Superset
Apache Superset is the SQL and dashboard layer for tenant users. It provides SQL Lab for interactive queries, a chart builder, and shareable dashboards. All queries are routed through Trino and enforced by Ranger.
Components
| Component | Description |
|---|---|
| Superset node | The web server — serves the UI and API. Horizontally scalable (configurable replica count). |
| Superset worker | Celery worker for async query execution, chart caching, and scheduled reports. Horizontally scalable. |
| PostgreSQL | Backing database for Superset's metadata — datasets, charts, dashboards, user preferences (via KubeBlocks). |
Authentication
Superset uses Keycloak OIDC. On login, Keycloak realm roles are mapped to Superset roles:
| Keycloak Realm Role | Superset Client Role | Superset Role |
|---|---|---|
| platform_admin | dashboard_admin, sql_editor_user, dashboard_editor | Admin |
| tenant_admin | dashboard_admin | Admin |
| data_engineer | sql_editor_user, dashboard_editor | Op |
| data_analyst | sql_editor_user, dashboard_editor | Op |
| data_steward | sql_editor_user, dashboard_editor | Op |
| ml_engineer | sql_editor_user | Op |
| business_user | dashboard_viewer | Viewer |
The Superset role controls feature access (who can edit charts and run SQL). The Ranger policy controls data access (what data can be queried). Both must allow an operation for a query to succeed.
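The mapping table above as a fail-closed lookup, written as an added example (not the platform's own code). It assumes the token signature has already been verified, that realm roles arrive in Keycloak's default `realm_access.roles` claim, and that the most privileged role wins when a user holds several; `resolve_roles`, `REALM_ROLE_MAP` and `PRECEDENCE` are hypothetical names.

```python
# Added example: table-driven role resolution for decoded OIDC token claims.
# Each realm role maps to (Superset client roles, Superset role), as in the table.
REALM_ROLE_MAP = {
    "platform_admin": ({"dashboard_admin", "sql_editor_user", "dashboard_editor"}, "Admin"),
    "tenant_admin": ({"dashboard_admin"}, "Admin"),
    "data_engineer": ({"sql_editor_user", "dashboard_editor"}, "Op"),
    "data_analyst": ({"sql_editor_user", "dashboard_editor"}, "Op"),
    "data_steward": ({"sql_editor_user", "dashboard_editor"}, "Op"),
    "ml_engineer": ({"sql_editor_user"}, "Op"),
    "business_user": ({"dashboard_viewer"}, "Viewer"),
}

# Assumption: with several realm roles, the most privileged Superset role wins.
PRECEDENCE = ["Viewer", "Op", "Admin"]


def resolve_roles(claims):
    """Return (superset_role, client_roles) for already-verified token claims.

    Returns (None, set()) when no mapped realm role is present, so the caller
    can refuse the login instead of falling back to a default role.
    """
    realm_access = claims.get("realm_access")
    roles = realm_access.get("roles") if isinstance(realm_access, dict) else None
    if not isinstance(roles, list):
        # A missing or malformed claim grants nothing. A bare string is rejected
        # too, otherwise iterating it would walk its characters.
        return None, set()

    best, client_roles = None, set()
    for role in roles:
        entry = REALM_ROLE_MAP.get(role) if isinstance(role, str) else None
        if entry is None:
            continue  # unmapped roles (e.g. offline_access) grant nothing
        granted, superset_role = entry
        client_roles |= granted
        if best is None or PRECEDENCE.index(superset_role) > PRECEDENCE.index(best):
            best = superset_role
    return best, client_roles


# Constructed sample claims, not taken from a real token.
SAMPLE_CLAIMS = {"realm_access": {"roles": ["business_user", "data_analyst", "offline_access"]}}
```

The result covers only the Superset feature-access half of the check; a query from the resolved user still has to pass the Ranger data policy.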
Trino Datasource
Superset connects to Trino via Trino Gateway. The connection uses JWT authentication — Superset propagates the authenticated user's token to Trino so Ranger can enforce per-user data policies.
S3
The Superset worker has IRSA access to the workspace S3 bucket for chart screenshot caching. A custom Superset logo can also be supplied by uploading an image to a configurable S3 key in the workspace bucket and restarting the pods.
Go Deeper
- Trino — the query engine Superset dispatches SQL to
- Ranger — enforces data access policies on every Superset query
- SQL Auth: Superset, Trino & Ranger — full auth and enforcement flow
- Data Access Management — managing who can query what