can't modify chart payload.
+    Test that guest user can submit an unmodified chart payload.
     """
     sm = SupersetSecurityManager(appbuilder)
     mocker.patch.object(sm, "is_guest_user", return_value=True)
@@ -49,23 +69,11 @@ def test_raise_for_access_guest_user(
 
     query_context = mocker.MagicMock()
     query_context.slice_.id = 42
-    stored_metrics = [
-        {
-            "aggregate": None,
-            "column": None,
-            "datasourceWarning": False,
-            "expressionType": "SQL",
-            "hasCustomLabel": False,
-            "label": "COUNT(*) + 1",
-            "optionName": "metric_ssa1gwimio_cxpyjc7vj3s",
-            "sqlExpression": "COUNT(*) + 1",
-        }
-    ]
+    query_context.slice_.query_context = None
     query_context.slice_.params_dict = {
         "metrics": stored_metrics,
     }
 
-    # normal request
     query_context.form_data = {
         "slice_id": 42,
         "metrics": stored_metrics,
@@ -73,7 +81,26 @@ def test_raise_for_access_guest_user(
     query_context.queries = [QueryObject(metrics=stored_metrics)]  # type: ignore
     sm.raise_for_access(query_context=query_context)
 
-    # tampered requests
+
+def test_raise_for_access_guest_user_tampered_id(
+    mocker: MockFixture,
+    app_context: None,
+    stored_metrics: list[AdhocMetric],
+) -> None:
+    """
+    Test that guest user cannot modify the chart ID.
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    mocker.patch.object(sm, "is_guest_user", return_value=True)
+    mocker.patch.object(sm, "can_access", return_value=True)
+
+    query_context = mocker.MagicMock()
+    query_context.slice_.id = 42
+    query_context.slice_.query_context = None
+    query_context.slice_.params_dict = {
+        "metrics": stored_metrics,
+    }
+
     query_context.form_data = {
         "slice_id": 43,
         "metrics": stored_metrics,
@@ -82,15 +109,32 @@ def test_raise_for_access_guest_user(
     with pytest.raises(SupersetSecurityException):
         sm.raise_for_access(query_context=query_context)
 
+
+def test_raise_for_access_guest_user_tampered_form_data(
+    mocker: MockFixture,
+    app_context: None,
+    stored_metrics: list[AdhocMetric],
+) -> None:
+    """
+    Test that guest user cannot modify metrics in the form data.
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    mocker.patch.object(sm, "is_guest_user", return_value=True)
+    mocker.patch.object(sm, "can_access", return_value=True)
+
+    query_context = mocker.MagicMock()
+    query_context.slice_.id = 42
+    query_context.slice_.query_context = None
+    query_context.slice_.params_dict = {
+        "metrics": stored_metrics,
+    }
+
     tampered_metrics = [
         {
-            "aggregate": None,
             "column": None,
-            "datasourceWarning": False,
             "expressionType": "SQL",
             "hasCustomLabel": False,
             "label": "COUNT(*) + 2",
-            "optionName": "metric_ssa1gwimio_cxpyjc7vj3s",
             "sqlExpression": "COUNT(*) + 2",
         }
     ]
@@ -102,6 +146,36 @@ def test_raise_for_access_guest_user(
     with pytest.raises(SupersetSecurityException):
         sm.raise_for_access(query_context=query_context)
 
+
+def test_raise_for_access_guest_user_tampered_queries(
+    mocker: MockFixture,
+    app_context: None,
+    stored_metrics: list[AdhocMetric],
+) -> None:
+    """
+    Test that guest user cannot modify metrics in the queries.
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    mocker.patch.object(sm, "is_guest_user", return_value=True)
+    mocker.patch.object(sm, "can_access", return_value=True)
+
+    query_context = mocker.MagicMock()
+    query_context.slice_.id = 42
+    query_context.slice_.query_context = None
+    query_context.slice_.params_dict = {
+        "metrics": stored_metrics,
+    }
+
+    tampered_metrics = [
+        {
+            "column": None,
+            "expressionType": "SQL",
+            "hasCustomLabel": False,
+            "label": "COUNT(*) + 2",
+            "sqlExpression": "COUNT(*) + 2",
+        }
+    ]
+
     query_context.form_data = {
         "slice_id": 42,
         "metrics": stored_metrics,

From f1f20e436c1cfc305c7c1e5e4295ce448d5a1149 Mon Sep 17 00:00:00 2001
From: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
Date: Thu, 14 Mar 2024 12:02:01 -0700
Subject: [PATCH 092/114] fix(postprocessing): resample with holes (#27487)

(cherry picked from commit 7f19d296b16d8463931b42c8258600b210b56475)
---
 .../utils/pandas_postprocessing/resample.py   |  5 +-
 .../pandas_postprocessing/test_resample.py    | 54 ++++++++++++++++++-
 2 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/superset/utils/pandas_postprocessing/resample.py b/superset/utils/pandas_postprocessing/resample.py
index a82d7031e9c12..a689895bd6283 100644
--- a/superset/utils/pandas_postprocessing/resample.py
+++ b/superset/utils/pandas_postprocessing/resample.py
@@ -43,13 +43,16 @@ def resample(
         raise InvalidPostProcessingError(_("Resample operation requires DatetimeIndex"))
     if method not in RESAMPLE_METHOD:
         raise InvalidPostProcessingError(
-            _("Resample method should in ") + ", ".join(RESAMPLE_METHOD) + "."
+            _("Resample method should be in ") + ", ".join(RESAMPLE_METHOD) + "."
         )
 
     if method == "asfreq" and fill_value is not None:
         _df = df.resample(rule).asfreq(fill_value=fill_value)
+        _df = _df.fillna(fill_value)
     elif method == "linear":
         _df = df.resample(rule).interpolate()
     else:
         _df = getattr(df.resample(rule), method)()
+        if method in ("ffill", "bfill"):
+            _df = _df.fillna(method=method)
     return _df
diff --git a/tests/unit_tests/pandas_postprocessing/test_resample.py b/tests/unit_tests/pandas_postprocessing/test_resample.py
index b1414c5fe8fdc..207863ab87946 100644
--- a/tests/unit_tests/pandas_postprocessing/test_resample.py
+++ b/tests/unit_tests/pandas_postprocessing/test_resample.py
@@ -21,7 +21,11 @@
 
 from superset.exceptions import InvalidPostProcessingError
 from superset.utils import pandas_postprocessing as pp
-from tests.unit_tests.fixtures.dataframes import categories_df, timeseries_df
+from tests.unit_tests.fixtures.dataframes import (
+    categories_df,
+    timeseries_df,
+    timeseries_with_gap_df,
+)
 
 
 def test_resample_should_not_side_effect():
@@ -63,6 +67,29 @@ def test_resample():
     )
 
 
+def test_resample_ffill_with_gaps():
+    post_df = pp.resample(df=timeseries_with_gap_df, rule="1D", method="ffill")
+    assert post_df.equals(
+        pd.DataFrame(
+            index=pd.to_datetime(
+                [
+                    "2019-01-01",
+                    "2019-01-02",
+                    "2019-01-03",
+                    "2019-01-04",
+                    "2019-01-05",
+                    "2019-01-06",
+                    "2019-01-07",
+                ]
+            ),
+            data={
+                "label": ["x", "y", "y", "y", "z", "z", "q"],
+                "y": [1.0, 2.0, 2.0, 2.0, 2.0, 2.0, 4.0],
+            },
+        )
+    )
+
+
 def test_resample_zero_fill():
     post_df = pp.resample(df=timeseries_df, rule="1D", method="asfreq", fill_value=0)
     assert post_df.equals(
@@ -86,6 +113,31 @@ def test_resample_zero_fill():
     )
 
 
+def test_resample_zero_fill_with_gaps():
+    post_df = pp.resample(
+        df=timeseries_with_gap_df, rule="1D", method="asfreq", fill_value=0
+    )
+    assert post_df.equals(
+        pd.DataFrame(
+            index=pd.to_datetime(
+                [
+                    "2019-01-01",
+                    "2019-01-02",
+                    "2019-01-03",
+                    "2019-01-04",
+                    "2019-01-05",
+                    "2019-01-06",
+                    "2019-01-07",
+                ]
+            ),
+            data={
+                "label": ["x", "y", 0, 0, "z", 0, "q"],
+                "y": [1.0, 2.0, 0, 0, 0, 0, 4.0],
+            },
+        )
+    )
+
+
 def test_resample_after_pivot():
     df = pd.DataFrame(
         data={

From ea83e9f9a7e7e23dd9e4e5144e46e35eefb8b1e7 Mon Sep 17 00:00:00 2001
From: Jack <41238731+fisjac@users.noreply.github.com>
Date: Fri, 15 Mar 2024 13:10:00 -0500
Subject: [PATCH 093/114] fix(alerts/reports): implementing custom_width as an
 Antd number input (#27260)

---
 .../src/features/alerts/AlertReportModal.tsx       | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/superset-frontend/src/features/alerts/AlertReportModal.tsx b/superset-frontend/src/features/alerts/AlertReportModal.tsx
index f836599ca4c1e..ebc85db78b66c 100644
--- a/superset-frontend/src/features/alerts/AlertReportModal.tsx
+++ b/superset-frontend/src/features/alerts/AlertReportModal.tsx
@@ -36,7 +36,7 @@ import rison from 'rison';
 import { useSingleViewResource } from 'src/views/CRUD/hooks';
 
 import Icons from 'src/components/Icons';
-import { Input } from 'src/components/Input';
+import { Input, InputNumber } from 'src/components/Input';
 import { Switch } from 'src/components/Switch';
 import Modal from 'src/components/Modal';
 import TimezoneSelector from 'src/components/TimezoneSelector';
@@ -890,6 +890,10 @@ const AlertReportModal: FunctionComponent<AlertReportModalProps> = ({
     updateAlertState(name, parsedValue);
   };
 
+  const onCustomWidthChange = (value: number | null | undefined) => {
+    updateAlertState('custom_width', value);
+  };
+
   const onTimeoutVerifyChange = (
     event: React.ChangeEvent<HTMLTextAreaElement | HTMLInputElement>,
   ) => {
@@ -1504,14 +1508,16 @@ const AlertReportModal: FunctionComponent<AlertReportModalProps> = ({
                   {TRANSLATIONS.CUSTOM_SCREENSHOT_WIDTH_TEXT}
                 </div>
                 <div className="input-container">
-                  <Input
+                  <InputNumber
                     type="number"
                     name="custom_width"
-                    value={currentAlert?.custom_width || ''}
+                    value={currentAlert?.custom_width || undefined}
+                    min={600}
+                    max={2400}
                     placeholder={
                       TRANSLATIONS.CUSTOM_SCREENSHOT_WIDTH_PLACEHOLDER_TEXT
                     }
-                    onChange={onInputChange}
+                    onChange={onCustomWidthChange}
                   />
                 </div>
               </StyledInputContainer>

From 8274d869b1d5a7bbe1992b9dc91b7c8d233f4740 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Mon, 18 Mar 2024 13:02:58 -0400
Subject: [PATCH 094/114] feat: `improve _extract_tables_from_sql` (#26748)

---
 superset/sql_parse.py                     | 18 ++++++++++--
 tests/unit_tests/jinja_context_test.py    |  8 ++++++
 tests/unit_tests/security/manager_test.py |  1 +
 tests/unit_tests/sql_parse_tests.py       | 34 +++++++++++++++++++----
 4 files changed, 53 insertions(+), 8 deletions(-)

diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index c85afc9460f12..49ee4c491f22e 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -25,6 +25,7 @@
 from typing import Any, cast, Optional
 
 import sqlparse
+from flask_babel import gettext as __
 from sqlalchemy import and_
 from sqlglot import exp, parse, parse_one
 from sqlglot.dialects import Dialects
@@ -55,7 +56,11 @@
 )
 from sqlparse.utils import imt
 
-from superset.exceptions import QueryClauseValidationException
+from superset.errors import ErrorLevel, SupersetError, SupersetErrorType
+from superset.exceptions import (
+    QueryClauseValidationException,
+    SupersetSecurityException,
+)
 from superset.utils.backports import StrEnum
 
 try:
@@ -287,9 +292,16 @@ def _extract_tables_from_sql(self) -> set[Table]:
         """
         try:
             statements = parse(self.stripped(), dialect=self._dialect)
-        except SqlglotError:
+        except SqlglotError as ex:
             logger.warning("Unable to parse SQL (%s): %s", self._dialect, self.sql)
-            return set()
+            dialect = self._dialect or "generic"
+            raise SupersetSecurityException(
+                SupersetError(
+                    error_type=SupersetErrorType.QUERY_SECURITY_ACCESS_ERROR,
+                    message=__(f"Unable to parse SQL ({dialect}): {self.sql}"),
+                    level=ErrorLevel.ERROR,
+                )
+            ) from ex
 
         return {
             table
diff --git a/tests/unit_tests/jinja_context_test.py b/tests/unit_tests/jinja_context_test.py
index e2a5e8cd49280..bbd9bcf06c60d 100644
--- a/tests/unit_tests/jinja_context_test.py
+++ b/tests/unit_tests/jinja_context_test.py
@@ -90,6 +90,14 @@ def test_dataset_macro(mocker: MockFixture) -> None:
     )
     DatasetDAO = mocker.patch("superset.daos.dataset.DatasetDAO")
     DatasetDAO.find_by_id.return_value = dataset
+    mocker.patch(
+        "superset.connectors.sqla.models.security_manager.get_guest_rls_filters",
+        return_value=[],
+    )
+    mocker.patch(
+        "superset.models.helpers.security_manager.get_guest_rls_filters",
+        return_value=[],
+    )
 
     assert (
         dataset_macro(1)
diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py
index 5a06013a683bb..325531c25b8d7 100644
--- a/tests/unit_tests/security/manager_test.py
+++ b/tests/unit_tests/security/manager_test.py
@@ -202,6 +202,7 @@ def test_raise_for_access_query_default_schema(
     sm = SupersetSecurityManager(appbuilder)
     mocker.patch.object(sm, "can_access_database", return_value=False)
     mocker.patch.object(sm, "get_schema_perm", return_value="[PostgreSQL].[public]")
+    mocker.patch.object(sm, "is_guest_user", return_value=False)
     SqlaTable = mocker.patch("superset.connectors.sqla.models.SqlaTable")
     SqlaTable.query_datasources_by_name.return_value = []
 
diff --git a/tests/unit_tests/sql_parse_tests.py b/tests/unit_tests/sql_parse_tests.py
index 2d2448c2fad90..fc1ae1b23150e 100644
--- a/tests/unit_tests/sql_parse_tests.py
+++ b/tests/unit_tests/sql_parse_tests.py
@@ -25,7 +25,10 @@
 from sqlparse.sql import Identifier, Token, TokenList
 from sqlparse.tokens import Name
 
