trinodb / grafana-trino

The Trino datasource lets you query and visualize Trino data from within Grafana.
Apache License 2.0

Add Support for Per-Query-User-Information / Impersonation #257

Closed FabianScheidt closed 2 months ago

FabianScheidt commented 3 months ago

One of the awesome features in Trino is that the session user can be different from the authenticated user. This allows the authenticated user to impersonate other users.

This PR adds a setting that allows impersonating the current Grafana user, so we can use the same connection and dashboards for users with different permissions (similar to what we can do with Apache Superset). If enabled, the current user login will be passed as X-Trino-User.

Hope you find this useful and consider merging. I'm happy to make changes if needed.

Fixes #251

cla-bot[bot] commented 3 months ago

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

nineinchnick commented 3 months ago

@cla-bot check

cla-bot[bot] commented 3 months ago

The cla-bot has been summoned, and re-checked this pull request!

FabianScheidt commented 2 months ago

Seems like my CLA has been processed :)

@cla-bot check

cla-bot[bot] commented 2 months ago

The cla-bot has been summoned, and re-checked this pull request!

nineinchnick commented 2 months ago

I'll test this manually, merge this and do a new release somewhere over the weekend.

FabianScheidt commented 2 months ago

Oh, if you need a test setup, here's mine: It's the Example HTTP Connector with File-based access control. If you build a dashboard for the numbers table, admin should be able to see all contents. If you impersonate alice, she should only see even numbers.

example-http.properties

connector.name=example-http
metadata-uri=https://trino-http-example.s3.eu-central-1.amazonaws.com/example-metadata.json

access-control.properties

access-control.name=file
security.config-file=/etc/trino/rules.json

rules.json

{
  "tables": [
    {
      "user": "alice",
      "catalog": "example-http",
      "schema": "example",
      "table": "numbers",
      "privileges": ["SELECT"],
      "filter": "value % 2 = 0"
    },
    {
      "user": "alice",
      "privileges": ["SELECT"]
    },
    {
      "user": "admin",
      "privileges": ["SELECT"]
    }
  ],
  "impersonation": [
    {
      "original_role": "admin",
      "new_user": ".*",
      "allow": true
    }
  ]
}

nineinchnick commented 2 months ago

1.0.7 was just accepted by Grafana and published in their catalog, thanks again!
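
How the session user sent as X-Trino-User selects a row filter under the rules.json posted in the test setup above, as an added Go example that is not part of the pull request or the plugin's code. It assumes Trino's documented first-match, whole-string regex evaluation of table rules, models only the user, catalog, schema, table and filter fields (privileges and the impersonation rule are not evaluated), and uses Go's regexp in place of Java's; the user name bob is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Rules models only the table-rule fields of rules.json that this example evaluates.
type Rules struct {
	Tables []struct {
		User, Catalog, Schema, Table, Filter string
	}
}

// PageRules is the rules.json from the test setup above, whitespace compacted.
const PageRules = `{"tables":[
 {"user":"alice","catalog":"example-http","schema":"example","table":"numbers","privileges":["SELECT"],"filter":"value % 2 = 0"},
 {"user":"alice","privileges":["SELECT"]},{"user":"admin","privileges":["SELECT"]}],
 "impersonation":[{"original_role":"admin","new_user":".*","allow":true}]}`

// match: an omitted field matches anything; otherwise the regex must match all of s.
func match(pattern, s string) bool {
	return pattern == "" || regexp.MustCompile("^(?:"+pattern+")$").MatchString(s)
}

// RowFilter returns the row filter of the first table rule matching the session
// user and table (first match wins); matched is false when no rule applies.
func RowFilter(doc, user, catalog, schema, table string) (filter string, matched bool) {
	var r Rules
	if err := json.Unmarshal([]byte(doc), &r); err != nil {
		panic(err)
	}
	for _, t := range r.Tables {
		if match(t.User, user) && match(t.Catalog, catalog) && match(t.Schema, schema) && match(t.Table, table) {
			return t.Filter, true // later rules are never consulted
		}
	}
	return "", false // no rule matched: the query is denied
}

func main() {
	// Same connection, different session user: only the X-Trino-User value changes.
	for _, u := range []string{"admin", "alice", "bob"} {
		f, ok := RowFilter(PageRules, u, "example-http", "example", "numbers")
		fmt.Printf("session user %-5s matched=%-5v filter=%q\n", u, ok, f)
	}
}
```

Swapping the two alice rules makes her catch-all rule match first and drops the filter, so rule order is part of the policy. A Grafana login with no matching table rule, such as bob here, gets no access to the table rather than unfiltered access.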