GitHub user ypandey-fluidata created a discussion: Apache Superset 6.0: Migration from Iframe Embedding to the Embedded SDK (@superset-ui/embedded-sdk)
**Context & Current State**

We are currently migrating from Standard Iframe Embedding to the @superset-ui/embedded-sdk.

- Current Issue: Our current iframe implementation relies on the Public role. When we restrict Public role permissions to secure the instance, the embedded dashboard fails to load because the iframe lacks a valid authentication context.
- Goal: Fully transition to SDK-based embedding to leverage Guest Tokens and Row Level Security (RLS). This will allow us to move toward a "Zero-Trust" model by reducing the Public and Gamma roles to the absolute minimum metadata permissions required for initialization.

**Environment**

- Superset Version: 6.0
- Embedding Method: @superset-ui/embedded-sdk

**Questions for Discussion**

1. Role Selection Strategy: For SDK-based embedding, is it considered best practice to inherit from the Gamma role or the Public role? We want to ensure that the "Guest User" has enough permissions to see the dashboard but zero permissions to browse the Superset internal UI.
2. Gamma vs. Custom Role: Should we use the default Gamma role as the base for our Guest Tokens, or is it recommended to create a dedicated "Custom Embedded" role with even more granular restrictions?
3. Minimum Permission Set: What is the "Minimum Viable Permission" list for the Public role to allow the SDK to bootstrap the guest session without exposing data to unauthenticated users?
4. Session Interference: Have others encountered "Session Bleed," where an active Admin session in the same browser interferes with the Guest Token permissions within the embedded SDK view? If so, what are the recommended cookie/SameSite configurations to prevent this?

GitHub link: https://github.com/apache/superset/discussions/38461