-from superset.exceptions import QueryClauseValidationException
+from superset.exceptions import (
+    QueryClauseValidationException,
+    SupersetSecurityException,
+)
 from superset.sql_parse import (
     add_table_name,
     extract_table_references,
@@ -265,13 +268,34 @@ def test_extract_tables_illdefined() -> None:
     """
     Test that ill-defined tables return an empty set.
     """
-    assert extract_tables("SELECT * FROM schemaname.") == set()
-    assert extract_tables("SELECT * FROM catalogname.schemaname.") == set()
-    assert extract_tables("SELECT * FROM catalogname..") == set()
+    with pytest.raises(SupersetSecurityException) as excinfo:
+        extract_tables("SELECT * FROM schemaname.")
+    assert (
+        str(excinfo.value) == "Unable to parse SQL (generic): SELECT * FROM schemaname."
+    )
+
+    with pytest.raises(SupersetSecurityException) as excinfo:
+        extract_tables("SELECT * FROM catalogname.schemaname.")
+    assert (
+        str(excinfo.value)
+        == "Unable to parse SQL (generic): SELECT * FROM catalogname.schemaname."
+    )
+
+    with pytest.raises(SupersetSecurityException) as excinfo:
+        extract_tables("SELECT * FROM catalogname..")
+    assert (
+        str(excinfo.value)
+        == "Unable to parse SQL (generic): SELECT * FROM catalogname.."
+    )
+
+    with pytest.raises(SupersetSecurityException) as excinfo:
+        extract_tables('SELECT * FROM "tbname')
+    assert str(excinfo.value) == 'Unable to parse SQL (generic): SELECT * FROM "tbname'
+
+    # odd edge case that works
     assert extract_tables("SELECT * FROM catalogname..tbname") == {
         Table(table="tbname", schema=None, catalog="catalogname")
     }
-    assert extract_tables('SELECT * FROM "tbname') == set()
 
 
 def test_extract_tables_show_tables_from() -> None:

From efa94c4ab02144a836ddeb7d7f6faecf8bc53108 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Mon, 18 Mar 2024 15:38:58 -0400
Subject: [PATCH 095/114] fix: pass valid SQL to SM (#27464)

(cherry picked from commit 376bfd05bdba2bbc4bde2d209324105d0d408ee4)
---
 .../src/features/alerts/AlertReportModal.tsx  |  2 +-
 superset/security/manager.py                  |  6 +++-
 tests/unit_tests/commands/dataset/__init__.py | 16 +++++++++
 tests/unit_tests/security/manager_test.py     | 35 +++++++++++++++++++
 4 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 tests/unit_tests/commands/dataset/__init__.py

diff --git a/superset-frontend/src/features/alerts/AlertReportModal.tsx b/superset-frontend/src/features/alerts/AlertReportModal.tsx
index ebc85db78b66c..ae4feda653799 100644
--- a/superset-frontend/src/features/alerts/AlertReportModal.tsx
+++ b/superset-frontend/src/features/alerts/AlertReportModal.tsx
@@ -36,7 +36,7 @@ import rison from 'rison';
 import { useSingleViewResource } from 'src/views/CRUD/hooks';
 
 import Icons from 'src/components/Icons';
-import { Input, InputNumber } from 'src/components/Input';
+import { InputNumber } from 'src/components/Input';
 import { Switch } from 'src/components/Switch';
 import Modal from 'src/components/Modal';
 import TimezoneSelector from 'src/components/TimezoneSelector';
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 38f4e4bdfa356..f125269fb910a 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -59,6 +59,7 @@
     DatasetInvalidPermissionEvaluationException,
     SupersetSecurityException,
 )
+from superset.jinja_context import get_template_processor
 from superset.security.guest_token import (
     GuestToken,
     GuestTokenResources,
@@ -1956,11 +1957,14 @@ def raise_for_access(
                 return
 
             if query:
+                # make sure the quuery is valid SQL by rendering any Jinja
+                processor = get_template_processor(database=query.database)
+                rendered_sql = processor.process_template(query.sql)
                 default_schema = database.get_default_schema_for_query(query)
                 tables = {
                     Table(table_.table, table_.schema or default_schema)
                     for table_ in sql_parse.ParsedQuery(
-                        query.sql,
+                        rendered_sql,
                         engine=database.db_engine_spec.engine,
                     ).tables
                 }
diff --git a/tests/unit_tests/commands/dataset/__init__.py b/tests/unit_tests/commands/dataset/__init__.py
new file mode 100644
index 0000000000000..13a83393a9124
--- /dev/null
+++ b/tests/unit_tests/commands/dataset/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py
index 325531c25b8d7..22ec0dda4a7a4 100644
--- a/tests/unit_tests/security/manager_test.py
+++ b/tests/unit_tests/security/manager_test.py
@@ -27,6 +27,7 @@
 from superset.extensions import appbuilder
 from superset.models.slice import Slice
 from superset.security.manager import SupersetSecurityManager
+from superset.sql_parse import Table
 from superset.superset_typing import AdhocMetric
 from superset.utils.core import override_user
 
@@ -245,6 +246,40 @@ def test_raise_for_access_query_default_schema(
     )
 
 
+def test_raise_for_access_jinja_sql(mocker: MockFixture, app_context: None) -> None:
+    """
+    Test that Jinja gets rendered to SQL.
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    mocker.patch.object(sm, "can_access_database", return_value=False)
+    mocker.patch.object(sm, "get_schema_perm", return_value="[PostgreSQL].[public]")
+    mocker.patch.object(sm, "can_access", return_value=False)
+    mocker.patch.object(sm, "is_guest_user", return_value=False)
+    get_table_access_error_object = mocker.patch.object(
+        sm, "get_table_access_error_object"
+    )
+    SqlaTable = mocker.patch("superset.connectors.sqla.models.SqlaTable")
+    SqlaTable.query_datasources_by_name.return_value = []
+
+    database = mocker.MagicMock()
+    database.get_default_schema_for_query.return_value = "public"
+    query = mocker.MagicMock()
+    query.database = database
+    query.sql = "SELECT * FROM {% if True %}ab_user{% endif %} WHERE 1=1"
+
+    with pytest.raises(SupersetSecurityException):
+        sm.raise_for_access(
+            database=None,
+            datasource=None,
+            query=query,
+            query_context=None,
+            table=None,
+            viz=None,
+        )
+
+    get_table_access_error_object.assert_called_with({Table("ab_user", "public")})
+
+
 def test_raise_for_access_chart_for_datasource_permission(
     mocker: MockFixture,
     app_context: None,

From 9887b4ed33b4cd5319e0ce2107825787fc62da52 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Tue, 19 Mar 2024 11:20:52 -0400
Subject: [PATCH 096/114] fix: guest queries (#27566)

(cherry picked from commit 36290ce72fa806e8b6c063511ea434a97d91c3a9)
---
 superset/security/manager.py              |  24 +++--
 tests/unit_tests/security/manager_test.py | 119 +++++++++++++++++++++-
 2 files changed, 132 insertions(+), 11 deletions(-)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index f125269fb910a..bc235ad5059fb 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -68,6 +68,7 @@
     GuestTokenUser,
     GuestUser,
 )
+from superset.superset_typing import Metric
 from superset.utils.core import (
     DatasourceName,
     DatasourceType,
@@ -144,6 +145,13 @@ def __init__(self, **kwargs: Any) -> None:
 RoleModelView.related_views = []
 
 
+def freeze_metric(metric: Metric) -> str:
+    """
+    Used to compare metric sets.
+    """
+    return json.dumps(metric, sort_keys=True)
+
+
 def query_context_modified(query_context: "QueryContext") -> bool:
     """
     Check if a query context has been modified.
@@ -154,9 +162,9 @@ def query_context_modified(query_context: "QueryContext") -> bool:
     form_data = query_context.form_data
     stored_chart = query_context.slice_
 
-    # sanity checks
+    # native filter requests
     if form_data is None or stored_chart is None:
-        return True
+        return False
 
     # cannot request a different chart
     if form_data.get("slice_id") != stored_chart.id:
@@ -164,11 +172,10 @@ def query_context_modified(query_context: "QueryContext") -> bool:
 
     # compare form_data
     requested_metrics = {
-        frozenset(metric.items()) if isinstance(metric, dict) else metric
-        for metric in form_data.get("metrics") or []
+        freeze_metric(metric) for metric in form_data.get("metrics") or []
     }
     stored_metrics = {
-        frozenset(metric.items()) if isinstance(metric, dict) else metric
+        freeze_metric(metric)
         for metric in stored_chart.params_dict.get("metrics") or []
     }
     if not requested_metrics.issubset(stored_metrics):
@@ -176,7 +183,7 @@ def query_context_modified(query_context: "QueryContext") -> bool:
 
     # compare queries in query_context
     queries_metrics = {
-        frozenset(metric.items()) if isinstance(metric, dict) else metric
+        freeze_metric(metric)
         for query in query_context.queries
         for metric in query.metrics or []
     }
@@ -185,10 +192,7 @@ def query_context_modified(query_context: "QueryContext") -> bool:
         stored_query_context = json.loads(cast(str, stored_chart.query_context))
         for query in stored_query_context.get("queries") or []:
             stored_metrics.update(
-                {
-                    frozenset(metric.items()) if isinstance(metric, dict) else metric
-                    for metric in query.get("metrics") or []
-                }
+                {freeze_metric(metric) for metric in query.get("metrics") or []}
             )
 
     return not queries_metrics.issubset(stored_metrics)
diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py
index 22ec0dda4a7a4..7ed32b0abbc3e 100644
--- a/tests/unit_tests/security/manager_test.py
+++ b/tests/unit_tests/security/manager_test.py
@@ -26,7 +26,7 @@
 from superset.exceptions import SupersetSecurityException
 from superset.extensions import appbuilder
 from superset.models.slice import Slice
-from superset.security.manager import SupersetSecurityManager
+from superset.security.manager import query_context_modified, SupersetSecurityManager
 from superset.sql_parse import Table
 from superset.superset_typing import AdhocMetric
 from superset.utils.core import override_user
@@ -414,3 +414,120 @@ def test_raise_for_access_chart_owner(
         sm.raise_for_access(
             chart=slice,
         )
+
+
+def test_query_context_modified(
+    mocker: MockFixture,
+    stored_metrics: list[AdhocMetric],
+) -> None:
+    """
+    Test the `query_context_modified` function.
+
+    The function is used to ensure guest users are not modifying the request payload on
+    embedded dashboard, preventing users from modifying it to access metrics different
+    from the ones stored in dashboard charts.
+    """
+    query_context = mocker.MagicMock()
+    query_context.slice_.id = 42
+    query_context.slice_.query_context = None
+    query_context.slice_.params_dict = {
+        "metrics": stored_metrics,
+    }
+
+    query_context.form_data = {
+        "slice_id": 42,
+        "metrics": stored_metrics,
+    }
+    query_context.queries = [QueryObject(metrics=stored_metrics)]  # type: ignore
+    assert not query_context_modified(query_context)
+
+
+def test_query_context_modified_tampered(
+    mocker: MockFixture,
+    stored_metrics: list[AdhocMetric],
+) -> None:
+    """
+    Test the `query_context_modified` function when the request is tampered with.
+
+    The function is used to ensure guest users are not modifying the request payload on
+    embedded dashboard, preventing users from modifying it to access metrics different
+    from the ones stored in dashboard charts.
+    """
+    query_context = mocker.MagicMock()
+    query_context.slice_.id = 42
+    query_context.slice_.query_context = None
+    query_context.slice_.params_dict = {
+        "metrics": stored_metrics,
+    }
+
+    tampered_metrics = [
+        {
+            "column": None,
+            "expressionType": "SQL",
+            "hasCustomLabel": False,
+            "label": "COUNT(*) + 2",
+            "sqlExpression": "COUNT(*) + 2",
+        }
+    ]
+
+    query_context.form_data = {
+        "slice_id": 42,
+        "metrics": tampered_metrics,
+    }
+    query_context.queries = [QueryObject(metrics=tampered_metrics)]  # type: ignore
+    assert query_context_modified(query_context)
+
+
+def test_query_context_modified_native_filter(mocker: MockFixture) -> None:
+    """
+    Test the `query_context_modified` function with a native filter request.
+
+    A native filter request has no chart (slice) associated with it.
+    """
+    query_context = mocker.MagicMock()
+    query_context.slice_ = None
+
+    assert not query_context_modified(query_context)
+
+
+def test_query_context_modified_mixed_chart(mocker: MockFixture) -> None:
+    """
+    Test the `query_context_modified` function for a mixed chart request.
+
+    The metrics in the mixed chart are a nested dictionary (due to `columns`), and need
+    to be serialized to JSON with the keys sorted in order to compare the request
+    metrics with the chart metrics.
+    """
+    stored_metrics = [
+        {
+            "optionName": "metric_vgops097wej_g8uff99zhk7",
+            "label": "AVG(num)",
+            "expressionType": "SIMPLE",
+            "column": {"column_name": "num", "type": "BIGINT(20)"},
+            "aggregate": "AVG",
+        }
+    ]
+    # different order (remember, dicts have order!)
+    requested_metrics = [
+        {
+            "aggregate": "AVG",
+            "column": {"column_name": "num", "type": "BIGINT(20)"},
+            "expressionType": "SIMPLE",
+            "label": "AVG(num)",
+            "optionName": "metric_vgops097wej_g8uff99zhk7",
+        }
+    ]
+
+    query_context = mocker.MagicMock()
+    query_context.slice_.id = 42
+    query_context.slice_.query_context = None
+    query_context.slice_.params_dict = {
+        "metrics": stored_metrics,
+    }
+
+    query_context.form_data = {
+        "slice_id": 42,
+        "metrics": requested_metrics,
+    }
+    query_context.queries = [QueryObject(metrics=requested_metrics)]  # type: ignore
+    assert not query_context_modified(query_context)

From 48f851f2615f27cf06d1d3f0b035445f5fb64a63 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Thu, 21 Mar 2024 13:26:24 -0300
Subject: [PATCH 097/114] fix: Skips Hive tests that are blocking PRs (#27605)

(cherry picked from commit 718cd64657248f846a03a73167d2dc32d1f9dec5)
---
 tests/integration_tests/charts/data/api_tests.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/integration_tests/charts/data/api_tests.py b/tests/integration_tests/charts/data/api_tests.py
index 4def03ff4e484..1cb607d770a43 100644
--- a/tests/integration_tests/charts/data/api_tests.py
+++ b/tests/integration_tests/charts/data/api_tests.py
@@ -62,6 +62,8 @@
 from tests.common.query_context_generator import ANNOTATION_LAYERS
 from tests.integration_tests.fixtures.query_context import get_query_context
 
+from tests.integration_tests.test_app import app
+
 
 CHART_DATA_URI = "api/v1/chart/data"
 CHARTS_FIXTURE_COUNT = 10
@@ -79,6 +81,13 @@
 }
 
 
+@pytest.fixture(autouse=True)
+def skip_by_backend():
+    with app.app_context():
+        if backend() == "hive":
+            pytest.skip("Skipping tests for Hive backend")
+
+
 class BaseTestChartDataApi(SupersetTestCase):
     query_context_payload_template = None
 

From fc611a8873f45a88393e60774a896bb6106e6d90 Mon Sep 17 00:00:00 2001
From: hlcianfagna <110453267+hlcianfagna@users.noreply.github.com>
Date: Thu, 21 Mar 2024 18:35:40 +0000
Subject: [PATCH 098/114] fix(db_engine_specs): Update convert_dttm to work
 correctly with CrateDB (#27567)

(cherry picked from commit fcceaf081c85c501ce946a114447751d43a1f8fb)
---
 superset/db_engine_specs/crate.py              | 2 +-
 tests/unit_tests/db_engine_specs/test_crate.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/superset/db_engine_specs/crate.py b/superset/db_engine_specs/crate.py
index 46ce1e08ff24e..4952bd5a0d7d6 100644
--- a/superset/db_engine_specs/crate.py
+++ b/superset/db_engine_specs/crate.py
@@ -59,7 +59,7 @@ def convert_dttm(
         sqla_type = cls.get_sqla_column_type(target_type)
 
         if isinstance(sqla_type, types.TIMESTAMP):
-            return f"{dttm.timestamp() * 1000}"
+            return f"CAST('{dttm.isoformat()}' AS TIMESTAMP)"
         return None
 
