Google Git
Sign in
apache / superset-site / c55de24a2995a9257390337305b837bd607e7954 / . / docs / security / index.html
blob: 0c5ccb38ee370ab9e8c13c429a82476d86efc9f5 [file] [log] [blame]
<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-security">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.3.1">
<title data-rh="true">Security | Superset</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://superset.apache.org/docs/security"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Security | Superset"><meta data-rh="true" name="description" content="Roles"><meta data-rh="true" property="og:description" content="Roles"><link data-rh="true" rel="icon" href="/img/favicon.ico"><link data-rh="true" rel="canonical" href="https://superset.apache.org/docs/security"><link data-rh="true" rel="alternate" href="https://superset.apache.org/docs/security" hreflang="en"><link data-rh="true" rel="alternate" href="https://superset.apache.org/docs/security" hreflang="x-default"><link data-rh="true" rel="preconnect" href="https://WR5FASX5ED-dsn.algolia.net" crossorigin="anonymous"><link rel="preconnect" href="https://www.google-analytics.com">
<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)},ga.l=+new Date,ga("create","G-133LHD3B3N","auto"),ga("set","anonymizeIp",!0),ga("send","pageview")</script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<link rel="preconnect" href="https://www.google-analytics.com">
<link rel="preconnect" href="https://www.googletagmanager.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-133LHD3B3N"></script>
<script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","G-133LHD3B3N",{anonymize_ip:!0})</script>
<link rel="search" type="application/opensearchdescription+xml" title="Superset" href="/opensearch.xml">
<script src="/script/matomo.js"></script>
<script src="https://www.bugherd.com/sidebarv2.js?apikey=enilpiu7bgexxsnoqfjtxa" async></script><link rel="stylesheet" href="/assets/css/styles.574a8f44.css">
<link rel="preload" href="/assets/js/runtime~main.508e0599.js" as="script">
<link rel="preload" href="/assets/js/main.633857fa.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><div class="navbar__logo"><img src="/img/superset-logo-horiz.svg" alt="Superset Logo" class="themedImage_ToTc themedImage--light_HNdA"><img src="/img/superset-logo-horiz-dark.svg" alt="Superset Logo" class="themedImage_ToTc themedImage--dark_i4oU"></div></a><div class="navbar__item dropdown dropdown--hoverable"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Documentation</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/docs/intro">Getting Started</a></li><li><a class="dropdown__link" href="/docs/frequently-asked-questions">FAQ</a></li></ul></div><div class="navbar__item dropdown dropdown--hoverable"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Community</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/community">Resources</a></li><li><a href="https://github.com/apache/superset" target="_blank" rel="noopener noreferrer" class="dropdown__link">GitHub<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="http://bit.ly/join-superset-slack" target="_blank" rel="noopener noreferrer" class="dropdown__link">Slack<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://lists.apache.org/list.html?dev@superset.apache.org" target="_blank" rel="noopener noreferrer" class="dropdown__link">Mailing List<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://stackoverflow.com/questions/tagged/superset+apache-superset" target="_blank" rel="noopener noreferrer" class="dropdown__link">Stack Overflow<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div></div><div class="navbar__items navbar__items--right"><a href="https://github.com/apache/superset" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link" class="github-logo-container"></a><div class="searchBox_ZlJk"><button type="button" class="DocSearch DocSearch-Button" aria-label="Search"><span class="DocSearch-Button-Container"><svg width="20" height="20" class="DocSearch-Search-Icon" viewBox="0 0 20 20"><path d="M14.386 14.386l4.0877 4.0877-4.0877-4.0877c-2.9418 2.9419-7.7115 2.9419-10.6533 0-2.9419-2.9418-2.9419-7.7115 0-10.6533 2.9418-2.9419 7.7115-2.9419 10.6533 0 2.9419 2.9418 2.9419 7.7115 0 10.6533z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg><span class="DocSearch-Button-Placeholder">Search</span></span><span class="DocSearch-Button-Keys"></span></button></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/docs/intro">Introduction</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/installation/installing-superset-using-docker-compose">Installation and Configuration</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/databases/installing-database-drivers">Connecting to Databases</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/creating-charts-dashboards/creating-your-first-dashboard">Creating Charts and Dashboards</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/miscellaneous/country-map-tools">Miscellaneous</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/docs/contributing/contributing-page">Contributing</a></div></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/docs/frequently-asked-questions">Frequently Asked Questions</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/docs/api">API</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" href="/docs/security">Security</a></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">Security</span><meta itemprop="position" content="1"></li></ul></nav><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><h3 class="anchor anchorWithStickyNavbar_LWe7" id="roles">Roles<a href="#roles" class="hash-link" aria-label="Direct link to Roles" title="Direct link to Roles"></a></h3><p>Security in Superset is handled by Flask AppBuilder (FAB), an application development framework
built on top of Flask. FAB provides authentication, user management, permissions and roles.
