tessl/pypi-superset
A modern, enterprise-ready business intelligence web application
—
Pending
security.mddocs/
Security
Role-based access control system with fine-grained permissions for databases, schemas, tables, and individual metrics. Supports multiple authentication methods, custom security policies, and comprehensive audit trails for enterprise-grade security management.
Capabilities
Security Manager
Core security management system providing authentication, authorization, and permission control.
class SupersetSecurityManager:
"""
Comprehensive security manager for Superset access control.
Extends Flask-AppBuilder security with Superset-specific permissions
and datasource-level access controls.
"""
def can_access(self, permission_name, view_name, user=None):
"""
Check if user has specific permission for a view.
Parameters:
- permission_name: str, permission identifier ('can_read', 'can_write', etc.)
- view_name: str, view or resource name
- user: User, optional user object (defaults to current user)
Returns:
bool, True if user has permission, False otherwise
"""
def all_datasource_access(self, user=None):
"""
Check if user has access to all datasources.
Administrative permission bypassing individual datasource checks.
Parameters:
- user: User, optional user object (defaults to current user)
Returns:
bool, True if user has all-datasource access
"""
def database_access(self, database, user=None):
"""
Check database-level access permission.
Parameters:
- database: Database, database instance to check
- user: User, optional user object (defaults to current user)
Returns:
bool, True if user can access the database
"""
def schema_access(self, database, schema, user=None):
"""
Check schema-level access permission.
Parameters:
- database: Database, database containing the schema
- schema: str, schema name to check access for
- user: User, optional user object (defaults to current user)
Returns:
bool, True if user can access the schema
"""
def datasource_access(self, datasource, user=None):
"""
Check datasource-level access permission.
Parameters:
- datasource: BaseDatasource, table or Druid datasource to check
- user: User, optional user object (defaults to current user)
Returns:
bool, True if user can access the datasource
"""
def get_schema_perm(self, database, schema):
"""
Generate schema permission string for access control.
Parameters:
- database: Database, database instance
- schema: str, schema name
Returns:
str, formatted permission string for schema access
"""
def can_access_datasource(self, database, table, schema=None):
"""
Check table access with optional schema context.
Parameters:
- database: Database, database containing the table
- table: str, table name to check access for
- schema: str, optional schema name for context
Returns:
bool, True if user can access the specified table
"""Built-in Roles
Predefined role hierarchy with escalating permission levels.
# Admin Role
"""
Full system access and administrative privileges.
Permissions:
- All database and datasource access
- User and role management
- System configuration changes
- Import/export operations
- SQL Lab with DDL/DML capabilities
- Dashboard and chart creation/modification
- Access request approval
"""
# Alpha Role
"""
Advanced user with broad access and content creation privileges.
Permissions:
- All datasource access (configurable)
- Dashboard and chart creation/modification
- SQL Lab with SELECT privileges
- Bulk delete operations
- Data exploration across all sources
- Limited administrative functions
"""
# Gamma Role
"""
Basic user with restricted access to assigned resources.
Permissions:
- Access to specifically granted datasources
- Dashboard and chart viewing
- Limited chart creation (on permitted data)
- SQL Lab on granted databases (if enabled)
- Personal workspace management
"""
# Public Role
"""
Anonymous access role (when enabled).
Permissions:
- Access to publicly shared dashboards
- View-only access to designated public data
- No authentication required
- Configurable through PUBLIC_ROLE_LIKE_GAMMA setting
"""
# SQL Lab Role
"""
Specialized role for SQL Lab access.
Permissions:
- SQL query execution
- Saved query management
- Result export capabilities
- Database metadata browsing
"""Permission Categories
Hierarchical permission system for granular access control.
# Read-Only Permissions
"""
View and list permissions for basic access.
"""
can_show = "can_show"
"""View object details and properties."""
can_list = "can_list"
"""List objects in collections and indexes."""
# Administrative Permissions
"""
System-level permissions for administrative functions.
"""
all_database_access = "all_database_access"
"""Access to all database connections regardless of grants."""
can_sql_json = "can_sql_json"
"""Execute SQL queries through JSON API."""
can_override_role_permissions = "can_override_role_permissions"
"""Temporarily modify user permissions."""
can_sync_druid_source = "can_sync_druid_source"
"""Synchronize Druid metadata and datasources."""
can_approve = "can_approve"
"""Approve datasource access requests."""
can_update_role = "can_update_role"
"""Modify user roles and assignments."""
# Alpha-Level Permissions
"""
Advanced user permissions for content creation.
"""
muldelete = "muldelete"
"""Perform bulk delete operations."""
all_datasource_access = "all_datasource_access"
"""Access all datasources without individual grants."""
# Object-Specific Permissions
"""
Fine-grained permissions for individual resources.
"""
database_access = "database_access"
"""Access to specific database connections."""
schema_access = "schema_access"
"""Access to specific database schemas."""
datasource_access = "datasource_access"
"""Access to specific tables or Druid datasources."""
metric_access = "metric_access"
"""Access to specific calculated metrics."""View Access Control
Permission assignments for different interface components and administrative views.
# Read-Only Model Views
"""
Views accessible to users with basic read permissions.
"""
READ_ONLY_MODEL_VIEWS = {
'DatabaseAsync',
'DatabaseView',
'DruidClusterModelView'
}
# Gamma Read-Only Views
"""
Views accessible to Gamma role users for data exploration.
