Impersonate database user when running queries #2148

Closed
xlows-1227 opened this issue Feb 10, 2017 · 10 comments

@xlows-1227

Superset is started as root and I log in as user abc.
When I run a SQL query in SQL Lab (the SQLAlchemy connection is Presto), it runs as root in Presto. How can I run it as abc?

@xrmx xrmx added the question label Feb 10, 2017
@xrmx
Contributor

xrmx commented Feb 10, 2017

I think you are running queries with the credentials you set up on your datasources.

@xlows-1227
Author

It runs queries only as root. I want to know how I can run them as the logged-in user.

@juanpampliega

Hi, I am also interested in knowing if this is possible.
For most datasources it doesn't make much sense, but for Presto, where we don't have authentication set up, it would be nice for the query to be executed with the login user rather than the superset user.

@mistercrunch mistercrunch changed the title How Can I Run sql on sqllab with login user? Impersonate database user when running queries Aug 11, 2017
@mistercrunch
Member

I don't think PyHive (the lib we use to connect to presto) allows for that, does it?

@mistercrunch
Member

Actually looks like it may be possible by just using a different connection string as in create_engine('presto://user@host:443/hive'). Would you assume that the superset username matches the presto username?

You'd want to add a configuration Boolean column impersonate_user to the Database model https://github.com/apache/incubator-superset/blob/master/superset/models/core.py#L526, along with a db migration script.

Then it would be a matter of changing the user here:
https://github.com/apache/incubator-superset/blob/master/superset/models/core.py#L580
something like

if self.impersonate_user:
    # SQLAlchemy's URL object stores the login name in `username`
    uri.username = g.user.username

@mistercrunch mistercrunch self-assigned this Aug 16, 2017
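
The change sketched in the comment above, as an added example (not Superset's code): a standalone function, using only the Python standard library rather than SQLAlchemy's URL object, that swaps the user in the datasource URI for the logged-in user when the per-database flag is set. The function name, the `SAFE_LOGIN` policy and the sample URIs are assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Hypothetical policy: login names that may be forwarded to the database.
# Characters such as "@", ":" and "/" are excluded because the name is
# placed inside a connection string, where they delimit host and password.
SAFE_LOGIN = re.compile(r"[A-Za-z0-9._-]{1,64}")


def effective_uri(configured_uri, impersonate_user, login_name):
    """Return the URI to connect with for the current request.

    configured_uri   -- URI stored on the datasource (service account)
    impersonate_user -- the per-database Boolean proposed in the thread
    login_name       -- username of the logged-in application user
    """
    if not impersonate_user:
        return configured_uri
    if not login_name or not SAFE_LOGIN.fullmatch(login_name):
        # Fail closed instead of silently querying as the service account.
        raise ValueError("login name not allowed for impersonation")

    parts = urlsplit(configured_uri)
    # Split "user:password@host:port"; the host part is reused untouched.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    _, has_password, password = userinfo.partition(":")
    # Only the user changes, as in the snippet from the thread; a password
    # configured on the datasource is left as it is.
    new_userinfo = quote(login_name, safe="")
    if has_password:
        new_userinfo += ":" + password
    return urlunsplit(parts._replace(netloc=new_userinfo + "@" + hostport))


if __name__ == "__main__":
    # Constructed sample URIs, modelled on the one quoted in the thread.
    print(effective_uri("presto://superset@host:443/hive", True, "abc"))
    print(effective_uri("presto://host:8080/hive", True, "abc"))
```
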
@dmigo
Contributor

dmigo commented Aug 31, 2017

Would it be considered as a useful feature for Superset, or is it still an open question?
For us it is the only difference with the main repository. I would definitely like to work on a PR.

@mistercrunch
Member

Yes. Do it!

@dmigo
Contributor

dmigo commented Oct 5, 2017

@luoruixing this should work now.
@mistercrunch this one may be closed.

@MihailGershkovich

We are just starting to use superset, and I hope I will be able to promote it in our company.
Probably my request is already resolved and I was just not able to find how to approach it, but in case it is not:

Sorry for another comment on a closed request, but do you plan to implement it for other DBMS as well? I'd like to see this feature for postgres, so that we can leverage features like access rights on tables, row and column level security or policies. It would be even nicer if something like "set role" would work.
Example: we limit the access to transactional data based on role membership (including inherited). Imagine, I belong to roles x, y, z and y is member of z. And we have a head of department y, and an analyst in department z, which belongs to y.
Then I can see transactional data and build statistics on all of them. However, if I want to share my dashboards with head of department y and analyst of department z, I will have to copy them over and set up connections or build filtered dashboards for them. Otherwise they would see too much info (they would have access to confidential information and receive wrong statistics).
Now imagine head of department y wants to see stats and data for department z (he is allowed to), thus he would have to worry about his filters, etc. or he would need to have access to another set of dashboards, instead of changing his roles.
BR

@Asturias-sam

What SQLAlchemy URI have you guys used for Presto to impersonate the logged-on user?
Currently only the user who has configured the datasource is able to query; for others it shows:

sqlalchemy.exc.OperationalError: (pyhive.exc.OperationalError) Unexpected status code 401
b'Access Denied: Invalid credentials'
[SQL: SHOW SCHEMAS]
(Background on this error at: http://sqlalche.me/e/e3q8)

From Presto side:
Password validation failed for user DN [superset@homeoffice.domain.com]: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839] ?