     @classmethod
diff --git a/tests/unit_tests/db_engine_specs/test_crate.py b/tests/unit_tests/db_engine_specs/test_crate.py
index 2cb1cd78966dc..d2bace955c10a 100644
--- a/tests/unit_tests/db_engine_specs/test_crate.py
+++ b/tests/unit_tests/db_engine_specs/test_crate.py
@@ -59,7 +59,7 @@ def test_alter_new_orm_column() -> None:
 @pytest.mark.parametrize(
     "target_type,expected_result",
     [
-        ("TimeStamp", "1546398245678.9"),
+        ("TimeStamp", "CAST('2019-01-02T03:04:05.678900' AS TIMESTAMP)"),
         ("UnknownType", None),
     ],
 )

From 2ef0c13be93fa54ae931fe8988e85c12001eb95f Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Wed, 20 Mar 2024 15:26:01 -0400
Subject: [PATCH 099/114] fix: bump sqlglot to support materialized CTEs
 (#27576)

---
 requirements/base.txt | 2 +-
 setup.py              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index de25938a0166d..98ee56910921c 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -335,7 +335,7 @@ sqlalchemy-utils==0.38.3
     # via
     #   apache-superset
     #   flask-appbuilder
-sqlglot==20.8.0
+sqlglot==23.0.2
     # via apache-superset
 sqlparse==0.4.4
     # via apache-superset
diff --git a/setup.py b/setup.py
index 7050d7b497c89..62fffb5b598b2 100644
--- a/setup.py
+++ b/setup.py
@@ -126,7 +126,7 @@ def get_git_sha() -> str:
         "slack_sdk>=3.19.0, <4",
         "sqlalchemy>=1.4, <2",
         "sqlalchemy-utils>=0.38.3, <0.39",
-        "sqlglot>=20,<21",
+        "sqlglot>=23.0.2,<24",
         "sqlparse>=0.4.4, <0.5",
         "tabulate>=0.8.9, <0.9",
         "typing-extensions>=4, <5",

From 56a4b11464de50700d2bf88d510af5555b9c4d7b Mon Sep 17 00:00:00 2001
From: Beto Dealmeida <roberto@dealmeida.net>
Date: Thu, 21 Mar 2024 17:09:40 -0400
Subject: [PATCH 100/114] fix: sqlglot SQL Server (#27577)

(cherry picked from commit 72a41c16424e86c92d7423aac7e9fbab505a2c37)
---
 superset/sql_parse.py                            | 2 +-
 tests/integration_tests/charts/data/api_tests.py | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index 49ee4c491f22e..db51991e22ee0 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -112,7 +112,7 @@
     # "impala": ???
     # "kustokql": ???
     # "kylin": ???
-    # "mssql": ???
+    "mssql": Dialects.TSQL,
     "mysql": Dialects.MYSQL,
     "netezza": Dialects.POSTGRES,
     # "ocient": ???
diff --git a/tests/integration_tests/charts/data/api_tests.py b/tests/integration_tests/charts/data/api_tests.py
index 1cb607d770a43..3b740339967e1 100644
--- a/tests/integration_tests/charts/data/api_tests.py
+++ b/tests/integration_tests/charts/data/api_tests.py
@@ -460,6 +460,9 @@ def test_chart_data_prophet(self):
         """
         Chart data API: Ensure prophet post transformation works
         """
+        if backend() == "hive":
+            return
+
         time_grain = "P1Y"
         self.query_context_payload["queries"][0]["is_timeseries"] = True
         self.query_context_payload["queries"][0]["groupby"] = []
@@ -494,6 +497,9 @@ def test_chart_data_invalid_post_processing(self):
         """
         Chart data API: Ensure incorrect post processing returns correct response
         """
+        if backend() == "hive":
+            return
+
         query_context = self.query_context_payload
         query = query_context["queries"][0]
         query["columns"] = ["name", "gender"]

From b7492077134f3947c145aa5027665c342c137ba9 Mon Sep 17 00:00:00 2001
From: Sam Firke <sfirke@users.noreply.github.com>
Date: Thu, 21 Mar 2024 18:06:36 -0400
Subject: [PATCH 101/114] fix(utils): fix off-by-one error in how rolling
 window's min_periods truncates dataframe (#27388)

(cherry picked from commit d4d8625ab83168b10a5977a7cc402707b5fff2a9)
---
 superset/utils/pandas_postprocessing/rolling.py        | 2 +-
 tests/unit_tests/pandas_postprocessing/test_rolling.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/superset/utils/pandas_postprocessing/rolling.py b/superset/utils/pandas_postprocessing/rolling.py
index f93a047be989e..775acc7aa6d4c 100644
--- a/superset/utils/pandas_postprocessing/rolling.py
+++ b/superset/utils/pandas_postprocessing/rolling.py
@@ -97,5 +97,5 @@ def rolling(  # pylint: disable=too-many-arguments
     df_rolling = _append_columns(df, df_rolling, columns)
 
     if min_periods:
-        df_rolling = df_rolling[min_periods:]
+        df_rolling = df_rolling[min_periods - 1 :]
     return df_rolling
diff --git a/tests/unit_tests/pandas_postprocessing/test_rolling.py b/tests/unit_tests/pandas_postprocessing/test_rolling.py
index 1859b0c2c7a1f..cd162fb2d7b38 100644
--- a/tests/unit_tests/pandas_postprocessing/test_rolling.py
+++ b/tests/unit_tests/pandas_postprocessing/test_rolling.py
@@ -107,7 +107,7 @@ def test_rolling():
         )
 
 
-def test_rolling_should_empty_df():
+def test_rolling_min_periods_trims_correctly():
     pivot_df = pp.pivot(
         df=single_metric_df,
         index=["dttm"],
@@ -121,7 +121,7 @@ def test_rolling_should_empty_df():
         min_periods=2,
         columns={"sum_metric": "sum_metric"},
     )
-    assert rolling_df.empty is True
+    assert len(rolling_df) == 1
 
 
 def test_rolling_after_pivot_with_single_metric():

From 3919651b0ad51a6f8237473579a03cd278fcf5ef Mon Sep 17 00:00:00 2001
From: Ross Mabbett <92495987+rtexelm@users.noreply.github.com>
Date: Fri, 22 Mar 2024 00:36:17 -0400
Subject: [PATCH 102/114] fix(Dashboard): Add editMode conditional for
 translate3d fix on charts to allow intended Fullscreen (#27613)

(cherry picked from commit 842b0939f6a182a8f7d3c7c893200d93be3a4b0c)
---
 .../src/dashboard/components/dnd/DragDroppable.jsx           | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx b/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx
index 92a3ab5636f31..ed14ba0742e0a 100644
--- a/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx
+++ b/superset-frontend/src/dashboard/components/dnd/DragDroppable.jsx
@@ -82,7 +82,9 @@ const DragDroppableStyles = styled.div`
       preview expands outside of the bounds of the drag source card, see:
       https://github.com/react-dnd/react-dnd/issues/832#issuecomment-442071628
     */
-    transform: translate3d(0, 0, 0);
+    &.dragdroppable--edit-mode {
+      transform: translate3d(0, 0, 0);
+    }
 
     &.dragdroppable--dragging {
       opacity: 0.2;
@@ -217,6 +219,7 @@ export class UnwrappedDragDroppable extends React.PureComponent {
         data-test="dragdroppable-object"
         className={cx(
           'dragdroppable',
+          editMode && 'dragdroppable--edit-mode',
           orientation === 'row' && 'dragdroppable-row',
           orientation === 'column' && 'dragdroppable-column',
           isDragging && 'dragdroppable--dragging',

From 46535a315eca8f0eb18eee941c305e594836df2d Mon Sep 17 00:00:00 2001
From: Pat Nadolny <patnadolny@gmail.com>
Date: Thu, 21 Mar 2024 17:06:15 -0500
Subject: [PATCH 103/114] fix: Volatile datasource ordering in dashboard export
 (#19595)

Co-authored-by: Michael S. Molina <70410625+michael-s-molina@users.noreply.github.com>
---
 superset/models/dashboard.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/superset/models/dashboard.py b/superset/models/dashboard.py
index 919c832ab5b4f..b615d886ee47a 100644
--- a/superset/models/dashboard.py
+++ b/superset/models/dashboard.py
@@ -320,9 +320,9 @@ def data(self) -> dict[str, Any]:
     )
     def datasets_trimmed_for_slices(self) -> list[dict[str, Any]]:
         # Verbose but efficient database enumeration of dashboard datasources.
-        slices_by_datasource: dict[
-            tuple[type[BaseDatasource], int], set[Slice]
-        ] = defaultdict(set)
+        slices_by_datasource: dict[tuple[type[BaseDatasource], int], set[Slice]] = (
+            defaultdict(set)
+        )
 
         for slc in self.slices:
             slices_by_datasource[(slc.cls_model, slc.datasource_id)].add(slc)
@@ -443,8 +443,11 @@ def export_dashboards(  # pylint: disable=too-many-locals
             copied_dashboard.alter_params(remote_id=dashboard_id)
             copied_dashboards.append(copied_dashboard)
 
+        datasource_id_list = list(datasource_ids)
+        datasource_id_list.sort()
+
         eager_datasources = []
-        for datasource_id, _ in datasource_ids:
+        for datasource_id, _ in datasource_id_list:
             eager_datasource = SqlaTable.get_eager_sqlatable_datasource(
                 db.session, datasource_id
             )

From b4fde185084a956913b779dd535a19b148eb983c Mon Sep 17 00:00:00 2001
From: John Bodley <4567245+john-bodley@users.noreply.github.com>
Date: Fri, 22 Mar 2024 13:39:28 +1300
Subject: [PATCH 104/114] fix(sql_parse): Ensure table extraction handles Jinja
 templating (#27470)

---
 superset/commands/sql_lab/execute.py |   4 +-
 superset/jinja_context.py            |  10 +--
 superset/models/sql_lab.py           |  40 ++++++----
 superset/security/manager.py         |  13 +---
 superset/sql_parse.py                | 105 +++++++++++++++++++++------
 superset/sqllab/query_render.py      |   3 +-
 tests/unit_tests/sql_parse_tests.py  |  41 +++++++++++
 7 files changed, 163 insertions(+), 53 deletions(-)

diff --git a/superset/commands/sql_lab/execute.py b/superset/commands/sql_lab/execute.py
index 5d955571d8441..533264fb28a4b 100644
--- a/superset/commands/sql_lab/execute.py
+++ b/superset/commands/sql_lab/execute.py
@@ -144,11 +144,13 @@ def _run_sql_json_exec_from_scratch(self) -> SqlJsonExecutionStatus:
         try:
             logger.info("Triggering query_id: %i", query.id)
 
+            # Necessary to check access before rendering the Jinjafied query as the
+            # some Jinja macros execute statements upon rendering.
+            self._validate_access(query)
             self._execution_context.set_query(query)
             rendered_query = self._sql_query_render.render(self._execution_context)
             validate_rendered_query = copy.copy(query)
             validate_rendered_query.sql = rendered_query
-            self._validate_access(validate_rendered_query)
             self._set_query_limit_if_required(rendered_query)
             self._query_dao.update(
                 query, {"limit": self._execution_context.query.limit}
diff --git a/superset/jinja_context.py b/superset/jinja_context.py
index 54d1f54866d24..9edddf24d93a6 100644
--- a/superset/jinja_context.py
+++ b/superset/jinja_context.py
@@ -24,7 +24,7 @@
 import dateutil
 from flask import current_app, g, has_request_context, request
 from flask_babel import gettext as _
-from jinja2 import DebugUndefined
+from jinja2 import DebugUndefined, Environment
 from jinja2.sandbox import SandboxedEnvironment
 from sqlalchemy.engine.interfaces import Dialect
 from sqlalchemy.sql.expression import bindparam
@@ -462,11 +462,11 @@ def __init__(
         self._applied_filters = applied_filters
         self._removed_filters = removed_filters
         self._context: dict[str, Any] = {}
-        self._env = SandboxedEnvironment(undefined=DebugUndefined)
+        self.env: Environment = SandboxedEnvironment(undefined=DebugUndefined)
         self.set_context(**kwargs)
 
         # custom filters
-        self._env.filters["where_in"] = WhereInMacro(database.get_dialect())
+        self.env.filters["where_in"] = WhereInMacro(database.get_dialect())
 
     def set_context(self, **kwargs: Any) -> None:
         self._context.update(kwargs)
@@ -479,7 +479,7 @@ def process_template(self, sql: str, **kwargs: Any) -> str:
         >>> process_template(sql)
         "SELECT '2017-01-01T00:00:00'"
         """
-        template = self._env.from_string(sql)
+        template = self.env.from_string(sql)
         kwargs.update(self._context)
 
         context = validate_template_context(self.engine, kwargs)
@@ -623,7 +623,7 @@ class TrinoTemplateProcessor(PrestoTemplateProcessor):
     engine = "trino"
 
     def process_template(self, sql: str, **kwargs: Any) -> str:
-        template = self._env.from_string(sql)
+        template = self.env.from_string(sql)
         kwargs.update(self._context)
 
         # Backwards compatibility if migrating from Presto.
diff --git a/superset/models/sql_lab.py b/superset/models/sql_lab.py
index aff8c1ce3d5ca..2fd0d2dc7628c 100644
--- a/superset/models/sql_lab.py
+++ b/superset/models/sql_lab.py
@@ -46,6 +46,7 @@
 from sqlalchemy.sql.elements import ColumnElement, literal_column
 
 from superset import security_manager
+from superset.exceptions import SupersetSecurityException
 from superset.jinja_context import BaseTemplateProcessor, get_template_processor
 from superset.models.helpers import (
     AuditMixinNullable,
@@ -53,7 +54,7 @@
     ExtraJSONMixin,
     ImportExportMixin,
 )
-from superset.sql_parse import CtasMethod, ParsedQuery, Table
+from superset.sql_parse import CtasMethod, extract_tables_from_jinja_sql, Table
 from superset.sqllab.limiting_factor import LimitingFactor
 from superset.utils.core import get_column_name, QueryStatus, user_label
 
@@ -65,8 +66,25 @@
 logger = logging.getLogger(__name__)
 
 
+class SqlTablesMixin:  # pylint: disable=too-few-public-methods
+    @property
+    def sql_tables(self) -> list[Table]:
+        try:
+            return list(
+                extract_tables_from_jinja_sql(
+                    self.sql,  # type: ignore
+                    self.database.db_engine_spec.engine,  # type: ignore
+                )
+            )
+        except SupersetSecurityException:
+            return []
+
+
 class Query(
-    Model, ExtraJSONMixin, ExploreMixin
+    SqlTablesMixin,
+    ExtraJSONMixin,
+    ExploreMixin,
+    Model,
 ):  # pylint: disable=abstract-method,too-many-public-methods
     """ORM model for SQL query
 
@@ -181,10 +199,6 @@ def database_name(self) -> str:
     def username(self) -> str:
         return self.user.username
 
