Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/05/06 05:44:32 UTC

[GitHub] [superset] 710700 opened a new issue, #19973: Anyone can access the dashboards and datasets via the login page even without logging in, anything wrong with my configuration?

710700 opened a new issue, #19973:
URL: https://github.com/apache/superset/issues/19973

   ## Screenshot
   ![image](https://user-images.githubusercontent.com/92249031/167073093-9b735b63-16b1-49a5-92e6-dca52bf67bb7.png)
   
   ## Description
   
   Anonymous users can access the dashboards and data (including datasets and databases); however, if I click Charts, it throws an unexpected error like this:
   ![image](https://user-images.githubusercontent.com/92249031/167073330-8d2a4f45-e42a-4a6e-8a5d-60eef74a8e13.png)
   
   my superset_config.py:
   ```python
   
   from flask_appbuilder.security.manager import AUTH_LDAP
   from celery.schedules import crontab
   from superset.typing import CacheConfig
   
   SQLALCHEMY_DATABASE_URI = 'xxxx'
   
   APP_NAME = "xxxx"
   
   # ----------------------------------------------------
   # AUTHENTICATION CONFIG
   # ----------------------------------------------------
   # The authentication type
   # AUTH_OID : Is for OpenID
   # AUTH_DB : Is for database (username/password)
   # AUTH_LDAP : Is for LDAP
   # AUTH_REMOTE_USER : Is for using REMOTE_USER from web server
   AUTH_TYPE = AUTH_LDAP
   
   # Uncomment to setup Full admin role name
   AUTH_ROLE_ADMIN = 'Admin'
   
   # Uncomment to setup Public role name, no authentication needed
   AUTH_ROLE_PUBLIC = 'Public'
   
   # Will allow user self registration
   AUTH_USER_REGISTRATION = True
   
   # The default user self registration role
   AUTH_USER_REGISTRATION_ROLE = "Public"
   
   # When using LDAP Auth, setup the LDAP server
   # AUTH_LDAP_SERVER = "ldap://ldapserver.new"
   AUTH_LDAP_SERVER = "xxxx"
   AUTH_LDAP_SEARCH = "xxxx"
   AUTH_LDAP_UID_FIELD = "sn"
   AUTH_LDAP_LASTNAME_FIELD = "cn"
   AUTH_LDAP_BIND_USER = "xxxx"
   AUTH_LDAP_BIND_PASSWORD = "xxxx"
   
   # FEATURE_FLAGS: Dict[str, bool] = {}
   FEATURE_FLAGS = {
       "ALERT_REPORTS": True,
       # This could cause the server to run out of memory or compute.
       "ALLOW_FULL_CSV_EXPORT": True,
   }
   
   # ---------------------------------------------------
   # Thumbnail config (behind feature flag)
   # Also used by Alerts & Reports
   # ---------------------------------------------------
   THUMBNAIL_SELENIUM_USER = "xxxx"
   
   # Default cache for Superset objects
   CACHE_CONFIG: CacheConfig = {"CACHE_TYPE": "simple"}
   
   # Cache for datasource metadata and query results
   DATA_CACHE_CONFIG: CacheConfig = {"CACHE_TYPE": "simple"}
   
   # CSV Options: key/value pairs that will be passed as argument to DataFrame.to_csv
   # method.
   # note: index option should not be overridden
   CSV_EXPORT = {"encoding": "utf-8"}
   
   # Default celery config is to use SQLA as a broker, in a production setting
   # you'll want to use a proper broker as specified here:
   # http://docs.celeryproject.org/en/latest/getting-started/brokers/index.html
   
   class CeleryConfig:  # pylint: disable=too-few-public-methods
       # BROKER_URL = "sqla+sqlite:///celerydb.sqlite"
       BROKER_URL = 'xxxx'
       CELERY_IMPORTS = ("superset.sql_lab", "superset.tasks")
       # CELERY_RESULT_BACKEND = "db+sqlite:///celery_results.sqlite"
       CELERY_RESULT_BACKEND = 'xxxx'
       CELERYD_LOG_LEVEL = "DEBUG"
       CELERYD_PREFETCH_MULTIPLIER = 10
       CELERY_ACKS_LATE = True
       CELERY_ANNOTATIONS = {
           "sql_lab.get_sql_results": {"rate_limit": "100/s"},
           "email_reports.send": {
               "rate_limit": "1/s",
               "time_limit": 300,
               "soft_time_limit": 300,
               "ignore_result": True,
           },
       }
       CELERYBEAT_SCHEDULE = {
           "email_reports.schedule_hourly": {
               "task": "email_reports.schedule_hourly",
               "schedule": crontab(minute=1, hour="*"),
           },
           "reports.scheduler": {
               "task": "reports.scheduler",
               "schedule": crontab(minute="*", hour="*"),
           },
           "reports.prune_log": {
               "task": "reports.prune_log",
               "schedule": crontab(minute=0, hour=0),
           },
       }
   
   # smtp server configuration
   EMAIL_NOTIFICATIONS = True  # all the emails are sent using dryrun
   SMTP_HOST = "xxxx"
   SMTP_STARTTLS = True
   SMTP_SSL = True
   SMTP_USER = "xxxx"
   SMTP_PORT = 465
   SMTP_PASSWORD = "xxxx"
   SMTP_MAIL_FROM = "xxxx"
   
   ENABLE_CHUNK_ENCODING = True
   
   # Enable / disable scheduled email reports
   #
   # Warning: This config key is deprecated and will be removed in version 2.0.0
   ENABLE_SCHEDULED_EMAIL_REPORTS = True
   
   # A custom prefix to use on all Alerts & Reports emails
   EMAIL_REPORTS_SUBJECT_PREFIX = "xxxx"
   
   # The base URL to query for accessing the user interface
   WEBDRIVER_BASEURL = "xxxx"
   # The base URL for the email report hyperlinks.
   WEBDRIVER_BASEURL_USER_FRIENDLY = "xxxx"
   
   WTF_CSRF_TIME_LIMIT = None
   
   ```
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] 710700 closed issue #19973: Anyone can access the dashboards and datasets via the login page even without logging in, anything wrong with my configuration?

Posted by GitBox <gi...@apache.org>.
710700 closed issue #19973: Anyone can access the dashboards and datasets via the login page even without logging in, anything wrong with my configuration?
URL: https://github.com/apache/superset/issues/19973




[GitHub] [superset] 710700 commented on issue #19973: Anyone can access the dashboards and datasets via the login page even without logging in, anything wrong with my configuration?

Posted by GitBox <gi...@apache.org>.
710700 commented on issue #19973:
URL: https://github.com/apache/superset/issues/19973#issuecomment-1119355533

   Update:
   By removing "menu access on Dashboards", "menu access on Charts", and "menu access on Data" from the Public role, anonymous users cannot access these components anymore.
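The combination the issue describes (AUTH_ROLE_PUBLIC set, self-registration landing in the same role, and the Public role holding the menu-access permissions) is easy to check mechanically before an instance goes live. The script below is an added example written for this thread; it is not the reporter's code and not part of the Superset project. It parses the auth-related assignments out of a config file with `ast` instead of executing it (the real config imports Superset modules and holds credentials), then compares a role's permission list against the entries the reporter removed. The permission labels are assumed to follow the "<permission> on <view or menu>" form shown in Superset's role editor, and the `can read` entries in the sensitive set are an assumed extension beyond the three menu-access permissions named in the comment above.

```python
from __future__ import annotations

import ast

# Constructed excerpt of a superset_config.py carrying the auth settings
# from the issue. Only simple assignments matter to the audit.
SAMPLE_CONFIG = '''
from flask_appbuilder.security.manager import AUTH_LDAP

AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN = 'Admin'
AUTH_ROLE_PUBLIC = 'Public'
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
'''

# Constructed permission list for the Public role, labelled the way
# Superset's role editor shows them ("<permission> on <view or menu>").
SAMPLE_PUBLIC_PERMS = [
    "menu access on Dashboards",
    "menu access on Charts",
    "menu access on Data",
    "can read on Dashboard",
    "can csv on Superset",
]

# Permissions that expose content to anonymous visitors when held by the
# public role. The three "menu access" entries are the ones the reporter
# removed; the "can read" entries are an assumed extension covering the
# API-level read permissions on the same objects.
SENSITIVE_PUBLIC_PERMS = frozenset({
    "menu access on Dashboards",
    "menu access on Charts",
    "menu access on Data",
    "can read on Dashboard",
    "can read on Chart",
    "can read on Dataset",
    "can read on Database",
})


def load_simple_assignments(source: str) -> dict[str, object]:
    """Collect top-level NAME = <constant or NAME> assignments without running the file."""
    settings: dict[str, object] = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        key = node.targets[0].id
        if isinstance(node.value, ast.Constant):
            settings[key] = node.value.value
        elif isinstance(node.value, ast.Name):   # e.g. AUTH_TYPE = AUTH_LDAP
            settings[key] = node.value.id
    return settings


def audit_public_access(settings: dict[str, object], public_perms: list[str]) -> list[str]:
    """Return findings describing what an unauthenticated visitor could reach."""
    findings: list[str] = []
    public_role = settings.get("AUTH_ROLE_PUBLIC")
    if not public_role:
        return findings  # no anonymous role configured: nothing is exposed through it
    findings.append(f"AUTH_ROLE_PUBLIC={public_role!r}: unauthenticated requests act as this role")
    if settings.get("AUTH_USER_REGISTRATION") and settings.get("AUTH_USER_REGISTRATION_ROLE") == public_role:
        findings.append("AUTH_USER_REGISTRATION_ROLE equals the public role: any permission "
                        "added to that role for self-registered users is also granted to anonymous visitors")
    for perm in public_perms:
        if perm in SENSITIVE_PUBLIC_PERMS:
            findings.append(f"{public_role} role holds {perm!r}: reachable without logging in")
    return findings


def harden_public_perms(public_perms: list[str]) -> list[str]:
    """The fix from the thread: strip the exposing permissions from the public role."""
    return [p for p in public_perms if p not in SENSITIVE_PUBLIC_PERMS]


if __name__ == "__main__":
    cfg = load_simple_assignments(SAMPLE_CONFIG)
    for line in audit_public_access(cfg, SAMPLE_PUBLIC_PERMS):
        print("FINDING:", line)
    print("after hardening:", audit_public_access(cfg, harden_public_perms(SAMPLE_PUBLIC_PERMS)))
```

Run against the constructed input, the audit reports the public role, the registration-role overlap, and the four exposing permissions; after `harden_public_perms` only the two configuration-level findings remain, which is the state the reporter ended up in. To check a live instance, replace `SAMPLE_PUBLIC_PERMS` with the role's permission list exported from the Security > List Roles page.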

