From 99cddf78a2c1760c4fe45a3a78374eb9268aad1f Mon Sep 17 00:00:00 2001
From: Jillian Vogel <jill@opencraft.com>
Date: Wed, 30 Nov 2022 19:45:54 +1030
Subject: [PATCH] feat: adds superset docker services and open edx integrations

* install custom requirements for mysql and OAuth2
* configure Superset to use the Open edX mysql service
* install custom oauth2 manager and course permissions plugin
* init OAuth2 application on LMS
---
 README.rst                                    |  16 +-
 tutorsuperset/plugin.py                       | 134 ++++++++++++-
 .../superset/apps/docker/docker-bootstrap.sh  |  54 ++++++
 .../superset/apps/docker/docker-init.sh       |  79 ++++++++
 .../apps/docker/requirements-local.txt        |   2 +
 .../openedx_sso_security_manager.py           | 182 ++++++++++++++++++
 .../apps/pythonpath/superset_config.py        | 125 ++++++++++++
 .../apps/pythonpath/superset_config_docker.py |  76 ++++++++
 .../templates/superset/tasks/init.sh          |   9 +
 9 files changed, 670 insertions(+), 7 deletions(-)
 create mode 100755 tutorsuperset/templates/superset/apps/docker/docker-bootstrap.sh
 create mode 100755 tutorsuperset/templates/superset/apps/docker/docker-init.sh
 create mode 100644 tutorsuperset/templates/superset/apps/docker/requirements-local.txt
 create mode 100644 tutorsuperset/templates/superset/apps/pythonpath/openedx_sso_security_manager.py
 create mode 100644 tutorsuperset/templates/superset/apps/pythonpath/superset_config.py
 create mode 100644 tutorsuperset/templates/superset/apps/pythonpath/superset_config_docker.py
 create mode 100644 tutorsuperset/templates/superset/tasks/init.sh

diff --git a/README.rst b/README.rst
index 7387eb1..ba438df 100644
--- a/README.rst
+++ b/README.rst
@@ -6,7 +6,7 @@ Installation
 
 ::
 
-    pip install git+https://github.com/opencraft/tutor-contrib-superset
+    pip install git+https://github.com/open-craft/tutor-contrib-superset
 
 Usage
 -----
@@ -14,9 +14,21 @@ Usage
 ::
 
     tutor plugins enable superset
+    tutor local start superset-launcher
+
+    # Initialize superset data
+    tutor local start superset-init
+
+    # Set up SSO
+    tutor dev init --limit superset_service
+
+
+Connect to Superset's UI on the configured port (default is `:8088`):
+
+  http://local.overhang.io:8088
 
 
 License
 -------
 
-This software is licensed under the terms of the AGPLv3.
\ No newline at end of file
+This software is licensed under the terms of the AGPLv3.