Please read its <a href="https://flask-appbuilder.readthedocs.io/en/latest/security.html" target="_blank" rel="noopener noreferrer">Security documentation</a>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="provided-roles">Provided Roles<a href="#provided-roles" class="hash-link" aria-label="Direct link to Provided Roles" title="Direct link to Provided Roles"></a></h3><p>Superset ships with a set of roles that are handled by Superset itself. You can assume
that these roles will stay up-to-date as Superset evolves (and as you update Superset versions).</p><p>Even though <strong>Admin</strong> users have the ability, we don&#x27;t recommend altering the
permissions associated with each role (e.g. by removing or adding permissions to them). The permissions
associated with each role will be re-synchronized to their original values when you run
the <strong>superset init</strong> command (often done between Superset versions).</p><p>A table with the permissions for these roles can be found at <a href="https://github.com/apache/superset/blob/master/RESOURCES/STANDARD_ROLES.mdd" target="_blank" rel="noopener noreferrer">/RESOURCES/STANDARD_ROLES.md</a>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="admin">Admin<a href="#admin" class="hash-link" aria-label="Direct link to Admin" title="Direct link to Admin"></a></h3><p>Admins have all possible rights, including granting or revoking rights from other
users and altering other people’s slices and dashboards.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="alpha">Alpha<a href="#alpha" class="hash-link" aria-label="Direct link to Alpha" title="Direct link to Alpha"></a></h3><p>Alpha users have access to all data sources, but they cannot grant or revoke access
from other users. They are also limited to altering the objects that they own. Alpha users can add and alter data sources.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="gamma">Gamma<a href="#gamma" class="hash-link" aria-label="Direct link to Gamma" title="Direct link to Gamma"></a></h3><p>Gamma users have limited access. They can only consume data coming from data sources
they have been given access to through another complementary role. They only have access to
view the slices and dashboards made from data sources that they have access to. Currently Gamma
users are not able to alter or add data sources. We assume that they are mostly content consumers, though they can create slices and dashboards.</p><p>Also note that when Gamma users look at the dashboards and slices list view, they will
only see the objects that they have access to.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="sql_lab">sql_lab<a href="#sql_lab" class="hash-link" aria-label="Direct link to sql_lab" title="Direct link to sql_lab"></a></h3><p>The <strong>sql_lab</strong> role grants access to SQL Lab. Note that while <strong>Admin</strong> users have access
to all databases by default, both <strong>Alpha</strong> and <strong>Gamma</strong> users need to be given access on a per database basis.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="public">Public<a href="#public" class="hash-link" aria-label="Direct link to Public" title="Direct link to Public"></a></h3><p>To allow logged-out users to access some Superset features, you can use the <code>PUBLIC_ROLE_LIKE</code> config setting and assign it to another role whose permissions you want passed to this role.</p><p>For example, by setting <code>PUBLIC_ROLE_LIKE = &quot;Gamma&quot;</code> in your <code>superset_config.py</code> file, you grant
public role the same set of permissions as for the <strong>Gamma</strong> role. This is useful if one
wants to enable anonymous users to view dashboards. Explicit grant on specific datasets is