-    @property
-    def sql_tables(self) -> list[Table]:
-        return list(ParsedQuery(self.sql, engine=self.db_engine_spec.engine).tables)
-
     @property
     def columns(self) -> list["TableColumn"]:
         from superset.connectors.sqla.models import (  # pylint: disable=import-outside-toplevel
@@ -355,7 +369,13 @@ def adhoc_column_to_sqla(
         return self.make_sqla_column_compatible(sqla_column, label)
 
 
-class SavedQuery(Model, AuditMixinNullable, ExtraJSONMixin, ImportExportMixin):
+class SavedQuery(
+    SqlTablesMixin,
+    AuditMixinNullable,
+    ExtraJSONMixin,
+    ImportExportMixin,
+    Model,
+):
     """ORM model for SQL query"""
 
     __tablename__ = "saved_query"
@@ -425,12 +445,6 @@ def sqlalchemy_uri(self) -> URL:
     def url(self) -> str:
         return f"/sqllab?savedQueryId={self.id}"
 
-    @property
-    def sql_tables(self) -> list[Table]:
-        return list(
-            ParsedQuery(self.sql, engine=self.database.db_engine_spec.engine).tables
-        )
-
     @property
     def last_run_humanized(self) -> str:
         return naturaltime(datetime.now() - self.changed_on)
diff --git a/superset/security/manager.py b/superset/security/manager.py
index bc235ad5059fb..3c4b4106d3442 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -52,14 +52,12 @@
 from sqlalchemy.orm.mapper import Mapper
 from sqlalchemy.orm.query import Query as SqlaQuery
 
-from superset import sql_parse
 from superset.constants import RouteMethod
 from superset.errors import ErrorLevel, SupersetError, SupersetErrorType
 from superset.exceptions import (
     DatasetInvalidPermissionEvaluationException,
     SupersetSecurityException,
 )
-from superset.jinja_context import get_template_processor
 from superset.security.guest_token import (
     GuestToken,
     GuestTokenResources,
@@ -68,6 +66,7 @@
     GuestTokenUser,
     GuestUser,
 )
+from superset.sql_parse import extract_tables_from_jinja_sql
 from superset.superset_typing import Metric
 from superset.utils.core import (
     DatasourceName,
@@ -1961,16 +1960,12 @@ def raise_for_access(
                 return
 
             if query:
-                # make sure the quuery is valid SQL by rendering any Jinja
-                processor = get_template_processor(database=query.database)
-                rendered_sql = processor.process_template(query.sql)
                 default_schema = database.get_default_schema_for_query(query)
                 tables = {
                     Table(table_.table, table_.schema or default_schema)
-                    for table_ in sql_parse.ParsedQuery(
-                        rendered_sql,
-                        engine=database.db_engine_spec.engine,
-                    ).tables
+                    for table_ in extract_tables_from_jinja_sql(
+                        query.sql, database.db_engine_spec.engine
+                    )
                 }
             elif table:
                 tables = {table}
diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index db51991e22ee0..58bca48a6e2df 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -16,16 +16,19 @@
 # under the License.
 
 # pylint: disable=too-many-lines
+from __future__ import annotations
 
 import logging
 import re
 import urllib.parse
 from collections.abc import Iterable, Iterator
 from dataclasses import dataclass
-from typing import Any, cast, Optional
+from typing import Any, cast
+from unittest.mock import Mock
 
 import sqlparse
 from flask_babel import gettext as __
+from jinja2 import nodes
 from sqlalchemy import and_
 from sqlglot import exp, parse, parse_one
 from sqlglot.dialects import Dialects
@@ -142,7 +145,7 @@ class CtasMethod(StrEnum):
     VIEW = "VIEW"
 
 
-def _extract_limit_from_query(statement: TokenList) -> Optional[int]:
+def _extract_limit_from_query(statement: TokenList) -> int | None:
     """
     Extract limit clause from SQL statement.
 
@@ -163,9 +166,7 @@ def _extract_limit_from_query(statement: TokenList) -> Optional[int]:
     return None
 
 
-def extract_top_from_query(
-    statement: TokenList, top_keywords: set[str]
-) -> Optional[int]:
+def extract_top_from_query(statement: TokenList, top_keywords: set[str]) -> int | None:
     """
     Extract top clause value from SQL statement.
 
@@ -189,7 +190,7 @@ def extract_top_from_query(
     return top
 
 
-def get_cte_remainder_query(sql: str) -> tuple[Optional[str], str]:
+def get_cte_remainder_query(sql: str) -> tuple[str | None, str]:
     """
     parse the SQL and return the CTE and rest of the block to the caller
 
@@ -197,7 +198,7 @@ def get_cte_remainder_query(sql: str) -> tuple[Optional[str], str]:
     :return: CTE and remainder block to the caller
 
     """
-    cte: Optional[str] = None
+    cte: str | None = None
     remainder = sql
     stmt = sqlparse.parse(sql)[0]
 
@@ -215,7 +216,7 @@ def get_cte_remainder_query(sql: str) -> tuple[Optional[str], str]:
     return cte, remainder
 
 
-def strip_comments_from_sql(statement: str, engine: Optional[str] = None) -> str:
+def strip_comments_from_sql(statement: str, engine: str | None = None) -> str:
     """
     Strips comments from a SQL statement, does a simple test first
     to avoid always instantiating the expensive ParsedQuery constructor
@@ -239,8 +240,8 @@ class Table:
     """
 
     table: str
-    schema: Optional[str] = None
-    catalog: Optional[str] = None
+    schema: str | None = None
+    catalog: str | None = None
 
     def __str__(self) -> str:
         """
@@ -262,7 +263,7 @@ def __init__(
         self,
         sql_statement: str,
         strip_comments: bool = False,
-        engine: Optional[str] = None,
+        engine: str | None = None,
     ):
         if strip_comments:
             sql_statement = sqlparse.format(sql_statement, strip_comments=True)
@@ -271,7 +272,7 @@ def __init__(
         self._dialect = SQLGLOT_DIALECTS.get(engine) if engine else None
         self._tables: set[Table] = set()
         self._alias_names: set[str] = set()
-        self._limit: Optional[int] = None
+        self._limit: int | None = None
 
         logger.debug("Parsing with sqlparse statement: %s", self.sql)
         self._parsed = sqlparse.parse(self.stripped())
@@ -382,7 +383,7 @@ def _is_cte(self, source: exp.Table, scope: Scope) -> bool:
         return source.name in ctes_in_scope
 
     @property
-    def limit(self) -> Optional[int]:
+    def limit(self) -> int | None:
         return self._limit
 
     def _get_cte_tables(self, parsed: dict[str, Any]) -> list[dict[str, Any]]:
@@ -463,7 +464,7 @@ def is_select(self) -> bool:
 
         return True
 
-    def get_inner_cte_expression(self, tokens: TokenList) -> Optional[TokenList]:
+    def get_inner_cte_expression(self, tokens: TokenList) -> TokenList | None:
         for token in tokens:
             if self._is_identifier(token):
                 for identifier_token in token.tokens:
@@ -527,7 +528,7 @@ def get_statements(self) -> list[str]:
         return statements
 
     @staticmethod
-    def get_table(tlist: TokenList) -> Optional[Table]:
+    def get_table(tlist: TokenList) -> Table | None:
         """
         Return the table if valid, i.e., conforms to the [[catalog.]schema.]table
         construct.
@@ -563,7 +564,7 @@ def _is_identifier(token: Token) -> bool:
     def as_create_table(
         self,
         table_name: str,
-        schema_name: Optional[str] = None,
+        schema_name: str | None = None,
         overwrite: bool = False,
         method: CtasMethod = CtasMethod.TABLE,
     ) -> str:
@@ -723,8 +724,8 @@ def add_table_name(rls: TokenList, table: str) -> None:
 def get_rls_for_table(
     candidate: Token,
     database_id: int,
-    default_schema: Optional[str],
-) -> Optional[TokenList]:
+    default_schema: str | None,
+) -> TokenList | None:
     """
     Given a table name, return any associated RLS predicates.
     """
@@ -770,7 +771,7 @@ def get_rls_for_table(
 def insert_rls_as_subquery(
     token_list: TokenList,
     database_id: int,
-    default_schema: Optional[str],
+    default_schema: str | None,
 ) -> TokenList:
     """
     Update a statement inplace applying any associated RLS predicates.
@@ -786,7 +787,7 @@ def insert_rls_as_subquery(
     This method is safer than ``insert_rls_in_predicate``, but doesn't work in all
     databases.
     """
-    rls: Optional[TokenList] = None
+    rls: TokenList | None = None
     state = InsertRLSState.SCANNING
     for token in token_list.tokens:
         # Recurse into child token list
@@ -862,7 +863,7 @@ def insert_rls_as_subquery(
 def insert_rls_in_predicate(
     token_list: TokenList,
     database_id: int,
-    default_schema: Optional[str],
+    default_schema: str | None,
 ) -> TokenList:
     """
     Update a statement inplace applying any associated RLS predicates.
@@ -873,7 +874,7 @@ def insert_rls_in_predicate(
         after:  SELECT * FROM some_table WHERE ( 1=1) AND some_table.id=42
 
     """
-    rls: Optional[TokenList] = None
+    rls: TokenList | None = None
     state = InsertRLSState.SCANNING
     for token in token_list.tokens:
         # Recurse into child token list
@@ -1007,7 +1008,7 @@ def insert_rls_in_predicate(
 
 def extract_table_references(
     sql_text: str, sqla_dialect: str, show_warning: bool = True
-) -> set["Table"]:
+) -> set[Table]:
     """
     Return all the dependencies from a SQL sql_text.
     """
@@ -1051,3 +1052,61 @@ def find_nodes_by_key(element: Any, target: str) -> Iterator[Any]:
         Table(*[part["value"] for part in table["name"][::-1]])
         for table in find_nodes_by_key(tree, "Table")
     }
+
+
+def extract_tables_from_jinja_sql(sql: str, engine: str | None = None) -> set[Table]:
+    """
+    Extract all table references in the Jinjafied SQL statement.
+
+    Due to Jinja templating, a multiphase approach is necessary as the Jinjafied SQL
+    statement may represent invalid SQL which is non-parsable by SQLGlot.
+
+    Firstly, we extract any tables referenced within the confines of specific Jinja
+    macros. Secondly, we replace these non-SQL Jinja calls with a pseudo-benign SQL
+    expression to help ensure that the resulting SQL statements are parsable by
+    SQLGlot.
+
+    :param sql: The Jinjafied SQL statement
+    :param engine: The associated database engine
+    :returns: The set of tables referenced in the SQL statement
+    :raises SupersetSecurityException: If SQLGlot is unable to parse the SQL statement
+    """
+
+    from superset.jinja_context import (  # pylint: disable=import-outside-toplevel
+        get_template_processor,
+    )
+
+    # Mock the required database as the processor signature is exposed publically.
+    processor = get_template_processor(database=Mock(backend=engine))
+    template = processor.env.parse(sql)
+
+    tables = set()
+
+    for node in template.find_all(nodes.Call):
+        if isinstance(node.node, nodes.Getattr) and node.node.attr in (
+            "latest_partition",
+            "latest_sub_partition",
+        ):
+            # Extract the table referenced in the macro.
+            tables.add(
+                Table(
+                    *[
+                        remove_quotes(part)
+                        for part in node.args[0].value.split(".")[::-1]
+                        if len(node.args) == 1
+                    ]
+                )
+            )
+
+            # Replace the potentially problematic Jinja macro with some benign SQL.
+            node.__class__ = nodes.TemplateData
+            node.fields = nodes.TemplateData.fields
+            node.data = "NULL"
+
+    return (
+        tables
+        | ParsedQuery(
+            sql_statement=processor.process_template(template),
+            engine=engine,
+        ).tables
+    )
diff --git a/superset/sqllab/query_render.py b/superset/sqllab/query_render.py
index 5597bcb086d7c..caf9a3cb2b206 100644
--- a/superset/sqllab/query_render.py
+++ b/superset/sqllab/query_render.py
@@ -79,8 +79,7 @@ def _validate(
         sql_template_processor: BaseTemplateProcessor,
     ) -> None:
         if is_feature_enabled("ENABLE_TEMPLATE_PROCESSING"):
-            # pylint: disable=protected-access
-            syntax_tree = sql_template_processor._env.parse(rendered_query)
+            syntax_tree = sql_template_processor.env.parse(rendered_query)
             undefined_parameters = find_undeclared_variables(syntax_tree)
             if undefined_parameters:
                 self._raise_undefined_parameter_exception(
diff --git a/tests/unit_tests/sql_parse_tests.py b/tests/unit_tests/sql_parse_tests.py
index fc1ae1b23150e..42b796bc58f1a 100644
--- a/tests/unit_tests/sql_parse_tests.py
+++ b/tests/unit_tests/sql_parse_tests.py
@@ -32,6 +32,7 @@
 from superset.sql_parse import (
     add_table_name,
     extract_table_references,
+    extract_tables_from_jinja_sql,
     get_rls_for_table,
     has_table_query,
     insert_rls_as_subquery,
@@ -1875,3 +1876,43 @@ def test_is_select() -> None:
 )
 SELECT * FROM t"""
     ).is_select()
+
+
+@pytest.mark.parametrize(
+    "engine",
+    [
+        "hive",
+        "presto",
+        "trino",
+    ],
+)
+@pytest.mark.parametrize(
+    "macro",
+    [
+        "latest_partition('foo.bar')",
+        "latest_sub_partition('foo.bar', baz='qux')",
+    ],
+)
+@pytest.mark.parametrize(
+    "sql,expected",
+    [
+        (
+            "SELECT '{{{{ {engine}.{macro} }}}}'",
+            {Table(table="bar", schema="foo")},
+        ),
+        (
+            "SELECT * FROM foo.baz WHERE quux = '{{{{ {engine}.{macro} }}}}'",
+            {Table(table="bar", schema="foo"), Table(table="baz", schema="foo")},
+        ),
+    ],
+)
+def test_extract_tables_from_jinja_sql(
+    engine: str,
+    macro: str,
+    sql: str,
+    expected: set[Table],
+) -> None:
+    assert (
+        extract_tables_from_jinja_sql(sql.format(engine=engine, macro=macro), engine)
+        == expected
+    )

From 06195b53ce60d292cf1f4908ed368bc62930fa2d Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Date: Fri, 22 Mar 2024 10:24:31 +0100
Subject: [PATCH 105/114] fix: Persist query params appended to permalink
 (#27601)

---
 superset/models/dashboard.py          |  6 +++---
 superset/views/core.py                |  2 ++
 tests/integration_tests/core_tests.py | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/superset/models/dashboard.py b/superset/models/dashboard.py
index b615d886ee47a..f5a1b3c06108e 100644
--- a/superset/models/dashboard.py
+++ b/superset/models/dashboard.py
@@ -320,9 +320,9 @@ def data(self) -> dict[str, Any]:
     )
     def datasets_trimmed_for_slices(self) -> list[dict[str, Any]]:
         # Verbose but efficient database enumeration of dashboard datasources.
-        slices_by_datasource: dict[tuple[type[BaseDatasource], int], set[Slice]] = (
-            defaultdict(set)
-        )
+        slices_by_datasource: dict[
+            tuple[type[BaseDatasource], int], set[Slice]
+        ] = defaultdict(set)
 
         for slc in self.slices:
             slices_by_datasource[(slc.cls_model, slc.datasource_id)].add(slc)
diff --git a/superset/views/core.py b/superset/views/core.py
index 613ea89b34b1b..dead91cb98c93 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -891,6 +891,8 @@ def dashboard_permalink(
         if url_params := state.get("urlParams"):
             params = parse.urlencode(url_params)
             url = f"{url}&{params}"
+        if original_params := request.query_string.decode():
+            url = f"{url}&{original_params}"
         if hash_ := state.get("anchor", state.get("hash")):
             url = f"{url}#{hash_}"
         return redirect(url)
diff --git a/tests/integration_tests/core_tests.py b/tests/integration_tests/core_tests.py
index c4a0897332b38..3698e5f5be3d7 100644
--- a/tests/integration_tests/core_tests.py
+++ b/tests/integration_tests/core_tests.py
@@ -1220,6 +1220,21 @@ def test_redirect_new_sqllab_history(self):
         resp = self.client.get("/superset/sqllab/history/")
         assert resp.status_code == 302
 
