Apache Superset SSO integration guide
Integrating Single Sign-On (SSO) with Apache Superset enhances both security and user experience by enabling users to authenticate with their existing credentials. This guide provides a step-by-step process to set up SSO with Superset.
Prerequisites
- A Superset instance (v0.34.0 or later)
- An SSO provider (e.g., Okta, Auth0)
Configuration Steps
- Install Required Packages:
Ensure you have the necessary packages installed, such asflask-appbuilder. - Configure Superset:
Open vs code from your Tools and Edit thesuperset_config.pyfile to include your SSO provider's details. - Set Up OAuth:
Use the OAuth authentication backend to connect with your SSO provider.
Code Example
Here's an example configuration for integrating with Okta:
AUTH_TYPE = AUTH_OAUTH
OAUTH_PROVIDERS = [{
'name':'okta',
'token_key':'access_token',
'icon':'fa-circle-o',
'remote_app': {
'client_id':'YOUR_CLIENT_ID',
'client_secret':'YOUR_CLIENT_SECRET',
'api_base_url':'https://<your-okta-domain>/oauth2/default',
'client_kwargs':{
'scope': 'openid profile email'
},
}
}]
Testing
After configuring, test the SSO integration to ensure users can log in seamlessly.
By following these steps and referring to the official documentation, you can successfully integrate SSO with Apache Superset. This integration provides a secure and efficient method for users to access the platform, streamlining the authentication process.
Configuring SSO Authentication in Superset
To set up Single Sign-On (SSO) authentication in Apache Superset, follow these steps:
- Client Configuration: Provide the
client_id,client_secret, and other client-specific settings within theremote_appconfiguration. - Additional Settings: Adjust additional headers and parameters as needed for your OAuth provider.
- Test the Configuration: Verify the SSO integration by logging into Superset through the configured OAuth provider.
Define OAuth Providers: Specify the OAuth providers in the OAUTH_PROVIDERS configuration. Include necessary details such as name, token_key, icon, remote_app, and endpoints like access_token_url and authorize_url.
OAUTH_PROVIDERS = [
{
'name': 'google',
'token_key': 'access_token',
'icon': 'fa-google',
'remote_app': {
'client_id': '<your-client-id>',
'client_secret': '<your-client-secret>',
'api_base_url': 'https://www.googleapis.com/oauth2/v2/',
'client_kwargs': {
'scope': 'email profile'
},
'access_token_url': 'https://oauth2.googleapis.com/token',
'authorize_url': 'https://accounts.google.com/o/oauth2/auth',
}
}
]
Modify superset_config.py: Configure the authentication type by setting AUTH_TYPE to AUTH_OAUTH.
AUTH_TYPE = AUTH_OAUTH
Managing SSO User Roles and Permissions in Apache Superset
Effectively managing Single Sign-On (SSO) user roles and permissions in Apache Superset is essential for ensuring secure and appropriate access to data and dashboards. Here's how to manage these roles and permissions:
Understanding Permissions
- Model & Action: Assign permissions such as
can_editandcan_deleteon entities like Dashboards or Users to control what actions users can perform. - Views: Grant view permissions to allow users access to specific web pages within Superset.
- Data Source: Create permissions for each data source to restrict access to those explicitly granted to users.
- Database: Permissions to access a database allow users to query within that database and all its data sources, as long as they have SQL Lab permissions.
Role Management
- Admin Role: Use sparingly as it has unrestricted access to everything in Superset.
- Alpha Role: Users can access all data sources but cannot alter permissions.
- Gamma Role: Users have limited access. Assign additional roles for specific data source access.
- Custom Roles: Create custom roles tailored to different access needs. For example, a "Finance" role could be used for users needing access to finance-related data sources.
SSO Integration
Implement a CustomSsoSecurityManager to map SSO user details to Superset roles and permissions. This involves extending the SupersetSecurityManager and overriding the oauth_user_info method.
Best Practices
- Base Roles: Avoid altering the base roles provided by Superset.
- Custom Roles: Create roles with specific permissions suited to different user groups.
- Regular Reviews: Regularly review and update permissions to ensure they align with organizational changes.
Troubleshooting Common SSO Issues in Superset
When integrating Single Sign-On (SSO) with Apache Superset, you may encounter various challenges. Here are some tips for troubleshooting common problems:
Incorrect Redirect URI
- Check Redirect URI: Ensure that the redirect URI configured in your SSO provider matches the one set in Superset. Any mismatch can prevent successful authentication.
SSO Configuration Errors
- Verify Configuration: Double-check the settings in your
superset_config.py, includingAUTH_TYPE,OAUTH_PROVIDERS, and related configurations to ensure they are correct.
User Role and Permissions
- Role Assignment: After SSO authentication, verify that the user has the appropriate role and permissions assigned in Superset to access the necessary resources.
SSL/TLS Certificate Issues
- Certificate Validation: If using HTTPS, ensure that your SSL/TLS certificates are valid and properly installed. Incomplete or invalid certificates can disrupt secure connections.
Debugging Logs
Enable Debug Mode: Activate debug mode in Superset to generate detailed logs that can help identify the issue. Add the following line to your configuration:
DEBUG = True
SSO Provider Downtime
- Check Provider Status: Ensure that your SSO provider is operational and not experiencing any outages or downtime. This can affect the authentication process.
Thanks for reading ❤️
Thank you so much for reading and do check out the Elestio resources and Official Superset documentation to learn more about Superset. You can click the button below to create your service on Elestio. See you in the next one👋