still required, meaning that you need to edit the <strong>Public</strong> role and add the public data sources to the role manually.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="managing-data-source-access-for-gamma-roles">Managing Data Source Access for Gamma Roles<a href="#managing-data-source-access-for-gamma-roles" class="hash-link" aria-label="Direct link to Managing Data Source Access for Gamma Roles" title="Direct link to Managing Data Source Access for Gamma Roles"></a></h3><p>Here’s how to provide users access to only specific datasets. First make sure the users with
limited access have <!-- -->[only]<!-- --> the Gamma role assigned to them. Second, create a new role (Menu -&gt; Security -&gt; List Roles) and click the + sign.</p><p>This new window allows you to give this new role a name, attribute it to users and select the
tables in the <strong>Permissions</strong> dropdown. To select the data sources you want to associate with this role, simply click on the dropdown and use the typeahead to search for your table names.</p><p>You can then confirm with users assigned to the <strong>Gamma</strong> role that they see the
objects (dashboards and slices) associated with the tables you just extended them.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="customizing-permissions">Customizing Permissions<a href="#customizing-permissions" class="hash-link" aria-label="Direct link to Customizing Permissions" title="Direct link to Customizing Permissions"></a></h3><p>The permissions exposed by FAB are very granular and allow for a great level of
customization. FAB creates many permissions automagically for each model that is
created (can_add, can_delete, can_show, can_edit, …) as well as for each view.
On top of that, Superset can expose more granular permissions like <strong>all_datasource_access</strong>.</p><p><strong>We do not recommend altering the 3 base roles as there are a set of assumptions that
Superset is built upon</strong>. It is possible though for you to create your own roles, and union them to existing ones.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="permissions">Permissions<a href="#permissions" class="hash-link" aria-label="Direct link to Permissions" title="Direct link to Permissions"></a></h3><p>Roles are composed of a set of permissions, and Superset has many categories of
permissions. Here are the different categories of permissions:</p><ul><li>Model &amp; Action: models are entities like Dashboard, Slice, or User. Each model has
a fixed set of permissions, like <strong>can_edit</strong>, <strong>can_show</strong>, <strong>can_delete</strong>, <strong>can_list</strong>, <strong>can_add</strong>,
and so on. For example, you can allow a user to delete dashboards by adding <strong>can_delete</strong> on
Dashboard entity to a role and granting this user that role.</li><li>Views: views are individual web pages, like the Explore view or the SQL Lab view.
When granted to a user, they will see that view in its menu items, and be able to load that page.</li><li>Data source: For each data source, a permission is created. If the user does not have the
<code>all_datasource_access permission</code> granted, the user will only be able to see Slices or explore the data sources that are granted to them</li><li>Database: Granting access to a database allows for the user to access all
data sources within that database, and will enable the user to query that
database in SQL Lab, provided that the SQL Lab specific permission have been granted to the user</li></ul><h3 class="anchor anchorWithStickyNavbar_LWe7" id="restricting-access-to-a-subset-of-data-sources">Restricting Access to a Subset of Data Sources<a href="#restricting-access-to-a-subset-of-data-sources" class="hash-link" aria-label="Direct link to Restricting Access to a Subset of Data Sources" title="Direct link to Restricting Access to a Subset of Data Sources"></a></h3><p>We recommend giving a user the <strong>Gamma</strong> role plus any other roles that would add
access to specific data sources. We recommend that you create individual roles for
each access profile. For example, the users on the Finance team might have access to a set of
databases and data sources; these permissions can be consolidated in a single role.
