Spike: Investigate Apache Superset Permissions

[bmtcril]

Superset is currently a front-runner as an open source reporting and visualization tool to replace the Insights front end. One point of concern is that it may not adequately handle the permissions needed for multi-tenancy on a single Open edX install. We would like to get clarity on this issue and any possible related configuration challenges early on in our investigations.

References: https://superset.apache.org/docs/security/ https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration

Acceptance Criteria:

Document each of the following steps as you go

• [x] Stand up Superset in a development environment (preferably in a Tutor environment)
• [x] Connect Superset's OAuth to LMS, documenting what was needed
• [x] Connect Superset to the LMS MySQL database for testing purposes and generate a basic dashboard tracking enrollments by course, create additional test courses and test users as instructors as necessary
• [x] Connect LMS permissions for instructors, and staff to Superset such that...
• [x] You can SSO into Superset using the LMS as any of the instructor users and see only courses that you are an instructor on
• [x] You cannot SSO into Superset as a learner with no instructor roles
• [x] Staff users can see all courses
• [x] Publish your results and notes here: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3447193740/Discovery+and+Design and link back to this ticket

[pomegranited]

assign me

[pomegranited]

WIP document: Investigate Apache Superset Permissions

[pomegranited]

@bmtcril I've finished the document Investigate Apache Superset Permissions, and moved my code customizations to https://github.com/open-craft/superset/pull/1 to make them easier to use and discuss.

However, I hit a caching issue -- we'd need to customize the caching system to handle course-based data too, which will affect performance.

You cannot SSO into Superset as a learner with no instructor roles

I neglected to implement this part -- but I did make it so that users with no instructor roles can't see any enrollment data.

What do you think? Is this enough work for this investigation, or should I continue trying to sort out these remaining issues?

[pomegranited]

@bmtcril From our meeting today, I'm increasing the scope here to include:

• add custom user-based caching
• create Tutor plugin for Superset w SSO integration

And I'll include "You cannot SSO into Superset as a learner with no instructor roles" in this work as well.

[pomegranited]

@bmtcril

• add custom user-based caching

Good news! We don't have to write custom user-based caching: we just have to use the current_username() macro in our query, which by default, includes the current username in the cache key! ref https://github.com/apache/superset/issues/6092#issuecomment-559828355

See https://github.com/open-craft/superset/pull/1/commits/ecfa2498302248d53a7a73d4d4e3c1b90b03e380 for the fix and doc change.

• You cannot SSO into Superset as a learner with no instructor roles

Supported this requirement with https://github.com/open-craft/superset/pull/1/commits/e8b13471052e628baa0f96b1b45fa2a483fbd56e

So all I need to do now is package this for Tutor :)

[bmtcril]

Fantastic news! Thanks for digging into this. I'm not sure how much Tutor plugin work you've done, but I found the docs at the Cookiecutter to be helpful. It may help to look at my Clickhouse plugin for reference as well.

[pomegranited]

This is my first Tutor plugin, so those references are very useful, thank you @bmtcril !

I've started this, but haven't finished it yet: https://github.com/open-craft/tutor-contrib-superset/pull/1

[pomegranited]

Hey @bmtcril , I've got a working Tutor plugin for Superset!

Wanna try it out/review my PR? https://github.com/open-craft/tutor-contrib-superset/pull/1

[pomegranited]

Merged https://github.com/open-craft/tutor-contrib-superset/pull/1, so we're done here :) FYI @bmtcril