diff --git a/tutorsuperset/plugin.py b/tutorsuperset/plugin.py
index 34331f5..c535a5d 100644
--- a/tutorsuperset/plugin.py
+++ b/tutorsuperset/plugin.py
@@ -17,6 +17,21 @@
         # Each new setting is a pair: (setting_name, default_value).
         # Prefix your setting names with 'SUPERSET_'.
         ("SUPERSET_VERSION", __version__),
+        ("SUPERSET_TAG", "latest-dev"),
+        ("SUPERSET_HOST", "{{ LMS_HOST }}"),
+        ("SUPERSET_PORT", "8088"),
+        ("SUPERSET_DB_DIALECT", "mysql"),
+        ("SUPERSET_DB_HOST", "{{ MYSQL_HOST }}"),
+        ("SUPERSET_DB_PORT", "{{ MYSQL_PORT }}"),
+        ("SUPERSET_DB_NAME", "superset"),
+        ("SUPERSET_DB_USERNAME", "superset"),
+        ("SUPERSET_OAUTH2_BASE_URL", "{% if ENABLE_HTTPS %}https{% else %}http{% endif %}://{{ LMS_HOST }}"),
+        ("SUPERSET_OAUTH2_ACCESS_TOKEN_URL", "{{ SUPERSET_OAUTH2_BASE_URL }}/oauth2/access_token/"),
+        ("SUPERSET_OAUTH2_AUTHORIZE_URL", "{{ SUPERSET_OAUTH2_BASE_URL }}/oauth2/authorize/"),
+        ("SUPERSET_OPENEDX_USERNAME_URL", "{{ SUPERSET_OAUTH2_BASE_URL }}/api/user/v1/me"),
+        ("SUPERSET_OPENEDX_USER_PROFILE_URL", "{{ SUPERSET_OAUTH2_BASE_URL }}/api/user/v1/accounts/{username}"),
+        ("SUPERSET_OPENEDX_COURSES_LIST_URL",
+         "{{ SUPERSET_OAUTH2_BASE_URL }}/api/courses/v1/courses/?permissions={permission}&username={username}"),
     ]
 )
 
@@ -27,7 +42,10 @@
         # Each new setting is a pair: (setting_name, unique_generated_value).
         # Prefix your setting names with 'SUPERSET_'.
         # For example:
-        # ("SUPERSET_SECRET_KEY", "{{ 24|random_string }}"),
+        ("SUPERSET_SECRET_KEY", "{{ 24|random_string }}"),
+        ("SUPERSET_DB_PASSWORD", "{{ 24|random_string }}"),
+        ("SUPERSET_OAUTH2_CLIENT_ID", "{{ 16|random_string }}"),
+        ("SUPERSET_OAUTH2_CLIENT_SECRET", "{{ 16|random_string }}"),
     ]
 )
 
@@ -46,10 +64,10 @@
 ########################################
 
 # To run the script from templates/superset/tasks/myservice/init, add:
-# hooks.Filters.COMMANDS_INIT.add_item((
-#     "myservice",
-#     ("superset", "tasks", "myservice", "init"),
-# ))
+hooks.Filters.COMMANDS_INIT.add_item((
+    "superset_service",
+    ("superset", "tasks", "init.sh"),
+))
 
 
 ########################################
@@ -100,6 +118,112 @@
     ],
 )
 
+# docker-compose statements shared between the superset services
+SUPERSET_DOCKER_COMPOSE_SHARED = """
+  image: apache/superset:{{ SUPERSET_TAG }}
+  environment:
+    DATABASE_DIALECT: {{ SUPERSET_DB_DIALECT }}
+    DATABASE_HOST: {{ SUPERSET_DB_HOST }}
+    DATABASE_PORT: {{ SUPERSET_DB_PORT }}
+    DATABASE_DB: {{ SUPERSET_DB_NAME }}
+    DATABASE_HOST: {{ SUPERSET_DB_HOST }}
+    DATABASE_PASSWORD: {{ SUPERSET_DB_PASSWORD }}
+    DATABASE_USER: {{ SUPERSET_DB_USERNAME }}
+    OPENEDX_MYSQL_HOST: {{ MYSQL_HOST }}
+    OPENEDX_MYSQL_PORT: {{ MYSQL_PORT }}
+    OPENEDX_MYSQL_DATABASE: {{ OPENEDX_MYSQL_DATABASE }}
+    OPENEDX_MYSQL_USERNAME: {{ OPENEDX_MYSQL_USERNAME }}
+    OPENEDX_MYSQL_PASSWORD: {{ OPENEDX_MYSQL_PASSWORD }}
+    OAUTH2_CLIENT_ID: {{ SUPERSET_OAUTH2_CLIENT_ID }}
+    OAUTH2_CLIENT_SECRET: {{ SUPERSET_OAUTH2_CLIENT_SECRET }}
+    OAUTH2_BASE_URL: {{ SUPERSET_OAUTH2_BASE_URL }}
+    OAUTH2_ACCESS_TOKEN_URL: {{ SUPERSET_OAUTH2_ACCESS_TOKEN_URL }}
+    OAUTH2_AUTHORIZE_URL: {{ SUPERSET_OAUTH2_AUTHORIZE_URL }}
+    OPENEDX_USERNAME_URL: {{ SUPERSET_OPENEDX_USERNAME_URL }}
+    OPENEDX_USER_PROFILE_URL: {{ SUPERSET_OPENEDX_USER_PROFILE_URL }}