Users with this profile then need to be assigned the <strong>Gamma</strong> role as a foundation to
the models and views they can access, and that Finance role that is a collection of permissions to data objects.</p><p>A user can have multiple roles associated with them. For example, an executive on the Finance
team could be granted <strong>Gamma</strong>, <strong>Finance</strong>, and the <strong>Executive</strong> roles. The <strong>Executive</strong>
role could provide access to a set of data sources and dashboards made available only to executives.
In the <strong>Dashboards</strong> view, a user can only see the ones they have access too
based on the roles and permissions that were attributed.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="row-level-security">Row Level Security<a href="#row-level-security" class="hash-link" aria-label="Direct link to Row Level Security" title="Direct link to Row Level Security"></a></h3><p>Using Row Level Security filters (under the <strong>Security</strong> menu) you can create filters
that are assigned to a particular table, as well as a set of roles.
If you want members of the Finance team to only have access to
rows where <code>department = &quot;finance&quot;</code>, you could:</p><ul><li>Create a Row Level Security filter with that clause (<code>department = &quot;finance&quot;</code>)</li><li>Then assign the clause to the <strong>Finance</strong> role and the table it applies to</li></ul><p>The <strong>clause</strong> field, which can contain arbitrary text, is then added to the generated
SQL statement’s WHERE clause. So you could even do something like create a filter
for the last 30 days and apply it to a specific role, with a clause
like <code>date_field &gt; DATE_SUB(NOW(), INTERVAL 30 DAY)</code>. It can also support
multiple conditions: <code>client_id = 6</code> AND <code>advertiser=&quot;foo&quot;</code>, etc.</p><p>All relevant Row level security filters will be combined together (under the hood,
the different SQL clauses are combined using AND statements). This means it&#x27;s
possible to create a situation where two roles conflict in such a way as to limit a table subset to empty.</p><p>For example, the filters <code>client_id=4</code> and <code>client_id=5</code>, applied to a role,
will result in users of that role having <code>client_id=4</code> AND <code>client_id=5</code>
added to their query, which can never be true.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="content-security-policy-csp">Content Security Policy (CSP)<a href="#content-security-policy-csp" class="hash-link" aria-label="Direct link to Content Security Policy (CSP)" title="Direct link to Content Security Policy (CSP)"></a></h3><p>Superset uses the <a href="https://pypi.org/project/flask-talisman/" target="_blank" rel="noopener noreferrer">Talisman</a> extension to enable implementation of a
<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP" target="_blank" rel="noopener noreferrer">Content Security Policy (CSP)</a>, an added
layer of security that helps to detect and mitigate certain types of attacks, including
Cross-Site Scripting (XSS) and data injection attacks.</p><p>A CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can
occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
A CSP-compatible browser will then only execute scripts loaded in source files received from those allowed domains,
ignoring all other scripts (including inline scripts and event-handling HTML attributes).</p><p>A policy is described using a series of policy directives, each of which describes the policy for
a certain resource type or policy area. You can check possible directives
<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank" rel="noopener noreferrer">here</a>.</p><p>It&#x27;s extremely important to correctly configure a Content Security Policy when deploying Superset to
prevent many types of attacks. Superset provides two variables in <code>config.py</code> for deploying a CSP:</p><ul><li><code>TALISMAN_ENABLED</code> defaults to <code>False</code>; set this to <code>True</code> in order to implement a CSP</li><li><code>TALISMAN_CONFIG</code> holds the actual the policy definition (<em>see example below</em>) as well as any
other arguments to be passed to Talisman.</li></ul><p>When running in production mode, Superset will check at startup for the presence
of a CSP. If one is not found, it will issue a warning with the security risks. For environments
