Password not replaced in SQLAlchemy URL when impersonation is enabled causing 401 Unauthorized

[nladuguie]

Hi everybody, we use Superset to execute queries on a PrestoDB cluster.
We activated the impersonation feature on our PrestoDB connection, because we want to identify which user run which query just for auditing.
But when this feature is activated, all queries run result in a HTTP 401 error.
FYI, we have securized our PrestoDB cluster with SSL access and LDAP authentifcation, so PrestoDB URL configured in Superset includes basic authentication with user:password inside it (see attached image).

This error appears right after saving the Presto datasource with those configurations.
After debugging Superset execution, I observed that the impersonation features only replaces the username inside URL but not the password.
So in the resulting impersonated URL, the current user name is associated with the configured password in the datasource, which is not correct.

Superset version

0.28.1

Expected results

Run query with impersonation feature enabled should replace password (is specified) in the datasource URL, like username is.

Actual results

Queries are run with the current username in the datasource URL which has replaced the configured default username of the datasource URL, but the password in the URL remains the default one configure on the datasource.
The attached image shows the error resulting in saving the datasource after having activated the impersonation feature.

Steps to reproduce

Configure PrestoDB datasource with SSL and username/password configured (like shown in attached image), activate impersonation feature, and save the datasource.

[Ryan-Miao]

I just create database named hive-username for everyone by using username:password@host:port/hive, so the user can login, then choose the db with their name.

The disadvantage is that DB link needs to be maintained, but it does work.

You can try

{
"metadata_params": {},
"engine_params": { "connect_args":{"auth": "LDAP"} },
"metadata_cache_timeout": {},
"schemas_allowed_for_csv_upload": []
}

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

[haydenwhitehead]

I'm having the same problem with a PostgreSQL connection.
Once you enable "impersonate", the connection only works if the logged in user's password is the same as the database setup URI password.

[Asturias-sam]

@haydenwhitehead @nladuguie how you guys solved this issue facing similar issue #11359 ?

[tooptoop4]

https://github.com/apache/incubator-superset/pull/9422/files fixes it