
Public role is too strong by default

Open xavier-GitHub76 opened this issue 1 year ago • 12 comments

Bug description

Hello,

To implement the 'public' role, the documentation (https://superset.apache.org/docs/security/#public) indicates that the PUBLIC_ROLE_LIKE variable must be updated and gives the example of using the GAMMA role. It is also specified that the GAMMA role provides access for consultation.

By applying these recommendations and defining a “datasource access on” permission, an anonymous user can consult:

  • a dashboard
  • diagrams
  • datasets (by accessing the various main menus)

The visible elements are related to the “datasource access on” permission, but the GAMMA permissions used as a template are too strong.

An anonymous user can start creating a diagram and freely query a dataset via the diagram editing screen. They can also export all diagram data. However, they cannot save the diagram.

In order to achieve “read only” behavior, you should set up a role limited to the strict minimum and use it as a reference for the “public” role.

Here are the permissions I've identified as mandatory for this role:

  • can dashboard permalink on Superset
  • can read on Chart
  • can read on Dashboard
  • can dashboard on Superset
  • can explore json on Superset
  • can read on DashboardPermalinkRestApi
  • can write on DashboardPermalinkRestApi
  • can time range on Api

Of course, these permissions must be supplemented with the “datasource access on” permission.

With these permissions, an anonymous user will only be able to:

  • access a dashboard via its permalink
  • view the dashboard (and its diagrams)
  • generate permalinks (on tabs, headers, dashboard and diagrams)
  • filter a dashboard (including time ranges)
  • export a dashboard (PDF or image)

Best regards

How to reproduce the bug

  1. Define a PUBLIC_ROLE_LIKE = GAMMA
  2. On the "Public" role, add a “datasource access on” permission on a table
  3. Visit Superset as an anonymous user
  4. Click on "Dataset" menu
  5. Click on public dataset
  6. Edit a chart
  7. Export data
  8. Save chart (refused)

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

xavier-GitHub76 avatar Jul 26 '24 11:07 xavier-GitHub76

To achieve a true "read-only" behavior for anonymous users in Apache Superset, you should create a custom role with minimal permissions and use it as a reference for the "public" role. Here are the steps and permissions you need to configure:

  1. Create a Custom Role: Define a custom role with the necessary permissions.

  2. Assign Minimal Permissions: Assign the following permissions to the custom role:

    • can dashboard permalink on Superset
    • can read on Chart
    • can read on Dashboard
    • can dashboard on Superset
    • can explore json on Superset
    • can read on DashboardPermalinkRestApi
    • can write on DashboardPermalinkRestApi
    • can time range on Api
    • datasource access on (specific datasets)
  3. Set the Custom Role for Public Access: Update the superset_config.py to use the custom role for the public role.

Here is an example of how to configure this:

# superset_config.py

# Name of the role whose permissions the "Public" role copies at startup.
PUBLIC_ROLE_LIKE = "ReadOnly"

# Overrides belong in FEATURE_FLAGS. DEFAULT_FEATURE_FLAGS is Superset's own
# baseline dict; replacing it wholesale drops every other default flag.
FEATURE_FLAGS = {
    "DASHBOARD_RBAC": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "DASHBOARD_NATIVE_FILTERS": True,
    "DASHBOARD_CROSS_FILTERS": True,
}

  4. Programmatically Create and Assign Permissions: Use the following script to create the custom role and assign the necessary permissions:

from superset import security_manager
from superset.app import create_app

# `superset.app` is only a proxy to the current app, so build a real app
# here to let the script run stand-alone (e.g. `python create_public_role.py`).
app = create_app()

with app.app_context():
    # Create the role; add_role returns the existing role if it is already there
    role_name = "ReadOnly"
    read_only_role = security_manager.add_role(role_name)

    # (permission_name, view_menu_name) pairs as stored by Flask-AppBuilder
    permissions_to_assign = [
        ("can_dashboard_permalink", "Superset"),
        ("can_read", "Chart"),
        ("can_read", "Dashboard"),
        ("can_dashboard", "Superset"),
        ("can_explore_json", "Superset"),
        ("can_read", "DashboardPermalinkRestApi"),
        ("can_write", "DashboardPermalinkRestApi"),
        ("can_time_range", "Api"),
        # The view menu name of a dataset permission is the dataset's perm
        # string, "[database_name].[table_name](id:N)", not its display name.
        ("datasource_access", "[YourDatabase].[your_table](id:N)"),  # placeholder
    ]

    # Look up each permission/view pair and attach it to the role
    for perm_name, view_name in permissions_to_assign:
        perm_view = security_manager.find_permission_view_menu(perm_name, view_name)
        if perm_view is None:
            print(f"permission not found, skipping: {perm_name} on {view_name}")
            continue
        # add_permission_role skips pairs already on the role and commits
        security_manager.add_permission_role(read_only_role, perm_view)

By following these steps, you can ensure that anonymous users have a "read-only" experience, restricting them to viewing dashboards and generating permalinks without the ability to edit or save charts [1][2].

To continue talking to Dosu, mention @dosu.

dosubot[bot] avatar Jul 26 '24 12:07 dosubot[bot]

This is a good catch - I agree that Gamma permissions are too powerful for most people who want a Public viewer role.

The set of permissions I've given to people is:

  • can read on CssTemplate
  • can read on Chart
  • can read on Annotation
  • can read on Dashboard
  • can get on OpenApi
  • can write on DashboardFilterStateRestApi
  • can read on DashboardFilterStateRestApi
  • can write on DashboardPermalinkRestApi
  • can read on DashboardPermalinkRestApi
  • can write on ExploreFormDataRestApi
  • can read on ExploreFormDataRestApi
  • can write on ExplorePermalinkRestApi
  • can read on ExplorePermalinkRestApi
  • can list on FilterSets
  • can time range on Api
  • can query on Api
  • can query form data on Api
  • can filter on Superset
  • can slice json on Superset
  • can explore json on Superset
  • can validate sql json on Superset
  • can favstar on Superset
  • can dashboard permalink on Superset
  • can sql json on Superset
  • can queries on Superset
  • can csv on Superset
  • can dashboard on Superset
  • can slice on Superset
  • can annotation json on Superset
  • can share dashboard on Superset
  • can read on AdvancedDataType

I shared that list with someone on Slack and they said that they also had to add these: menu access on dashboards, can recent activity on logs, can userinfo on UserDBModelView

I would be interested in blending it with yours to get the narrowest set possible, then recommending that to people -- or simply adding it as a default role in Superset.

It's been a couple of years since I refined this list. I see a couple of mine that I think are clearly missing from yours, e.g., getting CSS templates and annotations. Are there are any on my list that seem problematic to you in terms of giving the user too much power?

sfirke avatar Jul 26 '24 14:07 sfirke
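One way to do that blending, as an added example that is not code from this thread or from the Superset project: the script below parses permission labels as Superset displays them in the role editor ("can read on Chart") into the (permission_name, view_menu_name) pairs Superset stores ("can_read", "Chart"), set-compares the two lists quoted above, and flags names that suggest writing or running queries for a manual look. The word list used for flagging is my own heuristic, not a Superset rule.

```python
"""Compare two candidate permission sets for a read-only "Public" role.

Added example, not code from this thread or from the Superset project.
"""
import re
from dataclasses import dataclass

# The two lists quoted in this thread, copied verbatim.
MINIMAL_LIST = """
can dashboard permalink on Superset
can read on Chart
can read on Dashboard
can dashboard on Superset
can explore json on Superset
can read on DashboardPermalinkRestApi
can write on DashboardPermalinkRestApi
can time range on Api
"""

WIDER_LIST = (
    "can read on CssTemplate, can read on Chart, can read on Annotation, "
    "can read on Dashboard, can get on OpenApi, "
    "can write on DashboardFilterStateRestApi, can read on DashboardFilterStateRestApi, "
    "can write on DashboardPermalinkRestApi, can read on DashboardPermalinkRestApi, "
    "can write on ExploreFormDataRestApi, can read on ExploreFormDataRestApi, "
    "can write on ExplorePermalinkRestApi, can read on ExplorePermalinkRestApi, "
    "can list on FilterSets, can time range on Api, can query on Api, "
    "can query form data on Api, can filter on Superset, can slice json on Superset, "
    "can explore json on Superset, can validate sql json on Superset, "
    "can favstar on Superset, can dashboard permalink on Superset, "
    "can sql json on Superset, can queries on Superset, can csv on Superset, "
    "can dashboard on Superset, can slice on Superset, can annotation json on Superset, "
    "can share dashboard on Superset, can read on AdvancedDataType"
)


@dataclass(frozen=True)
class Perm:
    permission: str  # internal name, e.g. "can_explore_json"
    view_menu: str   # e.g. "Superset", "Chart", "Api"

    @property
    def label(self) -> str:
        """Display form, e.g. 'can explore json on Superset'."""
        return f"{self.permission.replace('_', ' ')} on {self.view_menu}"


# Lazy match on the first " on " separates verb from view menu.
_LABEL_RE = re.compile(r"^(?P<perm>.+?) on (?P<view>.+)$")


def parse_label(label: str) -> Perm:
    """'can explore json on Superset' -> Perm('can_explore_json', 'Superset')."""
    m = _LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised permission label: {label!r}")
    return Perm(m.group("perm").replace(" ", "_"), m.group("view").strip())


def parse_labels(text: str) -> set[Perm]:
    """Accept one label per line or a comma-separated list."""
    return {parse_label(p) for p in re.split(r"[,\n]", text) if p.strip()}


# Heuristic (my assumption, not a Superset rule): a permission whose name
# contains one of these words does more than display stored content.
REVIEW_WORDS = {"write", "sql", "csv", "query", "queries"}


def needs_review(perm: Perm) -> bool:
    return bool(REVIEW_WORDS & set(perm.permission.split("_")))


def _labels(perms) -> list[str]:
    return sorted(p.label for p in perms)


def compare_lists(minimal_text: str, wider_text: str) -> dict[str, list[str]]:
    """Set-compare two label lists; every result is a sorted list of labels."""
    minimal, wider = parse_labels(minimal_text), parse_labels(wider_text)
    return {
        "common": _labels(minimal & wider),
        "only_minimal": _labels(minimal - wider),
        "only_wider": _labels(wider - minimal),
        "review": _labels(p for p in minimal | wider if needs_review(p)),
    }


if __name__ == "__main__":
    for key, items in compare_lists(MINIMAL_LIST, WIDER_LIST).items():
        print(f"{key} ({len(items)}):")
        for item in items:
            print(f"  {item}")
```

Run as-is it reports the eight permissions both lists share, the 23 the longer list adds, and the ten whose names mention writing, SQL, CSV or queries; any other role export can be pasted into the two strings to compare against the same baseline.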

Maybe it's time to add a new built-in public role (Delta?) for this purpose, but just not wire it up to anything by default? Curious also to hear if/how @dpgaspar would like to weigh in on the above.

rusackas avatar Jul 26 '24 17:07 rusackas

I agree with @rusackas. I have been struggling for approximately 3 weeks to configure a proper "Public" role, mixed or not with the RBAC feature. A proper minimal Public role should be included or at least documented.

In addition, I didn't find any documentation of permissions. Is there one somewhere I have missed? If not, it's important to write one.

Arcelone avatar Jul 30 '24 06:07 Arcelone

@xavier-GitHub76 what is the "can write to DashboardPermalinkRestApi" permission for? I tried without it and I didn't find what was blocked.

Arcelone avatar Jul 30 '24 16:07 Arcelone

@Arcelone I'm guessing it's so that dashboard permalinks can be accessed. E.g., accessing the dashboard at https://data.yourdomain.com/superset/dashboard/your-dashboard instead of https://data.yourdomain.com/superset/dashboard/101. Did you try that?

sfirke avatar Jul 30 '24 16:07 sfirke

@sfirke I didn't get what you said.

When you share the dashboard permalink it looks like: https://data.yourdomain.com/superset/dashboard/aiiduzgxykrofbzh

The receiver pastes it in their browser and there you go.

Arcelone avatar Jul 30 '24 16:07 Arcelone

Related discussion: https://github.com/apache/superset/discussions/25938

sfirke avatar Aug 13 '24 13:08 sfirke

I will specify each permission (and the issues if it is missing)

xavier-GitHub76 avatar Aug 21 '24 14:08 xavier-GitHub76

Without "can write to DashboardPermalinkRestApi" : Issue #30004

xavier-GitHub76 avatar Aug 23 '24 10:08 xavier-GitHub76

Without "can time range on Api" : #30005

xavier-GitHub76 avatar Aug 23 '24 10:08 xavier-GitHub76

The display of a dashboard is impossible (redirection to the login page) without one of the following:

  • can dashboard on Superset
  • can dashboard permalink on Superset
  • can explore json on Superset
  • can read on Chart
  • can read on Dashboard
  • can read on DashboardPermalinkRestApi

xavier-GitHub76 avatar Aug 23 '24 11:08 xavier-GitHub76

To download a chart as CSV/Excel/Image --> permission "can csv on Superset" (label not precise) https://github.com/apache/superset/issues/30317

xavier-GitHub76 avatar Sep 18 '24 12:09 xavier-GitHub76

Moving this to an Ideas discussion, since it sounds like that... a good idea, rather than a Superset bug. Holler if you want to open a PR and/or open a SIP to add a new role.

rusackas avatar Apr 14 '25 18:04 rusackas