403 Forbidden when accessing /api/v1/extensions/_info (Superset 6.1.0rc1 + extension 0.1.0rc1, Docker)

[worker123-tech]

Environment

Apache Superset: 6.1.0rc1

apache-superset-extension-cli: 0.1.0rc1

apache-superset-core: 0.1.0rc1

Deployment: Docker

Authentication: Database (admin user)

Problem

When accessing the /extensions page, the frontend fails to load extension metadata.

The request:

GET /api/v1/extensions/_info?q=(keys:!(permissions))

fails with:

401 Unauthorized when no Authorization header is provided

403 Forbidden when Authorization header is included

Observations

Admin user has read and menu access permissions for extensions

However, the following command shows no related permissions:

superset fab list-permissions | grep -i extension

No permissions such as can read on ExtensionsRestApi are present

The API route exists and is reachable, but authorization fails

Expected Behavior

Authenticated admin user should be able to access /api/v1/extensions/_info

Required permissions for ExtensionsRestApi should be automatically generated

/extensions page should load successfully

Actual Behavior

Endpoint requires authentication

Authentication succeeds (Authorization header works)

Authorization fails with 403

Missing permissions for Extensions API in the system

Steps to Reproduce

Run Superset 6.1.0rc1 with Docker

Install and enable extension packages (apache-superset-extension-cli and apache-superset-core)

Login as admin user

Navigate to /extensions

Observe failed request to:

/api/v1/extensions/_info

Check response:

401 without Authorization header

403 with Authorization header

Question

Are permissions for ExtensionsRestApi expected to be auto-generated?

Is there an additional initialization step required for extensions in Docker deployments?

Should this endpoint use session-based auth instead of JWT, or is Authorization header required by design?

Could this be a bug where API routes are registered but permissions are not synchronized?

[dosubot[bot]]

This looks like a permission synchronization issue that's common after upgrades. The ExtensionsRestApi endpoint you're hitting requires permissions that haven't been registered in your FAB security database.

Try these steps in order:

1. Run database migrations and resync permissions:

   docker compose exec superset superset db upgrade
   docker compose exec superset superset init

2. Restart Superset after the init completes.

3. Verify permissions were created:

   docker compose exec superset superset fab list-permissions | grep -i extension

Why this happens: Superset uses Flask-AppBuilder's permission auto-generation system which runs during superset init. If the init service failed or ran before the extension packages were installed, the extension API permissions won't exist.

If that doesn't work: The March 2026 extension API changes introduced a new unified @api decorator with automatic route prefixing to /extensions/{publisher}/{name}. If you're using 6.1.0rc1, the extension packages may need to follow this new registration pattern. Check if the extension packages are compatible with 6.1.0rc1.

For Docker specifically, ensure the superset-init service completed successfully - other services wait for this via condition: service_completed_successfully. Check the init container logs for any errors:

docker compose logs superset-init

This is a known pattern of issues after upgrades where permissions aren't properly synced.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}