+    OPENEDX_COURSES_LIST_URL: {{ SUPERSET_OPENEDX_COURSES_LIST_URL }}
+    SECRET_KEY: {{ SUPERSET_SECRET_KEY }}
+    PYTHONPATH: /app/pythonpath:/app/docker/pythonpath_dev
+    REDIS_HOST: superset_redis
+    REDIS_PORT: 6379
+    FLASK_ENV: production
+    SUPERSET_ENV: production
+    SUPERSET_LOAD_EXAMPLES: 0
+    CYPRESS_CONFIG: 0
+    SUPERSET_PORT: {{ SUPERSET_PORT }}
+  user: root
+  restart: unless-stopped
+  depends_on:
+    - mysql
+    - superset_redis
+  volumes:
+    - ../../env/plugins/superset/apps/docker:/app/docker
+    - ../../env/plugins/superset/apps/pythonpath:/app/pythonpath
+    - ../../env/plugins/superset/apps/superset_home:/app/superset_home
+"""
+
+hooks.Filters.ENV_PATCHES.add_item(
+    (
+        "local-docker-compose-services",
+        f"""
+# Modified from https://github.com/apache/superset/blob/969c963/docker-compose-non-dev.yml
+
+# FIXME -- should we use Open edX's redis service instead?
+superset_redis:
+  image: redis:latest
+  restart: unless-stopped
+  volumes:
+    - ../../data/superset/redis:/data
+
+superset_service:
+  {SUPERSET_DOCKER_COMPOSE_SHARED}
+  command: ["bash", "/app/docker/docker-bootstrap.sh", "app-gunicorn"]
+  ports:
+    - 8088:{{{{ SUPERSET_PORT }}}}
+
+superset_worker:
+  {SUPERSET_DOCKER_COMPOSE_SHARED}
+  command: ["bash", "/app/docker/docker-bootstrap.sh", "worker"]
+  healthcheck:
+    test: ["CMD-SHELL", "celery inspect ping -A superset.tasks.celery_app:app -d celery@$$HOSTNAME"]
+
+superset_worker-beat:
+  {SUPERSET_DOCKER_COMPOSE_SHARED}
+  command: ["bash", "/app/docker/docker-bootstrap.sh", "worker"]
+  healthcheck:
+    disable: true
+
+# All the superset services we need to run together
+superset-launcher:
+  image: apache/superset:{{{{ SUPERSET_TAG }}}}
+  command: ["bash"]
+  depends_on:
+    - superset_service
+    - superset_worker
+    - superset_worker-beat
+
+# One-off data initialization
+superset-init:
+  {SUPERSET_DOCKER_COMPOSE_SHARED}
+  command: ["bash", "/app/docker/docker-init.sh"]
+  healthcheck:
+    disable: true
+        """
+    )
+)
+
+hooks.Filters.ENV_PATCHES.add_item(
+    (
+        "local-docker-compose-jobs-services",
+        """
+superset_service-jobs:
+  image: apache/superset:{{ SUPERSET_TAG }}
+  depends_on:
+    - superset-launcher
+        """
+    )
+)
+
 
 ########################################
 # PATCH LOADING
diff --git a/tutorsuperset/templates/superset/apps/docker/docker-bootstrap.sh b/tutorsuperset/templates/superset/apps/docker/docker-bootstrap.sh
new file mode 100755
index 0000000..9ef31c0
--- /dev/null
+++ b/tutorsuperset/templates/superset/apps/docker/docker-bootstrap.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Copied from original:
+#
+# https://github.com/apache/superset/blob/969c963/docker/docker-bootstrap.sh
+
+set -eo pipefail
+
+REQUIREMENTS_LOCAL="/app/docker/requirements-local.txt"
+# If Cypress run – overwrite the password for admin and export env variables
+if [ "$CYPRESS_CONFIG" == "true" ]; then
+    export SUPERSET_CONFIG=tests.integration_tests.superset_test_config
+    export SUPERSET_TESTENV=true
+    export SUPERSET__SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://superset:superset@db:5432/superset
+fi
+#
+# Make sure we have dev requirements installed
+#
+if [ -f "${REQUIREMENTS_LOCAL}" ]; then
+  echo "Installing local overrides at ${REQUIREMENTS_LOCAL}"
+  pip install -r "${REQUIREMENTS_LOCAL}"
+else
+  echo "Skipping local overrides"
+fi
+
+if [[ "${1}" == "worker" ]]; then
+  echo "Starting Celery worker..."
