0
# Security
1
2
Role-based access control system with fine-grained permissions for databases, schemas, tables, and individual metrics. Supports multiple authentication methods, custom security policies, and comprehensive audit trails for enterprise-grade security management.
3
4
## Capabilities
5
6
### Security Manager
7
8
Core security management system providing authentication, authorization, and permission control.
9
10
```python { .api }
11
class SupersetSecurityManager:
12
"""
13
Comprehensive security manager for Superset access control.
14
Extends Flask-AppBuilder security with Superset-specific permissions
15
and datasource-level access controls.
16
"""
17
18
def can_access(self, permission_name, view_name, user=None):
19
"""
20
Check if user has specific permission for a view.
21
22
Parameters:
23
- permission_name: str, permission identifier ('can_read', 'can_write', etc.)
24
- view_name: str, view or resource name
25
- user: User, optional user object (defaults to current user)
26
27
Returns:
28
bool, True if user has permission, False otherwise
29
"""
30
31
def all_datasource_access(self, user=None):
32
"""
33
Check if user has access to all datasources.
34
Administrative permission bypassing individual datasource checks.
35
36
Parameters:
37
- user: User, optional user object (defaults to current user)
38
39
Returns:
40
bool, True if user has all-datasource access
41
"""
42
43
def database_access(self, database, user=None):
44
"""
45
Check database-level access permission.
46
47
Parameters:
48
- database: Database, database instance to check
49
- user: User, optional user object (defaults to current user)
50
51
Returns:
52
bool, True if user can access the database
53
"""
54
55
def schema_access(self, database, schema, user=None):
56
"""
57
Check schema-level access permission.
58
59
Parameters:
60
- database: Database, database containing the schema
61
- schema: str, schema name to check access for
62
- user: User, optional user object (defaults to current user)
63
64
Returns:
65
bool, True if user can access the schema
66
"""
67
68
def datasource_access(self, datasource, user=None):
69
"""
70
Check datasource-level access permission.
71
72
Parameters:
73
- datasource: BaseDatasource, table or Druid datasource to check
74
- user: User, optional user object (defaults to current user)
75
76
Returns:
77
bool, True if user can access the datasource
78
"""
79
80
def get_schema_perm(self, database, schema):
81
"""
82
Generate schema permission string for access control.
83
84
Parameters:
85
- database: Database, database instance
86
- schema: str, schema name
87
88
Returns:
89
str, formatted permission string for schema access
90
"""
91
92
def can_access_datasource(self, database, table, schema=None):
93
"""
94
Check table access with optional schema context.
95
96
Parameters:
97
- database: Database, database containing the table
98
- table: str, table name to check access for
99
- schema: str, optional schema name for context
100
101
Returns:
102
bool, True if user can access the specified table
103
"""
104
```
105
106
### Built-in Roles
107
108
Predefined role hierarchy with escalating permission levels.
109
110
```python { .api }
111
# Admin Role
112
"""
113
Full system access and administrative privileges.
114
115
Permissions:
116
- All database and datasource access
117
- User and role management
118
- System configuration changes
119
- Import/export operations
120
- SQL Lab with DDL/DML capabilities
121
- Dashboard and chart creation/modification
122
- Access request approval
123
"""
124
125
# Alpha Role
126
"""
127
Advanced user with broad access and content creation privileges.
128
129
Permissions:
130
- All datasource access (configurable)
131
- Dashboard and chart creation/modification
132
- SQL Lab with SELECT privileges
133
- Bulk delete operations
134
- Data exploration across all sources
135
- Limited administrative functions
136
"""
137
138
# Gamma Role
139
"""
140
Basic user with restricted access to assigned resources.
141
142
Permissions:
143
- Access to specifically granted datasources
144
- Dashboard and chart viewing
145
- Limited chart creation (on permitted data)
146
- SQL Lab on granted databases (if enabled)
147
- Personal workspace management
148
"""
149
150
# Public Role
151
"""
152
Anonymous access role (when enabled).
153
154
Permissions:
155
- Access to publicly shared dashboards
156
- View-only access to designated public data
157
- No authentication required
158
- Configurable through PUBLIC_ROLE_LIKE_GAMMA setting
159
"""
160
161
# SQL Lab Role
162
"""
163
Specialized role for SQL Lab access.
164
165
Permissions:
166
- SQL query execution
167
- Saved query management
168
- Result export capabilities
169
- Database metadata browsing
170
"""
171
```
172
173
### Permission Categories
174
175
Hierarchical permission system for granular access control.
