Security

Authentication

Every user has to be authenticated before using Superset: there are several ways in which this can be set up.

Multiple authentication methods

Only one authentication method is supported at a time, and in case of LDAP, only one authentication class is allowed. This means, it is not possible to configure both LDAP and OIDC authentication methods at the same time, but it is possible to configure multiple OIDC classes or one LDAP authentication class.

Superset database

The default setting is to manually set up users via the web interface where they are stored in the database attached to Superset.

LDAP

Superset supports authentication of users against a single LDAP server. This requires setting up an AuthenticationClass for the LDAP server. The AuthenticationClass is then referenced in the SupersetCluster resource as follows:

apiVersion: superset.stackable.tech/v1alpha1
kind: SupersetCluster
metadata:
  name: superset-with-ldap-server
spec:
  image:
    productVersion: 3.1.0
  clusterConfig:
    authentication:
    - authenticationClass: ldap    (1)
      userRegistrationRole: Admin  (2)

1	The reference to an AuthenticationClass called `ldap`
2	The default role to which all users are assigned

Users that log in with LDAP are assigned to a default Role which is specified with the userRegistrationRole property.

You can follow the Authentication with OpenLDAP tutorial to learn how to set up an AuthenticationClass for an LDAP server, as well as consulting the AuthenticationClass concepts page.

OpenID Connect

An OpenID Connect provider can be used for authentication. Unfortunately, there is no generic support for OpenID Connect built into Superset. This means that only specific OpenID Connect providers can be configured.

Superset deployments on the Stackable Data Platform only support Keycloak.

apiVersion: superset.stackable.tech/v1alpha1
kind: SupersetCluster
metadata:
  name: superset-with-oidc
spec:
  image:
    productVersion: 3.1.0
  clusterConfig:
    authentication:
    - authenticationClass: keycloak                        (1)
      oidc:
        clientCredentialsSecret: superset-keycloak-client  (2)
      userRegistrationRole: Gamma                          (3)

1	The reference to an AuthenticationClass called `keycloak`
2	The reference to the Secret containing the Superset client credentials
3	The default role to which all users are assigned

Users that log in with OpenID Connect are assigned to a default Role which is specified with the userRegistrationRole property.

The Secret containing the Superset client credentials:

apiVersion: v1
kind: Secret
metadata:
  name: superset-keycloak-client
stringData:
  clientId: superset                    (1)
  clientSecret: superset_client_secret  (2)

1	The client ID of Superset as defined in Keycloak
2	The client secret as defined in Keycloak

A minimum client configuration in Keycloak for this example looks like this:

{
  "clientId": "superset",
  "enabled": true,
  "clientAuthenticatorType": "client-secret", (1)
  "secret": "superset_client_secret",
  "redirectUris": [
    "*"
  ],
  "webOrigins": [
    "*"
  ],
  "standardFlowEnabled": true, (2)
  "protocol": "openid-connect" (3)
}

1	Sets the OIDC type to confidential access type.
2	Enables the OAuth2 "Authorization Code Flow".
3	Enables OpenID Connect and OAuth2 support.

Further information for specifying an AuthenticationClass for an OIDC provider can be found at the concepts page.

Authorization

Superset has a concept called Roles which allows you to grant user permissions based on roles. Have a look at the Superset documentation on Security.

Superset database

You can view all the available roles in the web interface of Superset and can also assign users to these roles.

LDAP

Superset supports assigning Roles to users based on their LDAP group membership, though this is not yet supported by the Stackable operator. All the users logging in via LDAP get assigned to the same role which you can configure via the attribute authentication[*].userRegistrationRole on the SupersetCluster object:

apiVersion: superset.stackable.tech/v1alpha1
kind: SupersetCluster
metadata:
  name: superset-with-ldap-server
spec:
  clusterConfig:
    authentication:
    - authenticationClass: ldap
      userRegistrationRole: Admin  (1)

1	All users are assigned to the `Admin` role

OpenID Connect

The mechanism for assigning roles to users described in the LDAP section also applies to OpenID Connect. Superset supports assigning Roles to users based on their OpenID Connect scopes, though this is not yet supported by the Stackable operator. All the users logging in via OpenID Connect get assigned to the same role which you can configure via the attribute authentication[*].userRegistrationRole on the SupersetCluster object:

apiVersion: superset.stackable.tech/v1alpha1
kind: SupersetCluster
metadata:
  name: superset-with-oidc
spec:
  image:
    productVersion: 3.1.0
  clusterConfig:
    authentication:
    - authenticationClass: keycloak
      oidc:
        clientCredentialsSecret: superset-keycloak-client
      userRegistrationRole: Gamma  (1)

1	All users are assigned to the `Gamma` role