Comments (9)
Gotcha. The way that Superset works is typically that you create a database connection using a service account (I'm guessing that's probably what your admin person did), and then you configure your data access within Superset (associating a role to users and to database connections, schemas, tables and row-level-security (RLS) rules). Otherwise Superset doesn't really know what to show you when listing charts, dashboards and datasets, and whether it's safe to share a cache (in the case of RLS).
But, there's recent development around impersonation / oauth for databases. I don't think it's implemented for ClickHouse, but may be implementable if ClickHouse supports oauth. More information here: #27631
Note that a shortcoming of that approach is that Superset, unless you duplicate some of the data access policy as Superset roles, will show you all objects (charts, dashboards, datasets, ...) and when you click on one you'll get a "NO ACCESS" error message, which isn't a great experience. But it sounded like this is the behavior you were expecting.
from superset.
Given the title of the issue, it sounds like berlicon's expectations are very different from the common expectations when configuring/using a BI tool. Unless I'm missing something.
from superset.
- How should I grant access to dashboards to users so that the data is loaded under the access rights of the current user?
- Or where/how should I change the Superset code to do the same thing (dashboards are loaded under the current user's permissions, not the dashboard creator's permissions)?
from superset.
What is/are user2's role? You'll want user 2 as Gamma presumably
from superset.
It does not matter what role in Superset User2 has. I want that if User2 is viewing any dashboard, that dashboard is loaded under User2's access rights. And if User2 does not have access rights for viewing data (these rights are stored in the ClickHouse DB), he would get an error "Access denied".
from superset.
@mistercrunch Even though I provided the Gamma role, they are still not able to view Dashboards.
from superset.
> It does not matter what role in Superset User2 has

Mmmh. Yes it does. Alpha and Admin both have all_datasource_access. https://superset.apache.org/docs/security/#alpha
I'm not sure I understand you fully though; it's unclear to me whether you are referring to database permissions or Superset permissions at times, please clarify. Just to clarify since there seems to be confusion around this, the typical way to access databases from BI tools is to use a service account that has general read access to everything you want to expose in the BI tools, and implement the restrictions using the security model in the BI tool.
There are ways to have Superset users "impersonate" database users, or use oauth so that each user can effectively have their database-defined user access. If that's what you're looking for there are recent developments in that area.
from superset.
@mistercrunch I meant we have an Angular app where users can create ClickHouse databases. And we give grants (CRUD operations on tables) to these users with an SQL script such as: "GRANT SELECT ON "dbo"."DATA" TO 'user26'". We also have Superset integrated into our app, and users can run SQL queries against the tables where they have grants for SELECT. Superset also has dashboard functionality. And we have a bug: if some user (admin) creates a dashboard for viewing data from some table he has access to and shares that dashboard with other users (business users), they can view data they do not have access to. I checked that when a business user views the dashboard, the page loads data from the database with the dashboard creator's (admin) account. But I want the dashboard to be loaded under the role of the current user. So we have users in Superset, but their access rights to tables are stored in the ClickHouse database, which Superset does not know about. As I understand it, I have to change the Python backend code of Superset to implement this. But Python/React/Flask and Superset are not my tech stack, and I want help with how and where I should modify the Superset code. Or maybe we should create dashboards in Superset another way to support this behaviour (users can view only the data they have access to).
from superset.
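An added example (not from the thread and not Superset code): a check for the mismatch described above, where a dashboard is shared in Superset with a user who holds no ClickHouse SELECT grant on one of its tables. The grant lines follow the form quoted in the comment; the dashboard names, the extra tables and users, and both functions are constructed for illustration.

```python
import re

# Constructed sample: ClickHouse grants in the form quoted in the thread.
GRANTS_SQL = """
GRANT SELECT ON "dbo"."DATA" TO 'user26'
GRANT SELECT, INSERT ON "dbo"."ORDERS" TO 'user26'
GRANT INSERT ON "dbo"."AUDIT" TO 'user31'
GRANT SELECT ON "dbo"."ORDERS" TO 'user31'
"""
# Constructed sample: tables each dashboard reads, and who it is shared with in Superset.
DASHBOARD_TABLES = {"sales": {"dbo.DATA", "dbo.ORDERS"}, "ops": {"dbo.AUDIT"}}
DASHBOARD_VIEWERS = {"sales": {"user26", "user31"}, "ops": {"user31"}}

GRANT_RE = re.compile(
    r'''^\s*GRANT\s+(?P<privs>[A-Z,\s]+?)\s+ON\s+"?(?P<db>\w+)"?\."?(?P<tbl>\w+)"?'''
    r'''\s+TO\s+'?(?P<user>\w+)'?\s*;?\s*$''', re.IGNORECASE)

def select_grants(sql_text):
    """Map user -> set of 'db.table' names on which that user holds SELECT."""
    allowed = {}
    for line in filter(None, (l.strip() for l in sql_text.splitlines())):
        m = GRANT_RE.match(line)
        if not m:
            # Fail closed: an unparsed grant must not silently count as access.
            raise ValueError(f"unsupported GRANT form: {line!r}")
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if privs & {"SELECT", "ALL"}:
            allowed.setdefault(m["user"], set()).add(f'{m["db"]}.{m["tbl"]}')
    return allowed

def overexposed(sql_text, dash_tables, dash_viewers):
    """Sorted (dashboard, user, table) triples: the user can open the dashboard
    in Superset but has no SELECT grant on that table in the database."""
    allowed = select_grants(sql_text)
    gaps = []
    for dash, viewers in dash_viewers.items():
        for user in viewers:
            for table in dash_tables[dash] - allowed.get(user, set()):
                gaps.append((dash, user, table))
    return sorted(gaps)

if __name__ == "__main__":
    for dash, user, table in overexposed(GRANTS_SQL, DASHBOARD_TABLES, DASHBOARD_VIEWERS):
        print(f"{user} can open dashboard {dash!r} but has no SELECT on {table}")
```

Each reported triple is a place where the Superset role model would need a matching restriction, since the dashboard query runs under the connection's service account rather than the viewer's grants.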
My expectation was that someone would advise me how to change the code in Superset. Maybe here:
superset\tasks\async_queries.py
@celery_app.task(name="load_chart_data_into_cache", soft_time_limit=query_timeout)
def load_chart_data_into_cache(...)
OK. Let's close this ticket.
from superset.