176
177
```python { .api }
178
# Read-Only Permissions
179
"""
180
View and list permissions for basic access.
181
"""
182
can_show = "can_show"
183
"""View object details and properties."""
184
185
can_list = "can_list"
186
"""List objects in collections and indexes."""
187
188
# Administrative Permissions
189
"""
190
System-level permissions for administrative functions.
191
"""
192
all_database_access = "all_database_access"
193
"""Access to all database connections regardless of grants."""
194
195
can_sql_json = "can_sql_json"
196
"""Execute SQL queries through JSON API."""
197
198
can_override_role_permissions = "can_override_role_permissions"
199
"""Temporarily modify user permissions."""
200
201
can_sync_druid_source = "can_sync_druid_source"
202
"""Synchronize Druid metadata and datasources."""
203
204
can_approve = "can_approve"
205
"""Approve datasource access requests."""
206
207
can_update_role = "can_update_role"
208
"""Modify user roles and assignments."""
209
210
# Alpha-Level Permissions
211
"""
212
Advanced user permissions for content creation.
213
"""
214
muldelete = "muldelete"
215
"""Perform bulk delete operations."""
216
217
all_datasource_access = "all_datasource_access"
218
"""Access all datasources without individual grants."""
219
220
# Object-Specific Permissions
221
"""
222
Fine-grained permissions for individual resources.
223
"""
224
database_access = "database_access"
225
"""Access to specific database connections."""
226
227
schema_access = "schema_access"
228
"""Access to specific database schemas."""
229
230
datasource_access = "datasource_access"
231
"""Access to specific tables or Druid datasources."""
232
233
metric_access = "metric_access"
234
"""Access to specific calculated metrics."""
235
```
236
237
### View Access Control
238
239
Permission assignments for different interface components and administrative views.
240
241
```python { .api }
242
# Read-Only Model Views
243
"""
244
Views accessible to users with basic read permissions.
245
"""
246
READ_ONLY_MODEL_VIEWS = {
247
'DatabaseAsync',
248
'DatabaseView',
249
'DruidClusterModelView'
250
}
251
252
# Gamma Read-Only Views
253
"""
254
Views accessible to Gamma role users for data exploration.
255
"""
256
GAMMA_READ_ONLY_VIEWS = {
257
'SqlMetricInlineView',
258
'TableColumnInlineView',
259
'TableModelView',
260
'DruidColumnInlineView',
261
'DruidDatasourceModelView',
262
'DruidMetricInlineView'
263
}
264
265
# Admin-Only Views
266
"""
267
Administrative interfaces requiring Admin role.
268
"""
269
ADMIN_ONLY_VIEWS = {
270
'AccessRequestsModelView',
271
'Manage',
272
'SQL Lab',
273
'Queries',
274
'Refresh Druid Metadata',
275
'ResetPasswordView',
276
'RoleModelView',
277
'Security',
278
'UserDBModelView',
279
'UserLDAPModelView',
280
'UserOAuthModelView',
281
'UserOIDModelView',
282
'UserRemoteUserModelView'
283
}
284
285
# Alpha-Only Views
286
"""
287
Views requiring Alpha role privileges.
288
"""
289
ALPHA_ONLY_VIEWS = {
290
'Upload a CSV'
291
}
292
```
293
294
### Security Context
295
296
Runtime security context and permission evaluation functions.
297
298
```python { .api }
299
def get_user_roles():
300
"""
301
Get current user's assigned roles.
302
303
Returns:
304
List of Role objects assigned to current user
305
"""
306
307
def get_user_datasources():
308
"""
309
Get datasources accessible to current user.
310
311
Returns:
312
List of datasource instances user can access
313
"""
314
315
def merge_perm(permission_name, view_menu_name):
316
"""
317
Create or retrieve permission object.
318
319
Parameters:
320
- permission_name: str, permission identifier
321
- view_menu_name: str, view or resource name
322
323
Returns:
324
Permission object for role assignment
325
"""
326
327
def is_item_public(permission_name, view_menu_name):
328
"""
329
Check if permission is assigned to public role.
330
331
Parameters:
332
- permission_name: str, permission to check
333
- view_menu_name: str, view or resource name
334
335
Returns:
336
bool, True if accessible without authentication
337
"""
338
```
339
340
## Authentication Methods
341
342
Supported authentication backends for user identity management.
343
344
```python { .api }
345
# Database Authentication (Default)
346
AUTH_TYPE = AUTH_DB
347
"""
348
Built-in user management with local database storage.