where CSP policies are defined outside of Superset using other software, administrators can disable
this warning using the <code>CONTENT_SECURITY_POLICY_WARNING</code> key in <code>config.py</code>.</p><h4 class="anchor anchorWithStickyNavbar_LWe7" id="csp-requirements">CSP Requirements<a href="#csp-requirements" class="hash-link" aria-label="Direct link to CSP Requirements" title="Direct link to CSP Requirements"></a></h4><ul><li><p>Superset needs both the <code>&#x27;unsafe-eval&#x27;</code> and <code>&#x27;unsafe-inline&#x27;</code> CSP keywords in order to operate.</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">default-src &#x27;self&#x27; &#x27;unsafe-eval&#x27; &#x27;unsafe-inline&#x27;</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></li><li><p>Some dashboards load images using data URIs and require <code>data:</code> in their <code>img-src</code></p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">img-src &#x27;self&#x27; data:</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></li><li><p>MapBox charts use workers and need to connect to MapBox servers in addition to the Superset origin</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">worker-src &#x27;self&#x27; blob:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">connect-src &#x27;self&#x27; https://api.mapbox.com https://events.mapbox.com</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></li></ul><p>This is a basic example <code>TALISMAN_CONFIG</code> that implements the above requirements, uses <code>&#x27;self&#x27;</code> to
limit content to the same origin as the Superset server, and disallows outdated HTML elements by
setting <code>object-src</code> to <code>&#x27;none&#x27;</code>.</p><div class="language-python codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-python codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">TALISMAN_CONFIG </span><span class="token operator" style="color:#393A34">=</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;content_security_policy&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;default-src&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">&quot;&#x27;self&#x27;&quot;</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;&#x27;unsafe-inline&#x27;&quot;</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;&#x27;unsafe-eval&#x27;&quot;</span><span class="token punctuation" style="color:#393A34">]</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;img-src&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">&quot;&#x27;self&#x27;&quot;</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;data:&quot;</span><span class="token punctuation" style="color:#393A34">]</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;worker-src&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">&quot;&#x27;self&#x27;&quot;</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;blob:&quot;</span><span class="token punctuation" style="color:#393A34">]</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;connect-src&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">&quot;&#x27;self&#x27;&quot;</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;https://api.mapbox.com&quot;</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;https://events.mapbox.com&quot;</span><span class="token punctuation" style="color:#393A34">]</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;object-src&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;&#x27;none&#x27;&quot;</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">}</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token punctuation" style="color:#393A34">}</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h4 class="anchor anchorWithStickyNavbar_LWe7" id="other-talisman-security-considerations">Other Talisman security considerations<a href="#other-talisman-security-considerations" class="hash-link" aria-label="Direct link to Other Talisman security considerations" title="Direct link to Other Talisman security considerations"></a></h4><p>Setting <code>TALISMAN_ENABLED = True</code> will invoke Talisman&#x27;s protection with its default arguments,
of which <code>content_security_policy</code> is only one. Those can be found in the
<a href="https://pypi.org/project/flask-talisman/" target="_blank" rel="noopener noreferrer">Talisman documentation</a> under <em>Options</em>.