+    @mock.patch("superset.views.core.request")
+    @mock.patch(
+        "superset.commands.dashboard.permalink.get.GetDashboardPermalinkCommand.run"
+    )
+    def test_dashboard_permalink(self, get_dashboard_permalink_mock, request_mock):
+        request_mock.query_string = b"standalone=3"
+        get_dashboard_permalink_mock.return_value = {"dashboardId": 1}
+        self.login()
+        resp = self.client.get("superset/dashboard/p/123/")
+
+        expected_url = "/superset/dashboard/1?permalink_key=123&standalone=3"
+
+        self.assertEqual(resp.headers["Location"], expected_url)
+        assert resp.status_code == 302
+
 
 if __name__ == "__main__":
     unittest.main()

From bc603db7d4a7787d6bcd31668777860595281f94 Mon Sep 17 00:00:00 2001
From: Jack <41238731+fisjac@users.noreply.github.com>
Date: Fri, 22 Mar 2024 13:49:18 -0500
Subject: [PATCH 106/114] fix(AlertReports): clearing custom_width when
 disabled (#27551)

(cherry picked from commit 0f6e4041c73bcae931bac0a9daa1837beac5aaf6)
---
 superset-frontend/src/features/alerts/AlertReportModal.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/superset-frontend/src/features/alerts/AlertReportModal.tsx b/superset-frontend/src/features/alerts/AlertReportModal.tsx
index ae4feda653799..39261543f7065 100644
--- a/superset-frontend/src/features/alerts/AlertReportModal.tsx
+++ b/superset-frontend/src/features/alerts/AlertReportModal.tsx
@@ -628,6 +628,7 @@ const AlertReportModal: FunctionComponent<AlertReportModalProps> = ({
       chart: contentType === 'chart' ? currentAlert?.chart?.value : null,
       dashboard:
         contentType === 'dashboard' ? currentAlert?.dashboard?.value : null,
+      custom_width: isScreenshot ? currentAlert?.custom_width : undefined,
       database: currentAlert?.database?.value,
       owners: (currentAlert?.owners || []).map(
         owner => (owner as MetaObject).value || owner.id,

From 0b9c0d97dc25744ddef68d9c00c6616a8f1d2aeb Mon Sep 17 00:00:00 2001
From: Jack <41238731+fisjac@users.noreply.github.com>
Date: Mon, 25 Mar 2024 12:12:01 -0500
Subject: [PATCH 107/114] fix(AlertReports): defaulting grace period to
 undefined (#27552)

(cherry picked from commit 4fce940a9c3566c5dded68aa5cbba26fb562ae69)
---
 superset-frontend/src/features/alerts/AlertReportModal.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/superset-frontend/src/features/alerts/AlertReportModal.tsx b/superset-frontend/src/features/alerts/AlertReportModal.tsx
index 39261543f7065..8449024d1384c 100644
--- a/superset-frontend/src/features/alerts/AlertReportModal.tsx
+++ b/superset-frontend/src/features/alerts/AlertReportModal.tsx
@@ -903,7 +903,7 @@ const AlertReportModal: FunctionComponent<AlertReportModalProps> = ({
 
     // Need to make sure grace period is not lower than TIMEOUT_MIN
     if (value === 0) {
-      updateAlertState(target.name, null);
+      updateAlertState(target.name, undefined);
     } else {
       updateAlertState(
         target.name,

From 64d1a8f8c315aceed4b20aa1e13713b36ac13853 Mon Sep 17 00:00:00 2001
From: Ross Mabbett <92495987+rtexelm@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:54:03 -0400
Subject: [PATCH 108/114] fix(Chart Annotation modal): Table and Superset
 annotation options will paginate, exceeding previous max limit 100 (#27022)

(cherry picked from commit ce210eebdeeb374611e5b273379a889244f64288)
---
 .../AnnotationLayer.jsx                       | 350 ++++++++++++------
 .../AnnotationLayer.test.tsx                  | 125 +++++--
 2 files changed, 329 insertions(+), 146 deletions(-)

diff --git a/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.jsx b/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.jsx
index 563b94682385e..e29befc808a27 100644
--- a/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.jsx
+++ b/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.jsx
@@ -33,12 +33,12 @@ import {
   withTheme,
 } from '@superset-ui/core';
 import SelectControl from 'src/explore/components/controls/SelectControl';
+import { AsyncSelect } from 'src/components';
 import TextControl from 'src/explore/components/controls/TextControl';
 import CheckboxControl from 'src/explore/components/controls/CheckboxControl';
 import PopoverSection from 'src/components/PopoverSection';
 import ControlHeader from 'src/explore/components/ControlHeader';
 import { EmptyStateSmall } from 'src/components/EmptyState';
-import { FILTER_OPTIONS_LIMIT } from 'src/explore/constants';
 import {
   ANNOTATION_SOURCE_TYPES,
   ANNOTATION_TYPES,
@@ -194,28 +194,46 @@ class AnnotationLayer extends React.PureComponent {
       hideLine,
       // refData
       isNew: !name,
-      isLoadingOptions: true,
-      valueOptions: [],
+      slice: null,
     };
     this.submitAnnotation = this.submitAnnotation.bind(this);
     this.deleteAnnotation = this.deleteAnnotation.bind(this);
     this.applyAnnotation = this.applyAnnotation.bind(this);
-    this.fetchOptions = this.fetchOptions.bind(this);
+    this.isValidForm = this.isValidForm.bind(this);
+    // Handlers
     this.handleAnnotationType = this.handleAnnotationType.bind(this);
     this.handleAnnotationSourceType =
       this.handleAnnotationSourceType.bind(this);
-    this.handleValue = this.handleValue.bind(this);
-    this.isValidForm = this.isValidForm.bind(this);
+    this.handleSelectValue = this.handleSelectValue.bind(this);
+    this.handleTextValue = this.handleTextValue.bind(this);
+    // Fetch related functions
+    this.fetchOptions = this.fetchOptions.bind(this);
+    this.fetchCharts = this.fetchCharts.bind(this);
+    this.fetchNativeAnnotations = this.fetchNativeAnnotations.bind(this);
+    this.fetchAppliedAnnotation = this.fetchAppliedAnnotation.bind(this);
+    this.fetchSliceData = this.fetchSliceData.bind(this);
+    this.shouldFetchSliceData = this.shouldFetchSliceData.bind(this);
+    this.fetchAppliedChart = this.fetchAppliedChart.bind(this);
+    this.fetchAppliedNativeAnnotation =
+      this.fetchAppliedNativeAnnotation.bind(this);
+    this.shouldFetchAppliedAnnotation =
+      this.shouldFetchAppliedAnnotation.bind(this);
   }
 
   componentDidMount() {
-    const { annotationType, sourceType, isLoadingOptions } = this.state;
-    this.fetchOptions(annotationType, sourceType, isLoadingOptions);
+    if (this.shouldFetchAppliedAnnotation()) {
+      const { value } = this.state;
+      /* The value prop is the id of the chart/native. This function will set
+      value in state to an object with the id as value.value to be used by
+      AsyncSelect */
+      this.fetchAppliedAnnotation(value);
+    }
   }
 
   componentDidUpdate(prevProps, prevState) {
-    if (prevState.sourceType !== this.state.sourceType) {
-      this.fetchOptions(this.state.annotationType, this.state.sourceType, true);
+    if (this.shouldFetchSliceData(prevState)) {
+      const { value } = this.state;
+      this.fetchSliceData(value.value);
     }
   }
 
@@ -237,6 +255,20 @@ class AnnotationLayer extends React.PureComponent {
     return sources;
   }
 
+  shouldFetchAppliedAnnotation() {
+    const { value, sourceType } = this.state;
+    return value && requiresQuery(sourceType);
+  }
+
+  shouldFetchSliceData(prevState) {
+    const { value, sourceType } = this.state;
+    const isChart =
+      sourceType !== ANNOTATION_SOURCE_TYPES.NATIVE &&
+      requiresQuery(sourceType);
+    const valueIsNew = value && prevState.value !== value;
+    return valueIsNew && isChart;
+  }
+
   isValidFormulaAnnotation(expression, annotationType) {
     if (annotationType === ANNOTATION_TYPES.FORMULA) {
       return isValidExpression(expression);
@@ -276,6 +308,7 @@ class AnnotationLayer extends React.PureComponent {
       annotationType,
       sourceType: null,
       value: null,
+      slice: null,
     });
   }
 
@@ -283,13 +316,17 @@ class AnnotationLayer extends React.PureComponent {
     const { sourceType: prevSourceType } = this.state;
 
     if (prevSourceType !== sourceType) {
-      this.setState({ sourceType, value: null, isLoadingOptions: true });
+      this.setState({
+        sourceType,
+        value: null,
+        slice: null,
+      });
     }
   }
 
-  handleValue(value) {
+  handleSelectValue(selectedValueObject) {
     this.setState({
-      value,
+      value: selectedValueObject,
       descriptionColumns: [],
       intervalEndColumn: null,
       timeColumn: null,
@@ -298,74 +335,172 @@ class AnnotationLayer extends React.PureComponent {
     });
   }
 
-  fetchOptions(annotationType, sourceType, isLoadingOptions) {
-    if (isLoadingOptions) {
-      if (sourceType === ANNOTATION_SOURCE_TYPES.NATIVE) {
-        const queryParams = rison.encode({
-          page: 0,
-          page_size: FILTER_OPTIONS_LIMIT,
-        });
-        SupersetClient.get({
-          endpoint: `/api/v1/annotation_layer/?q=${queryParams}`,
-        }).then(({ json }) => {
-          const layers = json
-            ? json.result.map(layer => ({
-                value: layer.id,
-                label: layer.name,
-              }))
-            : [];
-          this.setState({
-            isLoadingOptions: false,
-            valueOptions: layers,
-          });
-        });
-      } else if (requiresQuery(sourceType)) {
-        const queryParams = rison.encode({
-          filters: [
-            {
-              col: 'id',
-              opr: 'chart_owned_created_favored_by_me',
-              value: true,
-            },
-          ],
-          order_column: 'slice_name',
-          order_direction: 'asc',
-          page: 0,
-          page_size: FILTER_OPTIONS_LIMIT,
-        });
-        SupersetClient.get({
-          endpoint: `/api/v1/chart/?q=${queryParams}`,
-        }).then(({ json }) => {
-          const registry = getChartMetadataRegistry();
-          this.setState({
-            isLoadingOptions: false,
-            valueOptions: json.result
-              .filter(x => {
-                const metadata = registry.get(x.viz_type);
-                return metadata && metadata.canBeAnnotationType(annotationType);
-              })
-              .map(x => ({
-                value: x.id,
-                label: x.slice_name,
-                slice: {
-                  ...x,
-                  data: {
-                    ...x.form_data,
-                    groupby: x.form_data.groupby?.map(column =>
-                      getColumnLabel(column),
-                    ),
-                  },
-                },
-              })),
-          });
-        });
-      } else {
+  handleTextValue(inputValue) {
+    this.setState({
+      value: inputValue,
+    });
+  }
+
+  fetchNativeAnnotations = async (search, page, pageSize) => {
+    const queryParams = rison.encode({
+      filters: [
+        {
+          col: 'name',
+          opr: 'ct',
+          value: search,
+        },
+      ],
+      columns: ['id', 'name'],
+      page,
+      page_size: pageSize,
+    });
+
+    const { json } = await SupersetClient.get({
+      endpoint: `/api/v1/annotation_layer/?q=${queryParams}`,
+    });
+
+    const { result, count } = json;
+
+    const layersArray = result.map(layer => ({
+      value: layer.id,
+      label: layer.name,
+    }));
+
+    return {
+      data: layersArray,
+      totalCount: count,
+    };
+  };
+
+  fetchCharts = async (search, page, pageSize) => {
+    const { annotationType } = this.state;
+
+    const queryParams = rison.encode({
+      filters: [
+        { col: 'slice_name', opr: 'chart_all_text', value: search },
+        {
+          col: 'id',
+          opr: 'chart_owned_created_favored_by_me',
+          value: true,
+        },
+      ],
+      columns: ['id', 'slice_name', 'viz_type'],
+      order_column: 'slice_name',
+      order_direction: 'asc',
+      page,
+      page_size: pageSize,
+    });
+    const { json } = await SupersetClient.get({
+      endpoint: `/api/v1/chart/?q=${queryParams}`,
+    });
+
+    const { result, count } = json;
+    const registry = getChartMetadataRegistry();
+
+    const chartsArray = result
+      .filter(chart => {
+        const metadata = registry.get(chart.viz_type);
+        return metadata && metadata.canBeAnnotationType(annotationType);
+      })
+      .map(chart => ({
+        value: chart.id,
+        label: chart.slice_name,
+        viz_type: chart.viz_type,
+      }));
+
+    return {
+      data: chartsArray,
+      totalCount: count,
+    };
+  };
+
+  fetchOptions = (search, page, pageSize) => {
+    const { sourceType } = this.state;
+
+    if (sourceType === ANNOTATION_SOURCE_TYPES.NATIVE) {
+      return this.fetchNativeAnnotations(search, page, pageSize);
+    }
+    return this.fetchCharts(search, page, pageSize);
+  };
+
+  fetchSliceData = id => {
+    const queryParams = rison.encode({
+      columns: ['query_context'],
+    });
+    SupersetClient.get({
+      endpoint: `/api/v1/chart/${id}?q=${queryParams}`,
+    }).then(({ json }) => {
+      const { result } = json;
+      const queryContext = result.query_context;
+      const formData = JSON.parse(queryContext).form_data;
+      const dataObject = {
+        data: {
+          ...formData,
+          groupby: formData.groupby?.map(column => getColumnLabel(column)),
+        },
+      };
+      this.setState({
+        slice: dataObject,
+      });
+    });
+  };
+
+  fetchAppliedChart(id) {
+    const { annotationType } = this.state;
+    const registry = getChartMetadataRegistry();
+    const queryParams = rison.encode({
+      columns: ['slice_name', 'query_context', 'viz_type'],
+    });
+    SupersetClient.get({
+      endpoint: `/api/v1/chart/${id}?q=${queryParams}`,
+    }).then(({ json }) => {
+      const { result } = json;
+      const sliceName = result.slice_name;
+      const queryContext = result.query_context;
+      const vizType = result.viz_type;
+      const formData = JSON.parse(queryContext).form_data;
+      const metadata = registry.get(vizType);
+      const canBeAnnotationType =
+        metadata && metadata.canBeAnnotationType(annotationType);
+      if (canBeAnnotationType) {
         this.setState({
-          isLoadingOptions: false,
-          valueOptions: [],
+          value: {
+            value: id,
+            label: sliceName,
+          },
+          slice: {
+            data: {
+              ...formData,
+              groupby: formData.groupby?.map(column => getColumnLabel(column)),
+            },
+          },
         });
       }
+    });
+  }
+
+  fetchAppliedNativeAnnotation(id) {
+    SupersetClient.get({
+      endpoint: `/api/v1/annotation_layer/${id}`,
+    }).then(({ json }) => {
+      const { result } = json;
+      const layer = result;
+      this.setState({
+        value: {
+          value: layer.id,
+          label: layer.name,
+        },
+      });
+    });
+  }
+
+  fetchAppliedAnnotation(id) {
+    const { sourceType } = this.state;
+
+    if (sourceType === ANNOTATION_SOURCE_TYPES.NATIVE) {
+      return this.fetchAppliedNativeAnnotation(id);
     }
+    return this.fetchAppliedChart(id);
   }
 
   deleteAnnotation() {
@@ -374,6 +509,7 @@ class AnnotationLayer extends React.PureComponent {
   }
 
   applyAnnotation() {
+    const { value, sourceType } = this.state;
     if (this.isValidForm()) {
       const annotationFields = [
         'name',
@@ -385,7 +521,6 @@ class AnnotationLayer extends React.PureComponent {
         'width',
         'showMarkers',
         'hideLine',
-        'value',
         'overrides',
         'show',
         'showLabel',
@@ -401,6 +536,10 @@ class AnnotationLayer extends React.PureComponent {
         }
       });
 
