Document common role / access / security patterns #366

Closed
shahneil88 opened this issue Apr 18, 2016 · 8 comments · Fixed by #2486

@shahneil88

shahneil88 commented Apr 18, 2016

Hi all,

I had earlier created an admin user, and I created a dashboard with it.
Now, I wanted to share it with some other people, so I started testing for suitable user permissions by creating a new user and assigning the public group to it.

Now whenever I open localhost:8088, it just says "localhost redirected you too many times".

[screenshot]

Can anybody help me here? It seems I am stuck.

I checked the debugger logs:

[screenshot]

@shahneil88
Author

The way to resolve this is:

  1. Clear the cache.
  2. Log in with the admin user.
  3. Update the "test user" created in the previous step by changing the "public" role to the "alpha" or "gamma" role.
  4. Save it.
  5. Log in as "test user"; it works.

It seems the issue occurs when we create a new user and assign only the public role to it.
By default, the public role does not have any permissions listed in http://localhost:8088/roles/list/

@mistercrunch
Member

Public isn't really usable, I should delete it.

Gamma works but you need to give access on a per-datasource basis. I'll try to take a moment to document it.

mistercrunch changed the title from "localhost does not open after creating a new user" to "Document common role / access / security patterns" on Apr 18, 2016
@gregroberts

I've been looking into what permissions would be necessary for the 'public' role to provide access to view dashboards.

So far, the permissions set:

[can show on DashboardModelView, can show on DashboardModelViewAsync, can dashboard on Caravel, can list on DashboardModelView, can list on DashboardModelViewAsync, can edit on DashboardModelViewAsync, can welcome on Caravel]

solves the TOO_MANY_REDIRECTS error when logging in as a public user, and displays only a dashboard list page. Currently looking at what permission would make some/all dashboards visible to the user.

@povilasp

povilasp commented Jan 9, 2017

@gregroberts any progress on that so far? Would really love to see superset public dashboard view.

@gregroberts

I'm afraid I haven't really made much progress on this, because the only way I can proceed is guesswork. The set of permissions I have on my Public role is as follows:

[
    can show on DashboardModelView,
    can show on DashboardModelViewAsync,
    can dashboard on Caravel,
    can list on DashboardModelView,
    can list on DashboardModelViewAsync,
    can edit on DashboardModelViewAsync,
    can welcome on Caravel
]

And what happens on the front end for non logged in users is as follows:

<domain>/caravel/welcome

shows the Dashboard list page, but it's empty. Looking at the network calls made, the page calls:

<domain>/dashboardmodelviewasync/api/read?_oc_DashboardModelViewAsync=changed_on&_od_DashboardModelViewAsync=desc

As it does for a logged in user, but no result rows are returned.

If the user is given a url for a dashboard, e.g.

<domain>/caravel/dashboard/17/

The dashboard loads and works perfectly fine.

If the user tries to access pretty much any other area of the site, e.g.:

<domain>/slicemodelview/list/

They are redirected to /login

This is pretty much all I need for now, and I'm not going to continue because I may be unwittingly poking holes where I don't want them.

I think this issue is really important, as it will allow users to really customise access across Caravel Superset.
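
An added example, not part of the original thread or Superset's own code: a small audit of the Public role permission list posted above, flagging every entry that is not a read-only action (here, `can edit on DashboardModelViewAsync`) for review before it is exposed to logged-out users. The split into read-only and other actions is an assumption of this example.

```python
import re

# Permission list as posted in the comment above.
PUBLIC_ROLE_PERMISSIONS = """
[
    can show on DashboardModelView,
    can show on DashboardModelViewAsync,
    can dashboard on Caravel,
    can list on DashboardModelView,
    can list on DashboardModelViewAsync,
    can edit on DashboardModelViewAsync,
    can welcome on Caravel
]
"""

# Assumption of this example: these actions only read or render data.
# Anything else is treated as state-changing and needs a deliberate decision
# before it is granted to anonymous users.
READ_ONLY_ACTIONS = {"show", "list", "dashboard", "welcome"}

PERM_RE = re.compile(r"^can (?P<action>.+?) on (?P<view>\w+)$")


def parse_permissions(text):
    """Return (action, view) pairs from a '[can X on View, ...]' listing."""
    pairs = []
    for item in text.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        match = PERM_RE.match(item)
        if match is None:
            raise ValueError(f"unrecognised permission entry: {item!r}")
        pairs.append((match["action"], match["view"]))
    return pairs


def audit_role(text, read_only=READ_ONLY_ACTIONS):
    """Split a role's permissions into read-only ones and ones to review."""
    parsed = parse_permissions(text)
    allowed = [(a, v) for a, v in parsed if a in read_only]
    review = [(a, v) for a, v in parsed if a not in read_only]
    return allowed, review


if __name__ == "__main__":
    allowed, review = audit_role(PUBLIC_ROLE_PERMISSIONS)
    for action, view in review:
        print(f"REVIEW: Public role grants 'can {action} on {view}'")
    print(f"{len(allowed)} read-only permissions, {len(review)} to review")
```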

@kvotheyr

@gregroberts Hi, I have a similar situation where I have to expose embedded dashboards to users without requiring authentication. I tried giving the public role dashboard permissions, but it doesn't seem to work. Please let me know if you were able to do this in Superset.

@gregroberts

@Carpediemy

I can't say anything definitively, and documenting of roles and their meanings is the subject of another open issue, however, if you set the Public role permissions as in my comment above, logged out users should be able to view dashboards if they have the url of the dashboard.

@mistercrunch
Member

One requirement is to set PUBLIC_ROLE_LIKE_GAMMA = True in your superset_config.py, and then to add the Public datasources in the Public role.
