Apache Superset is a modern, enterprise-ready business intelligence web application that provides an intuitive interface to explore and visualize datasets. It has a wide array of beautiful visualizations that can be used to showcase data.
Organizations have security considerations at the core of their priorities, and Superset provides an extensible, high-granularity security model allowing intricate rules on who can access which product features and datasets. It integrates with major authentication backends such as database, OpenID, OAuth and REMOTE_USER. There are, however, scenarios where none of these approaches is supported by your organization and you need to implement a custom approach. One such scenario is when you are using a token service such as Identity Server 4 or Keycloak. It could also be a custom user database used internally, like ASP.NET Core Identity. Luckily, Superset is extensible, and achieving authentication through a custom store is a matter of a little bit of code and configuration.
Code
We will need to create a file named custom_security_manager.py that (for ease of reference) lives in the same directory as superset_config.py. Essentially, all we are doing is extending the SupersetSecurityManager class in Superset, which extends the BaseSecurityManager in Flask AppBuilder. Specifically, we override the login method, which handles the GET and POST login requests, so that instead of using the Superset user database for authentication we use a custom user database. See below. We are interested in the part of the code that comes after the form.validate_on_submit() line.

Figure 1: AuthDBView available at https://flask-appbuilder.readthedocs.io/en/latest/_modules/flask_appbuilder/security/views.html
The structure of the custom security manager should look like the one below.

Figure 2: Custom security manager overriding the AuthDBView login method
Lines 22 to 25 need to be updated to fit your custom requirements. For instance, one can call an API that handles authentication, or write an implementation that queries a different database.
Configuration
The configuration is all about telling Superset which security manager to use.

Figure 3: Config with custom security manager
You will know both the code and configuration are set up correctly if Superset loads the local configuration as shown below. This will appear on the command line interface after running the Superset start command: superset runserver -d.

Considerations
Using this approach means Superset must keep a copy of a user in its DB. Therefore, you need to tweak that functionality to fit your needs. Current implementations in Flask AppBuilder can be found at https://flask-appbuilder.readthedocs.io/en/latest/_modules/flask_appbuilder/security/manager.html
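An added example, not code from the original post: one way to fill in the credential check that the overridden login performs (lines 22 to 25 of Figure 2) by querying a different database, and to create the local Superset copy of the user mentioned under Considerations. The SQLite schema, the sample accounts, the PBKDF2 settings, the function names and the Gamma default role are assumptions; sm stands for the security manager, of which only find_user, find_role and add_user are called.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy)
DUMMY_SALT = os.urandom(16)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store():
    """Constructed sample data standing in for the organization's user database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT,"
               " salt BLOB, pw_hash BLOB, active INTEGER)")
    for name, pw, active in (("alice", "correct horse", 1), ("bob", "hunter2!", 0)):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (name, name + "@example.test", salt, hash_password(pw, salt), active))
    return db


def verify_credentials(db, username, password):
    """Return {'username', 'email'} for a valid, active account, else None."""
    row = db.execute("SELECT email, salt, pw_hash, active FROM users"
                     " WHERE username = ?", (username,)).fetchone()  # bound parameter
    email, salt, expected, active = row or (None, DUMMY_SALT, b"\0" * 32, 0)
    # Hash even for unknown usernames so timing does not reveal which accounts exist.
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    if row is None or not matches or not active:
        return None
    return {"username": username, "email": email}


def login_from_store(sm, db, username, password, default_role="Gamma"):
    """Credential step of the overridden login; sm is the Flask AppBuilder security manager."""
    identity = verify_credentials(db, username, password)
    if identity is None:
        return None  # caller shows the same generic failure for every reason
    user = sm.find_user(username=identity["username"])
    if user is None:
        # Superset needs a local row; give it a random password nobody knows.
        user = sm.add_user(identity["username"], identity["username"], "-",
                           identity["email"], sm.find_role(default_role),
                           password=os.urandom(32).hex())
    return user
```

In the overridden view, a non-None result is the user object to hand to flask_login's login_user.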