This post demonstrates how to use Superset’s ROW_LEVEL_SECURITY feature to control access to data.

Enabling ROW_LEVEL_SECURITY in config file

To enable this feature, we must first add the following key to our config file and set its value to True.

from typing import Dict  # needed for the type annotation below

DEFAULT_FEATURE_FLAGS: Dict[str, bool] = {
    "ROW_LEVEL_SECURITY": True,  # <-- Add this
}

A new item, Row Level Security, is now available on the settings menu.

Sample User Data

Let's create a scenario in our system where a table associates users with video streaming services and the movie genres they like.

DROP TABLE IF EXISTS user_genre_info;

CREATE TABLE user_genre_info(
  user_name VARCHAR(45) NOT NULL,
  stream VARCHAR(45) NOT NULL,
  unikey varchar(36) NOT NULL,
  genre VARCHAR(45) NOT NULL,
  created_ts TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP(3)
  );

INSERT INTO user_genre_info(user_name,stream,unikey,genre) 
VALUES
  ('mario','netflix','6b1c5d8f-a10c-11eb-9888-0242ac110006','comedy'),
  ('diego','netflix','6b1c5d9b-a10c-11eb-9888-0242ac110006','scifi'),
  ('mario','amazon','6b1c5d9e-a10c-11eb-9888-0242ac110006','comedy'),
  ('mario','netflix','6b1c5da1-a10c-11eb-9888-0242ac110006','romantic'),
  ('diego','amazon','6b1c5da3-a10c-11eb-9888-0242ac110006','action');

SELECT * FROM user_genre_info;

For this example, our intent is to restrict access to data based on streaming service. We want a user to see either service but not both.

Create A Superset Dataset For User Table

To use this data in Superset, we must create a dataset and point it to the table created in the previous step.

Superset Dataset

Create Superset Users

For this feature, let's create a user for each streaming service.

Netflix User

Amazon User

Create A Role For Each Stream

Row level security is enforced via roles in Superset. Per our intent, let's create a role for each streaming service.

Netflix Role

Amazon Role

Create A Security Filter For Each Stream

Now that we have both a user and a role for each streaming service, the next step is to associate them using a ROW_LEVEL_SECURITY filter in Superset.

Netflix Filter

Amazon Filter

Configuration done. We are ready to test our work.
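
The effect of the two filters can be modelled outside Superset. This is an added example, not code from the original post or from Superset itself: the role names and the clauses `stream = 'netflix'` / `stream = 'amazon'` are assumptions, and an in-memory SQLite table stands in for the real database. It models Regular filters with no group key, which Superset ANDs together and applies only to users holding a role listed in the filter.

```python
import sqlite3

# Sample rows from the post (unikey and created_ts omitted for brevity).
ROWS = [
    ("mario", "netflix", "comedy"),
    ("diego", "netflix", "scifi"),
    ("mario", "amazon", "comedy"),
    ("mario", "netflix", "romantic"),
    ("diego", "amazon", "action"),
]

# Assumed role names and filter clauses (hypothetical, not taken from the post).
RLS_FILTERS = {
    "netflix_role": "stream = 'netflix'",
    "amazon_role": "stream = 'amazon'",
}


def effective_sql(roles):
    """Model of Regular, ungrouped filters: one AND-ed clause per matching role."""
    clauses = [f"({RLS_FILTERS[r]})" for r in roles if r in RLS_FILTERS]
    sql = "SELECT user_name, stream, genre FROM user_genre_info"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql


def visible_streams(roles):
    """Return (set of streams, row count) visible to a user holding `roles`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_genre_info (user_name TEXT, stream TEXT, genre TEXT)"
    )
    conn.executemany("INSERT INTO user_genre_info VALUES (?, ?, ?)", ROWS)
    rows = conn.execute(effective_sql(roles)).fetchall()
    conn.close()
    return {r[1] for r in rows}, len(rows)


if __name__ == "__main__":
    # The last two cases are the ones worth checking in a real deployment:
    # a role with dataset access but no filter, and a user holding both roles.
    for roles in (["netflix_role"], ["amazon_role"], ["Gamma"],
                  ["netflix_role", "amazon_role"]):
        print(roles, visible_streams(roles), "<-", effective_sql(roles))
```

A role that has access to the dataset but is not named in any Regular filter gets no clause and sees every row, so dataset permissions should be granted only to roles that also carry a filter.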

Create A Chart

Let's create a simple chart that returns all the records in our table.

User Genre Chart

Checking Our Work

Log in as each user previously created; notice that the data each user sees is restricted to their own streaming service.

Netflix Access

Netflix Login Access

Amazon Access

Amazon Login Access

Great job! Very powerful feature that can be leveraged to control row level access to data. Thanks for reading.