mirror of
https://github.com/apache/superset.git
synced 2024-09-12 00:29:39 -04:00
Adding a security section to the docs (#561)
This commit is contained in:
parent
5bc50210ad
commit
b5fe9dbe33
BIN
caravel/assets/images/create_role.png
Normal file
BIN
caravel/assets/images/create_role.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 50 KiB |
@ -32,6 +32,7 @@ Contents
|
|||||||
|
|
||||||
installation
|
installation
|
||||||
tutorial
|
tutorial
|
||||||
|
security
|
||||||
videos
|
videos
|
||||||
gallery
|
gallery
|
||||||
druid
|
druid
|
||||||
|
70
docs/security.rst
Normal file
70
docs/security.rst
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
Security
|
||||||
|
========
|
||||||
|
Security in Caravel is handled by Flask AppBuilder (FAB). FAB is a
|
||||||
|
"Simple and rapid application development framework, built on top of Flask.".
|
||||||
|
FAB provides authentication, user management, permissions and roles.
|
||||||
|
|
||||||
|
|
||||||
|
Provided Roles
|
||||||
|
--------------
|
||||||
|
Caravel ships with 3 roles that are handled by Caravel itself. You can
|
||||||
|
assume that these 3 roles will stay up-to-date as Caravel evolves.
|
||||||
|
|
||||||
|
Admin
|
||||||
|
"""""
|
||||||
|
Admins have all rights, including granting or revoking rights from other
|
||||||
|
users and altering other people's slices and dashboards.
|
||||||
|
|
||||||
|
Alpha
|
||||||
|
"""""
|
||||||
|
Alpha have access to all data sources, but they cannot grant or revoke access
|
||||||
|
from other users. They are also limited to altering the objects that they
|
||||||
|
own. Alpha users can add and alter data sources.
|
||||||
|
|
||||||
|
Gamma
|
||||||
|
"""""
|
||||||
|
Gamma have limited access. They can only consume data coming from data sources
|
||||||
|
they have been giving access to through another complementary role.
|
||||||
|
They only have access to view the slices and
|
||||||
|
dashboards made from data sources that they have access to. Currently Gamma
|
||||||
|
users are not able to alter or add data sources. We assume that they are
|
||||||
|
mostly content consumers, though they can create slices and dashboards.
|
||||||
|
|
||||||
|
Also note that when Gamma users look at the dashboards and slices list view,
|
||||||
|
they will only see the objects that they have access to.
|
||||||
|
|
||||||
|
|
||||||
|
Managing Gamma per data source access
|
||||||
|
-------------------------------------
|
||||||
|
Here's how to provide users access to only specific datasets. First make
|
||||||
|
sure the users with limited access have [only] the Gamma role assigned to
|
||||||
|
them. Second, create a new role (``Menu -> Security -> List Roles``) and
|
||||||
|
click the ``+`` sign.
|
||||||
|
|
||||||
|
.. image:: _static/img/create_role.png
|
||||||
|
:scale: 50 %
|
||||||
|
|
||||||
|
This new window allows you to give this new role a name, attribute it to users
|
||||||
|
and select the tables in the ``Permissions`` dropdown. To select the data
|
||||||
|
sources you want to associate with this role, simply click in the dropdown
|
||||||
|
and use the typeahead to search for your table names.
|
||||||
|
|
||||||
|
You can then confirm with your Gamma users that they see the objects
|
||||||
|
(dashboards and slices) associated with the tables related to their roles.
|
||||||
|
|
||||||
|
|
||||||
|
Customizing
|
||||||
|
-----------
|
||||||
|
|
||||||
|
The permissions exposed by FAB are very granular and allow for a great level
|
||||||
|
of customization. FAB creates many permissions automagically for each model
|
||||||
|
that is create (can_add, can_delete, can_show, can_edit, ...) as well as for
|
||||||
|
each view. On top of that, Caravel can expose more granular permissions like
|
||||||
|
``all_datasource_access``.
|
||||||
|
|
||||||
|
We do not recommend altering the 3 base roles as there
|
||||||
|
are a set of assumptions that Caravel build upon. It is possible though for
|
||||||
|
you to create your own roles, and union them to existing ones.
|
||||||
|
|
||||||
|
The best way to go is probably to give user ``Gamma`` plus another role
|
||||||
|
that would add specific permissions needed by this type of users.
|
Loading…
Reference in New Issue
Block a user