dosubot[bot] commented on issue #29709: URL: https://github.com/apache/superset/issues/29709#issuecomment-2252662322
To achieve a true "read-only" behavior for anonymous users in Apache Superset, you should create a custom role with minimal permissions and use it as a reference for the "public" role. Here are the steps and permissions you need to configure:

1. **Create a Custom Role**: Define a custom role with the necessary permissions.

2. **Assign Minimal Permissions**: Assign the following permissions to the custom role:
   - `can dashboard permalink on Superset`
   - `can read on Chart`
   - `can read on Dashboard`
   - `can dashboard on Superset`
   - `can explore json on Superset`
   - `can read on DashboardPermalinkRestApi`
   - `can write on DashboardPermalinkRestApi`
   - `can time range on Api`
   - `datasource access on` (specific datasets)

3. **Set the Custom Role for Public Access**: Update the `superset_config.py` to use the custom role for the public role. Here is an example of how to configure this:

   ```python
   # superset_config.py
   PUBLIC_ROLE_LIKE = "ReadOnly"
   DEFAULT_FEATURE_FLAGS = {
       "DASHBOARD_RBAC": True,
       "ENABLE_TEMPLATE_PROCESSING": True,
       "DASHBOARD_NATIVE_FILTERS": True,
       "DASHBOARD_CROSS_FILTERS": True
   }
   ```

4. **Programmatically Create and Assign Permissions**: Use the following script to create the custom role and assign the necessary permissions:

   ```python
   from superset import app, security_manager

   # Initialize the app context
   with app.app_context():
       # Create a new role
       role_name = "ReadOnly"
       read_only_role = security_manager.add_role(role_name)

       # Define the permissions to assign
       permissions_to_assign = [
           ("can_dashboard_permalink", "Superset"),
           ("can_read", "Chart"),
           ("can_read", "Dashboard"),
           ("can_dashboard", "Superset"),
           ("can_explore_json", "Superset"),
           ("can_read", "DashboardPermalinkRestApi"),
           ("can_write", "DashboardPermalinkRestApi"),
           ("can_time_range", "Api"),
           ("datasource_access", "YourDatasetName")  # Replace with your dataset name
       ]

       # Find and assign the permissions to the role
       for perm_name, view_name in permissions_to_assign:
           perm_view = security_manager.find_permission_view_menu(perm_name, view_name)
           if perm_view:
               read_only_role.permissions.append(perm_view)

       # Commit the changes to the database
       security_manager.get_session.commit()
   ```

By following these steps, you can ensure that anonymous users have a "read-only" experience, restricting them to viewing dashboards and generating permalinks without the ability to edit or save charts <sup>[[1]](https://github.com/apache/superset/discussions/25299)</sup><sup>[[2]](https://github.com/apache/superset/blob/master/superset/security/manager.py)</sup>.
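An added example, not part of the comment above and not Superset code: a stand-alone audit that compares the permissions a public role actually holds with the allowlist from the comment, so write grants that crept in can be spotted. The names `to_pair`, `audit_role` and `SAMPLE_PUBLIC_ROLE` are assumptions, and the sample role and dataset name are constructed.

```python
import re

# Allowlist as listed in the comment, in UI form "<permission> on <view>".
ALLOWED = {
    "can dashboard permalink on Superset",
    "can read on Chart",
    "can read on Dashboard",
    "can dashboard on Superset",
    "can explore json on Superset",
    "can read on DashboardPermalinkRestApi",
    "can write on DashboardPermalinkRestApi",
    "can time range on Api",
}
# Dataset grants are per dataset, so match them by permission name only.
PER_OBJECT = {"datasource_access"}


def to_pair(ui_string):
    """'can read on Chart' -> ('can_read', 'Chart'), the form the script uses."""
    m = re.fullmatch(r"\s*(.+?)\s+on\s+(\S.*?)\s*", ui_string)
    if not m:
        raise ValueError(f"not a '<permission> on <view>' string: {ui_string!r}")
    return m.group(1).replace(" ", "_"), m.group(2)


ALLOWED_PAIRS = {to_pair(s) for s in ALLOWED}


def audit_role(granted):
    """Return (unexpected, missing) for a list of (permission, view) pairs."""
    granted = set(granted)
    unexpected = sorted(p for p in granted - ALLOWED_PAIRS if p[0] not in PER_OBJECT)
    missing = sorted(ALLOWED_PAIRS - granted)
    return unexpected, missing


# Constructed sample: a public role that picked up two extra write grants.
SAMPLE_PUBLIC_ROLE = [to_pair(s) for s in ALLOWED] + [
    ("can_write", "Chart"),
    ("can_write", "Dashboard"),
    ("datasource_access", "[examples].[sales](id:3)"),
]

if __name__ == "__main__":
    for label, pairs in zip(("UNEXPECTED", "MISSING"), audit_role(SAMPLE_PUBLIC_ROLE)):
        for perm, view in pairs:
            print(f"{label:<11}{perm} on {view}")
```

The check matches exact pairs rather than rejecting every `can_write`, because the allowlist itself contains `can write on DashboardPermalinkRestApi`.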