dacort / metabase-athena-driver

An Amazon Athena driver for Metabase 0.32 and later
Apache License 2.0
225 stars 32 forks

Have multiple sets of permissions using different roles #117

Closed juliansteger-sc closed 1 year ago

juliansteger-sc commented 1 year ago

We would like to grant different user groups access to different tables, but at the same time want them to be able to use native SQL queries.

This is not possible with one role as users can query any table via native SQL that's allowed via the role, independent of MB permissions.

Is it possible to create a second Athena connection, using or 'assuming' a different role? I guess we could use IAM users, but then we would have to manage static secrets.

Thanks

dacort commented 1 year ago

How are you running Metabase today? If it's just on something like ECS, then I don't think there would be a way to associate another IAM role. If you're running on EC2, you could potentially use PropertiesFileCredentialsProvider or ProfileCredentialsProvider, but you'd still have to maintain credentials on the instance itself.

The JDBC configuration guide on the Athena docs (https://docs.aws.amazon.com/athena/latest/ug/connect-with-jdbc.html) has more details.

juliansteger-sc commented 1 year ago

Thanks @dacort. Yes, we are running on ECS. Maybe there could be a way to specify another role for the connection, which would then need to be assumed whenever a call is made via this connection? Not sure if this is technically feasible.

For now we will go with a technical IAM user; with appropriate use of the aws:CalledVia and aws:SourceVpce context keys this should be quite safe and only be usable from within the VPC. The only issue we faced is that when setting up a second Athena connection we are receiving an error:

`PreparedStatement stmt2541324561 was not found in WorkGroup [...]`

This turned out to be caused by our policy:

```json
{
    "Sid": "Athena",
    "Effect": "Allow",
    "Action": [
        "athena:StopQueryExecution",
        "athena:StartQueryExecution",
        "athena:ListQueryExecutions",
        "athena:ListNamedQueries",
        "athena:GetWorkGroup",
        "athena:GetQueryResultsStream",
        "athena:GetQueryResults",
        "athena:GetQueryExecution",
        "athena:GetNamedQuery",
        "athena:BatchGetQueryExecution",
        "athena:BatchGetNamedQuery",
        "athena:ListWorkGroups",
        "athena:ListTagsForResource",
        "athena:ListTableMetadata",
        "athena:ListDatabases",
        "athena:ListDataCatalogs",
        "athena:GetPreparedStatement",
        "athena:DeletePreparedStatement",
        "athena:CreatePreparedStatement"
    ],
    "Resource": "arn:aws:athena:eu-central-1:123456789111:workgroup/our-workgroup-name",
    "Condition": {
        "StringEquals": {
            "aws:SourceVpc": [
                "vpc-99djeudef2f1d0341"
            ]
        }
    }
}
```

When moving the PreparedStatement actions out and removing the aws:SourceVpc condition, it worked, so it seems those actions are not compatible with aws:SourceVpc(e). Not sure why though; there's no limitation mentioned in the AWS docs.
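As an added example (not code from the thread or the driver project), here is a constructed policy in the shape of the workaround just described, with the PreparedStatement actions split into their own statement without the VPC condition, plus a small check that reports which Allow actions are left without any network-origin condition key. The ARN, VPC id and the reduced action list are placeholders, not values from the issue.

```python
# Constructed policy document reproducing the workaround described above:
# the PreparedStatement actions moved into their own statement with no
# aws:SourceVpc condition. Account id, workgroup and VPC id are placeholders.
WORKGROUP = "arn:aws:athena:eu-central-1:123456789012:workgroup/example-workgroup"
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Athena",
            "Effect": "Allow",
            "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                       "athena:GetQueryResults", "athena:GetWorkGroup"],
            "Resource": WORKGROUP,
            "Condition": {"StringEquals": {"aws:SourceVpc": ["vpc-0example"]}},
        },
        {
            "Sid": "AthenaPreparedStatements",
            "Effect": "Allow",
            "Action": ["athena:GetPreparedStatement", "athena:CreatePreparedStatement",
                       "athena:DeletePreparedStatement"],
            "Resource": WORKGROUP,
        },
    ],
}

# Condition keys that pin a call to a network origin.
NETWORK_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp", "aws:CalledVia"}


def unconditioned_actions(policy: dict) -> set[str]:
    """Return Allow actions not guarded by any network-origin condition key."""
    found: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # Condition is {operator: {key: value}}; collect every key in use.
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if keys & NETWORK_KEYS:
            continue
        actions = stmt.get("Action", [])
        found.update([actions] if isinstance(actions, str) else actions)
    return found


if __name__ == "__main__":
    for action in sorted(unconditioned_actions(WORKAROUND_POLICY)):
        print("allowed from any network origin:", action)
```

Running the check against the policy above lists exactly the three PreparedStatement actions, which is the residual exposure the workaround introduces and worth recording in the review of that IAM user.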

dacort commented 1 year ago

Closing as part of cleanup now that Athena is officially supported by Metabase. Any future issues can be asked about on their forum or with a detailed bug report.