feat(presto): add support for user impersonation #13214
@rijojoseph07 would it be possible to add a test duplicating the bug to both verify the fix and prevent future regressions?
@willbarrett I am trying to write a unit test for this but struggling to get connect_params from the SQLAlchemy engine object to check if the new I have tested this code in our environment and it is running in our prod system.
A way forward if it's not possible to get the connect args out of SQLAlchemy would be to mock the
@willbarrett Thanks for your suggestion. I have added a unit test by mocking
Codecov Report
@@ Coverage Diff @@
## master #13214 +/- ##
===========================================
+ Coverage 53.06% 66.67% +13.61%
===========================================
Files 489 493 +4
Lines 17314 29168 +11854
Branches 4482 0 -4482
===========================================
+ Hits 9187 19447 +10260
- Misses 8127 9721 +1594
@willbarrett @villebro Can you guys please review this PR. Thanks
Thanks for the contribution @rijojoseph07! I think what we should do is refactor the existing get_configuration_for_impersonation to be more in line with the new method you're proposing - get_configuration_for_impersonation is just mutating the configuration parameter in connect_args, but this seems highly specific to Hive, and it really should be mutating connect_args (the parent). Instead of adding the proposed method, let's rather change the existing logic so that BaseEngineSpec has a method update_connect_args_for_impersonation, which for Hive then just adds the configuration property like before, and for Presto adds the principal_username property.
One minor change request
A few last comments
LGTM
@rijojoseph07, I have upgraded to superset v1.1.0 & updated my connection settings & have corresponding impersonation settings in Presto as well. However, when clicking the Impersonate logged in User button on the database settings it throws an exception on the UI and nothing is visible in the backend logs. Details below:
This is a very useful feature which I have been waiting for a long time. Any help in debugging this further will be of great help. Also, please let me know if you need any further information to understand the problem.
Hi @DRavikanth, were you able to connect using admin credentials without impersonation? Also it will be helpful if you can run superset in debug mode and share the logs. If possible share the complete connection extras after masking sensitive data.
Yes the admin credentials without impersonation works with no issues.
I'm running Superset in debug mode and I don't see any logs associated with
this.
Thanks,
Ravi
@DRavikanth I just tested this feature with superset 1.1.0 and presto 347 and it is working fine. Can you please check if impersonation is working as expected from the presto side via cli (this support was recently added to presto so you may have to upgrade presto)? My connection URL looks like this: presto://presto-dns:443/hive/dev Extra : { I use ranger with presto, and have enabled impersonation from ranger. You can also check presto server logs to see if your request is reaching presto.
@rijojoseph07 I have exactly what you are testing against. I don't have Ranger. However, I don't think that's an issue. The only difference I see is the Presto version. I am using 341 and from the documentation I see impersonation is supported in that version. I don't see any request coming into the presto coordinator logs as well when the exception was initiated. I think this is failing in the UI itself and the debug logs of Superset don't show anything related to this. I am looking into the UI Console and see the following: In Response: Request seems to be good though. Any help in debugging this further?
@DRavikanth Can you please confirm if the user which is creating this dataset with impersonation is a valid user for presto?
@rijojoseph07, Yes, the user (admin is the user name in this case) creating this connection in Superset does exist in Presto and is enabled with impersonation. Please note that I am able to log in to Presto and execute the queries using this admin user with no issues. Also, please note that if I uncheck the Impersonation option in the connection object, everything works as expected, i.e. the dashboards built on top of this connection will load the dashboards/charts from Presto.
@DRavikanth Can we connect over slack to discuss this in detail? Please join superset slack channel.
That would be great. I am on superset slack with user ID ravioravi. Can you
ping me?
Thanks,
Ravi
SUMMARY
Fix for issue #11359, #9406
When using LDAP authentication with presto/trino, the current behavior is just to modify the URL to replace the username which will result in an unauthorized exception. This PR will fix this by updating the connection argument with the effective user.
TEST PLAN
Step 1: Set up database connection to presto without credentials in URL.
Step 2: Provide admin (who can impersonate as any other user in presto) credentials in connection properties via extras.
Step 3: Enable impersonation for the database connection.
Step 4: Log in with a different user and run the query via SQL lab and you will see the principal user as admin and user as the logged-in user in presto UI.
ADDITIONAL INFORMATION
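
A sketch of the refactor suggested in the review and of the behaviour the summary describes, added here as an illustration; it is not code from this PR or from Superset. The classes are simplified stand-ins, the method signature and the connect_args_for_request helper are assumptions, and the sample settings are constructed.

```python
from copy import deepcopy
from typing import Any, Dict, Optional


class BaseEngineSpec:
    """Simplified stand-in; engines without impersonation support change nothing."""

    @classmethod
    def update_connect_args_for_impersonation(
        cls, connect_args: Dict[str, Any], username: Optional[str]
    ) -> None:
        return None


class HiveEngineSpec(BaseEngineSpec):
    @classmethod
    def update_connect_args_for_impersonation(cls, connect_args, username):
        if username is not None:
            # Hive takes the effective user as a session setting nested under
            # connect_args["configuration"]; other settings there are kept.
            configuration = connect_args.setdefault("configuration", {})
            configuration["hive.server2.proxy.user"] = username


class PrestoEngineSpec(BaseEngineSpec):
    @classmethod
    def update_connect_args_for_impersonation(cls, connect_args, username):
        if username is not None:
            # Presto takes the effective user as a top-level connect argument;
            # the service account's username/password stay as configured.
            connect_args["principal_username"] = username


def connect_args_for_request(spec, stored_connect_args, impersonate, username):
    """Build per-request connect args (hypothetical helper).

    The stored args are deep-copied so that one user's identity is never
    written into the shared connection settings that later requests reuse.
    """
    connect_args = deepcopy(stored_connect_args)
    if impersonate:
        spec.update_connect_args_for_impersonation(connect_args, username)
    return connect_args


# Constructed sample settings: a service account allowed to impersonate.
STORED = {"username": "svc_superset", "password": "<placeholder>", "protocol": "https"}
```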