dosubot[bot] commented on issue #36592: URL: https://github.com/apache/superset/issues/36592#issuecomment-3646578531
This is a known and unresolved limitation in Superset: when using impersonation with ClickHouse, Superset only sets the username in the connection string, not the password. User passwords are stored hashed/encoded (e.g., scrypt) and cannot be decoded for use in the connection URL, so authentication fails if the database requires both username and password for each user. There is no secure, built-in workaround for this—manually setting the password works but is not scalable or secure. Superset maintainers recommend using a service account for database connections and managing access via Superset roles and permissions, since per-user database impersonation with password is not supported for ClickHouse. This issue is confirmed to be unresolved in the latest versions and discussed in detail in several issues, including [#17074](https://github.com/apache/superset/issues/17074), [#20455](https://github.com/apache/superset/issues/20455), [#28214](https://github.com/apache/superset/issues/28214), and [#36019](https://github.com/apache/superset/issues/36019).

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
