[SIP-91] - Enable SSH Tunneling on Database Connections #21789
Comments
A few comments:

In (1.i.b) it would be nice to explain that you're planning to add a configuration flag to prevent users from connecting to databases in localhost. There are plenty of legit cases for that, so it should be off by default. It probably only makes sense to turn this on for multi-tenant Superset deployments (Preset, e.g.). Though I think this is outside the scope of this SIP, and you could leave it out.

For the table schema:

```python
class TunnelConfig(Schema):
    database_id: int  # fk
    ssh_server: str  # IP address
    ssh_username: str  # username for ssh
    ssh_password: str  # password
    remote_server_address: Tuple[str, int]  # (REMOTE_SERVER_IP, 443)
    ssh_pkey: Optional[str]
    ssh_private_key_password: Optional[str]
```

My suggestion for the schema would be:

```python
class SSHTunnelConfig(Schema):
    database_id: int
    server_host: str
    server_port: int
    username: str
    password: Optional[str]
    private_key: Optional[str]
    private_key_password: Optional[str]
    bind_host: str
    bind_port: int
```

This would map to the following SSH command:

```
ssh -p ${server_port} :${bind_host}:${bind_port} ${username}@${server_host}
```
@hughhhh Can we change the title to Enable SSH Tunneling on Database Connections? SSH Tunneling is a generic concept that may be applied in many parts of the application and this SIP is just one part. +1 to @betodealmeida's comments
This looks good with above comments. Thanks @hughhhh!
Agree with @betodealmeida on this. We should provide a "hook" that would allow folks to override the connection building on their own. If localhost access needs to be blocked, for instance, that logic would land in each custom manager's implementation. Ideally, we would follow a similar pattern as FAB's
@craig-rueda I'll make sure to build in a hook mechanism to allow devs to override the credentials in their ssh tunnel before generating their tunnel
Have we considered other alternatives without using ContextManager? For example, using the Current ContextManager implementation would still create a new SSH connection whenever a new db connection is created. The downstream code for DbEngineSpec will look much cleaner if you can hide that complexity within the DbEngineSpec itself.
Closing as approved, and updating the project board! Please continue to reference this issue in related PRs whenever relevant!
Motivation
Users are currently blocked on setting up ssh tunneling entirely through superset. This is causing us to lose potential users to leverage this product as their analytics tool.
Proposed Change
Describe how the feature will be implemented, or the problem will be solved. If possible, include mocks, screenshots, or screencasts (even if from different tools).
`@contextmanager` around `get_sqla_engine()`
`localhost`
1. checking for host names that resolve to [localhost](http://localhost) as well (library) (there will be a feature flag that will allow users to override this)
`server` object that `sshtunnel` package returns in the contextmanager `with` format
`Database` (fk: database_id) `TunnelConfig`
`TunnelConfig` table for a specific database
`encrypted_credentials.ssh_tunnel`
enable tunnel and deconstruct before returning
`sslmode=verify-ca` it will ignore the names in the certificates. `sslmode=verify-full` would fail in this case.
New or Changed Public Interfaces
Describe any new additions to the model, views or `REST` endpoints. Describe any changes to existing visualizations, dashboards and React components. Describe changes that affect the Superset CLI and how Superset is deployed.
I will be creating a new table named `ssh_tunnel_config`. This table will hold all the necessary information for the client to establish the connection to any Database living between the proxy.
`bind_host` + `bind_port` will be built based upon the information provided in the `sqlalchemy_uri`.
New dependencies
We'll be leveraging the `sshtunnel` pip package to help establish connections. https://pypi.org/project/sshtunnel/
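
The localhost restriction discussed in this thread (a flag, off by default, that also catches host names resolving to localhost), sketched as an added example; it is not code from the SIP or from Superset. `validate_tunnel`, `block_localhost`, `is_local_address` and the injectable `resolver` are hypothetical names, and applying the check to `server_host` is an assumption.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SSHTunnelConfig:  # field names from the schema suggested in the comments
    database_id: int
    server_host: str
    server_port: int
    username: str
    bind_host: str
    bind_port: int
    password: Optional[str] = None
    private_key: Optional[str] = None
    private_key_password: Optional[str] = None

def system_resolver(host: str) -> List[str]:
    """Every address (IPv4 and IPv6) the name resolves to on this machine."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_local_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:127.0.0.1
    return ip.is_loopback or ip.is_unspecified     # 127/8, ::1, 0.0.0.0, ::

def validate_tunnel(cfg, block_localhost=False, resolver=system_resolver) -> List[str]:
    """Return a list of problems; an empty list means the config is accepted."""
    errors = []
    if not cfg.password and not cfg.private_key:
        errors.append("password or private_key is required")
    if cfg.private_key_password and not cfg.private_key:
        errors.append("private_key_password given without private_key")
    for name in ("server_port", "bind_port"):
        if not 0 < getattr(cfg, name) < 65536:
            errors.append(f"{name} out of range")
    # Assumption: the flag guards server_host, the address the Superset host
    # itself dials. bind_host is resolved by the SSH server, not on this host.
    if block_localhost:
        try:
            addrs = resolver(cfg.server_host)
        except OSError:
            errors.append("server_host does not resolve")
        else:
            if any(is_local_address(a) for a in addrs):
                errors.append("server_host resolves to a local address")
    return errors
```

A check made when the config is saved does not bind later DNS lookups, so either hand the validated address to the tunnel or re-run the check when the tunnel is opened.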