+  celery --app=superset.tasks.celery_app:app worker -Ofair -l INFO
+elif [[ "${1}" == "beat" ]]; then
+  echo "Starting Celery beat..."
+  celery --app=superset.tasks.celery_app:app beat --pidfile /tmp/celerybeat.pid -l INFO -s "${SUPERSET_HOME}"/celerybeat-schedule
+elif [[ "${1}" == "app" ]]; then
+  echo "Starting web app..."
+  flask run -p 8088 --with-threads --reload --debugger --host=0.0.0.0
+elif [[ "${1}" == "app-gunicorn" ]]; then
+  echo "Starting web app..."
+  /usr/bin/run-server.sh
+fi
diff --git a/tutorsuperset/templates/superset/apps/docker/docker-init.sh b/tutorsuperset/templates/superset/apps/docker/docker-init.sh
new file mode 100755
index 0000000..618276d
--- /dev/null
+++ b/tutorsuperset/templates/superset/apps/docker/docker-init.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Modified from original:
+#
+# https://github.com/apache/superset/blob/969c963/docker/docker-init.sh
+
+set -e
+
+STEP_CNT=4
+
+echo_step() {
+cat <<EOF
+
+######################################################################
+
+
+Init Step ${1}/${STEP_CNT} [${2}] -- ${3}
+
+
+######################################################################
+
+EOF
+}
+# Initialize the database
+echo_step "1" "Starting" "Applying DB migrations"
+superset db upgrade
+echo_step "1" "Complete" "Applying DB migrations"
+
+# If Cypress run – overwrite the password for admin and export env variables
+if [ "$CYPRESS_CONFIG" == "true" ]; then
+    ADMIN_USERNAME="admin"
+    ADMIN_PASSWORD="general"
+    export SUPERSET_CONFIG=tests.integration_tests.superset_test_config
+    export SUPERSET_TESTENV=true
+    export SUPERSET__SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://superset:superset@db:5432/superset
+# Create an admin user
+echo_step "2" "Starting" "Setting up admin user ( $ADMIN_USERNAME / $ADMIN_PASSWORD )"
+superset fab create-admin \
+              --username $ADMIN_USERNAME \
+              --firstname Superset \
+              --lastname Admin \
+              --email admin@superset.com \
+              --password $ADMIN_PASSWORD
+echo_step "2" "Complete" "Setting up admin user"
+fi
+
+# Create default roles and permissions
+echo_step "3" "Starting" "Setting up roles and perms"
+superset init
+echo_step "3" "Complete" "Setting up roles and perms"
+
+if [ "$SUPERSET_LOAD_EXAMPLES" = "yes" ]; then
+    # Load some data to play with
+    echo_step "4" "Starting" "Loading examples"
+    # If Cypress run which consumes superset_test_config – load required data for tests
+    if [ "$CYPRESS_CONFIG" == "true" ]; then
+        superset load_test_users
+        superset load_examples --load-test-data
+    else
+        superset load_examples
+    fi
+    echo_step "4" "Complete" "Loading examples"
+fi
diff --git a/tutorsuperset/templates/superset/apps/docker/requirements-local.txt b/tutorsuperset/templates/superset/apps/docker/requirements-local.txt
new file mode 100644
index 0000000..77e2839
--- /dev/null
+++ b/tutorsuperset/templates/superset/apps/docker/requirements-local.txt
@@ -0,0 +1,2 @@
+authlib  # OAuth2
+mysqlclient
diff --git a/tutorsuperset/templates/superset/apps/pythonpath/openedx_sso_security_manager.py b/tutorsuperset/templates/superset/apps/pythonpath/openedx_sso_security_manager.py
new file mode 100644
index 0000000..eabeec9
--- /dev/null
+++ b/tutorsuperset/templates/superset/apps/pythonpath/openedx_sso_security_manager.py
@@ -0,0 +1,182 @@
