sfirke commented on code in PR #36548:
URL: https://github.com/apache/superset/pull/36548#discussion_r2631462609
##########
docs/docs/security/security.mdx:
##########
@@ -46,12 +46,34 @@ to all databases by default, both **Alpha** and **Gamma**
users need to be given
### Public
-To allow logged-out users to access some Superset features, you can use the
`PUBLIC_ROLE_LIKE` config setting and assign it to another role whose
permissions you want passed to this role.
+The **Public** role is the most restrictive built-in role, designed
specifically for anonymous/unauthenticated
+users who need to view dashboards. It provides minimal read-only access for:
-For example, by setting `PUBLIC_ROLE_LIKE = "Gamma"` in your
`superset_config.py` file, you grant
-public role the same set of permissions as for the **Gamma** role. This is
useful if one
-wants to enable anonymous users to view dashboards. Explicit grant on specific
datasets is
-still required, meaning that you need to edit the **Public** role and add the
public data sources to the role manually.
+- Viewing dashboards and charts
+- Using interactive dashboard filters
+- Accessing dashboard permalinks
+- Reading embedded dashboards
+
+The Public role explicitly excludes:
+- Any write permissions on dashboards, charts, or datasets
+- SQL Lab access
+- Share functionality
+- User profile or admin features
+- Menu access to most Superset features
+
+To allow logged-out users to access Superset features, use the
`PUBLIC_ROLE_LIKE` config setting
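Review bot: the removed paragraph (the `-For example, by setting ...` lines) carried the caveat that seeing a dashboard does not grant access to its data and that the public data sources still have to be added to the Public role by hand; within this hunk the replacement text drops that caveat, so the `It provides minimal read-only access for:` list reads as if the role alone makes dashboards viewable. Keep a sentence such as `Explicit grant on specific datasets is still required` directly under that list. Also `Menu access to most Superset features` is vague for an exclusion list: either name what remains visible in the menu or drop the item.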
Review Comment:
One big thing is unclear to me, and thus maybe we can address it for others here
too. If you set `PUBLIC_ROLE_LIKE = "Public"` does that mean the anonymous user
can now see all dashboards with these permissions? How does that interact with
the `DASHBOARD_RBAC` feature flag?
I have `DASHBOARD_RBAC` enabled and thus the only dashboards that the Public
user can see currently are ones where I've added the role "Public" as an owner
of the dashboard in its properties. That also obviates the need to grant the
role access to any datasets.
But if I didn't have that feature flag enabled, would this potentially let
anonymous users see any dashboard - but not load it because they don't have
access to the underlying data? It's hard for me to think as a
non-DASHBOARD_RBAC deployment.
I feel like we should cover this terrain here, and maybe suggest using
`DASHBOARD_RBAC` with this role or at least describe the interactions.
##########
superset/security/manager.py:
##########
@@ -1205,9 +1254,16 @@ def sync_role_definitions(self) -> None:
self.set_role("sql_lab", self._is_sql_lab_pvm, pvms)
# Configure public role
- if get_conf()["PUBLIC_ROLE_LIKE"]:
+ # If PUBLIC_ROLE_LIKE is not set or is "Public", use the built-in
Public role
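Review bot: the old guard `if get_conf()["PUBLIC_ROLE_LIKE"]:` made any public permissions an explicit opt-in; the new comment `If PUBLIC_ROLE_LIKE is not set or is "Public", use the built-in Public role` describes granting the built-in Public permissions when the setting is unset, which changes the default for every deployment that relied on an unset value meaning no anonymous permissions. Either keep the opt-in semantics (act only when the setting is set) or call the new default out in the release notes and in the docs hunk, and add a test pinning the chosen behaviour: an unset `PUBLIC_ROLE_LIKE` leaves the public role empty, or, if the new default is intended, grants exactly `PUBLIC_ROLE_PERMISSIONS` and nothing more.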
Review Comment:
I don't see a change to `config.py` (here's the line for reference
https://github.com/apache/superset/blob/master/superset/config.py#L411). Does
that mean per the logic below that after this PR merges, the public role will
get enabled for all deployments? Is that a breaking change? I wonder if we
should remove the `if not public_role_like` from the conditional.
##########
superset/security/manager.py:
##########
@@ -389,6 +389,55 @@ class SupersetSecurityManager( # pylint:
disable=too-many-public-methods
("can_read", "Database"),
}
+ # Permissions for the Public role - minimal read-only access for viewing
+ # dashboards without authentication. This is more restrictive than Gamma.
+ # Users can set PUBLIC_ROLE_LIKE = "Public" to use these sensible defaults.
+ PUBLIC_ROLE_PERMISSIONS = {
+ # Core dashboard viewing
+ ("can_read", "Dashboard"),
+ ("can_read", "Chart"),
+ ("can_dashboard", "Superset"),
+ ("can_slice", "Superset"),
+ ("can_explore_json", "Superset"),
+ ("can_dashboard_permalink", "Superset"),
+ ("can_read", "DashboardPermalinkRestApi"),
+ # Dashboard filter interactions
+ ("can_read", "DashboardFilterStateRestApi"),
+ ("can_write", "DashboardFilterStateRestApi"),
+ # API access for chart rendering
+ ("can_time_range", "Api"),
+ ("can_query_form_data", "Api"),
+ ("can_query", "Api"),
+ # CSS for dashboard styling
+ ("can_read", "CssTemplate"),
+ # Embedded dashboard support
+ ("can_read", "EmbeddedDashboard"),
+ # Datasource metadata for chart rendering
+ ("can_get", "Datasource"),
+ ("can_external_metadata", "Datasource"),
+ }
+
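Review bot: the header comment calls this set `minimal read-only access`, yet it contains `("can_write", "DashboardFilterStateRestApi")`; if that write is required for the `Dashboard filter interactions` group, say so in the comment (and that it writes filter state, not dashboards) so a later audit neither strips it nor treats other writes as acceptable by analogy. The `API access for chart rendering` group (`can_explore_json`, `can_query`, `can_query_form_data`) is where anonymous requests reach the database; a comment stating that these calls remain gated by dataset-level grants would document the boundary this permission set relies on.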
Review Comment:
I have a Public role in production. I set it up around 2022 so many versions
ago. Here I compare this PR's list to the list I'm using, both ways.
An original artifact of the list I used was this gist:
https://gist.github.com/byk0t/bd6e9c3839967b4ac28a8da30f468b2a its comments
have a couple of useful clues.
### Present here but not in my Public role
1. `("can_read", "EmbeddedDashboard")` - makes sense to add
It surprises me that my Public role works without having these:
`# Datasource metadata for chart rendering`
2. `("can_get", "Datasource"),`
3. `("can_external_metadata", "Datasource")`
### Present in my Public role but not this PR
I think we might want to add:
- `can annotation json Superset` - I would think this is needed for
annotations to render on a Public-facing chart?
- `can read Annotation` - same
- `can filter Superset` - I don't know how this is different from the filter
permissions you have above
- `can read ExplorePermalinkRestApi` - I think this was for permalinks to
charts? I was trying to embed _charts_ in webpages when I started using
Superset for public facing.
I'm not sure about these - I have them but it's not obvious to me what they
do and I don't remember why I added each:
- `can favstar Superset` - at least in Superset 1.5.0 this was needed to
avoid the error message: "There was an issue fetching the favorite status of
this dashboard"
- `can get OpenApi`
- `can list FilterSets`
- `can queries Superset`
- `can read AdvancedDataType`
- `can read ExploreFormDataRestApi`
- `can share dashboard Superset`
- `can slice json Superset`
- `can sql json Superset`
- `can validate sql json Superset`
- `can write DashboardPermalinkRestApi` - maybe I had this because of
https://github.com/apache/superset/issues/30004 which has been fixed?
- `can write ExploreFormDataRestApi`
- `can write ExplorePermalinkRestApi`
Probably only a fit for my use case:
- `can csv Superset` - maybe we note in the docs that if you want the public
user to be able to download the data behind a chart, add this?
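The two-way comparison above, plus a check of each list against the exclusions the docs hunk promises (no writes on dashboards, charts or datasets; no SQL Lab; no share), as an added example that is not code from the Superset PR or the project. `PUBLIC_ROLE_PERMISSIONS` is copied from the PR hunk; `EXISTING_ROLE` reconstructs the reviewer's production role from his comment (the PR list minus the three permissions he lacks, plus the extras he lists). The extras are given in the UI's "can <action> <view>" form, so mapping them to `(permission_name, view_menu)` pairs such as `("can_annotation_json", "Superset")` is an assumption, as are the keyword rules used to classify SQL Lab, share and export permissions.

```python
"""Audit a Superset Public-role permission set against the documented exclusions.

Added example for this review thread, not code from the Superset PR.
PUBLIC_ROLE_PERMISSIONS is copied from the PR hunk; EXISTING_ROLE is a
reconstruction of the reviewer's production role (assumed name mapping).
"""
from __future__ import annotations

PermSet = set[tuple[str, str]]

# Copied from the PR hunk (superset/security/manager.py).
PUBLIC_ROLE_PERMISSIONS: PermSet = {
    ("can_read", "Dashboard"),
    ("can_read", "Chart"),
    ("can_dashboard", "Superset"),
    ("can_slice", "Superset"),
    ("can_explore_json", "Superset"),
    ("can_dashboard_permalink", "Superset"),
    ("can_read", "DashboardPermalinkRestApi"),
    ("can_read", "DashboardFilterStateRestApi"),
    ("can_write", "DashboardFilterStateRestApi"),
    ("can_time_range", "Api"),
    ("can_query_form_data", "Api"),
    ("can_query", "Api"),
    ("can_read", "CssTemplate"),
    ("can_read", "EmbeddedDashboard"),
    ("can_get", "Datasource"),
    ("can_external_metadata", "Datasource"),
}

# Present in the PR but absent from the reviewer's production role (from his comment).
MISSING_IN_PROD: PermSet = {
    ("can_read", "EmbeddedDashboard"),
    ("can_get", "Datasource"),
    ("can_external_metadata", "Datasource"),
}

# Extras the reviewer lists, transcribed from "can <action> <view>" labels.
# The label-to-(permission, view) mapping is an assumption.
PROD_EXTRAS: PermSet = {
    ("can_annotation_json", "Superset"),
    ("can_read", "Annotation"),
    ("can_filter", "Superset"),
    ("can_read", "ExplorePermalinkRestApi"),
    ("can_favstar", "Superset"),
    ("can_get", "OpenApi"),
    ("can_list", "FilterSets"),
    ("can_queries", "Superset"),
    ("can_read", "AdvancedDataType"),
    ("can_read", "ExploreFormDataRestApi"),
    ("can_share_dashboard", "Superset"),
    ("can_slice_json", "Superset"),
    ("can_sql_json", "Superset"),
    ("can_validate_sql_json", "Superset"),
    ("can_write", "DashboardPermalinkRestApi"),
    ("can_write", "ExploreFormDataRestApi"),
    ("can_write", "ExplorePermalinkRestApi"),
    ("can_csv", "Superset"),
}

EXISTING_ROLE: PermSet = (PUBLIC_ROLE_PERMISSIONS - MISSING_IN_PROD) | PROD_EXTRAS

# A write on one of these views contradicts the docs' promise of no write
# permissions on dashboards, charts or datasets (view names are an assumption).
CORE_VIEWS = {"Dashboard", "Chart", "Dataset", "SqlaTable"}
WRITE_ACTIONS = {"can_write", "can_add", "can_edit", "can_delete"}


def diff_roles(a: PermSet, b: PermSet) -> tuple[PermSet, PermSet]:
    """Return (only in a, only in b): the two-way comparison done by hand above."""
    return a - b, b - a


def audit(perms: PermSet) -> dict[str, list[tuple[str, str]]]:
    """Bucket permissions by the documented exclusion they touch.

    write_on_core, sql_lab and share are promised absent; write_other and
    export are caveats a reviewer should look at rather than hard failures.
    Classification is by keyword, which is a heuristic, not Superset's own logic.
    """
    report: dict[str, list[tuple[str, str]]] = {
        "write_on_core": [], "write_other": [], "sql_lab": [], "share": [], "export": [],
    }
    for perm, view in sorted(perms):
        if perm in WRITE_ACTIONS:
            bucket = "write_on_core" if view in CORE_VIEWS else "write_other"
            report[bucket].append((perm, view))
        if "sql" in perm.lower() or "sqllab" in view.lower():
            report["sql_lab"].append((perm, view))
        if "share" in perm.lower():
            report["share"].append((perm, view))
        if "csv" in perm.lower() or "export" in perm.lower():
            report["export"].append((perm, view))
    return report


def violations(perms: PermSet) -> list[tuple[str, str]]:
    """Permissions that break a documented promise of the Public role."""
    report = audit(perms)
    return report["write_on_core"] + report["sql_lab"] + report["share"]


if __name__ == "__main__":
    only_pr, only_prod = diff_roles(PUBLIC_ROLE_PERMISSIONS, EXISTING_ROLE)
    print("In PR but not in prod:", sorted(only_pr))
    print("In prod but not in PR:", sorted(only_prod))
    for name, role in (("PR Public role", PUBLIC_ROLE_PERMISSIONS), ("prod role", EXISTING_ROLE)):
        print(f"{name}: violations={violations(role)} caveats={audit(role)['write_other']}")
```

Run against these two sets, the PR's list produces no violation and one caveat (the filter-state write), while the production list trips the SQL Lab and share exclusions and carries the `can csv` export the reviewer flagged as use-case specific.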
##########
docs/docs/security/security.mdx:
##########
@@ -46,12 +46,34 @@ to all databases by default, both **Alpha** and **Gamma**
users need to be given
### Public
-To allow logged-out users to access some Superset features, you can use the
`PUBLIC_ROLE_LIKE` config setting and assign it to another role whose
permissions you want passed to this role.
+The **Public** role is the most restrictive built-in role, designed
specifically for anonymous/unauthenticated
+users who need to view dashboards. It provides minimal read-only access for:
-For example, by setting `PUBLIC_ROLE_LIKE = "Gamma"` in your
`superset_config.py` file, you grant
-public role the same set of permissions as for the **Gamma** role. This is
useful if one
-wants to enable anonymous users to view dashboards. Explicit grant on specific
datasets is
-still required, meaning that you need to edit the **Public** role and add the
public data sources to the role manually.
+- Viewing dashboards and charts
+- Using interactive dashboard filters
+- Accessing dashboard permalinks
+- Reading embedded dashboards
+
+The Public role explicitly excludes:
+- Any write permissions on dashboards, charts, or datasets
+- SQL Lab access
+- Share functionality
+- User profile or admin features
+- Menu access to most Superset features
+
+To allow logged-out users to access Superset features, use the
`PUBLIC_ROLE_LIKE` config setting
+to copy permissions from any built-in role to the actual public/anonymous role:
+
+```python
+# Recommended: Use the new Public role for minimal, secure public access
+PUBLIC_ROLE_LIKE = "Public"
+
+# Alternative: Use Gamma for broader access (includes create/edit permissions)
+# PUBLIC_ROLE_LIKE = "Gamma"
+```
+
+**Important:** Explicit grants on specific datasets are still required. You
need to edit the
+public role in the Superset UI and add the public data sources to the role
manually.
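Review bot: two different things are called "Public" in this hunk: the built-in template role (`The **Public** role is the most restrictive built-in role`) and the actual anonymous role whose permissions are copied from it (`copy permissions from any built-in role to the actual public/anonymous role`, then `edit the public role in the Superset UI`). With `PUBLIC_ROLE_LIKE = "Public"` a reader cannot tell which of the two to edit for the dataset grants the `**Important:**` paragraph requires, nor whether those manual edits survive the next `sync_role_definitions` run. Name the two roles distinctly in the prose and state explicitly what role sync does to manual edits.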
Review Comment:
Will edits to this role persist, i.e., the init script establishes this role
but then won't overwrite it during upgrades etc?
--
This is an automated message from the Apache Git Service.