Skip to main content

Superset

Apache Superset is the SQL and dashboard layer for tenant users. It provides SQL Lab for interactive queries, a chart builder, and shareable dashboards. All queries are routed through Trino and enforced by Ranger.

Components

ComponentDescription
Superset nodeThe web server — serves the UI and API. Horizontally scalable (configurable replica count).
Superset workerCelery worker for async query execution, chart caching, and scheduled reports. Horizontally scalable.
PostgreSQLBacking database for Superset's metadata — datasets, charts, dashboards, user preferences (via KubeBlocks).

Authentication

Superset uses Keycloak OIDC. On login, Keycloak realm roles are mapped to Superset roles:

Keycloak Realm RoleSuperset Client RoleSuperset Role
platform_admindashboard_admin, sql_editor_user, dashboard_editorAdmin
tenant_admindashboard_adminAdmin
data_engineersql_editor_user, dashboard_editorOp
data_analystsql_editor_user, dashboard_editorOp
data_stewardsql_editor_user, dashboard_editorOp
ml_engineersql_editor_userOp
business_userdashboard_viewerViewer

Superset role controls feature access (who can edit charts, run SQL). Ranger policy controls data access (what data can be queried). Both must allow an operation for a query to succeed.

Trino Datasource

Superset connects to Trino via Trino Gateway. The connection uses JWT authentication — Superset propagates the authenticated user's token to Trino so Ranger can enforce per-user data policies.

S3

The Superset worker has IRSA access to the workspace S3 bucket for chart screenshot caching. A custom Superset logo can also be supplied by uploading an image to a configurable S3 key in the workspace bucket and restarting the pods.

Go Deeper