+from collections import namedtuple
+import logging
+import MySQLdb
+
+from flask import current_app, session
+from superset.security import SupersetSecurityManager
+from superset.extensions import security_manager
+from superset.utils.core import get_username
+from superset.utils.memoized import memoized
+
+
+class OpenEdxSsoSecurityManager(SupersetSecurityManager):
+
+    def set_oauth_session(self, provider, oauth_response):
+        """
+        Store the ouath token in the session for later retrieval.
+        """
+        res = super().set_oauth_session(provider, oauth_response)
+
+        # TODO: better to save to a database
+        if provider == "openedxsso":
+            session["oauth_token"] = oauth_response
+        return res
+
+    def oauth_user_info(self, provider, response=None):
+        if provider == 'openedxsso':
+            oauth_remote = self.appbuilder.sm.oauth_remotes[provider]
+            username_url = current_app.config['OPENEDX_USERNAME_URL']
+            me = oauth_remote.get(username_url).json()
+            logging.debug(f"{username_url}: {me}")
+            username = me['username']
+
+            user_profile_url = current_app.config['OPENEDX_USER_PROFILE_URL'].format(username=username)
+            user_profile = oauth_remote.get(user_profile_url).json()
+            logging.debug(f"{user_profile_url}: {user_profile}")
+
+            user_roles = get_user_roles(username)
+            logging.debug(f"user_roles: {user_roles}")
+
+            return {
+                'name': user_profile['name'],
+                'email': user_profile['email'],
+                'id': user_profile['username'],
+                'username': user_profile['username'],
+                'first_name': '',
+                'last_name': '',
+                'role_keys': user_roles,
+            }
+
+
+def get_user_roles(username):
+    """
+    Returns the Superset roles that should be associated with the given user.
+    """
+    user_access = _fetch_user_access(username)
+    logging.debug(f"user access: {user_access}")
+
+    if user_access.is_superuser:
+        return ["admin", "alpha", "openedx"]
+    elif user_access.is_staff:
+        return ["alpha", "openedx"]
+    else:
+        # User has to have staff access to one or more courses to view any content here.
+        courses = _get_courses(username)
+        if courses:
+            return ["gamma", "openedx"]
+        return []
+
+
+ALL_COURSES = "1 = 1"
+NO_COURSES = "1 = 0"
+
+def can_view_courses(username, field_name='course_id'):
+    """
+    Returns SQL WHERE clause which restricts access to the courses the current user has staff access to.
+    """
+    user = security_manager.get_user_by_username(username)
+    if user:
+        user_roles = security_manager.get_user_roles(user)
+    else:
+        user_roles = []
+    logging.debug(f"can_view_courses: {username} roles: {user_roles}")
+
+    # Users with no roles don't get to see any courses
+    if not user_roles:
+        return NO_COURSES
+
+    # Superusers and global staff have access to all courses
+    if ("Admin" in user_roles) or ("Alpha" in user_roles):
+        return ALL_COURSES
+
+    # Everyone else only has access if they're staff on a course.
+    courses = _get_courses(username)
+    logging.debug(f"{username} is course staff on {courses}")
+
+    # FIXME: what happens when the list of courses grows beyond what the query will handle?
