Closed rico-elb closed 2 months ago
This is a very reasonable request. Usually, this is solved by setting the session user connection property.
I started looking into this. There's some support for it in Grafana: https://grafana.com/developers/plugin-tools/create-a-plugin/extend-a-plugin/add-authentication-for-data-source-plugins#forward-oauth-identity-for-the-logged-in-user
What we need to figure out is if we can access these headers when opening up a connection, to set the session user, instead of later, when executing queries.
Hello Everyone,
Some context

As a user of Starburst, we need to be able to impersonate Grafana's connected users to execute requests on Starburst, because we apply access policies with Ranger on Starburst and want to be able to apply the right access of the user who is connected to Grafana. We don't want to use a generic service account, as we can't figure out who exactly performs the request, and we need that information for two reasons:
For now, the user configured in the Grafana Data Source configuration is the one that performs the request on Starburst.
So, what we are looking for:
Some search on what could be done (maybe) to achieve that

Unfortunately, I don't have sufficient knowledge to do the dev myself for this. That's why I come here...
But here are the things I think need to be done/implemented (even if I don't know exactly where):
constructor(....) {
  this.impersonationNeeded = instanceSettings.jsonData.impersonationNeeded || false;
  this.connectedUser = instanceSettings.username;
}
doRequest(options: any) {
  options.headers = options.headers || {};
}
db.Query("SELECT * FROM foobar WHERE id=?", 1, sql.Named("X-Trino-User", string()))
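An added example, not part of the original post or of the plugin's code: one way a Go backend could build the per-query `X-Trino-User` argument shown in the `db.Query` call above, failing closed when no logged-in user is available. The helper name `withImpersonation`, the `enabled` flag and the sample logins are assumptions; the login is assumed to come from the server-side authenticated request, not from a browser-set value.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// trinoUserHeader is the named argument used in the issue's db.Query call.
const trinoUserHeader = "X-Trino-User"

var errNoIdentity = errors.New("impersonation enabled but no authenticated user on request")

// withImpersonation (hypothetical helper) appends the per-query session user.
// login must come from the server-side authenticated request context, never
// from a value the browser can set.
func withImpersonation(enabled bool, login string, args ...any) ([]any, error) {
	if !enabled {
		return args, nil // queries run as the data source's configured user
	}
	login = strings.TrimSpace(login)
	if login == "" {
		// Fail closed: do not silently fall back to the service account,
		// or Ranger policies and audit would see the wrong principal.
		return nil, errNoIdentity
	}
	for _, r := range login {
		if unicode.IsControl(r) {
			// The value ends up in an HTTP header; reject CR/LF and friends.
			return nil, fmt.Errorf("login contains control character %q", r)
		}
	}
	out := append([]any{}, args...) // copy so the caller's slice is untouched
	return append(out, sql.Named(trinoUserHeader, login)), nil
}

func main() {
	// Constructed sample input: "alice" stands in for the logged-in Grafana user.
	args, err := withImpersonation(true, "alice", 1)
	fmt.Println(args, err)
	// The returned slice is what would be passed on: db.Query(query, args...)
	_, err = withImpersonation(true, "", 1)
	fmt.Println(err)
}
```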