Custom Security Manager for Apache Superset

Alex Gordienko
Published in Geek Culture
May 3, 2021


In April 2021, the Apache Superset community released version 1.1.0, which brings more powerful visualizations, easier installation, and many bug fixes. Superset is becoming more and more popular in the world of Business Intelligence (BI) tools. More companies are choosing Superset as their primary BI system and want to understand its security architecture. Authentication is one of the most important parts of the security subsystem. So, which options does Superset offer by default?

Superset is built on top of Flask AppBuilder (FAB), which has many built-in authentication methods. It is a good idea to use one of them, because it will very likely cover your needs and is well maintained by the community:

  • Database — username and password style that is queried from the database to match. Passwords are kept hashed in the database.
  • OpenID — uses the user’s email field to authenticate on Gmail, Yahoo, etc.
  • LDAP — authentication against an LDAP server, like Microsoft Active Directory.
  • REMOTE_USER — the web server is responsible for authenticating the user; useful for intranet sites, when the server (Apache, Nginx) is configured to use Kerberos.
  • OAUTH — authentication using OAUTH (v1 or v2).

As you can see, there are many options you can use for your installation by default. But many does not mean all, right? In this article we will go through three easy steps for creating a custom security manager for Apache Superset, which will help you understand what to do if the default Superset (FAB) options are not enough for your needs.

First, create a new file, my_security_manager.py, and put it in a directory on your PYTHONPATH. It will be the base for your future Superset customization. Add these lines to the file:

from superset.security import SupersetSecurityManager


class MySecurityManager(SupersetSecurityManager):
    def __init__(self, appbuilder):
        super(MySecurityManager, self).__init__(appbuilder)

Secondly, you should let Superset know that you want to use your brand new security manager. To do so, add these lines to your Superset configuration file (superset_config.py):

from my_security_manager import MySecurityManager
CUSTOM_SECURITY_MANAGER = MySecurityManager

Thirdly, add this line to your Dockerfile to copy your new security manager into the container before running it:

COPY my_security_manager.py /app/pythonpath

That’s it! Rebuild your Docker container and go to Superset to check if it works properly.

Now you can extend your security manager in any way. It is amazing! Let's say you want to create your own view for the login page. To do so, you can override the authdbview property of the MySecurityManager class. You can take the original view code as an example and extend it. Or maybe you want different authentication logic, e.g. multi-domain LDAP or an SMS gateway. You can override the auth_user_db() method of the MySecurityManager class or create a new method. If you write your own authentication method, do not forget to use it in your own view implementation. The original code of the method is a useful reference.
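One way to extend auth_user_db() as described above, shown as an added example that is not part of the original article or of Superset: a mixin that refuses password checks after repeated failures and otherwise delegates to the parent method. LoginThrottleMixin, DemoBase, DemoManager and the policy values are assumptions made for this example; DemoBase is a constructed stand-in for SupersetSecurityManager so the code runs without Superset installed.

```python
import time
from collections import defaultdict, deque

class LoginThrottleMixin:
    """Refuse password checks for a login name after repeated failures."""
    MAX_FAILURES = 5       # assumed policy values, not Superset settings
    WINDOW_SECONDS = 300
    _clock = staticmethod(time.monotonic)

    def _recent_failures(self, username, now):
        # Created lazily so the parent class's __init__ is left untouched.
        if not hasattr(self, "_failures"):
            self._failures = defaultdict(deque)
        attempts = self._failures[username.strip().lower()]
        while attempts and now - attempts[0] > self.WINDOW_SECONDS:
            attempts.popleft()  # forget failures older than the window
        return attempts

    def auth_user_db(self, username, password):
        if not username:
            return None
        now = self._clock()
        attempts = self._recent_failures(username, now)
        if len(attempts) >= self.MAX_FAILURES:
            return None  # locked: same result as a bad password
        user = super().auth_user_db(username, password)
        if user is None:
            attempts.append(now)   # parent rejected the credentials
        else:
            attempts.clear()       # success resets the counter
        return user

# In my_security_manager.py the mixin goes before the real base class:
#   class MySecurityManager(LoginThrottleMixin, SupersetSecurityManager): ...
class DemoBase:
    """Constructed stand-in for SupersetSecurityManager (offline demo)."""
    USERS = {"alice": "correct horse"}  # constructed sample account

    def auth_user_db(self, username, password):
        return username if password and self.USERS.get(username) == password else None

class DemoManager(LoginThrottleMixin, DemoBase):
    MAX_FAILURES = 3

def demo():
    m = DemoManager()
    results = [m.auth_user_db("alice", "wrong") for _ in range(3)]
    return results + [m.auth_user_db("alice", "correct horse")]  # locked out
```

The failure counters live in the memory of one worker process, so a multi-worker deployment needs a shared store for them.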

Hope you’ve enjoyed reading this article. Please follow me on Medium, GitHub, Twitter, and LinkedIn.

For additional information about running Superset in a Docker container, please read the previous article.
