feat: impersonate with email prefix #28770

Merged
merged 1 commit into from
May 30, 2024
betodealmeida
Member

SUMMARY

This PR adds a new feature flag, `IMPERSONATE_WITH_EMAIL_PREFIX`. When the flag is on (default is off), the user impersonation functionality will use the email prefix as the username, instead of the actual username.

This is useful for deployments using OAuth2 for login, where the username might be something like:

```sql
> SELECT username, email FROM ab_user;
google-oauth2|633391720998176487074, beto@example.org
```

With the feature flag on, the impersonation would use `beto` as the username passed to the database.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

TESTING INSTRUCTIONS

Added unit tests.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API
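
An added sketch (not code from this PR or from Superset) of the mapping the summary describes, plus a check an operator could run over `ab_user` rows before turning the flag on: because the prefix drops the domain, accounts whose emails share a local part would impersonate the same database user. The function names, the fallback to the login username when no email is present, and every sample row except the first are assumptions.

```python
from collections import defaultdict


def impersonation_username(username, email, use_email_prefix=False):
    """Name handed to the database for impersonation.

    use_email_prefix stands in for the IMPERSONATE_WITH_EMAIL_PREFIX flag.
    Assumption: with no usable email, the login username is kept.
    """
    if use_email_prefix and email and "@" in email:
        prefix = email.split("@", 1)[0]
        if prefix:
            return prefix
    return username


def prefix_collisions(users):
    """Group logins by the name they would impersonate with the flag on.

    Returns {database_name: [login usernames]} for every name shared by
    more than one account; those accounts would act as one database user.
    """
    by_name = defaultdict(list)
    for username, email in users:
        by_name[impersonation_username(username, email, True)].append(username)
    return {name: logins for name, logins in by_name.items() if len(logins) > 1}


# Rows in the shape of: SELECT username, email FROM ab_user
SAMPLE_USERS = [
    ("google-oauth2|633391720998176487074", "beto@example.org"),  # from the PR text
    ("google-oauth2|000000000000000000001", "beto@example.net"),  # constructed
    ("admin", "ops@example.org"),  # constructed
    ("svc-report", ""),  # constructed, account without an email
]

if __name__ == "__main__":
    for name, logins in prefix_collisions(SAMPLE_USERS).items():
        print(f"{name!r} would be shared by: {', '.join(logins)}")
```

An empty result from `prefix_collisions` means every account maps to a distinct database name under the flag.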

@dosubot dosubot bot added the authentication Related to authentication label May 29, 2024
@betodealmeida betodealmeida force-pushed the impersonate_email_prefix branch 3 times, most recently from 72c8198 to a552dce Compare May 29, 2024 22:39
@john-bodley
Member

@betodealmeida given this seems to be associated with OAuth, are there existing OAuth-related feature flags/configurations which could be leveraged?

Member

@eschutho eschutho left a comment

LGTM, but pending until @john-bodley's question is answered.

@betodealmeida
Member Author

> @betodealmeida given this seems to be associated with OAuth, are there existing OAuth-related feature flags/configurations which could be leveraged?

To clarify, the OAuth I mention here is for authentication, not authorization (#20300).

We could do something like:

```python
from flask_appbuilder.security.manager import AUTH_REMOTE_USER

if config.AUTH_TYPE == AUTH_REMOTE_USER:
    # use email prefix instead of username
    pass
```

But I'm not familiar with all types of OAuth login, so I'd rather not assume that's always true.

@betodealmeida betodealmeida merged commit 0070097 into master May 30, 2024
30 checks passed
EnxDev pushed a commit to EnxDev/superset that referenced this pull request May 31, 2024
eschutho pushed a commit that referenced this pull request Jun 5, 2024
Labels
authentication Related to authentication size/L
3 participants