+      // Prepare newAnnotation.value for use in runAnnotationQuery()
+      const applicableValue = requiresQuery(sourceType) ? value.value : value;
+      newAnnotation.value = applicableValue;
+
       if (newAnnotation.color === AUTOMATIC_COLOR) {
         newAnnotation.color = null;
       }
@@ -415,29 +554,19 @@ class AnnotationLayer extends React.PureComponent {
     this.props.close();
   }
 
-  renderOption(option) {
+  renderChartHeader(label, description, value) {
     return (
-      <span
-        css={{
-          overflow: 'hidden',
-          textOverflow: 'ellipsis',
-          whiteSpace: 'nowrap',
-        }}
-        title={option.label}
-      >
-        {option.label}
-      </span>
+      <ControlHeader
+        hovered
+        label={label}
+        description={description}
+        validationErrors={!value ? ['Mandatory'] : []}
+      />
     );
   }
 
   renderValueConfiguration() {
-    const {
-      annotationType,
-      sourceType,
-      value,
-      valueOptions,
-      isLoadingOptions,
-    } = this.state;
+    const { annotationType, sourceType, value } = this.state;
     let label = '';
     let description = '';
     if (requiresQuery(sourceType)) {
@@ -462,20 +591,15 @@ class AnnotationLayer extends React.PureComponent {
     }
     if (requiresQuery(sourceType)) {
       return (
-        <SelectControl
+        <AsyncSelect
+          /* key to force re-render on sourceType change */
+          key={sourceType}
           ariaLabel={t('Annotation layer value')}
           name="annotation-layer-value"
-          showHeader
-          hovered
-          description={description}
-          label={label}
-          placeholder=""
-          options={valueOptions}
-          isLoading={isLoadingOptions}
-          value={value}
-          onChange={this.handleValue}
-          validationErrors={!value ? ['Mandatory'] : []}
-          optionRenderer={this.renderOption}
+          header={this.renderChartHeader(label, description, value)}
+          options={this.fetchOptions}
+          value={value || null}
+          onChange={this.handleSelectValue}
           notFoundContent={<NotFoundContent />}
         />
       );
@@ -490,7 +614,7 @@ class AnnotationLayer extends React.PureComponent {
           label={label}
           placeholder=""
           value={value}
-          onChange={this.handleValue}
+          onChange={this.handleTextValue}
           validationErrors={
             !this.isValidFormulaAnnotation(value, annotationType)
               ? [t('Bad formula.')]
@@ -507,14 +631,18 @@ class AnnotationLayer extends React.PureComponent {
       annotationType,
       sourceType,
       value,
-      valueOptions,
+      slice,
       overrides,
       titleColumn,
       timeColumn,
       intervalEndColumn,
       descriptionColumns,
     } = this.state;
-    const { slice } = valueOptions.find(x => x.value === value) || {};
+
+    if (!slice || !value) {
+      return '';
+    }
+
     if (sourceType !== ANNOTATION_SOURCE_TYPES.NATIVE && slice) {
       const columns = (slice.data.groupby || [])
         .concat(slice.data.all_columns || [])
diff --git a/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.test.tsx b/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.test.tsx
index 914be7361919a..813a8ebcb9b9c 100644
--- a/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.test.tsx
+++ b/superset-frontend/src/explore/components/controls/AnnotationLayerControl/AnnotationLayer.test.tsx
@@ -31,21 +31,37 @@ const defaultProps = {
   annotationType: ANNOTATION_TYPES_METADATA.FORMULA.value,
 };
 
+const nativeLayerApiRoute = 'glob:*/api/v1/annotation_layer/*';
+const chartApiRoute = /\/api\/v1\/chart\/\?q=.+/;
+const chartApiWithIdRoute = /\/api\/v1\/chart\/\w+\?q=.+/;
+
+const withIdResult = {
+  result: {
+    slice_name: 'Mocked Slice',
+    query_context: JSON.stringify({
+      form_data: {
+        groupby: ['country'],
+      },
+    }),
+    viz_type: 'line',
+  },
+};
+
 beforeAll(() => {
   const supportedAnnotationTypes = Object.values(ANNOTATION_TYPES_METADATA).map(
     value => value.value,
   );
 
-  fetchMock.get('glob:*/api/v1/annotation_layer/*', {
-    result: [{ label: 'Chart A', value: 'a' }],
+  fetchMock.get(nativeLayerApiRoute, {
+    result: [{ name: 'Chart A', id: 'a' }],
   });
 
-  fetchMock.get('glob:*/api/v1/chart/*', {
-    result: [
-      { id: 'a', slice_name: 'Chart A', viz_type: 'table', form_data: {} },
-    ],
+  fetchMock.get(chartApiRoute, {
+    result: [{ id: 'a', slice_name: 'Chart A', viz_type: 'table' }],
   });
 
+  fetchMock.get(chartApiWithIdRoute, withIdResult);
+
   setupColors();
 
   getChartMetadataRegistry().registerValue(
@@ -144,7 +160,7 @@ test('triggers removeAnnotationLayer and close when remove button is clicked', a
   expect(close).toHaveBeenCalled();
 });
 
-test('renders chart options', async () => {
+test('fetches Superset annotation layer options', async () => {
   await waitForRender({
     annotationType: ANNOTATION_TYPES_METADATA.EVENT.value,
   });
@@ -153,12 +169,37 @@ test('renders chart options', async () => {
   );
   userEvent.click(screen.getByText('Superset annotation'));
   expect(await screen.findByText('Annotation layer')).toBeInTheDocument();
+  userEvent.click(
+    screen.getByRole('combobox', { name: 'Annotation layer value' }),
+  );
+  expect(await screen.findByText('Chart A')).toBeInTheDocument();
+  expect(fetchMock.calls(nativeLayerApiRoute).length).toBe(1);
+});
 
+test('fetches chart options', async () => {
+  await waitForRender({
+    annotationType: ANNOTATION_TYPES_METADATA.EVENT.value,
+  });
   userEvent.click(
     screen.getByRole('combobox', { name: 'Annotation source type' }),
   );
   userEvent.click(screen.getByText('Table'));
   expect(await screen.findByText('Chart')).toBeInTheDocument();
+  userEvent.click(
+    screen.getByRole('combobox', { name: 'Annotation layer value' }),
+  );
+  expect(await screen.findByText('Chart A')).toBeInTheDocument();
+  expect(fetchMock.calls(chartApiRoute).length).toBe(1);
+});
+
+test('fetches chart on mount if value present', async () => {
+  await waitForRender({
+    name: 'Test',
+    value: 'a',
+    annotationType: ANNOTATION_TYPES_METADATA.EVENT.value,
+    sourceType: 'Table',
+  });
+  expect(fetchMock.calls(chartApiWithIdRoute).length).toBe(1);
 });
 
 test('keeps apply disabled when missing required fields', async () => {
@@ -171,7 +212,7 @@ test('keeps apply disabled when missing required fields', async () => {
   );
   expect(await screen.findByText('Chart A')).toBeInTheDocument();
   userEvent.click(screen.getByText('Chart A'));
-
+  await screen.findByText(/title column/i);
   userEvent.click(screen.getByRole('button', { name: 'Automatic Color' }));
   userEvent.click(
     screen.getByRole('combobox', { name: 'Annotation layer title column' }),
@@ -197,47 +238,61 @@ test('keeps apply disabled when missing required fields', async () => {
   expect(screen.getByRole('button', { name: 'Apply' })).toBeDisabled();
 });
 
-test.skip('Disable apply button if formula is incorrect', async () => {
-  // TODO: fix flaky test that passes locally but fails on CI
+test('Disable apply button if formula is incorrect', async () => {
   await waitForRender({ name: 'test' });
 
-  userEvent.clear(screen.getByLabelText('Formula'));
-  userEvent.type(screen.getByLabelText('Formula'), 'x+1');
+  const formulaInput = screen.getByRole('textbox', { name: 'Formula' });
+  const applyButton = screen.getByRole('button', { name: 'Apply' });
+  const okButton = screen.getByRole('button', { name: 'OK' });
+
+  userEvent.type(formulaInput, 'x+1');
+  expect(formulaInput).toHaveValue('x+1');
   await waitFor(() => {
-    expect(screen.getByLabelText('Formula')).toHaveValue('x+1');
-    expect(screen.getByRole('button', { name: 'OK' })).toBeEnabled();
-    expect(screen.getByRole('button', { name: 'Apply' })).toBeEnabled();
+    expect(okButton).toBeEnabled();
+    expect(applyButton).toBeEnabled();
   });
 
-  userEvent.clear(screen.getByLabelText('Formula'));
-  userEvent.type(screen.getByLabelText('Formula'), 'y = x*2+1');
+  userEvent.clear(formulaInput);
   await waitFor(() => {
-    expect(screen.getByLabelText('Formula')).toHaveValue('y = x*2+1');
-    expect(screen.getByRole('button', { name: 'OK' })).toBeEnabled();
-    expect(screen.getByRole('button', { name: 'Apply' })).toBeEnabled();
+    expect(formulaInput).toHaveValue('');
+  });
+  userEvent.type(formulaInput, 'y = x*2+1');
+  expect(formulaInput).toHaveValue('y = x*2+1');
+  await waitFor(() => {
+    expect(okButton).toBeEnabled();
+    expect(applyButton).toBeEnabled();
   });
 
-  userEvent.clear(screen.getByLabelText('Formula'));
-  userEvent.type(screen.getByLabelText('Formula'), 'y+1');
+  userEvent.clear(formulaInput);
+  await waitFor(() => {
+    expect(formulaInput).toHaveValue('');
+  });
+  userEvent.type(formulaInput, 'y+1');
+  expect(formulaInput).toHaveValue('y+1');
   await waitFor(() => {
-    expect(screen.getByLabelText('Formula')).toHaveValue('y+1');
-    expect(screen.getByRole('button', { name: 'OK' })).toBeDisabled();
-    expect(screen.getByRole('button', { name: 'Apply' })).toBeDisabled();
+    expect(okButton).toBeDisabled();
+    expect(applyButton).toBeDisabled();
   });
 
-  userEvent.clear(screen.getByLabelText('Formula'));
-  userEvent.type(screen.getByLabelText('Formula'), 'x+');
+  userEvent.clear(formulaInput);
   await waitFor(() => {
-    expect(screen.getByLabelText('Formula')).toHaveValue('x+');
-    expect(screen.getByRole('button', { name: 'OK' })).toBeDisabled();
-    expect(screen.getByRole('button', { name: 'Apply' })).toBeDisabled();
+    expect(formulaInput).toHaveValue('');
+  });
+  userEvent.type(formulaInput, 'x+');
+  expect(formulaInput).toHaveValue('x+');
+  await waitFor(() => {
+    expect(okButton).toBeDisabled();
+    expect(applyButton).toBeDisabled();
   });
 
-  userEvent.clear(screen.getByLabelText('Formula'));
-  userEvent.type(screen.getByLabelText('Formula'), 'y = z+1');
+  userEvent.clear(formulaInput);
+  await waitFor(() => {
+    expect(formulaInput).toHaveValue('');
+  });
+  userEvent.type(formulaInput, 'y = z+1');
+  expect(formulaInput).toHaveValue('y = z+1');
   await waitFor(() => {
-    expect(screen.getByLabelText('Formula')).toHaveValue('y = z+1');
-    expect(screen.getByRole('button', { name: 'OK' })).toBeDisabled();
-    expect(screen.getByRole('button', { name: 'Apply' })).toBeDisabled();
+    expect(okButton).toBeDisabled();
+    expect(applyButton).toBeDisabled();
   });
 });

From e48dae781f2dd0360239c3aa5afc5f07d8ce52c8 Mon Sep 17 00:00:00 2001
From: "JUST.in DO IT" <justin.park@airbnb.com>
Date: Tue, 26 Mar 2024 10:19:50 -0700
Subject: [PATCH 109/114] fix(sqllab): unable to remove table (#27636)

(cherry picked from commit fa3fea9dd811d3cfdbbfe93f31d34992e603ec60)
---
 .../src/SqlLab/actions/sqlLab.js              |  8 ++++---
 .../src/SqlLab/actions/sqlLab.test.js         | 24 +++++++++++++++++--
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/superset-frontend/src/SqlLab/actions/sqlLab.js b/superset-frontend/src/SqlLab/actions/sqlLab.js
index cbab24a21e561..72dc03f001845 100644
--- a/superset-frontend/src/SqlLab/actions/sqlLab.js
+++ b/superset-frontend/src/SqlLab/actions/sqlLab.js
@@ -1125,9 +1125,11 @@ export function removeTables(tables) {
     const sync = isFeatureEnabled(FeatureFlag.SQLLAB_BACKEND_PERSISTENCE)
       ? Promise.all(
           tablesToRemove.map(table =>
-            SupersetClient.delete({
-              endpoint: encodeURI(`/tableschemaview/${table.id}`),
-            }),
+            table.initialized
+              ? SupersetClient.delete({
+                  endpoint: encodeURI(`/tableschemaview/${table.id}`),
+                })
+              : Promise.resolve(),
           ),
         )
       : Promise.resolve();
diff --git a/superset-frontend/src/SqlLab/actions/sqlLab.test.js b/superset-frontend/src/SqlLab/actions/sqlLab.test.js
index dd48ed8c7b697..20fd53ad389c9 100644
--- a/superset-frontend/src/SqlLab/actions/sqlLab.test.js
+++ b/superset-frontend/src/SqlLab/actions/sqlLab.test.js
@@ -883,7 +883,7 @@ describe('async actions', () => {
       it('updates the table schema state in the backend', () => {
         expect.assertions(2);
 
-        const table = { id: 1 };
+        const table = { id: 1, initialized: true };
         const store = mockStore({});
         const expectedActions = [
           {
@@ -900,7 +900,10 @@ describe('async actions', () => {
       it('deletes multiple tables and updates the table schema state in the backend', () => {
         expect.assertions(2);
 
