Closed Bug 1363523 Opened 8 years ago Closed 8 years ago

Create user in Redash for metrics insights API access

Categories

(Data Platform and Tools :: General, enhancement)

Product:
Data Platform and Tools
Component:
General
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: hcrince, Assigned: robotblake, NeedInfo)

Details

(Whiteboard: [DataOps])

Metric Insights (vendor for Mozilla Data Collective) requires an LDAP account to enable integration features with redash and metrics.mozilla.com The service will be executing a generic screen capture feature that will allow us to grab the embed links and produce a screenshot daily and update the tile view with the most up to date info - we need a service account/LDAP login for Metric Insights to execute against that.
How will this authentication flow work? Is it from Metric Insights to metrics.mozilla.com or from metrics.mozilla.com to Metric Insights? The direction in which this flows and whether MFA is required and how automated this is will help guide towards the proper solution here and what type of account is needed in which system.
If this is just a screen shot, can redash produce it and export it such that no login is needed?
HI :jeff,:jabba I reached out to MI team to get questions answered. What is the authentication workflow? MI -> Re:dash is the desired auth flow. Metric Insights will need to login to Redash with an LDAP account. MI will try and login to redash like a regular users with this account. can redash produce screenshot and export it such that no login is needed ? Comment from MI team : "Looking at the github source, Re:dash doesn't seem to have an embed API or an API method to create a screenshot. However, it might be possible to just use the public dashboard URL to embed the re:dash resource in MI via an iframe. We won't know for certain until we can test it out, however, as we've never used Re:dash and still know very little about it's functionality. " Let us know what your thoughts are. Thanks.
HI Jabba, Let me know if you need any more info from the MI support team. Thanks.
Flags: needinfo?(jdow)
Per IRC, the site where redash lives is http://sql.telemetry.mozilla.org/ and this site appears to just use Google Authentication. So my thought here is that we don't actually need an LDAP account for this to work, but either a generic google account that gets granted permission to log into this site, or a google account with @mozilla.com (if the permissions are restricted to just our org). My suggestion would be to try a generic free google account and get the permissions updated to allow that account to do the authentication to the re:dash site *or* work with the Gsuite team to get a non-ldap google account to do this auth flow. :jen - is this possible?
Flags: needinfo?(jdow) → needinfo?(jhayashi)
Assignee: infra → spatil
We have a test Google domain, can we test this out in our test domain? Once we figure out the minimum permissions they need in the test domain, I can duplicate this in prod.
Flags: needinfo?(jhayashi)
Requested Jen to provide generic google account.
Hi Shraddha - I created a google account (metricinsights@test.mozilla.com), but I don't see how you'll be able to authenticate to it because you'll need an LDAP account to authenticate successfully. If you do get an shared ldap account created to get pass authentication, that burns a license. Is there another alternative? I thought we created Oauth credentials for metricsinsight so you wouldn't need to log in?
HI, I tried creating a free google account to access "http://sql.telemetry.mozilla.org/" since the one Jen created mandates LDAP. I am still not able to authenticate free account to - http://sql.telemetry.mozilla.org/ for re:dash or metrics.mozilla.com Does this free account needs to be existing/added to both the applications for auth sake?
Flags: needinfo?(jdow)
Hi Jen, I reached out to Rob Miller who manages re:dash in order to understand the authentication. "if we have a mozilla.com address then it should be able to access STMO (re:dash) with that.To get access to STMO you'll need a full @mozilla.com address, one that works w LDAP. All mozilla.com addresses do work w LDAP.... those are equivalent. All @mozilla.com addresses have access to STMO " Now if we go back to the google account (metricinsights@test.mozilla.com) you set up, its missing the LDAP part. And i am not sure how to get that set or rather what is the process to do so? what about licensing part you mentioned?
Flags: needinfo?(jhayashi)
Hi Shraddha - You'll need to get approval from Security for the ldap account. Then the account will have to be created in the shared_access OU in LDAP. It will use a Google license, which I was hoping we could avoid.
Flags: needinfo?(jhayashi)
(In reply to Shraddha Patil [:Shraddha Patil] from comment #10) > Hi Jen, > > I reached out to Rob Miller who manages re:dash in order to understand the > authentication. > "if we have a mozilla.com address then it should be able to access STMO > (re:dash) with that.To get access to STMO you'll need a full @mozilla.com > address, one that works w LDAP. All mozilla.com addresses do work w LDAP.... > those are equivalent. All @mozilla.com addresses have access to STMO " > > Now if we go back to the google account (metricinsights@test.mozilla.com) > you set up, its missing the LDAP part. And i am not sure how to get that set > or rather what is the process to do so? what about licensing part you > mentioned? Is this something that can be changed to allow a non-@mozilla.com account?
Flags: needinfo?(jdow)
Status: NEW → ASSIGNED
Assignee: spatil → bimsland
Summary: Add LDAP User Metric Insights → Create user in Redash for metrics insights API access
Component: Infrastructure: LDAP → Telemetry Server
Product: Infrastructure & Operations → Webtools
QA Contact: jdow
Version: unspecified → other
Component: Telemetry Server → Redash (STMO)
Product: Webtools → Data Platform and Tools
Whiteboard: [SvcOps]
Version: other → unspecified
Whiteboard: [SvcOps] → [DataOps]
I'm trying to remember if this ended up being resolved by using an API key, I vaguely remember creating a user and handing off the key.
Flags: needinfo?(spatil)
Flags: needinfo?(jhayashi)
Hi - I believe this was setup with Josephine Tanumijaya and Grayson Stebbins from metricsinsights. We created the the API key under the tableau@mozilla.com account owned by the data team and enabled the Drive API.
Flags: needinfo?(jhayashi)
Adding Josephine so she can confirm it's working.
Flags: needinfo?(jtanumijaya)
Hi Blake & Jen, yes MDC can access re:dash and gdrive, it's still in development but both connections work. Thanks!
Flags: needinfo?(jtanumijaya)
Per Josephine's comment last, the user (our ask) is created and we have taken this further. Thank you for helping. Closing bug.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Per Josephine comments last, closing bug as our ask is fulfilled. Thank you for helping.
Status: RESOLVED → VERIFIED
Component: Redash (STMO) → General
You need to log in before you can comment on or make changes to this bug.