GitHub user dosubot[bot] added a comment to the discussion: How to securely embed individual filtered charts without dashboards in Superset 5.x?
Hi @fti-pdaspute! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

You're correct that this is an intentional security change. In Superset 5.x, [guest tokens are designed exclusively for dashboards](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/guest_token.py#L31-L32) - the `GuestTokenResourceType` enum only defines `DASHBOARD` as a valid resource type.

Here are your options:

**Option 1: Wrap charts in single-chart dashboards (recommended for security)**

Since guest tokens work with dashboards, create minimal dashboards containing only the chart you want to embed. This is the most mature approach and supports:

- [Row-Level Security (RLS) rules](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/guest_token.py#L48-L53) for per-user filtering
- [Automatic token expiration](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L1819)
- Fine-grained access control

Generate tokens via `POST /api/v1/security/guest_token/` and embed using the [Superset Embedded SDK](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/dashboards/api.py#L1593-L1759).

**Option 2: Use PUBLIC_ROLE for anonymous access (simpler but less secure)**

Configure the [built-in Public role](https://github.com/apache/superset/pull/36548) for anonymous access:

```python
AUTH_ROLE_PUBLIC = "Public"
PUBLIC_ROLE_LIKE = "Public"
```

Then grant the Public role access to specific datasets. Your existing chart permalinks (`/superset/explore/p/<key>`) will work, but all anonymous users get the same permissions with no RLS support.

**Option 3: New chart permalink guest tokens (newest feature)**

[A recent PR introduced chart permalinks with guest token authentication](https://github.com/apache/superset/pull/36933) via the `EMBEDDABLE_CHARTS` feature flag. This creates TTL-based permalinks with guest tokens specifically for charts. Enable with:

```python
FEATURE_FLAGS = {
    "EMBEDDABLE_CHARTS": True,
    "EMBEDDED_SUPERSET": True
}
```

**Regarding `/api/v1/chart/data`:** This [works with guest tokens but only for charts embedded within dashboards](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L2334-L2404) - you can't use it for standalone individual charts with guest tokens.

For your use case (dynamic per-user filters without login), I'd recommend **Option 1** with RLS rules, or explore **Option 3** if you want direct chart embedding.
GitHub link: https://github.com/apache/superset/discussions/38034#discussioncomment-15839278
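The following is an added example, not code from dosubot, the discussion author or the Superset project. It shows Option 1 end to end from the embedding backend's side: building the `POST /api/v1/security/guest_token/` body for a single-chart dashboard with an RLS clause that pins one viewer to one tenant, refusing tenant ids that would let user input reach the SQL clause, and reading the token's `exp` claim so the page can refresh before the automatic expiry. The dashboard embed UUID, dataset id, tenant id format and the unsigned sample token are constructed assumptions; `fetch_guest_token` performs the real network call and needs a service-account bearer token from `POST /api/v1/security/login`.

```python
import base64
import json
import re
import time
import urllib.request

# Hypothetical values: the embedded-dashboard UUID shown in the dashboard's
# "Embed" dialog, and the numeric id of the dataset the single chart reads.
DASHBOARD_EMBED_UUID = "00000000-0000-4000-8000-000000000000"
DATASET_ID = 42

# Tenant ids are assumed to be short alphanumeric tokens. The RLS clause is raw
# SQL that Superset appends to the dataset's WHERE clause, so the embedding
# backend must build it only from values it trusts, never from the viewer's request.
TENANT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_guest_token_request(username, tenant_id,
                              dashboard_uuid=DASHBOARD_EMBED_UUID, dataset_id=DATASET_ID):
    """Body for POST /api/v1/security/guest_token/ scoping one viewer to one tenant."""
    if not TENANT_ID_RE.fullmatch(tenant_id):
        raise ValueError(f"refusing to build an RLS clause for tenant id {tenant_id!r}")
    return {
        "user": {"username": username, "first_name": "Embedded", "last_name": "Viewer"},
        # In 5.x the only accepted resource type is "dashboard", hence the wrapper dashboard.
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],
        "rls": [{"dataset": dataset_id, "clause": f"tenant_id = '{tenant_id}'"}],
    }


def fetch_guest_token(base_url, access_token, body, csrf_token=None):
    """Exchange a service-account bearer token (from POST /api/v1/security/login)
    for a guest token. Real network call; not exercised by the offline demo below."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    if csrf_token:  # some deployments also require the CSRF header on this POST
        headers["X-CSRFToken"] = csrf_token
    req = urllib.request.Request(f"{base_url}/api/v1/security/guest_token/",
                                 data=json.dumps(body).encode(), headers=headers,
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unverified_claims(token):
    """Read a JWT payload without checking the signature. Superset verifies the
    signature server-side with GUEST_TOKEN_JWT_SECRET; the embedding page only
    needs `exp` to schedule a refresh and must not treat the claims as authoritative."""
    _header, payload, _sig = token.split(".")
    return json.loads(_unb64url(payload))


def seconds_until_expiry(token, now=None):
    now = time.time() if now is None else now
    return unverified_claims(token)["exp"] - now


def constructed_sample_token(body, issued_at, ttl_seconds=300):
    """Build an UNSIGNED look-alike token so the helpers above run offline.
    Superset issues signed tokens whose lifetime follows GUEST_TOKEN_JWT_EXP_SECONDS
    (300 s by default); this one carries a dummy signature and would fail verification."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"user": body["user"], "resources": body["resources"],
              "rls_rules": body["rls"], "iat": issued_at,
              "exp": issued_at + ttl_seconds, "type": "guest"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "not-a-signature"])


if __name__ == "__main__":
    body = build_guest_token_request("viewer-123", "acme")
    print(json.dumps(body, indent=2))
    token = constructed_sample_token(body, issued_at=1_700_000_000)
    print("refresh in", seconds_until_expiry(token, now=1_700_000_000 + 240), "s")
    try:
        build_guest_token_request("viewer-123", "acme' OR '1'='1")
    except ValueError as err:
        print("rejected:", err)
```

The tenant id check is the security-relevant part: because the `clause` is interpolated into SQL by Superset, anything the viewer can influence must be validated or looked up server-side before it is placed in the request, and the guest token itself must only ever be minted by the backend, never by the browser.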