+    if courses:
+        course_id_list = ", ".join(
+            f'"{course_id}"' for course_id in courses
+        )
+        return f"{field_name} in ({course_id_list})"
+    else:
+        # If you're not course staff on any courses, you don't get to see any.
+        return NO_COURSES
+
+
+UserAccess = namedtuple(
+    "UserAccess", ["username", "is_superuser", "is_staff"]
+)
+
+
+def _fetch_user_access(username):
+    """
+    Fetches the given user's access details from the Open edX User database
+    (since Open edX doesn't have an API for this).
+    """
+    cxn = _connect_openedx_db()
+    cursor = cxn.cursor()
+
+    query = "SELECT is_staff, is_superuser FROM auth_user WHERE username=%s"
+    if cursor.execute(query, (username,)):
+        (is_staff, is_superuser) = cursor.fetchone()
+        user_access = UserAccess(
+            username=username,
+            is_superuser=is_superuser,
+            is_staff=is_staff,
+        )
+    else:
+        user_access = UserAccess(
+            username=username,
+            is_superuser=False,
+            is_staff=False,
+        )
+
+    cursor.close()
+    cxn.close()
+    return user_access
+
+
+def _connect_openedx_db():
+    """
+    Return an open connection to the Open edX MySQL database.
+    """
+    return MySQLdb.connect(**current_app.config['OPENEDX_DATABASE'])
+
+
+@memoized
+def _get_courses(username, permission="staff", next_url=None):
+    """
+    Returns the list of courses the current user has access to.
+    """
+    courses = []
+
+    provider = session.get("oauth_provider")
+    oauth_remote = security_manager.oauth_remotes.get(provider)
+    if not oauth_remote:
+        logging.error("No OAuth2 provider? expected openedx")
+        return courses
+
+    # TODO: write/import client code to handle refreshing expired tokens.
+    token = session.get("oauth_token", {})
+    if not token:
+        logging.error("No access_token? expected one provided by openedx")
+        return courses
+
+    courses_url = current_app.config['OPENEDX_COURSES_LIST_URL'].format(username=username, permission=permission)
+    url = next_url or courses_url
+    response = oauth_remote.get(url, token=token).json()
+
+    for course in response.get('results', []):
+        course_id = course.get('course_id')
+        if course_id:
+            courses.append(course_id)
+
+    # Recurse to iterate over all the pages of results
+    if response.get("next"):
+        next_courses = _get_courses(username, permission=permission, next_url=response['next'])
+        for course_id in next_courses:
+            courses.append(course_id)
+
+    logging.debug(f"{username} has {permission} access to {courses}")
+    return courses
diff --git a/tutorsuperset/templates/superset/apps/pythonpath/superset_config.py b/tutorsuperset/templates/superset/apps/pythonpath/superset_config.py
new file mode 100644
index 0000000..3ab0219
--- /dev/null
+++ b/tutorsuperset/templates/superset/apps/pythonpath/superset_config.py
@@ -0,0 +1,125 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# This file is included in the final Docker image and SHOULD be overridden when
+# deploying the image to prod. Settings configured here are intended for use in local
+# development environments. Also note that superset_config_docker.py is imported
+# as a final step as a means to override "defaults" configured here
+#
+"""
+Modified from original:
+
+https://github.com/apache/superset/blob/969c963/docker/pythonpath_dev/superset_config.py
+"""
+import os
+from datetime import timedelta
+from typing import Optional
+
+from cachelib.file import FileSystemCache
+from celery.schedules import crontab
+
+
+def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
+    """Get the environment variable or raise exception."""
