docs/admin_docs/configuration/networking-settings.mdx
:::note
In Superset versions prior to 5.x you have to install flask-cors with pip install flask-cors to enable CORS support.
:::
The following keys in superset_config.py can be specified to configure CORS:
- ENABLE_CORS: Must be set to True in order to enable CORS
- CORS_OPTIONS: options passed to Flask-CORS (documentation)

Note that Superset bundles flask-talisman, self-described as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues.
There are two ways to embed a dashboard: Using the SDK or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard.
This works by first changing the content security policy (CSP) of flask-talisman to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. bypassing authentication. Once made public, the dashboard's URL can be added to an iframe in another website's HTML code.
Add to superset_config.py the entire TALISMAN_CONFIG section from config.py and include a frame-ancestors section:
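```python
TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        # ... (directives copied from config.py)
        "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"],
        # ...
    },
    # ... (remaining TALISMAN_CONFIG keys copied from config.py)
}
```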
Restart Superset for this configuration change to take effect.
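To check which parent sites a frame-ancestors list actually admits, the following added example (not part of the Superset docs or code) evaluates a rendered Content-Security-Policy header against a candidate parent origin. The header string is constructed from the domains above, and only host matching is modelled; scheme and port are ignored.

```python
# Added example, not Superset code. SAMPLE_CSP is a constructed header value.
from urllib.parse import urlsplit

SAMPLE_CSP = "default-src 'self'; frame-ancestors *.my-domain.com *.another-domain.com"


def frame_ancestors(csp_header):
    """Return the frame-ancestors source list, or None when the directive is absent."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def host_matches(pattern, host):
    """CSP host matching: '*.x.com' covers any subdomain depth but not 'x.com' itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def may_embed(csp_header, parent_origin):
    """True if a page at parent_origin passes the frame-ancestors host check."""
    sources = frame_ancestors(csp_header)
    if sources is None:
        return True  # CSP places no limit (X-Frame-Options may still apply)
    host = urlsplit(parent_origin).hostname or ""
    for src in sources:
        if src == "*":
            return True  # any site may frame the dashboard
        if src.startswith("'"):
            continue  # 'self' / 'none' keywords never match an external host
        src_host = urlsplit(src if "://" in src else "//" + src).hostname or ""
        if host_matches(src_host, host):
            return True
    return False
```

With the list shown above, a parent page on the apex domain my-domain.com is not admitted; add it as its own entry if it needs to embed dashboards.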
There are two approaches to making dashboards publicly accessible:
Option 1: Dataset-based access (simpler)
- PUBLIC_ROLE_LIKE = "Public" in superset_config.py

Option 2: Dashboard-level access (selective control)
- PUBLIC_ROLE_LIKE = "Public" in superset_config.py
- 'DASHBOARD_RBAC': True Feature Flag

See the Public role documentation for more details.
Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so:
```html
<iframe
  width="600"
  height="400"
  seamless
  frameBorder="0"
  scrolling="no"
  src="https://superset.my-domain.com/superset/dashboard/10/?standalone=1&height=400"
>
</iframe>
```
A chart's embed code can be generated by going to a chart's edit view and then clicking ... > Share > Embed code at the top right.
Clicking on ... next to EDIT DASHBOARD on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard".
To enable this entry, add the following line to the .env file:
SUPERSET_FEATURE_EMBEDDED_SUPERSET=true
When Superset is embedded in an application that manages authentication via SSO (OAuth2, SAML, or JWT), the logout button should be hidden since session management is handled by the parent application.
To hide the logout button in embedded contexts, add to superset_config.py:
```python
FEATURE_FLAGS = {
    "DISABLE_EMBEDDED_SUPERSET_LOGOUT": True,
}
```
This flag only hides the logout button when Superset detects it is running inside an iframe. Users accessing Superset directly (not embedded) will still see the logout button regardless of this setting.
:::note
When embedding with SSO, also set SESSION_COOKIE_SAMESITE = 'None' and SESSION_COOKIE_SECURE = True. See Security documentation for details.
:::
Similarly, flask-wtf is used to manage
some CSRF configurations. If you need to exempt endpoints from CSRF (e.g. if you are
running a custom auth postback endpoint), you can add the endpoints to WTF_CSRF_EXEMPT_LIST:
1. Turn on feature flag
   - SSH_TUNNELING to True
   - SSHTunnelManager class here
   - SSH_TUNNEL_LOCAL_BIND_ADDRESS: this is the host address where the tunnel will be accessible on your VPC
2. Create database w/ ssh tunnel enabled
3. Verify data is flowing
:::note
Domain Sharding is deprecated as of Superset 5.0.0, and will be removed in Superset 6.0.0. Please Enable HTTP2 to keep more open connections per domain.
:::
Chrome allows up to 6 open connections per domain at a time. When there are more than 6 slices in a dashboard, fetch requests are often queued up and wait for the next available socket. PR 5039 adds domain sharding to Superset, and this feature will be enabled by configuration only (by default Superset doesn’t allow cross-domain requests).
Add the following setting in your superset_config.py file:
- SUPERSET_WEBSERVER_DOMAINS: list of allowed hostnames for domain sharding feature.

Please create your domain shards as subdomains of your main domain for authorization to work properly on new domains. For example:

- SUPERSET_WEBSERVER_DOMAINS=['superset-1.mydomain.com','superset-2.mydomain.com','superset-3.mydomain.com','superset-4.mydomain.com']

or add the following setting in your superset_config.py file if domain shards are not subdomains of main domain.

- SESSION_COOKIE_DOMAIN = '.mydomain.com'

Superset allows you to add your own middleware. To add your own middleware, update the
ADDITIONAL_MIDDLEWARE key in your superset_config.py. ADDITIONAL_MIDDLEWARE should be a list
of your additional middleware classes.
For example, to use AUTH_REMOTE_USER from behind a proxy server like nginx, you have to add a
simple middleware class to add the value of HTTP_X_PROXY_REMOTE_USER (or any other custom header
from the proxy) to Gunicorn’s REMOTE_USER environment variable.
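A middleware of this kind, written here as an added example rather than taken from the Superset docs or code base: it copies the proxy header into REMOTE_USER only when the TCP peer is a trusted proxy, so a client that reaches Gunicorn directly cannot name its own user. TRUSTED_PROXIES and its address are assumptions for an nginx running on the same host.

```python
# Added example, not Superset's own code. Place the class in superset_config.py.
import ipaddress

# Assumption: nginx runs on the same host and connects to Gunicorn over loopback TCP.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
# WSGI environ key for the custom header named in the text above.
PROXY_USER_KEY = "HTTP_X_PROXY_REMOTE_USER"


def from_trusted_proxy(environ):
    """True when the TCP peer (REMOTE_ADDR) is one of the trusted proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or non-IP peer address: do not trust
    return any(peer in net for net in TRUSTED_PROXIES)


class RemoteUserMiddleware:
    """Copy the proxy-supplied user header into REMOTE_USER for AUTH_REMOTE_USER."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Always remove the header so downstream code never sees a raw client value.
        user = environ.pop(PROXY_USER_KEY, None)
        # Drop any pre-set REMOTE_USER, then set it only for trusted peers.
        environ.pop("REMOTE_USER", None)
        if user and from_trusted_proxy(environ):
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


ADDITIONAL_MIDDLEWARE = [RemoteUserMiddleware]
```

The proxy itself must overwrite the header on every request it forwards, so that a value sent by the browser never reaches this middleware through the trusted hop.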