"""
GAMMA_READ_ONLY_VIEWS = {
'SqlMetricInlineView',
'TableColumnInlineView',
'TableModelView',
'DruidColumnInlineView',
'DruidDatasourceModelView',
'DruidMetricInlineView'
}
# Admin-Only Views
"""
Administrative interfaces requiring Admin role.
"""
ADMIN_ONLY_VIEWS = {
'AccessRequestsModelView',
'Manage',
'SQL Lab',
'Queries',
'Refresh Druid Metadata',
'ResetPasswordView',
'RoleModelView',
'Security',
'UserDBModelView',
'UserLDAPModelView',
'UserOAuthModelView',
'UserOIDModelView',
'UserRemoteUserModelView'
}
# Alpha-Only Views
"""
Views requiring Alpha role privileges.
"""
ALPHA_ONLY_VIEWS = {
'Upload a CSV'
}Security Context
Runtime security context and permission evaluation functions.
def get_user_roles():
"""
Get current user's assigned roles.
Returns:
List of Role objects assigned to current user
"""
def get_user_datasources():
"""
Get datasources accessible to current user.
Returns:
List of datasource instances user can access
"""
def merge_perm(permission_name, view_menu_name):
"""
Create or retrieve permission object.
Parameters:
- permission_name: str, permission identifier
- view_menu_name: str, view or resource name
Returns:
Permission object for role assignment
"""
def is_item_public(permission_name, view_menu_name):
"""
Check if permission is assigned to public role.
Parameters:
- permission_name: str, permission to check
- view_menu_name: str, view or resource name
Returns:
bool, True if accessible without authentication
"""Authentication Methods
Supported authentication backends for user identity management.
# Database Authentication (Default)
AUTH_TYPE = AUTH_DB
"""
Built-in user management with local database storage.
Features:
- User registration and password management
- Role-based access control
- Password reset functionality
- User profile management
"""
# LDAP Authentication
AUTH_TYPE = AUTH_LDAP
"""
LDAP/Active Directory integration.
Configuration:
- AUTH_LDAP_SERVER: LDAP server URL
- AUTH_LDAP_USE_TLS: Enable TLS encryption
- AUTH_LDAP_USERNAME_FORMAT: Username format string
- AUTH_LDAP_SEARCH: User search configuration
"""
# OAuth Authentication
AUTH_TYPE = AUTH_OAUTH
"""
OAuth 2.0 provider integration.
Supported Providers:
- Google OAuth
- GitHub OAuth
- Azure Active Directory
- Custom OAuth providers
"""
# OpenID Connect
AUTH_TYPE = AUTH_OID
"""
OpenID Connect authentication.
Features:
- Standard OIDC flow implementation
- JWT token validation
- Automatic user provisioning
- Role mapping from claims
"""
# Remote User Authentication
AUTH_TYPE = AUTH_REMOTE_USER
"""
External authentication via HTTP headers.
Use Cases:
- Single sign-on (SSO) integration
- Proxy-based authentication
- Enterprise identity systems
"""Permission Examples
Database-Level Security
# Check database access
if security_manager.database_access(database):
# User can access this database
tables = database.all_table_names()
# Check schema access
if security_manager.schema_access(database, 'public'):
# User can access public schema
schema_tables = get_schema_tables(database, 'public')Datasource-Level Security
# Check table access
if security_manager.datasource_access(table):
# User can query this table
query_result = table.query(query_obj)
# Filter accessible datasources
accessible_tables = [
table for table in all_tables
if security_manager.datasource_access(table)
]Role-Based Access
# Check administrative permissions
if security_manager.can_access('can_override_role_permissions', 'Superset'):
# User can modify permissions
grant_temporary_access(user, datasource)
# Check Alpha-level permissions
if security_manager.can_access('all_datasource_access', 'all_datasource_access'):
# User has Alpha privileges
return get_all_datasources()Custom Security Policies
Custom Security Manager
class CustomSecurityManager(SupersetSecurityManager):
"""Custom security manager with organization-specific rules."""
def datasource_access(self, datasource, user=None):
"""Custom datasource access logic."""
# Check standard permissions first
if super().datasource_access(datasource, user):
return True
# Custom business logic
if user and hasattr(datasource, 'department'):
return user.department == datasource.department
return False
# Configure custom security manager
CUSTOM_SECURITY_MANAGER = CustomSecurityManagerPermission Decorators
from superset.security import has_access
@has_access
def protected_view():
"""View requiring authentication."""
pass
@has_access_api
def protected_api():
"""API endpoint with permission checking."""
passAudit and Compliance
Activity Logging
# All user actions are automatically logged
log_entry = Log(
action='dashboard_view',
user_id=current_user.id,
dashboard_id=dashboard.id,
dttm=datetime.now(),
json=json.dumps(request_details)
)Access Request Workflow
# Users can request access to restricted datasources
access_request = DatasourceAccessRequest(
datasource_type='table',
datasource_id=table.id,
changed_by_fk=current_user.id
)
# Administrators approve/deny requests
if security_manager.can_access('can_approve', 'Superset'):
approve_access_request(access_request)The security framework provides comprehensive protection for data and functionality while maintaining flexibility for custom authentication and authorization requirements.
Install with Tessl CLI
npx tessl i tessl/pypi-superset