-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Card data cache in NGINX #3966
Comments
Hello guys from #1666 😈 |
Guys, I've made a complete solution. For remove cache when card is edited we can use lua:
The code in the first message has updated. It's complete solution for caching cards now. I don't need any headers from Metabase. Thanks for watching :) |
@anki-code Just be aware you might be leaking cached data, e.x. I like the idea of using an HTTP cache, as long as we could figure out the authentication issue. It might be possible with some careful combination of HTTP cache headers. |
@tlrobinson I'm not clearly understand about "leaking". Could you please give me more details? If you want to say that unauthorize requests to /api/card/*/query can replace the cache to wrong data — it's not. Because |
@anki-code Metabase's authentication/authorization checks won't be run for cached requests because it will be served directly from nginx, so an unauthenticated user could just try brute force every card's URL until they find ones that are cached. Try running loading a card in Metabase (to ensure it's cached) then run the same request (using curl or another http client) with the
As you can see I was able to get the cached data without being authenticated with a |
It seems it's possible to have an intermediate HTTP proxy cache a response but still validate the request is authorized by sending it to the origin server.
Basically This would require changes to Metabase itself. |
Another solution: Metabase and Proxy have a secret key and crypt the user group id and save to user cookie. When user opens the dashboard then Proxy decrypt cookie and set Pros: don't need additional request to Metabase server But this solution require changes to Metabase too. Yep, you're right. The solution above works for me only in private network. |
We'd want to keep all authentication/authorization logic in Metabase itself, especially as we add new permissions features like the upcoming collections. It would be preferable if the proxy didn't require special configuration. Proxying the request through to the backend won't add much latency since the nginx and Metabase will likely be on the same server/network. |
In certain cases, it could be enough to just check the JWT auth tokens already in the request (at least for google authenticated users, not sure if present for others) directly in nginx: https://github.com/auth0/nginx-jwt You can also make nginx do a seperate request to the backend with all the request headers intact which then expects a 200 or 304 response for access granted/denied. The request can then be served from cache, sent to another backend service etc. This way metabase would only need to check the current users permissions and leave response serving to nginx. See: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html Possibly could be combined well with @tlrobinson's answer. I have a little bit of experience with this, let me know if I could help. |
@tlrobinson, in response to #3966 (comment), if you test against the amendment to @anki-code's configuation given in response to your query on Stackoverflow, there will be no leakage. Each applicable request will be authenticated first before the request is served ... whether from cache or not as per standard Nginx configuration. |
For v.0.24.0
|
closing since we have a cache now and it works inside MB rather than via nginx. |
Hi guys! Thank you for great product!
I have many cards which have a data on yesterday and earlier. I try to found the way to cache cards data once a day and I've found the one — using NGINX reverse proxy cache as frontend for Metabase.
Warning! It's solution have security issue. Read posts below.
It works perfect — all cards data will cache and charts are loaded fast like crazy.
⬇️ Please click "like" instead of "+1" comment
The text was updated successfully, but these errors were encountered: