Authentication may prevent outsiders, but we need an authorization flow to control who could see what.
Streamlit simplifies one of the biggest difficulties data scientists face: building an app to interact with their machine-learning models. It provides a set of declarative methods to create web components.
But security becomes a problem when you share Streamlit apps with others. Streamlit has a built-in way to restrict access to users, but it's far from perfect.
In a previous post, I shared how we can use Django’s authentication framework to improve the security of Streamlit apps.
This post continues the previous one and covers more granular access control strategies for your Streamlit app. I suggest you read the first one before diving into this.
Why do we need authorization control?
A login screen prevents unidentified people from accessing the system. We call it user authentication.
Yet authentication is only one item on your security checklist, if an essential one. There are several ways to improve on it.
For instance, you could put an IP restriction on your firewall. But that is a coarse rule: it admits or blocks whole ranges of people, not individuals.
What if you want a granular control?
Say you need to show employees only a specific part of the dashboard, while team leads get a team-level dashboard in addition to their individual ones.
The ability to do this is access control, also called authorization.
We've already discussed why Streamlit's suggested user authentication flow isn't good enough for production-grade apps, and we used Django to bridge the gap.
Streamlit also has no option for authorization. Let's go ahead and extend the Django authentication to handle permissions.
Controlling dashboard permissions with Django.
The plan is simple.
Assign users to specific groups; a user can be in multiple groups. We can do this in the admin interface.
Then, in the Streamlit app, we check the group membership of the logged-in user. Because the Streamlit script runs on the server, a check placed in front of every dashboard branch cannot be skipped from the browser.
If the check passes, we render the dashboard. Otherwise, we display a message saying, "You cannot view this dashboard."
But don’t we need the groups in the first place? Let’s start there.
Create user groups in the Django admin console.
If you’re following the previous post, you’d now have a Django app running, and you can access the admin portal.
We've also created users. In the same way, click the add button next to "Group" and add the following groups (the Managers group is the one the manager user will belong to below).
- Managers
- Data Science Team
- Finance Team
Create users in the Django admin console.
We've already seen how to add new users from the admin console in our last post. Let's add some users with the following group memberships.
- A: member of the Managers group
- B: member of the Data Science Team
- C: member of the Finance Team
- D: no group membership
You can assign them by moving groups from the "Available" box to the "Chosen" box. This section appears on the user's edit page as soon as you click "Save" on the creation form.
Check permissions in the Streamlit app
Lastly, we adjust our Streamlit app code to check for group membership.
If user A is a member of the Managers group, they can access all the dashboards; the app requires no further permissions.
Users B and C have only a team membership, so they can access their own team's dashboard but not the other team's.
Finally, user D, who belongs to no group, can log in but cannot access any dashboard.
The adjusted streamlit app code will look like this:
In the above code, the critical lines are:
- line #30: storing Django user object on session
- line #65: the condition that checks the manager or data science team membership
- line #74: the condition that matches the manager or finance team membership
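The following is an added example, not the post's own gist: one way to implement the plan above (group check in front of each dashboard, deny by default, "You cannot view this dashboard." otherwise) in Python. It assumes the login step from the previous post has stored the authenticated Django User object in `st.session_state["django_user"]` (the key name is an assumption), and the dashboard names, the `DASHBOARD_POLICY` table and the `_FakeUser` stand-ins used for the offline check are constructed for this example.

```python
"""Group-based dashboard authorization for a Streamlit app backed by Django auth.

Added example, not the post's own code. Assumes the login step has already placed
the authenticated django.contrib.auth User in st.session_state["django_user"]
(assumed key name). Run with `streamlit run app.py` once Django is configured.
"""
from __future__ import annotations

from typing import Iterable

# Which groups may open which dashboard. Names must match the groups created in the
# Django admin. Deny by default: a dashboard absent from this table is never rendered,
# and a user with no groups (user D) sees nothing.
DASHBOARD_POLICY: dict[str, frozenset[str]] = {
    "Data Science dashboard": frozenset({"Managers", "Data Science Team"}),
    "Finance dashboard": frozenset({"Managers", "Finance Team"}),
}


def group_names(user) -> frozenset[str]:
    """Group names of a Django user, read through the related manager on every call.

    Re-reading user.groups instead of caching a list in session state means that an
    admin removing someone from a group takes effect on the next rerun, not at the
    next login. Anonymous or missing users get no groups.
    """
    if user is None or not getattr(user, "is_authenticated", False):
        return frozenset()
    return frozenset(user.groups.values_list("name", flat=True))


def can_view(groups: Iterable[str], dashboard: str) -> bool:
    """True if any of the user's groups is allowed to open `dashboard`."""
    allowed = DASHBOARD_POLICY.get(dashboard)
    if allowed is None:  # unknown dashboard name: refuse rather than guess
        return False
    return not allowed.isdisjoint(groups)


def visible_dashboards(groups: Iterable[str]) -> list[str]:
    """Dashboards the user may open, in policy order."""
    groups = frozenset(groups)
    return [name for name in DASHBOARD_POLICY if can_view(groups, name)]


# --- constructed stand-ins for users A-D, so the policy can be checked offline ---

class _FakeGroups:
    """Mimics the only related-manager call the code above makes."""

    def __init__(self, names: Iterable[str]):
        self._names = list(names)

    def values_list(self, field: str, flat: bool = False):
        assert field == "name" and flat
        return list(self._names)


class _FakeUser:
    is_authenticated = True

    def __init__(self, *names: str):
        self.groups = _FakeGroups(names)


def demo() -> dict[str, list[str]]:
    """Visible dashboards for the four users described in the post."""
    users = {
        "A": _FakeUser("Managers"),
        "B": _FakeUser("Data Science Team"),
        "C": _FakeUser("Finance Team"),
        "D": _FakeUser(),
    }
    return {name: visible_dashboards(group_names(u)) for name, u in users.items()}


def main() -> None:
    """Streamlit page body; `streamlit run` executes it with __name__ == "__main__"."""
    import streamlit as st

    user = st.session_state.get("django_user")  # set by the login step (assumed key)
    if user is None:
        st.error("Please log in first.")
        st.stop()

    groups = group_names(user)
    choices = visible_dashboards(groups)
    if not choices:
        st.warning("You cannot view this dashboard.")
        st.stop()

    choice = st.selectbox("Dashboard", choices)
    # Re-check on the server even though the selectbox only offered allowed names:
    # the widget value is client input and must not be the authorization decision.
    if not can_view(groups, choice):
        st.warning("You cannot view this dashboard.")
        st.stop()

    st.header(choice)
    st.write(f"Rendering {choice} for groups: {', '.join(sorted(groups))}")


if __name__ == "__main__":
    main()
```

The policy table is the single place that says who sees what, so adding a dashboard means adding one row rather than another `if` branch, and a dashboard nobody listed is unreachable. `demo()` runs the policy against the four users without Django or Streamlit installed, which is handy for a unit test of the authorization rules.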
Let’s run our app and see if permissions are working correctly. To start the server, let’s run:
If we check the app on the browser, this is how it works for all four users.
In this post, we extended our Streamlit app further to handle permissions.
By using Django's built-in permission system, we also benefit from its admin interface, where we can create users and groups and manage group memberships.
As we saw in the previous post, Streamlit is still young, and its authentication and authorization support will take time to mature. Until then, Django lets us build production-grade apps more securely.