ar_learner

Reputation: 11

Can apache superset be used to embed charts and dashboards into public website where authentication is not required for users?

Can apache superset be used to embed charts and dashboards into a public website where authentication is not required for users? If yes, what are the security implications? Are there any better strategies or solutions someone has implemented?

Upvotes: 1

Views: 4723

Answers (3)

basarix

Reputation: 26

You can restrict superset to ONLY allow dashboards to be embedded in certain sites (when you enable embedding you can specify the URL(s) of the site(s) you want to allow embedding to).

If you leave it blank, you basically allow anyone who can get the dashboard ID to embed your dashboard; if you specify a URL (it has to be a FULL URL), you can restrict it to just one site (or more if you specify more than one URL).

That is one first layer of security.

Then, you can use CORS to restrict the sites that can access your superset server.

To get embedding to work, you should have set a CORS section in your superset_config.py; there you can define the origins you want to allow to access superset embedding.

What has worked for us (on the superset_config.py side) is:

    '''
    Dashboard Embedding Stuff
    '''
    # Turn on the embedded dashboard / chart features
    FEATURE_FLAGS = {"EMBEDDED_SUPERSET": True,
                     "EMBEDDABLE_CHARTS": True }
    
    # Session cookie and request protections relaxed so the embedded frame can talk to superset
    SESSION_COOKIE_SAMESITE = None
    WTF_CSRF_ENABLED = False
    TALISMAN_ENABLED = False
    # Guest (embedded) and anonymous users get the permissions of the Gamma role
    GUEST_ROLE_NAME = "Gamma"
    PUBLIC_ROLE_LIKE = "Gamma"
    
    # CORS: '*' allows every origin; replace with the full URL(s) of your site(s) to restrict it
    CORS_OPTIONS = {
      'supports_credentials': True,
      'allow_headers': ['*'],
      'resources':['*'],
      'origins': ['*']
    }
    
    '''
    Dashboard Embedding Stuff
    '''

You will need to either restrict the access at the dashboard level or on the backend API level if you want any restrictions at all (OR you could modify the CORS settings up there to restrict who can access superset to suit your purposes).

Upvotes: 0
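As an added example (not code from the answer above or from the Superset project), the following audits the embedding settings the answer lists, flagging the combinations that expose the instance to every origin and showing a restricted variant beside the permissive one. The two config dicts are constructed inline; the allowed site URL is a placeholder.

```python
"""Audit embedding-related settings from a superset_config.py (added example)."""


def audit_embed_config(cfg: dict) -> list[str]:
    """Return one finding per permissive setting found in the config dict."""
    findings = []
    cors = cfg.get("CORS_OPTIONS", {})
    origins = cors.get("origins", [])
    if "*" in origins:
        findings.append("CORS origins '*': any site may call the Superset API")
        if cors.get("supports_credentials"):
            # Browsers reject '*' together with credentials, so the CORS layer
            # has to reflect the requesting origin, i.e. every site is trusted.
            findings.append("supports_credentials with wildcard origin")
    if cfg.get("WTF_CSRF_ENABLED") is False:
        findings.append("CSRF protection disabled")
    if cfg.get("TALISMAN_ENABLED") is False:
        findings.append("Talisman security headers disabled")
    if cfg.get("SESSION_COOKIE_SAMESITE") is None:
        findings.append("no explicit SameSite attribute on the session cookie")
    return findings


# Constructed: the settings exactly as the answer lists them.
PERMISSIVE = {
    "SESSION_COOKIE_SAMESITE": None,
    "WTF_CSRF_ENABLED": False,
    "TALISMAN_ENABLED": False,
    "CORS_OPTIONS": {"supports_credentials": True, "allow_headers": ["*"],
                     "resources": ["*"], "origins": ["*"]},
}

# Constructed: same feature, limited to one embedding site (placeholder URL).
RESTRICTED = {
    "SESSION_COOKIE_SAMESITE": "Lax",
    "WTF_CSRF_ENABLED": True,
    "TALISMAN_ENABLED": True,  # frame-ancestors must then list the embedding site
    "CORS_OPTIONS": {"supports_credentials": True,
                     "allow_headers": ["Content-Type", "Authorization"],
                     "resources": ["/api/*"],
                     "origins": ["https://dashboards.example.com"]},
}

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, audit_embed_config(cfg))
```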

gloccck18

Reputation: 116

Before Superset 1.5.0

A dashboard can be embedded using an iframe tag.

    <iframe src="dashboardLink?standalone=true" />

To avoid Superset authorization, PUBLIC_ROLE_LIKE = 'Gamma' must be set in superset_config.py, which will make all dashboards readable without authorization. This approach does not cover the case where access to the dashboards should be provided only through your application.

If this approach does not fit due to security reasons, a custom authentication layer can be implemented as described in the following article.

Starting from Superset 1.5.0

Now embedding can be done with the Embedded SDK. This provides the possibility to embed dashboards through your application, which means you will be able to provide access to the dashboards via your own authorization flow.

Please note that this feature is still in Alpha and several breaking changes are coming.

See more: https://github.com/apache/superset/issues/17187

Upvotes: 2

Lenin

Reputation: 430

You can embed charts using iframes. For security you can set the Public role to have the same characteristics as the Gamma role in the superset_config.py file (PUBLIC_ROLE_LIKE = Gamma). This only grants view access to charts and dashboards.

Upvotes: 1
