Re: [PR] feat(security): add built-in Public role for anonymous dashboard access [superset]

Sat, 03 Jan 2026 22:33:30 -0800 


rusackas commented on PR #36548:
URL: https://github.com/apache/superset/pull/36548#issuecomment-3707787417

   Thanks for the detailed review! I've pushed updates addressing all the 
feedback:
   
   ## Documentation Improvements
   
   **Clarified `PUBLIC_ROLE_LIKE` is optional:**
   - Anonymous users get the Public role via `AUTH_ROLE_PUBLIC` (FAB config)
   - `PUBLIC_ROLE_LIKE` only controls what permissions are synced during 
`superset init`
   - If you're manually configuring permissions or using `DASHBOARD_RBAC`, you 
don't need to set it
   
   **Consolidated DASHBOARD_RBAC documentation:**
   - Added a new "Dashboard Access Control" section to security.mdx
   - Explains both approaches: dataset-based access (default) vs 
dashboard-level access (DASHBOARD_RBAC)
   - Updated networking-settings.mdx with two clear options for making 
dashboards public
   - Streamlined creating-your-first-dashboard.mdx to link to the consolidated 
docs
   
   **Fixed "Role synchronization" section:**
   - Corrected: roles sync during `superset init`, not on startup
   - Two options for customization: edit Public role directly (don't set 
`PUBLIC_ROLE_LIKE`), or use a custom role with **both** `PUBLIC_ROLE_LIKE` and 
`AUTH_ROLE_PUBLIC` updated
   
   **Streamlined data access explanation:**
   - Combined the two bullets into one with sub-bullets for with/without 
DASHBOARD_RBAC
   - Without DASHBOARD_RBAC: dashboards only visible if user has access to at 
least one dataset
   - With DASHBOARD_RBAC: dataset permissions not required, cascading check 
handled automatically
   
   ## Bug Fix
   
   **Fixed hard-coded "Public" role in `bootstrap_user_data`:**
   - Changed `security_manager.find_role("Public")` → 
`security_manager.get_public_role()`
   - Now respects `AUTH_ROLE_PUBLIC` config instead of being hard-coded
   - This was a pre-existing issue that explains why your setup works without 
`PUBLIC_ROLE_LIKE`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to