GitHub user dosubot[bot] added a comment to the discussion: Querying on data set
Here’s a step-by-step checklist for setting up RLS (Row Level Security) with guest tokens for embedded charts in Superset, ensuring filtering happens at the database query level:

1. **Config file changes**:
   - Enable the `EMBEDDED_SUPERSET` feature flag in your `superset_config.py` (or `superset_config_docker.py` if using Docker).
   - Set up CORS settings (`ENABLE_CORS`, `ALLOWED_DOMAINS`) if embedding from another domain.
   - Make sure your guest token secret, algorithm, and audience are configured as needed.
   - If using Docker, config overrides must go in `./docker/pythonpath_dev/superset_config_docker.py` on the host, not `/app/superset/config.py` inside the container. [details](https://github.com/apache/superset/issues/33702)

2. **Guest token API**:
   - When creating the guest token, include user-specific attributes in the `user` object (e.g., `user_id`).
   - Example:
     ```python
     guest_token = security_manager.create_guest_access_token(
         user={
             "username": "external_user",
             "attributes": {"user_id": "12345"},
         },
         resources=[{"type": "dashboard", "id": "dashboard-uuid"}],
         rls=[],
     )
     ```
   - The `rls` field can be used to pass explicit RLS rules, but for dynamic user filtering, using attributes is preferred. [example](https://github.com/apache/superset/issues/33922)

3. **Dataset SQL changes**:
   - In your dataset’s SQL, reference the user attribute using the Jinja macro (if available in your version):
     ```sql
     SELECT *
     FROM your_table
     WHERE user_id = '{{ get_guest_user_attribute("user_id") }}'
     ```
   - If the macro is not available, use the standard Jinja macros like `current_user_id` if your setup supports it.
   - Make sure the column referenced in your filter exists in the dataset, or you’ll get SQL errors. [example](https://github.com/apache/superset/issues/32869)

4. **Superset UI (RLS section)**:
   - You can define RLS rules in the Superset UI via the RLS modal for the dataset. The modal now has a simplified clause input.
   - RLS rules can also be managed via the REST API.
   - If you’re using dynamic user attributes in SQL, you may not need to define extra RLS rules in the UI for user-specific filtering, but you can use the UI for static or role-based rules. [UI update](https://github.com/apache/superset/pull/33942)

5. **Other notes**:
   - RLS only applies to datasets, not to charts created directly from SQL Lab unless you save the query as a dataset first. [reference](https://github.com/apache/superset/issues/33346)
   - Guest tokens automatically have access to datasets used in the dashboard they’re created for; you don’t need to grant explicit dataset access. [reference](https://github.com/apache/superset/issues/26201)
   - The `can_set_embedded` permission must be granted to the user/role for embedding dashboards. [reference](https://github.com/apache/superset/issues/33702)

If you follow these steps, user-specific filtering should be pushed down to the database query level for embedded charts. If you run into issues, double-check the feature flags, dataset column names, and that your guest token includes the correct attributes.
GitHub link: https://github.com/apache/superset/discussions/34132#discussioncomment-13730436
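An added example (not part of the bot's answer or of Superset's code) that simulates the flow the checklist describes in stdlib Python: mint an HS256 guest token with the `user.attributes` layout shown above, verify its signature, audience and expiry, then fill the `get_guest_user_attribute` placeholder in the dataset SQL from the verified claims only. `mint_guest_token`, `verify_guest_token` and `render_dataset_sql` are hypothetical stand-ins for `security_manager.create_guest_access_token` and the Jinja macro, and the secret and audience values are constructed.

```python
import base64, hashlib, hmac, json, re, time
# Constructed stand-ins for the guest-token settings the answer refers to
# (Superset's GUEST_TOKEN_JWT_SECRET / GUEST_TOKEN_JWT_AUDIENCE); example values only.
SECRET = b"constructed-example-secret-change-me"
AUDIENCE = "superset-embedded"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_guest_token(user_id: str, dashboard_uuid: str, ttl: int = 300) -> str:
    """Hypothetical HS256 minting with the claim layout from the answer
    (user.attributes, resources, rls); not Superset's create_guest_access_token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "user": {"username": "external_user", "attributes": {"user_id": user_id}},
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],
        "rls": [], "aud": AUDIENCE, "exp": int(time.time()) + ttl,
    }
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_guest_token(token: str, now=None) -> dict:
    """Check signature, audience and expiry before any attribute is trusted."""
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if payload["exp"] <= (now if now is not None else int(time.time())):
        raise ValueError("expired")
    return payload

# Matches the macro call used in the answer's dataset SQL.
_MACRO = re.compile(r'\{\{\s*get_guest_user_attribute\("([A-Za-z_]+)"\)\s*\}\}')

def render_dataset_sql(sql_template: str, payload: dict) -> str:
    """Stand-in for the Jinja macro: fill attributes from the verified token only.
    Fails closed on a missing or non-identifier value instead of rendering WHERE user_id = ''."""
    attrs = payload["user"].get("attributes", {})
    def substitute(match):
        value = attrs.get(match.group(1))
        if value is None or not re.fullmatch(r"[A-Za-z0-9_-]+", str(value)):
            raise ValueError(f"attribute {match.group(1)!r} missing or malformed")
        return str(value)
    return _MACRO.sub(substitute, sql_template)
```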
