feat(end-to-end-security): add superset OPA#407
Conversation
406b26d to
6564a81
Compare
6564a81 to
fe8881a
Compare
354ab4a to
b607bdd
Compare
| "subGroups" : [ ] | ||
| } ], | ||
| "users" : [ { | ||
| "username" : "admin", |
There was a problem hiding this comment.
Should this be something more specific to superset?
| "username" : "admin", | |
| "username" : "superset_admin", |
There was a problem hiding this comment.
I think the admin user name is predefined by superset and as far as I suspect we need to match the user name in Keycloak - however I can give it a try to see whether we can rename it.
There was a problem hiding this comment.
@NickLarsenNZ I looked at it again. We can do this, if we additionally change the admin user for superset, adjust the regorules (which are added in this PR, so not breaking a former state), create a new dump and adjust the demo docs slightly.
Do you think its worth it?
| @@ -12,9 +12,9 @@ SET standard_conforming_strings = on; | |||
| -- | |||
|
|
|||
| CREATE ROLE postgres; | |||
| ALTER ROLE postgres WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN REPLICATION BYPASSRLS PASSWORD 'SCRAM-SHA-256$4096:XfE1S3tIVrPAwRXzqI/Ptw==$vacFUmkUUHcdejD7LOlHYax3gpEhEmObPcHVDtajYNY=:e+j2EaHndtOGxXISZsBR6Il+GViZc5R1d89AtPCRTCc='; | |||
| ALTER ROLE postgres WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN REPLICATION BYPASSRLS PASSWORD 'SCRAM-SHA-256$4096:sGx/aeHPQh2TYqDu/3VtKg==$MDwWvH8UgxEn/Nx2hZXAvw5ENCrSpXi6yRR7ZQ+QEF4=:sO4JMyhpvAYkbLKXUZLIuh6Q++k4IthhhbGarVxMVU8='; | |||
There was a problem hiding this comment.
curious what caused this to change. I guess the time?
There was a problem hiding this comment.
I assume this is due to the postgres instance specific salt, but I don't know for sure.
This extends the demo to use OPA also for Superset. The result is that you can add a new user in Keycloak, add it to a group and upon login, the user will have access to the datasets / charts / dashboards of that group.
This requires a new / adjusted dump - e.g. we shouldn't need Gamma_extended anymore as this is now handled by rego rules.