+    try:
+        return os.environ[var_name]
+    except KeyError:
+        if default is not None:
+            return default
+        else:
+            error_msg = "The environment variable {} was missing, abort...".format(
+                var_name
+            )
+            raise EnvironmentError(error_msg)
+
+
+DATABASE_DIALECT = get_env_variable("DATABASE_DIALECT")
+DATABASE_USER = get_env_variable("DATABASE_USER")
+DATABASE_PASSWORD = get_env_variable("DATABASE_PASSWORD")
+DATABASE_HOST = get_env_variable("DATABASE_HOST")
+DATABASE_PORT = get_env_variable("DATABASE_PORT")
+DATABASE_DB = get_env_variable("DATABASE_DB")
+
+# The SQLAlchemy connection string.
+SQLALCHEMY_DATABASE_URI = "%s://%s:%s@%s:%s/%s" % (
+    DATABASE_DIALECT,
+    DATABASE_USER,
+    DATABASE_PASSWORD,
+    DATABASE_HOST,
+    DATABASE_PORT,
+    DATABASE_DB,
+)
+
+REDIS_HOST = get_env_variable("REDIS_HOST")
+REDIS_PORT = get_env_variable("REDIS_PORT")
+REDIS_CELERY_DB = get_env_variable("REDIS_CELERY_DB", "0")
+REDIS_RESULTS_DB = get_env_variable("REDIS_RESULTS_DB", "1")
+
+RESULTS_BACKEND = FileSystemCache("/app/superset_home/sqllab")
+
+CACHE_CONFIG = {
+    "CACHE_TYPE": "redis",
+    "CACHE_DEFAULT_TIMEOUT": 300,
+    "CACHE_KEY_PREFIX": "superset_",
+    "CACHE_REDIS_HOST": REDIS_HOST,
+    "CACHE_REDIS_PORT": REDIS_PORT,
+    "CACHE_REDIS_DB": REDIS_RESULTS_DB,
+}
+DATA_CACHE_CONFIG = CACHE_CONFIG
+
+
+class CeleryConfig(object):
+    BROKER_URL = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"
+    CELERY_IMPORTS = ("superset.sql_lab",)
+    CELERY_RESULT_BACKEND = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_RESULTS_DB}"
+    CELERYD_LOG_LEVEL = "DEBUG"
+    CELERYD_PREFETCH_MULTIPLIER = 1
+    CELERY_ACKS_LATE = False
+    CELERYBEAT_SCHEDULE = {
+        "reports.scheduler": {
+            "task": "reports.scheduler",
+            "schedule": crontab(minute="*", hour="*"),
+        },
+        "reports.prune_log": {
+            "task": "reports.prune_log",
+            "schedule": crontab(minute=10, hour=0),
+        },
+    }
+
+
+CELERY_CONFIG = CeleryConfig
+
+FEATURE_FLAGS = {"ALERT_REPORTS": True}
+ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
+WEBDRIVER_BASEURL = "http://superset:8088/"
+# The base URL for the email report hyperlinks.
+WEBDRIVER_BASEURL_USER_FRIENDLY = WEBDRIVER_BASEURL
+
+SQLLAB_CTAS_NO_LIMIT = True
+
+#
+# Optionally import superset_config_docker.py (which will have been included on
+# the PYTHONPATH) in order to allow for local settings to be overridden
+#
+try:
+    import superset_config_docker
+    from superset_config_docker import *  # noqa
+
+    print(f"Loaded your Docker configuration at " f"[{superset_config_docker.__file__}]")
+except ImportError:
+    print("Using default Docker config...")
