Implements a comprehensive security system for Superset extensions:

Backend:
- Add EXTENSIONS_TRUST_CONFIG to superset_config.py for admin control
- Create ExtensionSecurityManager for trust validation and signature verification
- Support Ed25519 signatures for extension manifests
- Integrate trust validation into extension loading pipeline

CLI:
- Add `generate-keys` command for creating Ed25519 signing keypairs
- Add `sign` command and `--sign` option to `bundle` for manifest signing

Frontend:
- Add WASM support to webpack config for QuickJS sandbox
- Update Extension interface with trust-related fields
- ExtensionsManager now uses backend-validated trust levels

Documentation:
- Add Administrator Configuration guide for trust settings
- Add Extension Signing guide for developers
- Update security.md and sandbox.md with cross-references
- Add Security subcategory to sidebar

Tests:
- Add 21 unit tests for trust validation and signature verification

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
title: Security
sidebar_position: 9
---
Security
By default, extensions are disabled and must be explicitly enabled by setting the ENABLE_EXTENSIONS feature flag. Built-in extensions are included as part of the Superset codebase and are held to the same security standards and review processes as the rest of the application.
Extension Sandboxing
Superset provides a tiered sandbox architecture for running extensions with varying levels of trust and isolation. Extensions can declare their trust level and permissions in their manifest, and Superset will load them in the appropriate sandbox:
- Core (Tier 1): Trusted extensions run in the main context with full access
- Iframe (Tier 2): Semi-trusted extensions run in browser-sandboxed iframes
- WASM (Tier 3): Untrusted logic runs in WebAssembly sandboxes
For detailed information about the sandbox system, see Extension Sandboxing.
Trust Model
Administrators are responsible for evaluating and verifying the security of any extensions they choose to install. Superset's sandbox system provides defense-in-depth:
- Core extensions require explicit trust configuration and optionally signature verification
- Iframe-sandboxed extensions are isolated by the browser's same-origin policy
- WASM-sandboxed extensions have no access to browser APIs
A directory of community extensions is available in the Community Extensions page. Note that these extensions are not vetted by the Apache Superset project—administrators must evaluate each extension before installation.
Extension Signing
Extensions can be cryptographically signed to verify their authenticity and integrity. This is required for extensions that need core trust level in production environments with signature verification enabled.
- Developers: See Extension Signing to learn how to sign your extensions
- Administrators: See Administrator Configuration to configure trusted signers
Administrator Configuration
Superset provides extensive configuration options for controlling extension trust levels, signature verification, and security policies. Key settings include:
- Trusted extensions list: Extensions allowed to run as core
- Signature verification: Require valid signatures for core trust
- Default trust level: Sandbox level for unlisted extensions
For complete configuration details, see Administrator Configuration.
Security Reporting
Any performance or security vulnerabilities introduced by external extensions should be reported directly to the extension author, not as Superset vulnerabilities.
Any security concerns regarding built-in extensions (included in Superset's monorepo) should be reported to the Superset Security mailing list for triage and resolution by maintainers.