These generally improve security, but administrators should be aware of their existence.</p><p>In particular, the default option of <code>force_https = True</code> may break Superset&#x27;s Alerts &amp; Reports
if workers are configured to access charts via a <code>WEBDRIVER_BASEURL</code> beginning
with <code>http://</code>. As long as a Superset deployment enforces https upstream, e.g.,
through a loader balancer or application gateway, it should be acceptable to set this
option to <code>False</code>, like this:</p><div class="language-python codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-python codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">TALISMAN_CONFIG </span><span class="token operator" style="color:#393A34">=</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;force_https&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token boolean" style="color:#36acaa">False</span><span class="token punctuation" style="color:#393A34">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">&quot;content_security_policy&quot;</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">{</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">.</span><span class="token punctuation" style="color:#393A34">.</span><span class="token punctuation" style="color:#393A34">.</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h3 class="anchor anchorWithStickyNavbar_LWe7" id="reporting-security-vulnerabilities">Reporting Security Vulnerabilities<a href="#reporting-security-vulnerabilities" class="hash-link" aria-label="Direct link to Reporting Security Vulnerabilities" title="Direct link to Reporting Security Vulnerabilities"></a></h3><p>Apache Software Foundation takes a rigorous standpoint in annihilating the security issues in its
software projects. Apache Superset is highly sensitive and forthcoming to issues pertaining to its
features and functionality.</p><p>If you have apprehensions regarding Superset security or you discover vulnerability or potential
threat, don’t hesitate to get in touch with the Apache Security Team by dropping a mail at
<a href="mailto:security@apache.org." target="_blank" rel="noopener noreferrer">security@apache.org.</a> In the mail, specify the project name Superset with the description of the
issue or potential threat. You are also urged to recommend the way to reproduce and replicate the
issue. The security team and the Superset community will get back to you after assessing and
analysing the findings.</p><p>PLEASE PAY ATTENTION to report the security issue on the security email before disclosing it on
public domain. The ASF Security Team maintains a page with the description of how vulnerabilities
and potential threats are handled, check their web page for more details.</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/apache/superset/tree/master/docs/docs/security.mdx" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_Z9Sw" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_vwxv"></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages navigation"><a class="pagination-nav__link pagination-nav__link--prev" href="/docs/api"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">API</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#roles" class="table-of-contents__link toc-highlight">Roles</a></li><li><a href="#provided-roles" class="table-of-contents__link toc-highlight">Provided Roles</a></li><li><a href="#admin" class="table-of-contents__link toc-highlight">Admin</a></li><li><a href="#alpha" class="table-of-contents__link toc-highlight">Alpha</a></li><li><a href="#gamma" class="table-of-contents__link toc-highlight">Gamma</a></li><li><a href="#sql_lab" class="table-of-contents__link toc-highlight">sql_lab</a></li><li><a href="#public" class="table-of-contents__link toc-highlight">Public</a></li><li><a href="#managing-data-source-access-for-gamma-roles" class="table-of-contents__link toc-highlight">Managing Data Source Access for Gamma Roles</a></li><li><a href="#customizing-permissions" class="table-of-contents__link toc-highlight">Customizing Permissions</a></li><li><a href="#permissions" class="table-of-contents__link toc-highlight">Permissions</a></li><li><a href="#restricting-access-to-a-subset-of-data-sources" class="table-of-contents__link toc-highlight">Restricting Access to a Subset of Data Sources</a></li><li><a href="#row-level-security" class="table-of-contents__link toc-highlight">Row Level Security</a></li><li><a href="#content-security-policy-csp" class="table-of-contents__link toc-highlight">Content Security Policy (CSP)</a></li><li><a href="#reporting-security-vulnerabilities" class="table-of-contents__link toc-highlight">Reporting Security Vulnerabilities</a></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2023,
The <a href="https://www.apache.org/" target="_blank" rel="noreferrer">Apache Software Foundation</a>,
Licensed under the Apache <a href="https://apache.org/licenses/LICENSE-2.0" target="_blank" rel="noreferrer">License</a>. <br>
<small>Apache Superset, Apache, Superset, the Superset logo, and the Apache feather logo are either registered trademarks or trademarks of The Apache Software Foundation. All other products or name brands are trademarks of their respective holders, including The Apache Software Foundation.
<a href="https://www.apache.org/" target="_blank">Apache Software Foundation</a> resources</small><br>
<small>
<a href="https://www.apache.org/security/" target="_blank" rel="noreferrer">Security</a>&nbsp;|&nbsp;
<a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noreferrer">Donate</a>&nbsp;|&nbsp;
<a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noreferrer">Thanks</a>&nbsp;|&nbsp;
<a href="https://apache.org/events/current-event" target="_blank" rel="noreferrer">Events</a>&nbsp;|&nbsp;
<a href="https://apache.org/licenses/" target="_blank" rel="noreferrer">License</a>
</small></div></div></div></footer></div>
<script src="/assets/js/runtime~main.508e0599.js"></script>
<script src="/assets/js/main.633857fa.js"></script>
</body>
</html>