sfirke commented on code in PR #36548: URL: https://github.com/apache/superset/pull/36548#discussion_r2635209177
########## docs/docs/security/security.mdx: ########## 
@@ -61,19 +62,31 @@ The Public role explicitly excludes: - User profile or admin features - Menu access to most Superset features -To allow logged-out users to access Superset features, use the `PUBLIC_ROLE_LIKE` config setting -to copy permissions from any built-in role to the actual public/anonymous role: +To enable anonymous access with the built-in Public role, set `PUBLIC_ROLE_LIKE` in your config: ```python -# Recommended: Use the new Public role for minimal, secure public access +# Recommended: Use the built-in Public role for minimal, secure public access PUBLIC_ROLE_LIKE = "Public" -# Alternative: Use Gamma for broader access (includes create/edit permissions) +# Alternative: Copy permissions from Gamma for broader access # PUBLIC_ROLE_LIKE = "Gamma" ``` -**Important:** Explicit grants on specific datasets are still required. You need to edit the -public role in the Superset UI and add the public data sources to the role manually. +**Important notes:** + +- **Data access is still required:** The Public role only grants UI/API permissions. You must + also grant access to specific datasets by editing the Public role in the Superset UI + (Menu → Security → List Roles → Public) and adding the relevant data sources. + +- **Using with DASHBOARD_RBAC:** If you have the `DASHBOARD_RBAC` feature flag enabled, Review Comment: I think the content of this paragraph and the preceding one are correct, but I might streamline it into one thing. Along the lines of: "The Public role only grants UI/API permissions. You must also grant access to specific datasets necessary to view a dashboard. As is the case for other roles, this can be done in two ways: 1. **With DASHBOARD_RBAC feature flag set to False**: <_placeholder_>. Grant access to specific datasets by editing the Public role in the Superset UI (Menu → Security → List Roles → Public) and adding the relevant data sources. 2. 
**With DASHBOARD_RBAC feature flag set to True:** Anonymous users will only see dashboards where the "Public" role has been explicitly added as an owner in the dashboard's properties. There will be no need to grant access to specific datasets; this cascading permissions check is handled by DASHBOARD_RBAC. This provides fine-grained control over which dashboards are publicly visible." Where it says "placeholder" above I want to add: "the Public role can see all dashboards on the dashboard list. It can load them, but won't be able to see any of the charts without access to their datasets." But I don't know if this is true! Can you test this and fill in the placeholder with a sentence about what dashboards are visible in this case?

########## docs/docs/security/security.mdx: ##########
@@ -61,19 +62,31 @@ The Public role explicitly excludes: - User profile or admin features - Menu access to most Superset features -To allow logged-out users to access Superset features, use the `PUBLIC_ROLE_LIKE` config setting -to copy permissions from any built-in role to the actual public/anonymous role: +To enable anonymous access with the built-in Public role, set `PUBLIC_ROLE_LIKE` in your config: ```python -# Recommended: Use the new Public role for minimal, secure public access +# Recommended: Use the built-in Public role for minimal, secure public access PUBLIC_ROLE_LIKE = "Public" -# Alternative: Use Gamma for broader access (includes create/edit permissions) +# Alternative: Copy permissions from Gamma for broader access # PUBLIC_ROLE_LIKE = "Gamma" ``` -**Important:** Explicit grants on specific datasets are still required. You need to edit the -public role in the Superset UI and add the public data sources to the role manually. +**Important notes:** + +- **Data access is still required:** The Public role only grants UI/API permissions. You must + also grant access to specific datasets by editing the Public role in the Superset UI + (Menu → Security → List Roles → Public) and adding the relevant data sources. + +- **Using with DASHBOARD_RBAC:** If you have the `DASHBOARD_RBAC` feature flag enabled, + anonymous users will only see dashboards where the "Public" role has been explicitly added + as an owner in the dashboard's properties. This provides fine-grained control over which + dashboards are publicly visible. + +- **Role synchronization:** The Public role permissions are synchronized on Superset startup + when `PUBLIC_ROLE_LIKE = "Public"`. Any manual permission edits to the Public role may be + overwritten during upgrades or restarts. To add custom permissions, consider creating a + separate role and granting it to users alongside the Public role. 
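Review bot: The last sentence of the "Role synchronization" bullet, "consider creating a separate role and granting it to users alongside the Public role", does not fit the anonymous case this section documents: the removed lines explain that logged-out users get their permissions only through the role named by `PUBLIC_ROLE_LIKE`, so there is no account to which a second role could be granted. Suggest replacing it with guidance to point `PUBLIC_ROLE_LIKE` at a custom role carrying the extra permissions, which also sidesteps the startup sync that overwrites manual edits to the built-in Public role. Separately, the rewritten Gamma comment drops the "(includes create/edit permissions)" caveat from the old line; since that setting hands those permissions to anonymous users, keep it, e.g. `# Alternative: Copy permissions from Gamma for broader access (includes create/edit permissions)`.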
Review Comment: I've been thinking about this and I think a better recommendation would be:

> To customize the permissions assigned to the Public role, make a copy of it via the "Copy Role" option available to admins in the Superset web UI and save it under a different name. Alter it as desired, then edit your config file to point to that copied role, e.g., `PUBLIC_ROLE_LIKE = "Public_Custom"`.
