Network and Security Settings
CORS
To configure CORS, or cross-origin resource sharing, the following dependency must be installed:
pip install apache-superset[cors]
The following keys in superset_config.py
can be specified to configure CORS:
ENABLE_CORS
: Must be set toTrue
in order to enable CORSCORS_OPTIONS
: options passed to Flask-CORS (documentation)
HTTP headers
Note that Superset bundles flask-talisman Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues.
CSRF settings
Similarly, flask-wtf is used manage
some CSRF configurations. If you need to exempt endpoints from CSRF (e.g. if you are
running a custom auth postback endpoint), you can add the endpoints to WTF_CSRF_EXEMPT_LIST
:
SSH Tunneling
-
Turn on feature flag
- Change
SSH_TUNNELING
toTrue
- If you want to add more security when establishing the tunnel we allow users to overwrite the
SSHTunnelManager
class here - You can also set the
SSH_TUNNEL_LOCAL_BIND_ADDRESS
this the host address where the tunnel will be accessible on your VPC
- Change
-
Create database w/ ssh tunnel enabled
- With the feature flag enabled you should now see ssh tunnel toggle.
- Click the toggle to enable SSH tunneling and add your credentials accordingly.
- Superset allows for two different types of authentication (Basic + Private Key). These credentials should come from your service provider.
-
Verify data is flowing
- Once SSH tunneling has been enabled, go to SQL Lab and write a query to verify data is properly flowing.
Domain Sharding
Chrome allows up to 6 open connections per domain at a time. When there are more than 6 slices in dashboard, a lot of time fetch requests are queued up and wait for next available socket. PR 5039 adds domain sharding to Superset, and this feature will be enabled by configuration only (by default Superset doesn’t allow cross-domain request).
Add the following setting in your superset_config.py
file:
SUPERSET_WEBSERVER_DOMAINS
: list of allowed hostnames for domain sharding feature.
Please create your domain shards as subdomains of your main domain for authorization to work properly on new domains. For Example:
SUPERSET_WEBSERVER_DOMAINS=['superset-1.mydomain.com','superset-2.mydomain.com','superset-3.mydomain.com','superset-4.mydomain.com']
or add the following setting in your superset_config.py
file if domain shards are not subdomains of main domain.
SESSION_COOKIE_DOMAIN = '.mydomain.com'
Middleware
Superset allows you to add your own middleware. To add your own middleware, update the
ADDITIONAL_MIDDLEWARE
key in your superset_config.py
. ADDITIONAL_MIDDLEWARE
should be a list
of your additional middleware classes.
For example, to use AUTH_REMOTE_USER
from behind a proxy server like nginx, you have to add a
simple middleware class to add the value of HTTP_X_PROXY_REMOTE_USER
(or any other custom header
from the proxy) to Gunicorn’s REMOTE_USER
environment variable: