Editing Visualisation showdown (section)
===Security===
This needs a lot of attention, since Superset will theoretically provide access to identifiable client data. Some things to consider:
* Ensuring that the DB connection is secure.<ref>At the time of writing, we plan to put the RDS instance in an isolated VPC which cannot be directly accessed over the internet. The App host will therefore need to manage incoming public traffic and securely route database requests accordingly.</ref>
* Ensuring that specific service-account DB roles are only used in Superset. For auditing we must ensure that no regular user/team credentials are used, as well as making sure that [https://www.okta.com/identity-101/minimum-access-policy/ least privilege] principles are followed in terms of what the DB role can access.
* The host app should have SSL/TLS enabled and available via port 443 (forwarded from 8088, or perhaps some other host config is possible).
* 'Secret key' configuration. This should be configured via <code>superset_config.py</code>. See [https://superset.apache.org/docs/configuration/configuring-superset#specifying-a-secret_key here] for not much detail.
* Metadata database. Whilst the [https://superset.apache.org/docs/configuration/configuring-superset#setting-up-a-production-metadata-database Superset docs] state that [https://www.sqlite.org/ SQLite] is used by default, the quickstart container actually stands up a Postgres instance. Whatever final solution is deployed, we absolutely need to ensure that the metadata backend is running on a properly secured production database.<ref>AKA Postgres.</ref>
* Superset uses Flask-AppBuilder (FAB), which supports OAuth2/LDAP providers - including Azure/Entra - out of the box (apparently). '''We should use this''' to manage access, and permit use of existing AD groups for access (membership of which can be centrally managed via our MSP). OAuth groups can be mapped to Superset groups by setting an <code>AUTH_ROLES_MAPPING</code> dictionary.<ref>I don't know where this dict is supposed to live, but some documentation can be found [https://superset.apache.org/docs/configuration/configuring-superset#mapping-oauth-groups-to-superset-roles here].</ref>
* CORS might need to be set.
* Superset roles. Remove access from the <code>Public</code> Superset group.
* Admin role. Reset the default admin password, or preferably deactivate the default admin account.
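The checklist above maps fairly directly onto settings in <code>superset_config.py</code>. The following is an added example, not Superset's own configuration or anything from this project: it builds the settings as a dict from environment variables and then audits them against the points listed (secret key from the environment, Postgres metadata DB over TLS, OAuth via FAB with an <code>AUTH_ROLES_MAPPING</code>, an empty <code>Public</code> role, secure cookies on the 443 host). The environment variable names, the group object IDs in the mapping, the <code>SUPERSET_ROLE_*</code> role names and the exact shape of the Entra provider entry are assumptions to be checked against the FAB documentation before use.

```python
"""Builder and self-check for a hardened superset_config.py.

Added example for the Security checklist; not Superset's own code. The env var
names, the Entra tenant placeholder, the group IDs and the role names are
assumptions. To use it as the real config, end the file with
    globals().update(build_config(os.environ))
so Superset sees the settings as module attributes.
"""
import os
from urllib.parse import parse_qs, urlparse

try:
    from flask_appbuilder.security.manager import AUTH_OAUTH
except ImportError:  # FAB not installed, e.g. when auditing this file offline
    AUTH_OAUTH = 4  # FAB's value for the AUTH_OAUTH constant

MIN_SECRET_KEY_LEN = 32  # assumption: anything shorter is treated as too weak
TLS_SSLMODES = ("require", "verify-ca", "verify-full")


def build_config(env):
    """Return the settings Superset reads from superset_config.py as a dict."""
    tenant = env.get("ENTRA_TENANT_ID", "<tenant-id>")  # placeholder
    return {
        # 'Secret key' item: never hard-code it; read it from the environment.
        "SECRET_KEY": env.get("SUPERSET_SECRET_KEY", ""),
        # Metadata DB item: Postgres, service account and TLS come from env.
        "SQLALCHEMY_DATABASE_URI": env.get("SUPERSET_METADATA_URI", ""),
        # FAB OAuth item: Entra as provider, AD groups mapped to Superset roles.
        "AUTH_TYPE": AUTH_OAUTH,
        "AUTH_USER_REGISTRATION": True,
        "AUTH_USER_REGISTRATION_ROLE": "Gamma",
        "AUTH_ROLES_SYNC_AT_LOGIN": True,
        "AUTH_ROLES_MAPPING": {
            # constructed group object IDs -> Superset roles
            "00000000-0000-0000-0000-00000000a001": ["Admin"],
            "00000000-0000-0000-0000-00000000a002": ["Alpha"],
            "00000000-0000-0000-0000-00000000a003": ["Gamma"],
        },
        "OAUTH_PROVIDERS": [{
            "name": "azure",
            "icon": "fa-windows",
            "token_key": "access_token",
            "remote_app": {  # assumed shape; verify against the FAB docs
                "client_id": env.get("ENTRA_CLIENT_ID", ""),
                "client_secret": env.get("ENTRA_CLIENT_SECRET", ""),
                "api_base_url": f"https://login.microsoftonline.com/{tenant}/oauth2",
                "server_metadata_url": (
                    f"https://login.microsoftonline.com/{tenant}"
                    "/v2.0/.well-known/openid-configuration"
                ),
                "client_kwargs": {"scope": "openid profile email"},
            },
        }],
        # Public role item: leaving PUBLIC_ROLE_LIKE unset keeps Public empty.
        "PUBLIC_ROLE_LIKE": None,
        # TLS item: session cookies only over the HTTPS host on 443.
        "SESSION_COOKIE_SECURE": True,
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",
        # CORS item: off unless a front end on another origin needs it.
        "ENABLE_CORS": False,
    }


def audit_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    key = cfg.get("SECRET_KEY") or ""
    if len(key) < MIN_SECRET_KEY_LEN:
        findings.append(f"SECRET_KEY missing or shorter than {MIN_SECRET_KEY_LEN} chars")
    uri = urlparse(cfg.get("SQLALCHEMY_DATABASE_URI") or "")
    if not uri.scheme.startswith("postgresql"):
        findings.append(f"metadata DB is not Postgres (scheme {uri.scheme!r})")
    elif parse_qs(uri.query).get("sslmode", [""])[0] not in TLS_SSLMODES:
        findings.append("metadata DB connection does not require TLS (sslmode)")
    if cfg.get("AUTH_TYPE") != AUTH_OAUTH:
        findings.append("AUTH_TYPE is not OAuth")
    if not cfg.get("AUTH_ROLES_MAPPING"):
        findings.append("AUTH_ROLES_MAPPING is empty")
    if cfg.get("PUBLIC_ROLE_LIKE"):
        findings.append("Public role inherits permissions via PUBLIC_ROLE_LIKE")
    for flag in ("SESSION_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY"):
        if not cfg.get(flag):
            findings.append(f"{flag} is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_config(build_config(os.environ)):
        print("FINDING:", finding)
```

Running the module directly prints one line per failed check for the current environment, which makes it usable as a pre-deployment gate; an empty output means the configuration meets the checklist as encoded here.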