hughhhh opened a new issue, #21789: URL: https://github.com/apache/superset/issues/21789
*Please make sure you are familiar with the SIP process documented* (here)[https://github.com/apache/superset/issues/5602]. The SIP number should be the next number after the latest SIP listed [here](https://github.com/apache/superset/issues?q=is%3Aissue+label%3Asip). ## [SIP-\<number>] Proposal for <title> ### Motivation Users are currently blocked on setting up ssh tunneling entirely through superset. This is causing us to lose potential users to leverage this product as their analytics tool. ### Proposed Change Describe how the feature will be implemented, or the problem will be solved. If possible, include mocks, screenshots, or screencasts (even if from different tools). 1. wrap `@contextmanager` around `get_sqla_engine()` 1. @contextmanager logic for blocking `localhost` 1. Does the DB have ssh tunnel metadata associated with it (stored in a separate table or column)? If it has, create the tunnel binding on 127.0.0.1 and a random port, replace the host and port in the SQLAlchemy URI with 127.0.0.1 and the port that the ssh tunnel created. 2. If the DB has no ssh tunnel metadata, check the host of the SQL Alchemy URI. If it's localhost or some variation (127.0.0.1, ::1, 0:0:0:0:0:0:0:1, etc.) then block it (unless the config allows). 1. checking for host name for that resolve to [[localhost](http://localhost/)](http://localhost) as well (library) ```python @contextmanager def get_sqla_engine() # enable ssh # check if ssh tunnel enabled # true -> create tunnel with creds # false -> verify that user isn't connecting to localhost (under config flag) yield engine # tear down ssh ``` 2. Refactor all the places trying to create_engine to have new `with` format ```python with get_sqla_engine as engine: # use engine with ssh tunnel created ``` 3. Define schema that is needed for the client to properly SSH tunnel to a remote host ```python class TunnelConfig(Schema): database_id: int # fk ssh_server: str, # IP address ssh_username: str, # username for ssh ssh_password: str, # password remote_server_address: Tuple[str, int] # (REMOTE_SERVER_IP, 443) ssh_pkey: Optional[str], ssh_private_key_password: Optional[str] # can we use a socket file to define what workspace are allowed to connect # does the library handle creating socket files + what happens when the remote_bind_address ``` 1. Create table for TunnelConfig that mapped to `Database` (fk: database_id) 1. migration required and schema should match `TunnelConfig` 2. Create tunnel using information provided in the `TunnelConfig` table for a specific database ```python with sshtunnel.open_tunnel( # ... ) as server: ``` 3. Inside get_sqla_engine with ssh if current db has `encrypted_credentials.ssh_tunnel` enable tunnel and deconstruct before returning 1. if doing 2, we’d leave the connection open for this client 4. Managing SSL with ssh tunnel 1. if ssh tunnel is enabled + ssl we need allow the certificates to be ignored 2. For Postgres if you pass `sslmode=verify-ca` it will ignore the names in the certificates. `sslmode=verify-full` would fail in this case. ### New or Changed Public Interfaces Describe any new additions to the model, views or `REST` endpoints. Describe any changes to existing visualizations, dashboards and React components. Describe changes that affect the Superset CLI and how Superset is deployed. I will be creating a new table name `ssh_tunnel_config`. This table will hold all the necessary information for the client to establish the connection to any Database living between the proxy. ```python class TunnelConfig(Schema): database_id: int # fk ssh_server: str, # IP address ssh_username: str, # username for ssh ssh_password: str, # password remote_server_address: Tuple[str, int] # (REMOTE_SERVER_IP, 443) ssh_pkey: Optional[str], ssh_private_key_password: Optional[str] # can we use a socket file to define what workspace are allowed to connect # does the library handle creating socket files + what happens when the remote_bind_address ``` ### New dependencies Describe any `npm`/`PyPI` packages that are required. Are they actively maintained? What are their licenses? ### Migration Plan and Compatibility Describe any database migrations that are necessary, or updates to stored URLs. ### Rejected Alternatives Describe alternative approaches that were considered and rejected. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
