sfirke commented on code in PR #36548: URL: https://github.com/apache/superset/pull/36548#discussion_r2635271506
########## docs/docs/security/security.mdx: ########## 
@@ -46,12 +46,47 @@ to all databases by default, both **Alpha** and **Gamma** users need to be given ### Public -To allow logged-out users to access some Superset features, you can use the `PUBLIC_ROLE_LIKE` config setting and assign it to another role whose permissions you want passed to this role. +The **Public** role is the most restrictive built-in role, designed specifically for anonymous/unauthenticated +users who need to view dashboards. It provides minimal read-only access for: -For example, by setting `PUBLIC_ROLE_LIKE = "Gamma"` in your `superset_config.py` file, you grant -public role the same set of permissions as for the **Gamma** role. This is useful if one -wants to enable anonymous users to view dashboards. Explicit grant on specific datasets is -still required, meaning that you need to edit the **Public** role and add the public data sources to the role manually. +- Viewing dashboards and charts +- Using interactive dashboard filters +- Accessing dashboard and chart permalinks +- Reading embedded dashboards +- Viewing annotations on charts + +The Public role explicitly excludes: +- Any write permissions on dashboards, charts, or datasets +- SQL Lab access +- Share functionality +- User profile or admin features +- Menu access to most Superset features + +To enable anonymous access with the built-in Public role, set `PUBLIC_ROLE_LIKE` in your config: Review Comment: I think this needs to get folded into the DASHBOARD_RBAC discussion below. I currently use the Public role with DASHBOARD_RBAC = True and I don't have `PUBLIC_ROLE_LIKE` in my config and I don't plan to. Instead, I just assign the Public role to dashboards I want public. I think this section should say you set `PUBLIC_ROLE_LIKE = "Public"` if you're not using DASHBOARD_RBAC. If you are using DASHBOARD_RBAC and want finer controls, simply grant the Public role to the dashboards you want. Hold on... 
how does this work in my current deployment where I don't have `PUBLIC_ROLE_LIKE` but anonymous users get it assigned anyway?? I think I traced it to this block: https://github.com/apache/superset/blob/fb6f3fbb4db014bbc4934f56119d938be9c5ef4a/superset/views/utils.py#L107-L110 If I'm correct, that's assigning a role called "Public" to anonymous users? That seems brittle, and maybe something to address here.
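Review bot: the rewritten Public section drops the old caveat "Explicit grant on specific datasets is still required, meaning that you need to edit the **Public** role and add the public data sources to the role manually", and nothing in the new bullets ("Viewing dashboards and charts", "Reading embedded dashboards") replaces it, so a reader could conclude that anonymous users see every dashboard once the role exists; keep the dataset-grant sentence, or state explicitly where dashboard and dataset access for Public is granted. The new closing line "To enable anonymous access with the built-in Public role, set `PUBLIC_ROLE_LIKE` in your config:" also loses the removed explanation that `PUBLIC_ROLE_LIKE` copies another role's permissions onto Public; say which value is expected and what it grants, since pointing readers at `PUBLIC_ROLE_LIKE = "Gamma"` from the old text would contradict the section's own description of Public as "the most restrictive built-in role".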
