Superset Operator
- Commercial Systems
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 35 | 02 Oct 2024 | |
latest/beta | 32 | 12 Sep 2024 | |
latest/edge | 35 | 02 Oct 2024 |
juju deploy superset-k8s --channel beta
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
This guide describes the implementation of security features such as encryption, authentication and HTML sanitisation.
Terminate TLS at ingress
Superset can terminate Transport Layer Security (TLS) at the ingress by leveraging the Nginx Ingress Integrator Charm.
Deploy this by running:
juju deploy nginx-ingress-integrator --trust
Using K8s secrets
You can use a self-signed or production-grade TLS certificate stored in a Kubernetes secret. The secret is then associated with the ingress to encrypt traffic between clients and the Superset User Interface (UI).
For self-signed certificates you can do the following:
- First generate a private key using
openssl
and a certificate signing request using they key you just created. Replace<YOUR_HOSTNAME>
with an appropriate hostname such assuperset-k8s.com
:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=<YOUR_HOSTNAME>"
- You can now sign this signing request, creating your self-signed certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile <(printf "subjectAltName=DNS:<YOUR_HOSTNAME>")
- Next, add this certificate and key as a Kubernetes secret to be used by the ingress:
kubectl create secret tls superset-tls --cert=server.crt --key=server.key
- You then need to provide the name of the Kubernetes secret to the Superset charm, along with the hostname you included in the certificate:
juju config superset-k8s tls-secret-name=superset-tls
juju config superset-k8s external-hostname=<YOUR_HOSTNAME>
- Finally, relate Superset with the Nginx Ingress Integrator to create your ingress resource:
juju relate superset-k8s nginx-ingress-integrator
If you have a production-grade certificate, skip to step 3.
Validate your ingress has been created with the TLS certificates:
kubectl get ingress
kubectl describe <YOUR_INGRESS_NAME>
The ingress has the format <relation_num>-<hostname>-ingress
. The describe
command should show something similar to the below, with the Kubernetes secret you configured in TLS
:
Name: relation-201-superset-k8s-com-ingress
Labels: app.juju.is/created-by=nginx-ingress-integrator
nginx-ingress-integrator.charm.juju.is/managed-by=nginx-ingress-integrator
Namespace: superset-model
Address: <list-of-ips>
Ingress Class: nginx-ingress-controller
Default backend: <default>
TLS:
superset-tls terminates superset-k8s.com
Enable Google Oauth
Enabling Google Oauth for Charmed Superset allows users to authenticate using their Google accounts, streamlining login and increasing security.
To enable Google Oauth, you need a Google project. You can create one here.
Obtain Oauth2 credentials
If you do not already have Oauth2 credentials set up then follow the steps below:
- Navigate to https://console.cloud.google.com/apis/credentials.
- Click
+ Create Credentials
. - Select
Oauth client ID
. - Select application type (
Web application
). - Name the application.
- Add an Authorized redirect URI (
https://<host>:8088/oauth-authorized/google
). - Create and download your client ID and client secret.
Apply Oauth configuration to Superset charm
Create a file oauth.yaml
using the Oauth2 credentials you obtained from Google, following the example below and replacing the values:
superset-k8s:
google-client-id: "client_id"
google-client-secret: "client_secret"
oauth-domain: "companydomain.com"
oauth-admin-email: "user@companydomain.com"
This file can now be applied to Charmed Superset with:
juju config superset-k8s --file=path/to/oauth.yaml
Configure the self-registraton role
By default, with Google Oauth, a Superset user account is automatically created following successful authentication. This user is provided the least privileged role of Public
, this role can then be elevated in the UI or via Application Programming Interface (API) by an Admin
user.
To change the role that is applied on self-registration, simply pass the role via the configuration parameter self-registration-role
. Superset’s standard roles and their associated permissions can be found here.
juju config superset-k8s self-registration-role=Alpha
Configuring HTML sanitisation
Superset supports the sanitisation of user-generated HTML content to prevent cross-site scripting (XSS)attacks. This ensures that any embedded HTML in dashboards or reports is safely displayed without executing malicious scripts. This is enabled in Charmed Superset by default.
[note]
Charmed Superset enables by default the sanitisation of HTML content.
[\note]
Some functionality, such as the CSS capabilities provided by the Handlebars plugin, requires the ability to render HTML elements and attributes such as style
and class
.
This can be carefully extended using the html-sanitization-schema-extensions
parameter.
For example, you can enable style
and class
as shown below in sanitization-extensions.json
:
{
"attributes": {
"*": ["style","className"],
},
"tagNames": ["style"],
}
This can be applied to Charmed Superset as follows:
juju config superset-k8s html-sanititization-schema-extensions=@sanitization-extensions.json