Configure LDAP and Local User Login on Superset
In this short introduction, I will demonstrate how to integrate LDAP login into Superset without disabling local user login.
Superset is one of the best open-source data exploration and visualization platforms. Integrating LDAP users can ease Superset administration by simplifying account management.
Superset version: 2.1.0
Integrating LDAP to Superset
Superset is developed with the Python Flask library. As mentioned in the Superset documentation: “All the parameters and default values defined in https://github.com/apache/superset/blob/master/superset/config.py can be altered in your local superset_config.py […] Since superset_config.py acts as a Flask configuration module, it can be used to alter the settings Flask itself”.
So, to configure Superset, we must first create a Python file (superset_config.py), add it to PYTHONPATH, and set the following LDAP configuration variables given in the Flask documentation.
superset_config.py (just for LDAP integration):
from flask_appbuilder.security.manager import AUTH_DB, AUTH_LDAP

AUTH_TYPE = AUTH_LDAP
# Create a Superset account on first LDAP login and give it this role
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
# ldaps:// is TLS from the start of the connection, so StartTLS (AUTH_LDAP_USE_TLS) stays off
AUTH_LDAP_SERVER = "ldaps://server.yourdomain.com:636"
AUTH_LDAP_USE_TLS = False
# Raw string: the backslash escapes the comma inside the CN value of the DN
AUTH_LDAP_BIND_USER = r"CN=Surname\, Name,OU=ouSystemAccounts,DC=yourdomain,DC=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_SEARCH = "DC=your_domain,DC=com,DC=tr"
AUTH_LDAP_UID_FIELD = "sAMAccountName"
# True accepts LDAP server certificates that fail validation (e.g. self-signed)
AUTH_LDAP_ALLOW_SELF_SIGNED = True
AUTH_LDAP_APPEND_DOMAIN = False
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"

As stated in the Flask documentation, LDAP authentication requires the python-ldap package.
On Ubuntu, you can install it via:
apt update && apt install libldap2-dev
pip install python-ldap
This should enable LDAP integration on Superset.
Enabling Local Users Along With LDAP
By default, activating LDAP login deactivates login for local users stored in the database. To re-enable local user login, we need to create a custom security manager class that extends SupersetSecurityManager, as stated in the Superset documentation. That example is for OAuth2 configuration, but we can use the same approach for LDAP. Let’s see how. In the Flask source code, in the BaseSecurityManager class (which SupersetSecurityManager extends), we can see that to customize LDAP authentication we must override the AuthLDAPView class and assign the replacement to the “authldapview” attribute. The AuthLDAPView class is located in the views.py file, and there we can see that only LDAP login is authorized. So we have to write a new view and use it in place of the original.
First, create a Python file, “custom_security_manager.py”. Then write a class that extends AuthLDAPView. After that, we will add it to our custom security manager.
custom_security_manager.py :
from superset.security import SupersetSecurityManager
from flask_appbuilder.security.views import AuthLDAPView
from flask_appbuilder.security.views import expose
from flask import g, redirect, flash
from flask_appbuilder.security.forms import LoginForm_db
from flask_login import login_user
from flask_appbuilder._compat import as_unicode


class AuthLocalAndLDAPView(AuthLDAPView):
    @expose("/login/", methods=["GET", "POST"])
    def login(self):
        # Already logged in: go straight to the index page
        if g.user is not None and g.user.is_authenticated:
            return redirect(self.appbuilder.get_url_for_index)
        form = LoginForm_db()
        if form.validate_on_submit():
            # Try the directory first
            user = self.appbuilder.sm.auth_user_ldap(
                form.username.data, form.password.data
            )
            # LDAP did not authenticate the user: fall back to the local database
            if not user:
                user = self.appbuilder.sm.auth_user_db(
                    form.username.data, form.password.data
                )
            if user:
                login_user(user, remember=False)
                return redirect(self.appbuilder.get_url_for_index)
            else:
                # Same message whichever backend rejected the credentials
                flash(as_unicode(self.invalid_login_message), "warning")
                return redirect(self.appbuilder.get_url_for_login)
        return self.render_template(
            self.login_template, title=self.title, form=form, appbuilder=self.appbuilder
        )


class CustomSecurityManager(SupersetSecurityManager):
    # Replace the stock LDAP login view with the combined one
    authldapview = AuthLocalAndLDAPView

    def __init__(self, appbuilder):
        super(CustomSecurityManager, self).__init__(appbuilder)

Now we will import the CustomSecurityManager class into the “superset_config.py” file and use it as the default security manager.
superset_config.py:
import os
from superset.security import SupersetSecurityManager
from flask_appbuilder.security.manager import AUTH_DB, AUTH_LDAP
from custom_security_manager import CustomSecurityManager

AUTH_TYPE = AUTH_LDAP
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
AUTH_LDAP_SERVER = "ldaps://server.yourdomain.com:636"
AUTH_LDAP_USE_TLS = False
# Raw string keeps the escaped comma in the DN intact
AUTH_LDAP_BIND_USER = r"CN=Surname\, Name,OU=ouSystemAccounts,DC=yourdomain,DC=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_SEARCH = "DC=your_domain,DC=com,DC=tr"
AUTH_LDAP_UID_FIELD = "sAMAccountName"
AUTH_LDAP_ALLOW_SELF_SIGNED = True
AUTH_LDAP_APPEND_DOMAIN = False
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"
# Use the security manager that tries LDAP first, then local users
CUSTOM_SECURITY_MANAGER = CustomSecurityManager
Add both files to PYTHONPATH and you are good to go.
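Before deploying a superset_config.py like the one above, it is worth checking its LDAP settings for the choices that weaken the connection to the directory. The following is an added example, not part of the original post or of Superset: a small standard-library linter whose finding names and sample text are constructed here, using only setting names that appear on this page.

```python
import ast

# Constructed sample: a subset of the LDAP settings shown on this page.
SAMPLE_CONFIG = '''
AUTH_LDAP_SERVER = "ldaps://server.yourdomain.com:636"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_ALLOW_SELF_SIGNED = True
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
'''


def literal_settings(source):
    """Map NAME -> value for top-level `NAME = <literal>` assignments."""
    settings = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value such as os.environ[...]: not a literal
    return settings


def audit(source):
    """Return a sorted list of finding codes for risky LDAP settings."""
    cfg = literal_settings(source)
    findings = []
    server = str(cfg.get("AUTH_LDAP_SERVER", ""))
    if server.startswith("ldap://") and not cfg.get("AUTH_LDAP_USE_TLS"):
        findings.append("cleartext-ldap")  # bind and user passwords unencrypted
    if cfg.get("AUTH_LDAP_ALLOW_SELF_SIGNED"):
        findings.append("cert-not-verified")  # invalid server certs accepted
    if isinstance(cfg.get("AUTH_LDAP_BIND_PASSWORD"), str):
        findings.append("hardcoded-bind-password")  # secret lives in the file
    if (cfg.get("AUTH_USER_REGISTRATION")
            and cfg.get("AUTH_USER_REGISTRATION_ROLE") not in ("Public", None)):
        findings.append("non-public-default-role")  # every new LDAP user gets it
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(SAMPLE_CONFIG):
        print(code)
```

A bind password read from the environment is not a literal, so it does not trigger the hard-coded password finding.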
Allowing REST API login
If you use API login to Superset (for iframe usage, for example), enabling LDAP login will disable it. The Flask documentation describes a parameter that activates REST API login. Just add the following parameter to superset_config.py to enable it.
AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS = True
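With this parameter set, an API client chooses the backend through the `provider` field of the login payload. The following is an added example, not code from the original post: a standard-library client for Superset's `/api/v1/security/login` endpoint, where the host name and account names used with it are placeholders.

```python
import json
import urllib.request

# Values accepted in the "provider" field of the login payload.
PROVIDERS = ("db", "ldap")


def build_login_request(base_url, username, password, provider):
    """Build (without sending) the POST for /api/v1/security/login."""
    if provider not in PROVIDERS:
        raise ValueError(f"provider must be one of {PROVIDERS}")
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    body = json.dumps({
        "username": username,
        "password": password,
        "provider": provider,  # "db" = local Superset user, "ldap" = directory user
        "refresh": True,       # also ask for a refresh token
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/security/login",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def login(base_url, username, password, provider, timeout=10):
    """Send the login request and return the access token from the response."""
    req = build_login_request(base_url, username, password, provider)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]
```

A local service account would call `login(..., provider="db")`, while a directory user passes `provider="ldap"`.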
Note:
- If you run Superset on Docker, you can refer to this documentation to add superset_config to your directory.