349
350
Features:
351
- User registration and password management
352
- Role-based access control
353
- Password reset functionality
354
- User profile management
355
"""
356
357
# LDAP Authentication
358
AUTH_TYPE = AUTH_LDAP
359
"""
360
LDAP/Active Directory integration.
361
362
Configuration:
363
- AUTH_LDAP_SERVER: LDAP server URL
364
- AUTH_LDAP_USE_TLS: Enable TLS encryption
365
- AUTH_LDAP_USERNAME_FORMAT: Username format string
366
- AUTH_LDAP_SEARCH: User search configuration
367
"""
368
369
# OAuth Authentication
370
AUTH_TYPE = AUTH_OAUTH
371
"""
372
OAuth 2.0 provider integration.
373
374
Supported Providers:
375
- Google OAuth
376
- GitHub OAuth
377
- Azure Active Directory
378
- Custom OAuth providers
379
"""
380
381
# OpenID Connect
382
AUTH_TYPE = AUTH_OID
383
"""
384
OpenID Connect authentication.
385
386
Features:
387
- Standard OIDC flow implementation
388
- JWT token validation
389
- Automatic user provisioning
390
- Role mapping from claims
391
"""
392
393
# Remote User Authentication
394
AUTH_TYPE = AUTH_REMOTE_USER
395
"""
396
External authentication via HTTP headers.
397
398
Use Cases:
399
- Single sign-on (SSO) integration
400
- Proxy-based authentication
401
- Enterprise identity systems
402
"""
403
```
404
405
## Permission Examples
406
407
### Database-Level Security
408
409
```python
410
# Check database access
411
if security_manager.database_access(database):
412
# User can access this database
413
tables = database.all_table_names()
414
415
# Check schema access
416
if security_manager.schema_access(database, 'public'):
417
# User can access public schema
418
schema_tables = get_schema_tables(database, 'public')
419
```
420
421
### Datasource-Level Security
422
423
```python
424
# Check table access
425
if security_manager.datasource_access(table):
426
# User can query this table
427
query_result = table.query(query_obj)
428
429
# Filter accessible datasources
430
accessible_tables = [
431
table for table in all_tables
432
if security_manager.datasource_access(table)
433
]
434
```
435
436
### Role-Based Access
437
438
```python
439
# Check administrative permissions
440
if security_manager.can_access('can_override_role_permissions', 'Superset'):
441
# User can modify permissions
442
grant_temporary_access(user, datasource)
443
444
# Check Alpha-level permissions
445
if security_manager.can_access('all_datasource_access', 'all_datasource_access'):
446
# User has Alpha privileges
447
return get_all_datasources()
448
```
449
450
## Custom Security Policies
451
452
### Custom Security Manager
453
454
```python
455
class CustomSecurityManager(SupersetSecurityManager):
456
"""Custom security manager with organization-specific rules."""
457
458
def datasource_access(self, datasource, user=None):
459
"""Custom datasource access logic."""
460
461
# Check standard permissions first
462
if super().datasource_access(datasource, user):
463
return True
464
465
# Custom business logic
466
if user and hasattr(datasource, 'department'):
467
return user.department == datasource.department
468
469
return False
470
471
# Configure custom security manager
472
CUSTOM_SECURITY_MANAGER = CustomSecurityManager
473
```
474
475
### Permission Decorators
476
477
```python
478
from superset.security import has_access
479
480
@has_access
481
def protected_view():
482
"""View requiring authentication."""
483
pass
484
485
@has_access_api
486
def protected_api():
487
"""API endpoint with permission checking."""
488
pass
489
```
490
491
## Audit and Compliance
492
493
### Activity Logging
494
495
```python
496
# All user actions are automatically logged
497
log_entry = Log(
498
action='dashboard_view',
499
user_id=current_user.id,
500
dashboard_id=dashboard.id,
501
dttm=datetime.now(),
502
json=json.dumps(request_details)
503
)
504
```
505
506
### Access Request Workflow
507
508
```python
509
# Users can request access to restricted datasources
510
access_request = DatasourceAccessRequest(
511
datasource_type='table',
512
datasource_id=table.id,
513
changed_by_fk=current_user.id
514
)
515
516
# Administrators approve/deny requests
517
if security_manager.can_access('can_approve', 'Superset'):
518
approve_access_request(access_request)
519
```
520
521
The security framework provides comprehensive protection for data and functionality while maintaining flexibility for custom authentication and authorization requirements.