From e54353c4da71c16d6ca1e3d3906d3bcdc8d7d7a1 Mon Sep 17 00:00:00 2001 From: lindner-tj Date: Wed, 18 Sep 2024 21:32:21 +0200 Subject: [PATCH] docs: HTML embedding of charts/dashboards without authentication (#30032) Co-authored-by: Sam Firke --- .../configuration/networking-settings.mdx | 59 ++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/docs/docs/configuration/networking-settings.mdx b/docs/docs/configuration/networking-settings.mdx index 3993c8bfc46de..611b44cf0abcb 100644 --- a/docs/docs/configuration/networking-settings.mdx +++ b/docs/docs/configuration/networking-settings.mdx @@ -1,3 +1,4 @@ + --- title: Network and Security Settings sidebar_position: 7 
@@ -24,9 +25,65 @@ The following keys in `superset_config.py` can be specified to configure CORS: ## HTTP headers Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) -Self-descried as a small Flask extension that handles setting HTTP headers that can help +Self-described as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Embedding a Public Direct Link to a Dashboard + +This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. **bypassing authentication**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML code. + +#### Changing flask-talisman CSP + +Add to `superset_config.py` the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: +```python +TALISMAN_ENABLED = True +TALISMAN_CONFIG = { + "content_security_policy": { + ... + "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"], + ... +``` +Restart Superset for this configuration change to take effect. + +#### Making a Dashboard Public + +1. Add the `'DASHBOARD_RBAC': True` [Feature Flag](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) to `superset_config.py` +2. 
Add the `Public` role to your dashboard as described [here](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards) + +#### Embedding a Public Dashboard + +Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so: + +```html + +``` +#### Embedding a Chart + +A chart's embed code can be generated by going to a chart's edit view and then clicking at the top right on `...` > `Share` > `Embed code` + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: + +```text +SUPERSET_FEATURE_EMBEDDED_SUPERSET=true +``` + ## CSRF settings Similarly, [flask-wtf](https://flask-wtf.readthedocs.io/en/0.15.x/config/) is used manage
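Review bot: the first hunk (`@@ -1,3 +1,4 @@`) inserts an empty line ahead of the opening `---` of the YAML front matter. Front-matter parsers generally require that delimiter on the very first line, so the blank line risks turning `title: Network and Security Settings` and `sidebar_position: 7` into body text instead of page metadata; drop the added blank line.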
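Review bot: in the second hunk the `html` code block under "Embedding a Public Dashboard" is empty, so the sentence "You can embed it in an iframe like so:" is followed by no example; add the `<iframe>` snippet the text promises. In "Changing flask-talisman CSP" it is worth stating that `frame-ancestors` only restricts which origins may frame Superset; it does nothing to limit who can open the public dashboard URL directly, which is why the "Making a Dashboard Public" step really does expose the dashboard and its data to anyone with the link, as the intro sentence already warns. Minor: the Python snippet leaves `TALISMAN_CONFIG` and the nested `content_security_policy` dict unclosed after the `...` placeholders; either close the braces or say explicitly that the block is abbreviated. Also, the `.env` line `SUPERSET_FEATURE_EMBEDDED_SUPERSET=true` applies to the docker-compose setup; for other deployments the equivalent is enabling the `EMBEDDED_SUPERSET` feature flag in `superset_config.py`, and the docs should say so.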