-        const tables = [{ id: 1 }, { id: 2 }];
+        const tables = [
+          { id: 1, initialized: true },
+          { id: 2, initialized: true },
+        ];
         const store = mockStore({});
         const expectedActions = [
           {
@@ -913,6 +916,23 @@ describe('async actions', () => {
           expect(fetchMock.calls(updateTableSchemaEndpoint)).toHaveLength(2);
         });
       });
+
+      it('only updates the initialized table schema state in the backend', () => {
+        expect.assertions(2);
+
+        const tables = [{ id: 1 }, { id: 2, initialized: true }];
+        const store = mockStore({});
+        const expectedActions = [
+          {
+            type: actions.REMOVE_TABLES,
+            tables,
+          },
+        ];
+        return store.dispatch(actions.removeTables(tables)).then(() => {
+          expect(store.getActions()).toEqual(expectedActions);
+          expect(fetchMock.calls(updateTableSchemaEndpoint)).toHaveLength(1);
+        });
+      });
     });
 
     describe('migrateQueryEditorFromLocalStorage', () => {

From 119b2b0c9389ef394b1e2dbbc202f5a77fd19dc6 Mon Sep 17 00:00:00 2001
From: John Bodley <4567245+john-bodley@users.noreply.github.com>
Date: Wed, 27 Mar 2024 08:12:25 +1300
Subject: [PATCH 110/114] fix: Leverage actual database for rendering
 Jinjarized SQL (#27646)

---
 superset/models/sql_lab.py          |  2 +-
 superset/security/manager.py        |  4 +---
 superset/sql_parse.py               | 15 ++++++++-------
 tests/unit_tests/sql_parse_tests.py |  6 +++++-
 4 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/superset/models/sql_lab.py b/superset/models/sql_lab.py
index 2fd0d2dc7628c..3841477cb7ec1 100644
--- a/superset/models/sql_lab.py
+++ b/superset/models/sql_lab.py
@@ -73,7 +73,7 @@ def sql_tables(self) -> list[Table]:
             return list(
                 extract_tables_from_jinja_sql(
                     self.sql,  # type: ignore
-                    self.database.db_engine_spec.engine,  # type: ignore
+                    self.database,  # type: ignore
                 )
             )
         except SupersetSecurityException:
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 3c4b4106d3442..19e1ab8d2e424 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -1963,9 +1963,7 @@ def raise_for_access(
                 default_schema = database.get_default_schema_for_query(query)
                 tables = {
                     Table(table_.table, table_.schema or default_schema)
-                    for table_ in extract_tables_from_jinja_sql(
-                        query.sql, database.db_engine_spec.engine
-                    )
+                    for table_ in extract_tables_from_jinja_sql(query.sql, database)
                 }
             elif table:
                 tables = {table}
diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index 58bca48a6e2df..6df5dbc089e4c 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -23,8 +23,7 @@
 import urllib.parse
 from collections.abc import Iterable, Iterator
 from dataclasses import dataclass
-from typing import Any, cast
-from unittest.mock import Mock
+from typing import Any, cast, TYPE_CHECKING
 
 import sqlparse
 from flask_babel import gettext as __
@@ -71,6 +70,9 @@
 except (ImportError, ModuleNotFoundError):
     sqloxide_parse = None
 
+if TYPE_CHECKING:
+    from superset.models.core import Database
+
 RESULT_OPERATIONS = {"UNION", "INTERSECT", "EXCEPT", "SELECT"}
 ON_KEYWORD = "ON"
 PRECEDES_TABLE_NAME = {"FROM", "JOIN", "DESCRIBE", "WITH", "LEFT JOIN", "RIGHT JOIN"}
@@ -1054,7 +1056,7 @@ def find_nodes_by_key(element: Any, target: str) -> Iterator[Any]:
     }
 
 
-def extract_tables_from_jinja_sql(sql: str, engine: str | None = None) -> set[Table]:
+def extract_tables_from_jinja_sql(sql: str, database: Database) -> set[Table]:
     """
     Extract all table references in the Jinjafied SQL statement.
 
@@ -1067,7 +1069,7 @@ def extract_tables_from_jinja_sql(sql: str, engine: str | None = None) -> set[Ta
     SQLGlot.
 
     :param sql: The Jinjafied SQL statement
-    :param engine: The associated database engine
+    :param database: The database associated with the SQL statement
     :returns: The set of tables referenced in the SQL statement
     :raises SupersetSecurityException: If SQLGlot is unable to parse the SQL statement
     """
@@ -1076,8 +1078,7 @@ def extract_tables_from_jinja_sql(sql: str, engine: str | None = None) -> set[Ta
         get_template_processor,
     )
 
-    # Mock the required database as the processor signature is exposed publically.
-    processor = get_template_processor(database=Mock(backend=engine))
+    processor = get_template_processor(database)
     template = processor.env.parse(sql)
 
     tables = set()
@@ -1107,6 +1108,6 @@ def extract_tables_from_jinja_sql(sql: str, engine: str | None = None) -> set[Ta
         tables
         | ParsedQuery(
             sql_statement=processor.process_template(template),
-            engine=engine,
+            engine=database.db_engine_spec.engine,
         ).tables
     )
diff --git a/tests/unit_tests/sql_parse_tests.py b/tests/unit_tests/sql_parse_tests.py
index 42b796bc58f1a..1d4f4088cd67b 100644
--- a/tests/unit_tests/sql_parse_tests.py
+++ b/tests/unit_tests/sql_parse_tests.py
@@ -17,6 +17,7 @@
 # pylint: disable=invalid-name, redefined-outer-name, too-many-lines
 
 from typing import Optional
+from unittest.mock import Mock
 
 import pytest
 import sqlparse
@@ -1913,6 +1914,9 @@ def test_extract_tables_from_jinja_sql(
     expected: set[Table],
 ) -> None:
     assert (
-        extract_tables_from_jinja_sql(sql.format(engine=engine, macro=macro), engine)
+        extract_tables_from_jinja_sql(
+            sql=sql.format(engine=engine, macro=macro),
+            database=Mock(),
+        )
         == expected
     )

From 19b05d3422874f2ca11d00ec6fdd5bb914371e52 Mon Sep 17 00:00:00 2001
From: John Bodley <4567245+john-bodley@users.noreply.github.com>
Date: Wed, 27 Mar 2024 08:22:14 +1300
Subject: [PATCH 111/114] fix: Provide more inclusive error handling for saved
 queries (#27644)

(cherry picked from commit 3ae74d1f2daf0399434e16145ba585045bff779f)
---
 superset/models/sql_lab.py              |  3 +-
 superset/sql_parse.py                   |  1 +
 tests/unit_tests/models/sql_lab_test.py | 59 +++++++++++++++++++++++++
 3 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 tests/unit_tests/models/sql_lab_test.py

diff --git a/superset/models/sql_lab.py b/superset/models/sql_lab.py
index 3841477cb7ec1..63684f9f85235 100644
--- a/superset/models/sql_lab.py
+++ b/superset/models/sql_lab.py
@@ -30,6 +30,7 @@
 from flask_appbuilder.models.decorators import renders
 from flask_babel import gettext as __
 from humanize import naturaltime
+from jinja2.exceptions import TemplateError
 from sqlalchemy import (
     Boolean,
     Column,
@@ -76,7 +77,7 @@ def sql_tables(self) -> list[Table]:
                     self.database,  # type: ignore
                 )
             )
-        except SupersetSecurityException:
+        except (SupersetSecurityException, TemplateError):
             return []
 
 
diff --git a/superset/sql_parse.py b/superset/sql_parse.py
index 6df5dbc089e4c..62a2457171ede 100644
--- a/superset/sql_parse.py
+++ b/superset/sql_parse.py
@@ -1072,6 +1072,7 @@ def extract_tables_from_jinja_sql(sql: str, database: Database) -> set[Table]:
     :param database: The database associated with the SQL statement
     :returns: The set of tables referenced in the SQL statement
     :raises SupersetSecurityException: If SQLGlot is unable to parse the SQL statement
+    :raises jinja2.exceptions.TemplateError: If the Jinjafied SQL could not be rendered
     """
 
     from superset.jinja_context import (  # pylint: disable=import-outside-toplevel
diff --git a/tests/unit_tests/models/sql_lab_test.py b/tests/unit_tests/models/sql_lab_test.py
new file mode 100644
index 0000000000000..fb5db97474bc6
--- /dev/null
+++ b/tests/unit_tests/models/sql_lab_test.py
@@ -0,0 +1,59 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from unittest.mock import MagicMock
+
+import pytest
+from flask_appbuilder import Model
+from jinja2.exceptions import TemplateError
+from pytest_mock import MockFixture
+
+from superset.errors import ErrorLevel, SupersetError, SupersetErrorType
+from superset.exceptions import SupersetSecurityException
+from superset.models.sql_lab import Query, SavedQuery, SqlTablesMixin
+
+
+@pytest.mark.parametrize(
+    "klass",
+    [
+        Query,
+        SavedQuery,
+    ],
+)
+@pytest.mark.parametrize(
+    "exception",
+    [
+        SupersetSecurityException(
+            SupersetError(
+                error_type=SupersetErrorType.QUERY_SECURITY_ACCESS_ERROR,
+                message="",
+                level=ErrorLevel.ERROR,
+            )
+        ),
+        TemplateError,
+    ],
+)
+def test_sql_tables_mixin_sql_tables_exception(
+    klass: type[Model],
+    exception: Exception,
+    mocker: MockFixture,
+) -> None:
+    mocker.patch(
+        "superset.models.sql_lab.extract_tables_from_jinja_sql",
+        side_effect=exception,
+    )
+
+    assert klass(sql="SELECT 1", database=MagicMock()).sql_tables == []

From c377ccf7d644238e50fdec5453ddf3e517489bf4 Mon Sep 17 00:00:00 2001
From: Elizabeth Thompson <eschutho@gmail.com>
Date: Wed, 27 Mar 2024 18:10:22 -0700
Subject: [PATCH 112/114] fix: reduce alert error to warning (#27744)

(cherry picked from commit 70da454bbce107c624efda9535f50f7b3ce411b2)
---
 superset-frontend/src/components/Chart/chartAction.js       | 2 +-
 superset-frontend/src/components/Chart/chartActions.test.js | 6 +++---
 superset/commands/report/alert.py                           | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/superset-frontend/src/components/Chart/chartAction.js b/superset-frontend/src/components/Chart/chartAction.js
index 9e7f961abdf52..86e4b6b2a06c6 100644
--- a/superset-frontend/src/components/Chart/chartAction.js
+++ b/superset-frontend/src/components/Chart/chartAction.js
@@ -375,7 +375,7 @@ export function addChart(chart, key) {
 }
 
 export function handleChartDataResponse(response, json, useLegacyApi) {
-  if (isFeatureEnabled(FeatureFlag.GlobalAsyncQueries)) {
+  if (isFeatureEnabled(FeatureFlag.GLOBAL_ASYNC_QUERIES)) {
     // deal with getChartDataRequest transforming the response data
     const result = 'result' in json ? json.result : json;
     switch (response.status) {
diff --git a/superset-frontend/src/components/Chart/chartActions.test.js b/superset-frontend/src/components/Chart/chartActions.test.js
index c2a58e6094404..7babb7bbb2465 100644
--- a/superset-frontend/src/components/Chart/chartActions.test.js
+++ b/superset-frontend/src/components/Chart/chartActions.test.js
@@ -83,7 +83,7 @@ describe('chart actions', () => {
     waitForAsyncDataStub.restore();
 
     global.featureFlags = {
-      [FeatureFlag.GlobalAsyncQueries]: false,
+      [FeatureFlag.GLOBAL_ASYNC_QUERIES]: false,
     };
   });
 
@@ -136,7 +136,7 @@ describe('chart actions', () => {
 
     it('handleChartDataResponse should handle responses when GlobalAsyncQueries flag is enabled and results are returned synchronously', async () => {
       global.featureFlags = {
-        [FeatureFlag.GlobalAsyncQueries]: true,
+        [FeatureFlag.GLOBAL_ASYNC_QUERIES]: true,
       };
       const result = await handleChartDataResponse(
         { status: 200 },
@@ -147,7 +147,7 @@ describe('chart actions', () => {
 
     it('handleChartDataResponse should handle responses when GlobalAsyncQueries flag is enabled and query is running asynchronously', async () => {
       global.featureFlags = {
-        [FeatureFlag.GlobalAsyncQueries]: true,
+        [FeatureFlag.GLOBAL_ASYNC_QUERIES]: true,
       };
       const result = await handleChartDataResponse(
         { status: 202 },
diff --git a/superset/commands/report/alert.py b/superset/commands/report/alert.py
index fc1be14e02049..2c707c21e1522 100644
--- a/superset/commands/report/alert.py
+++ b/superset/commands/report/alert.py
@@ -169,7 +169,7 @@ def _execute_query(self) -> pd.DataFrame:
             logger.warning("A timeout occurred while executing the alert query: %s", ex)
             raise AlertQueryTimeout() from ex
         except Exception as ex:
-            logger.exception("An error occurred when running alert query")
+            logger.warning("An error occurred when running alert query")
             # The exception message here can reveal to much information to malicious
             # users, so we raise a generic message.
             raise AlertQueryError(

From c7a2adc880f95c56a38caff50196e6c148d79316 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Thu, 28 Mar 2024 11:32:00 -0300
Subject: [PATCH 113/114] fix: Select onChange is fired when the same item is
 selected in single mode (#27706)

(cherry picked from commit d69a1870a02787381345c7e67cbb1803d708b2f6)
---
 .../src/components/Select/AsyncSelect.test.tsx | 12 ++++++++++++
 .../src/components/Select/AsyncSelect.tsx      | 13 ++++++++++++-
 .../src/components/Select/Select.test.tsx      | 12 ++++++++++++
 .../src/components/Select/Select.tsx           | 12 +++++++++++-
 .../src/components/Select/utils.tsx            | 18 ++++++++++--------
 5 files changed, 57 insertions(+), 10 deletions(-)

diff --git a/superset-frontend/src/components/Select/AsyncSelect.test.tsx b/superset-frontend/src/components/Select/AsyncSelect.test.tsx
index 0bb24b474a0cc..c2c60aa2bfdc1 100644
--- a/superset-frontend/src/components/Select/AsyncSelect.test.tsx
+++ b/superset-frontend/src/components/Select/AsyncSelect.test.tsx
@@ -939,6 +939,18 @@ test('pasting an existing option does not duplicate it in multiple mode', async
   expect(await findAllSelectOptions()).toHaveLength(4);
 });
 
