owid / owid-datasette

An experiment of publishing articles and variable metadata as a datasette instance

Enable auth in Datasette #6

Open marcelgerber opened 1 year ago

marcelgerber commented 1 year ago

Just opening this issue as a way to keep track of what I just found, in a search through the Datasette plugin page:

We probably want to enable auth soon, so we can sync data tables like pageviews over without exposing them. For this, these three plugins sound super useful:

Gauravjadhav22 commented 1 year ago

I want to work on this. Kindly assign me.

marcelgerber commented 1 year ago

Hi @Gauravjadhav22, you're welcome to work on this issue, of course. You should be able to pretty easily get our Datasette instance up & running using Docker. Something like this should work:

git clone https://github.com/owid/owid-datasette
cd owid-datasette
docker compose up

Then, you can access the local datasette instance on http://localhost:8001.

danyx23 commented 1 year ago

Thank you @marcelgerber for looking into these! I agree that it will be good to add auth - but I think it would be better to add a datasette instance that is entirely private in addition to one that is entirely open but with limited content. The reason for this is that I think some features like arbitrary SQL are very valuable (e.g. to create more complex queries that are used in an observable notebook) but they seem to be incompatible with auth in datasette (i.e. you can blacklist certain tables if you don't allow arbitrary sql but that limits what it can be used for).

I think just adding another instance that is protected and has full content is easier and the running costs are very low (or 0 if we run on foundation). The main question is if we want to put it in a DO app and use the github auth plugin as you describe or if we should just put it on foundation and reach it via tailscale without auth. Do you have preferences?

marcelgerber commented 1 year ago

Ah right, I see. I thought Datasette would maybe be doing some pretty advanced stuff, where arbitrary SQL would still be possible, but only with a limited set of tables.

It looks like it's possible to have multiple databases, and have access control (and arbitrary SQL) for one but not the other. So that could indeed be an option to evaluate.

In terms of Tailscale vs GH, I actually prefer GH a bit because we would then be able to store queries in our accounts, which sounds very nice.
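The multiple-database option mentioned in the last comment, sketched as an added example that is not part of the original thread or the project's configuration. It assumes Datasette 0.x-style `metadata.yml`, the `datasette-auth-github` plugin as the GitHub auth plugin, and placeholder names (`public`, `private`, `example-org`, and the two environment variables).

```yaml
# metadata.yml (constructed example; all names below are placeholders)
# Assumed start command: datasette public.db private.db -m metadata.yml

plugins:
  datasette-auth-github:
    # OAuth app credentials are read from the environment, not stored in the file.
    client_id:
      $env: GITHUB_CLIENT_ID
    client_secret:
      $env: GITHUB_CLIENT_SECRET
    # Record membership of this organization on the signed-in actor as gh_orgs.
    load_orgs:
      - example-org

databases:
  # Limited content, entirely open. No allow / allow_sql keys are set, so
  # Datasette's defaults apply: anonymous browsing and arbitrary SQL.
  # Anything placed in this file is readable through arbitrary SQL, so
  # sensitive tables must not be synced into it at all.
  public:
    description: Open subset with arbitrary SQL enabled

  # Full content (for example pageviews). Both viewing and arbitrary SQL
  # are limited to signed-in members of the organization.
  private:
    description: Full content, organization members only
    allow:
      gh_orgs: example-org
    # Set explicitly so SQL access does not depend on defaults.
    allow_sql:
      gh_orgs: example-org
```

With this layout an anonymous request for the `private` database should be denied while `public` stays reachable; checking both after every deploy catches a metadata file that was not loaded.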