Superset用户集成方案2
superset 认证分析
superset基于flask-appbuilder开发,security基于flask_appbuilder.security,翻阅其代码,
找到入口: superset/__init__.py:
custom_sm = app.config.get('CUSTOM_SECURITY_MANAGER') or SupersetSecurityManager if not issubclass(custom_sm, SupersetSecurityManager): raise Exception( """Your CUSTOM_SECURITY_MANAGER must now extend SupersetSecurityManager, not FAB's security manager. See [4565] in UPDATING.md""") appbuilder = AppBuilder( app, db.session, base_template='superset/base.html', indexview=MyIndexView, security_manager_class=custom_sm, update_perms=get_update_perms_flag(), ) security_manager = appbuilder.sm
默认使用SupersetSecurityManager,继承自SecurityManager:
class SupersetSecurityManager(SecurityManager): def get_schema_perm(self, database, schema): if schema: return '[{}].[{}]'.format(database, schema) def can_access(self, permission_name, view_name): """Protecting from has_access failing from missing perms/view""" user = g.user if user.is_anonymous: return self.is_item_public(permission_name, view_name) return self._has_view_access(user, permission_name, view_name) ...
我们再来看SecurityManager及父类,发现,登录是通过auth_view来控制的,默认是AUTH_DB,也就是AuthDBView。
""" Override if you want your own Authentication LDAP view """ authdbview = AuthDBView if self.auth_type == AUTH_DB: self.user_view = self.userdbmodelview self.auth_view = self.authdbview() @property def get_url_for_login(self): return url_for('%s.%s' % (self.sm.auth_view.endpoint, 'login'))
再来看authdbview:
class AuthDBView(AuthView): login_template = 'appbuilder/general/security/login_db.html' @expose('/login/', methods=['GET', 'POST']) def login(self): if g.user is not None and g.user.is_authenticated: return redirect(self.appbuilder.get_url_for_index) form = LoginForm_db() if form.validate_on_submit(): user = self.appbuilder.sm.auth_user_db(form.username.data, form.password.data) if not user: flash(as_unicode(self.invalid_login_message), 'warning') return redirect(self.appbuilder.get_url_for_login) login_user(user, remember=False) return redirect(self.appbuilder.get_url_for_index) return self.render_template(self.login_template, title=self.title, form=form, appbuilder=self.appbuilder)
对外提供'/login/'接口,读取HTTP POST里的用户名,密码,然后调用auth_user_db验证,验证通过调用login_user生成认证信息。
因此,我们可以自定义AuthDBView,改为从我们自己的应用认证即可。
使用jwt来验证superset
自定义CustomAuthDBView,继承自AuthDBView,登录时可以通过cookie或者url参数传入jwt token,然后验证通过的话,自动登录,。
import jwt import json class CustomAuthDBView(AuthDBView): login_template = 'appbuilder/general/security/login_db.html' @expose('/login/', methods=['GET', 'POST']) def login(self): token = request.args.get('token') if not token: token = request.cookies.get('access_token') if token is not None: jwt_payload = jwt.decode(token,'secret',algorithms=['RS256']) user_name = jwt_payload.get("user_name") user = self.appbuilder.sm.find_user(username=user_name) if not user: role_admin = self.appbuilder.sm.find_role('Admin') user = self.appbuilder.sm.add_user(user_name, user_name, 'aimind', user_name + "@aimind.com", role_admin, password = "aimind" + user_name) if user: login_user(user, remember=False) redirect_url = request.args.get('redirect') if not redirect_url: redirect_url = self.appbuilder.get_url_for_index return redirect(redirect_url) else: return super(CustomAuthDBView,self).login() else: flash('Unable to auto login', 'warning') return super(CustomAuthDBView,self).login()
如果用户不存在,通过self.appbuilder.sm.add_user自动添加用户。
然后再引入这个CustomAuthDBView,
class CustomSecurityManager(SupersetSecurityManager): authdbview = CustomAuthDBView
最后,再引入这个CustomSecurityManager,在superset_config.py 里增加:
from aimind_security import CustomSecurityManager CUSTOM_SECURITY_MANAGER = CustomSecurityManager
在应用里集成superset
集成就简单了,访问,'SUPER_SET_URL/login/?token=jwt_token' 即可,可以通过iframe无缝集成。
转载于:https://www.cnblogs.com/xiaoqi/p/intergate-superset.html
