Enable reading global profiler settings not only by admins and bots #17042
Comments
cc @TeddyCr as you've been working on global profiler config
Hello @mgorsk1 thanks for the detail, could you share a bit more about the below? I would love to understand this flow a bit better.
Sure, we enable our users to use OM profiling workflows themselves from within their personal Jupyter notebooks. In such a case they connect to the appropriate systems using their personal credentials and authenticate against the OM API using their personal JWT tokens.
Ok, I see what you mean. Let's take a look. I'll mark it as 1.6, but we'll try to tackle it for a minor 1.5.x release.
* fix: custom properties folder name in generation to match expected package name (i.e. customProperties -- uppercase P)
* fix: allow non admin/bot to read profiler global config with the right permission
* style: ran java linting
* fix: custom properties import casing
Is your feature request related to a problem? Please describe.
We have a feature on our platform where we enable users to execute profiling jobs themselves. We provide a curated workflow template, users update the table and schema name and execute ad-hoc jobs for their tables. This was working fine until we upgraded to OM 1.4.0.0, where #15889 was introduced. Now, regular users (not admins or bots) cannot execute profiling jobs as they get a 403 error on fetching the global profiler config.
Describe the solution you'd like
Requesting global profiler config (get /api/v1/system/settings/profilerConfiguration) is not restricted only to admins and bots. Proposed approaches: ProfilerConfig (or more generic SystemSettings) with operations create, edit, read like with other resources.
What's particularly interesting about the aforementioned implementation is that the authorizeAdminOrBot method is used only once throughout the whole OM service - in said endpoint.
Describe alternatives you've considered
Since we are grouping permissions using Teams/Groups (we have Teams A, B, C and we assign users to their respective teams, then we assign DatabaseSchema owner to a team. For example, schema transactions from Trino service is owned by team A and all members of team A can edit metadata in transactions schema tables) we considered extending functionality of OpenMetadata with scoped bot users (so we could create botX that would be a member of teamA - this bot would inherit permissions of the team but would be treated as bot) #15891.
Additional context
We follow the shift-left paradigm, so instead of running profiling jobs within OM Airflow, we instead allow users to do this with their personal credentials and on their own desired cadence. This is very important security-wise, as our OM instance service connections cannot use accounts (NPAs) that have access to actual data, so moving this responsibility to end users is our only way to get profiling data into OM.
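The resource-and-operations approach requested above, set against the admin-or-bot gate, as an added Python model; it is not OpenMetadata code and not part of the original issue. The names Principal, Rule, authorize and the teamA rule are assumptions made for illustration.

```python
# Added illustration: a minimal authorization model, not OpenMetadata code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    is_admin: bool = False
    is_bot: bool = False
    teams: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    resource: str          # e.g. "ProfilerConfig", the resource named in the issue
    operations: frozenset  # subset of {"create", "edit", "read"}
    teams: frozenset       # teams the rule grants access to


class Forbidden(Exception):
    """Stands in for the HTTP 403 the issue reports."""


def authorize_admin_or_bot(p):
    # Behaviour described in the issue: a role gate, nothing finer-grained.
    if not (p.is_admin or p.is_bot):
        raise Forbidden(f"{p.name} is neither admin nor bot")


def authorize(p, resource, operation, rules):
    # Requested behaviour: admins pass; everyone else, bots included,
    # needs a rule granting this operation on this resource to one of their teams.
    if p.is_admin:
        return
    for r in rules:
        if r.resource == resource and operation in r.operations and p.teams & r.teams:
            return
    raise Forbidden(f"{p.name} lacks {operation} on {resource}")


def allowed(check, *args):
    try:
        check(*args)
        return True
    except Forbidden:
        return False


# Constructed sample data: teamA may read the profiler config, nothing more.
RULES = [Rule("ProfilerConfig", frozenset({"read"}), frozenset({"teamA"}))]
alice = Principal("alice", teams=frozenset({"teamA"}))
bob = Principal("bob", teams=frozenset({"teamB"}))
ingestion_bot = Principal("ingestion-bot", is_bot=True)
```

In this model a bot without a matching rule is denied, so moving from the role gate to rules also means granting bots their read access explicitly.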