+test('does not fire onChange if the same value is selected in single mode', async () => {
+  const onChange = jest.fn();
+  render(<AsyncSelect {...defaultProps} onChange={onChange} />);
+  const optionText = 'Emma';
+  await open();
+  expect(onChange).toHaveBeenCalledTimes(0);
+  userEvent.click(await findSelectOption(optionText));
+  expect(onChange).toHaveBeenCalledTimes(1);
+  userEvent.click(await findSelectOption(optionText));
+  expect(onChange).toHaveBeenCalledTimes(1);
+});
+
 /*
  TODO: Add tests that require scroll interaction. Needs further investigation.
  - Fetches more data when scrolling and more data is available
diff --git a/superset-frontend/src/components/Select/AsyncSelect.tsx b/superset-frontend/src/components/Select/AsyncSelect.tsx
index d102af74833ee..e761151a0dac2 100644
--- a/superset-frontend/src/components/Select/AsyncSelect.tsx
+++ b/superset-frontend/src/components/Select/AsyncSelect.tsx
@@ -51,10 +51,12 @@ import {
   mapOptions,
   getOption,
   isObject,
+  isEqual as utilsIsEqual,
 } from './utils';
 import {
   AsyncSelectProps,
   AsyncSelectRef,
+  RawValue,
   SelectOptionsPagePromise,
   SelectOptionsType,
   SelectOptionsTypePage,
@@ -223,7 +225,16 @@ const AsyncSelect = forwardRef(
 
     const handleOnSelect: SelectProps['onSelect'] = (selectedItem, option) => {
       if (isSingleMode) {
+        // on select is fired in single value mode if the same value is selected
+        const valueChanged = !utilsIsEqual(
+          selectedItem,
+          selectValue as RawValue | AntdLabeledValue,
+          'value',
+        );
         setSelectValue(selectedItem);
+        if (valueChanged) {
+          fireOnChange();
+        }
       } else {
         setSelectValue(previousState => {
           const array = ensureIsArray(previousState);
@@ -237,8 +248,8 @@ const AsyncSelect = forwardRef(
           }
           return previousState;
         });
+        fireOnChange();
       }
-      fireOnChange();
       onSelect?.(selectedItem, option);
     };
 
diff --git a/superset-frontend/src/components/Select/Select.test.tsx b/superset-frontend/src/components/Select/Select.test.tsx
index 2910353295187..1daff06d4de77 100644
--- a/superset-frontend/src/components/Select/Select.test.tsx
+++ b/superset-frontend/src/components/Select/Select.test.tsx
@@ -1053,6 +1053,18 @@ test('pasting an existing option does not duplicate it in multiple mode', async
   expect(await findAllSelectOptions()).toHaveLength(4);
 });
 
+test('does not fire onChange if the same value is selected in single mode', async () => {
+  const onChange = jest.fn();
+  render(<Select {...defaultProps} onChange={onChange} />);
+  const optionText = 'Emma';
+  await open();
+  expect(onChange).toHaveBeenCalledTimes(0);
+  userEvent.click(await findSelectOption(optionText));
+  expect(onChange).toHaveBeenCalledTimes(1);
+  userEvent.click(await findSelectOption(optionText));
+  expect(onChange).toHaveBeenCalledTimes(1);
+});
+
 /*
  TODO: Add tests that require scroll interaction. Needs further investigation.
  - Fetches more data when scrolling and more data is available
diff --git a/superset-frontend/src/components/Select/Select.tsx b/superset-frontend/src/components/Select/Select.tsx
index 1e3bc73758cb1..61943815b85f9 100644
--- a/superset-frontend/src/components/Select/Select.tsx
+++ b/superset-frontend/src/components/Select/Select.tsx
@@ -53,6 +53,7 @@ import {
   hasCustomLabels,
   getOption,
   isObject,
+  isEqual as utilsIsEqual,
 } from './utils';
 import { RawValue, SelectOptionsType, SelectProps } from './types';
 import {
@@ -229,7 +230,16 @@ const Select = forwardRef(
 
     const handleOnSelect: SelectProps['onSelect'] = (selectedItem, option) => {
       if (isSingleMode) {
+        // on select is fired in single value mode if the same value is selected
+        const valueChanged = !utilsIsEqual(
+          selectedItem,
+          selectValue as RawValue | AntdLabeledValue,
+          'value',
+        );
         setSelectValue(selectedItem);
+        if (valueChanged) {
+          fireOnChange();
+        }
       } else {
         setSelectValue(previousState => {
           const array = ensureIsArray(previousState);
@@ -261,8 +271,8 @@ const Select = forwardRef(
           }
           return previousState;
         });
+        fireOnChange();
       }
-      fireOnChange();
       onSelect?.(selectedItem, option);
     };
 
diff --git a/superset-frontend/src/components/Select/utils.tsx b/superset-frontend/src/components/Select/utils.tsx
index 0b638f4f0128f..67b2a0191b385 100644
--- a/superset-frontend/src/components/Select/utils.tsx
+++ b/superset-frontend/src/components/Select/utils.tsx
@@ -49,22 +49,24 @@ export function getValue(
   return isLabeledValue(option) ? option.value : option;
 }
 
+export function isEqual(a: V | LabeledValue, b: V | LabeledValue, key: string) {
+  const actualA = isObject(a) && key in a ? a[key] : a;
+  const actualB = isObject(b) && key in b ? b[key] : b;
+  // When comparing the values we use the equality
+  // operator to automatically convert different types
+  // eslint-disable-next-line eqeqeq
+  return actualA == actualB;
+}
+
 export function getOption(
   value: V,
   options?: V | LabeledValue | (V | LabeledValue)[],
   checkLabel = false,
 ): V | LabeledValue {
   const optionsArray = ensureIsArray(options);
-  // When comparing the values we use the equality
-  // operator to automatically convert different types
   return optionsArray.find(
     x =>
-      // eslint-disable-next-line eqeqeq
-      x == value ||
-      (isObject(x) &&
-        // eslint-disable-next-line eqeqeq
-        (('value' in x && x.value == value) ||
-          (checkLabel && 'label' in x && x.label === value))),
+      isEqual(x, value, 'value') || (checkLabel && isEqual(x, value, 'label')),
   );
 }
 

From 6ba1dfbfd597efa72db2c632b554cbe1cddd4fd4 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <michael.s.molina@gmail.com>
Date: Tue, 2 Apr 2024 10:00:52 -0300
Subject: [PATCH 114/114] chore: Adds 3.1.2 RC1 data to CHANGELOG.md

---
 CHANGELOG.md                   | 74 ++++++++++++++++++++++++++++++++++
 superset-frontend/package.json |  2 +-
 2 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4f52e605e693..365ccbc2818f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ under the License.
 
 ## Change Log
 
+- [3.1.2](#312-thu-mar-28-113200-2024--0300)
 - [3.1.1](#311-fri-feb-9-214933-2024-0100)
 - [3.1.0](#310-tue-jan-9-150500-2023--0800)
 - [3.0.3](#303-fri-dec-8-054009-2023--0800)
@@ -38,6 +39,79 @@ under the License.
 - [1.4.2](#142-sat-mar-19-000806-2022-0200)
 - [1.4.1](#141)
 
+### 3.1.2 (Thu Mar 28 11:32:00 2024 -0300)
+
+**Fixes**
+
+- [#27706](https://github.com/apache/superset/pull/27706) fix: Select onChange is fired when the same item is selected in single mode (@michael-s-molina)
+- [#27744](https://github.com/apache/superset/pull/27744) fix: reduce alert error to warning (@eschutho)
+- [#27644](https://github.com/apache/superset/pull/27644) fix: Provide more inclusive error handling for saved queries (@john-bodley)
+- [#27646](https://github.com/apache/superset/pull/27646) fix: Leverage actual database for rendering Jinjarized SQL (@john-bodley)
+- [#27636](https://github.com/apache/superset/pull/27636) fix(sqllab): unable to remove table (@justinpark)
+- [#27022](https://github.com/apache/superset/pull/27022) fix(Chart Annotation modal): Table and Superset annotation options will paginate, exceeding previous max limit 100 (@rtexelm)
+- [#27552](https://github.com/apache/superset/pull/27552) fix(AlertReports): defaulting grace period to undefined (@fisjac)
+- [#27551](https://github.com/apache/superset/pull/27551) fix(AlertReports): clearing custom_width when disabled (@fisjac)
+- [#27601](https://github.com/apache/superset/pull/27601) fix: Persist query params appended to permalink (@kgabryje)
+- [#27470](https://github.com/apache/superset/pull/27470) fix(sql_parse): Ensure table extraction handles Jinja templating (@john-bodley)
+- [#19595](https://github.com/apache/superset/pull/19595) fix: Volatile datasource ordering in dashboard export (@pnadolny13)
+- [#27613](https://github.com/apache/superset/pull/27613) fix(Dashboard): Add editMode conditional for translate3d fix on charts to allow intended Fullscreen (@rtexelm)
+- [#27388](https://github.com/apache/superset/pull/27388) fix(utils): fix off-by-one error in how rolling window's min_periods truncates dataframe (@sfirke)
+- [#27577](https://github.com/apache/superset/pull/27577) fix: sqlglot SQL Server (@betodealmeida)
+- [#27576](https://github.com/apache/superset/pull/27576) fix: bump sqlglot to support materialized CTEs (@betodealmeida)
+- [#27567](https://github.com/apache/superset/pull/27567) fix(db_engine_specs): Update convert_dttm to work correctly with CrateDB (@hlcianfagna)
+- [#27605](https://github.com/apache/superset/pull/27605) fix: Skips Hive tests that are blocking PRs (@michael-s-molina)
+- [#27566](https://github.com/apache/superset/pull/27566) fix: guest queries (@betodealmeida)
+- [#27464](https://github.com/apache/superset/pull/27464) fix: pass valid SQL to SM (@betodealmeida)
+- [#26748](https://github.com/apache/superset/pull/26748) fix: `improve _extract_tables_from_sql` (@betodealmeida)
+- [#27260](https://github.com/apache/superset/pull/27260) fix(alerts/reports): implementing custom_width as an Antd number input (@fisjac)
+- [#27487](https://github.com/apache/superset/pull/27487) fix(postprocessing): resample with holes (@villebro)
+- [#27484](https://github.com/apache/superset/pull/27484) fix: check if guest user modified query (@betodealmeida)
+- [#27471](https://github.com/apache/superset/pull/27471) fix(webpack): remove double-dotted file extensions in webpack config (@rusackas)
+- [#27411](https://github.com/apache/superset/pull/27411) fix(dashboard): Only fetch CSS templates for dashboard header menu when in edit mode (@mskelton)
+- [#27262](https://github.com/apache/superset/pull/27262) fix(Alerts & Reports): Fixing bug that resets cron value to default when empty (@fisjac)
+- [#27315](https://github.com/apache/superset/pull/27315) fix(deps): resolving canvg and html2canvas module not found (@fisjac)
+- [#27403](https://github.com/apache/superset/pull/27403) fix: missing shared color in mixed timeseries (@justinpark)
+- [#27391](https://github.com/apache/superset/pull/27391) fix(sqllab): Close already removed tab (@justinpark)
+- [#27364](https://github.com/apache/superset/pull/27364) fix(API): Updating assets via the API should preserve ownership configuration (@Vitor-Avila)
+- [#27395](https://github.com/apache/superset/pull/27395) fix: improve explore REST api validations (@dpgaspar)
+- [#26205](https://github.com/apache/superset/pull/26205) fix(docker): Remove race condition when building image (@alekseyolg)
+- [#27366](https://github.com/apache/superset/pull/27366) fix: Results section in Explore shows an infinite spinner (@michael-s-molina)
+- [#27187](https://github.com/apache/superset/pull/27187) fix: numexpr to fix CVE-2023-39631⁠ (2.8.4 => 2.9.0) (@nigzak)
+- [#27360](https://github.com/apache/superset/pull/27360) fix: Heatmap numeric sorting (@michael-s-molina)
+- [#27308](https://github.com/apache/superset/pull/27308) fix(dashboard): table chart drag preview overflowing container (@rtexelm)
+- [#27295](https://github.com/apache/superset/pull/27295) fix(sqllab): invalid dump sql shown after closing tab (@justinpark)
+- [#27285](https://github.com/apache/superset/pull/27285) fix(plugin-chart-echarts): calculate Gauge Chart intervals correctly when min value is set (@goto-loop)
+- [#27307](https://github.com/apache/superset/pull/27307) fix: Incorrect data type on import page (@michael-s-molina)
+- [#27291](https://github.com/apache/superset/pull/27291) fix: Data zoom with horizontal orientation (@michael-s-molina)
+- [#27273](https://github.com/apache/superset/pull/27273) fix: Navigating to an invalid page index in lists (@michael-s-molina)
+- [#27271](https://github.com/apache/superset/pull/27271) fix: Inoperable dashboard filter slider when range is <= 1 (@michael-s-molina)
+- [#27154](https://github.com/apache/superset/pull/27154) fix(import-datasources): Use "admin" user as default for importing datasources (@ddxv)
+- [#27258](https://github.com/apache/superset/pull/27258) fix: Sorting charts/dashboards makes the applied filters ineffective (@michael-s-molina)
+- [#27213](https://github.com/apache/superset/pull/27213) fix(trino): bumping trino to fix hudi schema fetching (@rusackas)
+- [#27236](https://github.com/apache/superset/pull/27236) fix(reports): fixing unit test (@fisjac)
+- [#27217](https://github.com/apache/superset/pull/27217) fix(sqlglot): Address regressions introduced in #26476 (@john-bodley)
+- [#27233](https://github.com/apache/superset/pull/27233) fix: bump FAB to 4.4.1 (perf issue) (@dpgaspar)
+- [#27167](https://github.com/apache/superset/pull/27167) fix: setting important lower bounds versions on requirements (@dpgaspar)
+- [#27215](https://github.com/apache/superset/pull/27215) fix: no limit in SELECT \* for TOP dbs (@betodealmeida)
+- [#27191](https://github.com/apache/superset/pull/27191) fix: Failed to execute importScripts on worker-css (@michael-s-molina)
+- [#27181](https://github.com/apache/superset/pull/27181) fix(sqllab): typeahead search is broken in db selector (@justinpark)
+- [#27161](https://github.com/apache/superset/pull/27161) fix(ci): mypy pre-commit issues (@dpgaspar)
+- [#27135](https://github.com/apache/superset/pull/27135) fix: Duplicated toast messages (@michael-s-molina)
+- [#27132](https://github.com/apache/superset/pull/27132) fix: Plain error message when visiting a dashboard via permalink without permissions (@michael-s-molina)
+- [#22840](https://github.com/apache/superset/pull/22840) fix(pivot-table-v2): Added forgotten translation pivot table v2 (@Always-prog)
+- [#27128](https://github.com/apache/superset/pull/27128) fix: RLS modal overflow (@michael-s-molina)
+- [#27112](https://github.com/apache/superset/pull/27112) fix: gevent upgrade to 23.9.1 (@dpgaspar)
+- [#27124](https://github.com/apache/superset/pull/27124) fix: bump grpcio, urllib3 and paramiko (@dpgaspar)
+- [#27113](https://github.com/apache/superset/pull/27113) fix: upgrade cryptography to major 42 (@dpgaspar)
+- [#27106](https://github.com/apache/superset/pull/27106) fix: Timeseries Y-axis format with contribution mode (@michael-s-molina)
+
+**Others**
+
+- [#27281](https://github.com/apache/superset/pull/27281) chore: bump cryptography minimum to 42.0.4 (@sadpandajoe)
+- [#27232](https://github.com/apache/superset/pull/27232) chore: Removes Chromatic workflow and dependencies (@michael-s-molina)
+- [#27159](https://github.com/apache/superset/pull/27159) chore: bump FAB to 4.4.0 (@dpgaspar)
+- [#27129](https://github.com/apache/superset/pull/27129) chore: lower cryptography min version to 41.0.2 (@sadpandajoe)
+
 ### 3.1.1 (Fri Feb 9 21:49:33 2024 +0100)
 
 **Fixes**
diff --git a/superset-frontend/package.json b/superset-frontend/package.json
index 5d7c711bbe9a2..99511ae650361 100644
--- a/superset-frontend/package.json
+++ b/superset-frontend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "superset",
-  "version": "3.1.1",
+  "version": "3.1.2",
   "description": "Superset is a data exploration platform designed to be visual, intuitive, and interactive.",
   "keywords": [
     "big",