Skip to content

feat(end-to-end-security): add superset OPA#407

Open
sweb wants to merge 3 commits into
mainfrom
feat/e2e-superset-opa
Open

feat(end-to-end-security): add superset OPA#407
sweb wants to merge 3 commits into
mainfrom
feat/e2e-superset-opa

Conversation

@sweb

@sweb sweb commented Jun 5, 2026

Copy link
Copy Markdown
Member

This extends the demo to use OPA also for Superset. The result is that you can add a new user in Keycloak, add it to a group and upon login, the user will have access to the datasets / charts / dashboards of that group.

This requires a new / adjusted dump - e.g. we shouldn't need Gamma_extended anymore as this is now handled by rego rules.

@sweb sweb force-pushed the feat/e2e-superset-opa branch 2 times, most recently from 406b26d to 6564a81 Compare July 6, 2026 09:39
@sweb sweb force-pushed the feat/e2e-superset-opa branch from 6564a81 to fe8881a Compare July 6, 2026 11:17
@sweb sweb marked this pull request as ready for review July 6, 2026 11:49
@sweb sweb force-pushed the feat/e2e-superset-opa branch from 354ab4a to b607bdd Compare July 6, 2026 11:52
@sbernauer sbernauer moved this to Development: Waiting for Review in Stackable Engineering Jul 6, 2026
"subGroups" : [ ]
} ],
"users" : [ {
"username" : "admin",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be something more specific to superset?

Suggested change
"username" : "admin",
"username" : "superset_admin",

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the admin user name is predefined by superset and as far as I suspect we need to match the user name in Keycloak - however I can give it a try to see whether we can rename it.

@@ -12,9 +12,9 @@ SET standard_conforming_strings = on;
--

CREATE ROLE postgres;
ALTER ROLE postgres WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN REPLICATION BYPASSRLS PASSWORD 'SCRAM-SHA-256$4096:XfE1S3tIVrPAwRXzqI/Ptw==$vacFUmkUUHcdejD7LOlHYax3gpEhEmObPcHVDtajYNY=:e+j2EaHndtOGxXISZsBR6Il+GViZc5R1d89AtPCRTCc=';
ALTER ROLE postgres WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN REPLICATION BYPASSRLS PASSWORD 'SCRAM-SHA-256$4096:sGx/aeHPQh2TYqDu/3VtKg==$MDwWvH8UgxEn/Nx2hZXAvw5ENCrSpXi6yRR7ZQ+QEF4=:sO4JMyhpvAYkbLKXUZLIuh6Q++k4IthhhbGarVxMVU8=';

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curious what caused this to change. I guess the time?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this is due to the postgres instance specific salt, but I don't know for sure.

@NickLarsenNZ NickLarsenNZ left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Jul 6, 2026

@sbernauer sbernauer left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Development: In Review

Development

Successfully merging this pull request may close these issues.

3 participants