diff --git a/tutorsuperset/templates/superset/apps/pythonpath/superset_config_docker.py b/tutorsuperset/templates/superset/apps/pythonpath/superset_config_docker.py
new file mode 100644
index 0000000..e2b183c
--- /dev/null
+++ b/tutorsuperset/templates/superset/apps/pythonpath/superset_config_docker.py
@@ -0,0 +1,76 @@
+import os
+from flask_appbuilder.security.manager import AUTH_OAUTH
+
+# Application secret key
+
+SECRET_KEY = os.environ["SECRET_KEY"]
+
+# Credentials for connecting to the Open edX MySQL database
+OPENEDX_DATABASE = {
+    'host': os.environ["OPENEDX_MYSQL_HOST"],
+    'port': os.environ["OPENEDX_MYSQL_PORT"],
+    'database': os.environ["OPENEDX_MYSQL_DATABASE"],
+    'user': os.environ["OPENEDX_MYSQL_USERNAME"],
+    'password': os.environ["OPENEDX_MYSQL_PASSWORD"],
+}
+
+# Set the authentication type to OAuth
+AUTH_TYPE = AUTH_OAUTH
+
+OAUTH_PROVIDERS = [
+    {   'name':'openedxsso',
+        'token_key':'access_token', # Name of the token in the response of access_token_url
+        'icon':'fa-address-card',   # Icon for the provider
+        'remote_app': {
+            'client_id': os.environ["OAUTH2_CLIENT_ID"],
+            'client_secret': os.environ["OAUTH2_CLIENT_SECRET"],
+            'client_kwargs':{
+                'scope': 'read'               # Scope for the Authorization
+            },
+            'access_token_method':'POST',    # HTTP Method to call access_token_url
+            'access_token_params':{        # Additional parameters for calls to access_token_url
+                'client_id': os.environ["OAUTH2_CLIENT_ID"],
+            },
+            'access_token_headers':{    # Additional headers for calls to access_token_url
+                'Authorization': 'Basic Base64EncodedClientIdAndSecret'
+            },
+            'api_base_url': os.environ["OAUTH2_BASE_URL"],
+            'access_token_url': os.environ["OAUTH2_ACCESS_TOKEN_URL"],
+            'authorize_url': os.environ["OAUTH2_AUTHORIZE_URL"],
+        }
+    }
+]
+
+# Will allow user self registration, allowing to create Flask users from Authorized User
+AUTH_USER_REGISTRATION = True
+
+# The default user self registration role
+AUTH_USER_REGISTRATION_ROLE = "Gamma"
+
+# Should we replace ALL the user's roles each login, or only on registration?
+AUTH_ROLES_SYNC_AT_LOGIN = True
+
+# map from the values of `userinfo["role_keys"]` to a list of Superset roles
+# cf https://superset.apache.org/docs/security/#roles
+AUTH_ROLES_MAPPING = {
+    "admin": ["Admin"],      # Superusers
+    "alpha": ["Alpha"],      # Global staff
+    "gamma": ["Gamma"],      # Course staff
+    "openedx": ["Open edX"], # Open edX datastore, manually created
+    "public": ["Public"],    # AKA anonymous users
+}
+
+from openedx_sso_security_manager import OpenEdxSsoSecurityManager, can_view_courses
+CUSTOM_SECURITY_MANAGER = OpenEdxSsoSecurityManager
+
+
+# Enable use of variables in datasets/queries
+FEATURE_FLAGS = {
+    "ALERT_REPORTS": True,
+    "ENABLE_TEMPLATE_PROCESSING": True,
+}
+
+# Add this custom template processor which returns the list of courses the current user can access
+JINJA_CONTEXT_ADDONS = {
+    'can_view_courses': can_view_courses
+}
diff --git a/tutorsuperset/templates/superset/tasks/init.sh b/tutorsuperset/templates/superset/tasks/init.sh
new file mode 100644
index 0000000..00c6845
--- /dev/null
+++ b/tutorsuperset/templates/superset/tasks/init.sh
@@ -0,0 +1,9 @@
+# Create a DOT applicaton so Superset can use Open edX authenticatioon
+./manage.py lms manage_user superset superset@apache
+./manage.py lms create_dot_application \
+    --grant-type authorization-code \
+    --redirect-uris "{% if ENABLE_HTTPS %}https{% else %}http{% endif %}://{{ SUPERSET_HOST }}:{{ SUPERSET_PORT }}/oauth-authorized/openedxsso" \
+    --client-id {{ SUPERSET_OAUTH2_CLIENT_ID }} \
+    --client-secret {{ SUPERSET_OAUTH2_CLIENT_SECRET }} \
+    --scopes user_id \
+    superset-sso superset