sfirke commented on code in PR #30032: URL: https://github.com/apache/superset/pull/30032#discussion_r1735238165
########## docs/docs/configuration/networking-settings.mdx: ########## @@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: + +```text +SUPERSET_FEATURE_EMBEDDED_SUPERSET=true +``` +### Embedding a Public Direct Link to a Dashboard + +This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domans to display Superset content. Then a dashbaord can be made publicly accessible, i.e. **bypassing any authentication mechanism**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML Code. Review Comment: ```suggestion This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. **bypassing authentication**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML Code. ``` ########## docs/docs/configuration/networking-settings.mdx: ########## 
@@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: + +```text +SUPERSET_FEATURE_EMBEDDED_SUPERSET=true +``` +### Embedding a Public Direct Link to a Dashboard + +This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domans to display Superset content. Then a dashbaord can be made publicly accessible, i.e. **bypassing any authentication mechanism**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML Code. + +#### Changing flask-talisman CSP + +Add to superset_config.py the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: +```python +TALISMAN_ENABLED = True +TALISMAN_CONFIG = { + "content_security_policy": { + ... + "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"], + ... +``` +****This becomes active after fully restarting Superset. For Docker this means recreating the container.**** Review Comment: ```suggestion Restart Superset for this configuration change to take effect. ``` ########## docs/docs/configuration/networking-settings.mdx: ########## 
@@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: + +```text +SUPERSET_FEATURE_EMBEDDED_SUPERSET=true +``` +### Embedding a Public Direct Link to a Dashboard + +This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domans to display Superset content. Then a dashbaord can be made publicly accessible, i.e. **bypassing any authentication mechanism**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML Code. + +#### Changing flask-talisman CSP + +Add to superset_config.py the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: +```python +TALISMAN_ENABLED = True +TALISMAN_CONFIG = { + "content_security_policy": { + ... + "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"], + ... +``` +****This becomes active after fully restarting Superset. For Docker this means recreating the container.**** +#### Making a Dashboard Public +1. Add the `'DASHBOARD_RBAC': True` [Feature Flag](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) to `superset_config.py` +2. 
Add the `Public` role to your dashboard as described [here](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards) + +#### Embedding a Public Dashboard + +Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so: + +```html +<iframe + width="600" + height="400" + seamless + frameBorder="0" + scrolling="no" + src="https://superset.my-domain.com/superset/dashboard/10/?standalone=1&height=400" +> +</iframe> +``` +#### Embedding a Chart + +Can be done simply by going to a chart's overview page and then clicking at the top right on `...` > `Share` > `Embed code` Review Comment: ```suggestion A chart's embed code can be generated by going to a chart's edit view and then clicking at the top right on `...` > `Share` > `Embed code` ``` ########## docs/docs/configuration/networking-settings.mdx: ########## @@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". Review Comment: If I follow correctly, I don't see this option on my Superset because I haven't yet enabled this Superset config feature. If that's right, could this instruction be moved below the feature flag instruction, so that users don't try this before it's possible? ########## docs/docs/configuration/networking-settings.mdx: ########## 
@@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: Review Comment: ```suggestion To enable embedding via the SDK, add the following to your Superset configuration file: ``` I'm thinking this could go in `superset_config.py` and it could be confusing to imply it has to be in the `.env`? ########## docs/docs/configuration/networking-settings.mdx: ########## @@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help Review Comment: ```suggestion Self-described as a small Flask extension that handles setting HTTP headers that can help ``` Might as well fix it while we're here ########## docs/docs/configuration/networking-settings.mdx: ########## 
@@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: + +```text +SUPERSET_FEATURE_EMBEDDED_SUPERSET=true +``` +### Embedding a Public Direct Link to a Dashboard + +This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domans to display Superset content. Then a dashbaord can be made publicly accessible, i.e. **bypassing any authentication mechanism**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML Code. + +#### Changing flask-talisman CSP + +Add to superset_config.py the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: Review Comment: ```suggestion Add to `superset_config.py` the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: ``` I love how you didn't duplicate the TALISMAN_CONFIG here, so that we don't have to keep an extra copy of it up to date! ########## docs/docs/configuration/networking-settings.mdx: ########## 
@@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: + +```text +SUPERSET_FEATURE_EMBEDDED_SUPERSET=true +``` +### Embedding a Public Direct Link to a Dashboard + +This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domans to display Superset content. Then a dashbaord can be made publicly accessible, i.e. **bypassing any authentication mechanism**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML Code. + +#### Changing flask-talisman CSP + +Add to superset_config.py the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: +```python +TALISMAN_ENABLED = True +TALISMAN_CONFIG = { + "content_security_policy": { + ... + "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"], + ... +``` +****This becomes active after fully restarting Superset. For Docker this means recreating the container.**** +#### Making a Dashboard Public Review Comment: Something weird is happening with the markdown formatting here, the #### isn't rendering like it does above, the "as" in the "Add the public role ..." line looks odd. 
Maybe the **** breaks the subsequent formatting? ########## docs/docs/configuration/networking-settings.mdx: ########## 
@@ -27,6 +28,59 @@ Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-descried as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. + +## HTML Embedding of Dashboards and Charts + +There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. + +### Enabling Embedding via the SDK + +Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". + +To enable this entry, add the following line to the `.env` file: + +```text +SUPERSET_FEATURE_EMBEDDED_SUPERSET=true +``` +### Embedding a Public Direct Link to a Dashboard + +This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domans to display Superset content. Then a dashbaord can be made publicly accessible, i.e. **bypassing any authentication mechanism**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML Code. + +#### Changing flask-talisman CSP + +Add to superset_config.py the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: +```python +TALISMAN_ENABLED = True +TALISMAN_CONFIG = { + "content_security_policy": { + ... + "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"], + ... +``` +****This becomes active after fully restarting Superset. For Docker this means recreating the container.**** +#### Making a Dashboard Public +1. Add the `'DASHBOARD_RBAC': True` [Feature Flag](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) to `superset_config.py` +2. 
Add the `Public` role to your dashboard as described [here](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards) + +#### Embedding a Public Dashboard + +Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so: + +```html +<iframe + width="600" + height="400" + seamless + frameBorder="0" + scrolling="no" + src="https://superset.my-domain.com/superset/dashboard/10/?standalone=1&height=400" +> +</iframe> +``` +#### Embedding a Chart + +Can be done simply by going to a chart's overview page and then clicking at the top right on `...` > `Share` > `Embed code` Review Comment: Maybe the formatting problem is a quotation mark, see how the color changes to blue after chart' -- This is an automated message from the Apache Git Service.
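Review bot: the `frame-ancestors` example under "Changing flask-talisman CSP" uses scheme-less wildcard sources (`"*.my-domain.com"`, `"*.another-domain.com"`), which allows every subdomain of those domains to frame Superset and does not match the bare domain itself. Because this section leads straight into making a dashboard public, the example would be a safer model if it listed the exact embedding origins with their scheme, for instance `"frame-ancestors": ["https://app.my-domain.com"]` (placeholder host), with one sentence saying that a wildcard belongs there only when every subdomain is trusted to host the iframe.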
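Review bot: the "Embedding a Public Direct Link to a Dashboard" section presents the CSP change and the `Public` role as consecutive steps, but never says that `frame-ancestors` only decides which sites may frame Superset and does nothing to limit who can open the dashboard URL directly. The sentence "Now anybody can directly access the dashboard's URL" arrives only after both steps; consider moving that warning ahead of "Making a Dashboard Public" and adding that the dashboard's data is readable without login regardless of what the `frame-ancestors` list contains.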
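Review bot: the `<iframe>` sample under "Embedding a Public Dashboard" relies on `seamless`, `frameBorder="0"` and `scrolling="no"`, which are obsolete in current HTML, and it has no `title` attribute. Since readers will copy this snippet verbatim, suggest dropping those three attributes in favour of CSS on the embedding page and adding a `title`, and noting that the host in `src` must be served from an origin the embedding page is allowed to frame under the `frame-ancestors` list configured above.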
