Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Epic] Add connection impersonation to Redshift #38445

Closed
2 tasks done
luizarakaki opened this issue Feb 5, 2024 · 5 comments
Closed
2 tasks done

[Epic] Add connection impersonation to Redshift #38445

luizarakaki opened this issue Feb 5, 2024 · 5 comments
Assignees
@iethree @noahmoss
Labels
Administration/Impersonation Role level security Database/Redshift .Epic Feature Implementation or Project .Team/AdminWebapp Admin and Webapp team Type:New Feature
Milestone
0.49

Comments

@luizarakaki
Copy link
Contributor

luizarakaki commented Feb 5, 2024
edited by calherries
Loading

We support connection impersonation for Snowflake and Postgres. We can extend support to Redshift too.

It behaves slightly differently from Postgres as it uses SET SESSION AUTHORIZATION and passes usernames instead of roles.

Product doc

Tasks
Beta Give feedback
@luizarakaki luizarakaki added the .Epic Feature Implementation or Project label Feb 6, 2024
This was referenced Feb 7, 2024
Merged
Closed
@iethree iethree mentioned this issue Feb 7, 2024
Merged
1 task
@noahmoss noahmoss added this to the 0.49 milestone Feb 8, 2024
@marcoquerque
Copy link

marcoquerque commented Feb 9, 2024
edited
Loading

In general, what are your thoughts on requiring the redshift user in the metabase connection be a super user to use this?

@luizarakaki
Copy link
Contributor Author

luizarakaki commented Feb 9, 2024
edited
Loading

Redshift connection impersonation uses SET SESSION AUTHORIZATION.
https://docs.aws.amazon.com/redshift/latest/dg/r_SET_SESSION_AUTHORIZATION.html

To run this command, the connection must use superuser

@marcoquerque
Copy link

And what is our general thoughts on the metabase redshift user being a superuser? are we concerned from a security perspective - can we confidently say every query will use this?

@luizarakaki
Copy link
Contributor Author

Queries from users in groups with impersonated connection, yes. But admins are never impersonated, so at least queries run by admin won't use this.

@calherries
Copy link
Contributor

Pretty sure this is closed by #38530, so I'm closing this to get it into the release notes. Please yell at me if not

@luizarakaki luizarakaki changed the title Add connection impersonation to Redshift [Epic] Add connection impersonation to Redshift Feb 14, 2024
@paoliniluis paoliniluis mentioned this issue Feb 15, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iethree iethree

@noahmoss noahmoss

Labels
Administration/Impersonation Role level security Database/Redshift .Epic Feature Implementation or Project .Team/AdminWebapp Admin and Webapp team Type:New Feature
Projects
None yet
Milestone
0.49
Development

No branches or pull requests
5 participants
@marcoquerque @iethree @luizarakaki @noahmoss @calherries