Spike: Investigate Apache Superset Permissions

[bmtcril]

Superset is currently a front-runner as an open source reporting and visualization tool to replace the Insights front end. One point of concern is that it may not adequately handle the permissions needed for multi-tenancy on a single Open edX install. We would like to get clarity on this issue and any possible related configuration challenges early on in our investigations.

References:
https://superset.apache.org/docs/security/
https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration

Acceptance Criteria:

Document each of the following steps as you go

• Stand up Superset in a development environment (preferably in a Tutor environment)
• Connect Superset's OAuth to LMS, documenting what was needed
• Connect Superset to the LMS MySQL database for testing purposes and generate a basic dashboard tracking enrollments by course, create additional test courses and test users as instructors as necessary
• Connect LMS permissions for instructors, and staff to Superset such that...
• You can SSO into Superset using the LMS as any of the instructor users and see only courses that you are an instructor on
• You cannot SSO into Superset as a learner with no instructor roles
• Staff users can see all courses
• Publish your results and notes here: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3447193740/Discovery+and+Design and link back to this ticket

[pomegranited]

assign me

[pomegranited]

WIP document: Investigate Apache Superset Permissions

[pomegranited]

@bmtcril I've finished the document Investigate Apache Superset Permissions, and moved my code customizations to open-craft/superset#1 to make them easier to use and discuss.

However, I hit a caching issue -- we'd need to customize the caching system to handle course-based data too, which will affect performance.

You cannot SSO into Superset as a learner with no instructor roles

I neglected to implement this part -- but I did make it so that users with no instructor roles can't see any enrollment data.

What do you think? Is this enough work for this investigation, or should I continue trying to sort out these remaining issues?

[pomegranited]

@bmtcril From our meeting today, I'm increasing the scope here to include:

• add custom user-based caching
• create Tutor plugin for Superset w SSO integration

And I'll include "You cannot SSO into Superset as a learner with no instructor roles" in this work as well.

[pomegranited]

@bmtcril

• add custom user-based caching

Good news! We don't have to write custom user-based caching: we just have to use the current_username() macro in our query, which by default, includes the current username in the cache key! ref apache/superset#6092 (comment)

See open-craft/superset@ecfa249 for the fix and doc change.

• You cannot SSO into Superset as a learner with no instructor roles

Supported this requirement with open-craft/superset@e8b1347

So all I need to do now is package this for Tutor :)

[bmtcril]

Fantastic news! Thanks for digging into this. I'm not sure how much Tutor plugin work you've done, but I found the docs at the Cookiecutter to be helpful. It may help to look at my Clickhouse plugin for reference as well.

[pomegranited]

This is my first Tutor plugin, so those references are very useful, thank you @bmtcril !

I've started this, but haven't finished it yet: openedx-unsupported/tutor-contrib-superset#1

[pomegranited]

Hey @bmtcril , I've got a working Tutor plugin for Superset!

Wanna try it out/review my PR? openedx-unsupported/tutor-contrib-superset#1

[pomegranited]

Merged openedx-unsupported/tutor-contrib-superset#1, so we're done here :) FYI @bmtcril