Impersonation with webapps#

By default, webapps require users to be authenticated. For more details and options, please see Public webapps.

It is essential to consider the security and permission aspects of impersonation while using webapps. You can refer to this documentation to learn more about these aspects.

Each time a user uses a webapp, the code is executed on behalf of a user, defined by the “Run backend as” parameter configured in the webapp settings, as illustrated in Figure 1. Therefore, the actions performed by the user are attributed to the user mentioned in the “Run backend as” parameter.

For example, if user U1 runs a webapp with the “Run backend as” parameter set to A1, the actions taken by U1 will be identified as actions taken by the user A1. If you need the actions being identified as actions taken by user U1, you must make an impersonation call.

Webapps can be accessed by any user with the necessary permissions, such as “Read dashboards” or “Read project content” after successfully logging in. You can refer to the Public webapps page if you require further information.

Impersonation usage#

Impersonation calls work on any web framework so that you can use your preferred web framework. Creating a simple webapp allows you to test, evaluate, and understand how impersonation works. When a job starts, Dataiku logs it. Then, you can observe impersonation by examining a Dataiku project’s interface and jobs section.

To test impersonation, you will create a web application that builds a dataset (i.e., starts a job). You can observe impersonation by examining a Dataiku project’s interface or the jobs section. To carry out this task, you will use the Dataiku TShirts project. To do so:

On the top left corner, click + New project > Learning projects > Dataiku TShirts.
On the top navigation bar, navigate to the </> > Webapp section.
Click on + New Webapp and select Code Webapp.
Select the library with which you want to build your webapp. For standard webapps, you can choose either Flask or FastAPI as backend framework. Examples are provided for both.

The webapp aims to build a dataset present in the project; for example, you will build the web_history_prepared dataset.

Implementation#

The code presented demonstrates how to access user information and retrieve their name. The button action will launch a build of a Dataset, using impersonation so that the Dataset build is done as the end-user.

HTML Code#

<h1>Impersonation Demo</h1>

<h2>Welcome: <span id="identified_user"></span></h2>

<div class="build_dataset">
    <form id="form-dataset" novalidate>
        <button type="button" class="main-blue-button" id="build-button">Build the dataset</button>
    </form>
</div>

Javascript code#

/*
 * For more information, refer to the "Javascript API" documentation:
 * https://doc.dataiku.com/dss/latest/api/js/index.html
 */

let buildButton = document.getElementById('build-button');
let identifiedUser = document.getElementById('identified_user')

buildButton.addEventListener('click', function (event) {
    datasetToBuild = "web_history_prepared"
    $.get(getWebAppBackendUrl("/build_dataset"), {datasetToBuild: datasetToBuild});
});

// When loading, get the user information
$.getJSON(getWebAppBackendUrl('/get_user_name'), function (data) {
    identifiedUser.textContent = data;
});

Backend code#

import dataiku
from flask import request, jsonify

import logging

logger = logging.getLogger(__name__)


# Example:
# As the Python webapp backend is a Flask app, refer to the Flask
# documentation for more information about how to adapt this
# example to your needs.
# From JavaScript, you can access the defined endpoints using
# getWebAppBackendUrl('get_user_name')

@app.route('/get_user_name')
def get_user_name():
    logger.info("In it")
    logger.info(request)
    # Get user information from the request
    headers = dict(request.headers)
    auth_info = dataiku.api_client().get_auth_info_from_browser_headers(headers)
    return (json.dumps(auth_info.get("associatedDSSUser")))

@app.route('/build_dataset')
def build_dataset():
    dataset = request.args.get('datasetToBuild')
    logger.info("Impersonation begins...")
    # Launch the build of a Dataset using impersonation.
    # This Dataset build will be done as the end-user.
    with dataiku.WebappImpersonationContext() as context:
        # Each time you need to do impersonation, you need to obtain a client.
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(dataset)
        outdataset.build()

    logger.info("Impersonation ends...")
    resp = jsonify(success=True)
    return resp

HTML Code#

<h1>Impersonation Demo</h1>

<h2>Welcome: <span id="identified_user"></span></h2>

<div class="build_dataset">
    <form id="form-dataset" novalidate>
        <button type="button" class="main-blue-button" id="build-button">Build the dataset</button>
    </form>
</div>

Javascript code#

/*
 * For more information, refer to the "Javascript API" documentation:
 * https://doc.dataiku.com/dss/latest/api/js/index.html
 */

let buildButton = document.getElementById('build-button');
let identifiedUser = document.getElementById('identified_user')

buildButton.addEventListener('click', function (event) {
    datasetToBuild = "web_history_prepared"
    $.get(getWebAppBackendUrl("/build_dataset"), {datasetToBuild: datasetToBuild});
});

// When loading, get the user information
$.getJSON(getWebAppBackendUrl('/get_user_name'), function (data) {
    identifiedUser.textContent = data;
});

Backend code#

import dataiku
from fastapi import Request
from fastapi.responses import JSONResponse

import logging

logger = logging.getLogger(__name__)


# Example:
# As the Python webapp backend is a FastAPI app, refer to the FastAPI
# documentation for more information about how to adapt this
# example to your needs.
# From JavaScript, you can access the defined endpoints using
# getWebAppBackendUrl('get_user_name')

@app.get("/get_user_name")
async def get_user_name(request: Request):
    logger.info("In it")
    logger.info(request)
    # Get user information from the request (can be done with impersonation)
    headers = dict(request.headers)
    auth_info = dataiku.api_client().get_auth_info_from_browser_headers(headers)
    return JSONResponse(content=auth_info.get("associatedDSSUser"))

@app.get("/build_dataset")
async def build_dataset(datasetToBuild: str):
    logger.info("Impersonation begins...")
    # Launch the build of a Dataset using impersonation.
    # This Dataset build will be done as the end-user.
    with dataiku.WebappImpersonationContext() as context:
        # Each time you need to do impersonation, you need to obtain a client.
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(datasetToBuild)
        outdataset.build()

    logger.info("Impersonation ends...")
    return JSONResponse(content={"success": True})

Dash code#

from dash import html, Input, Output
from dash.exceptions import PreventUpdate
from flask import request
import logging
import dataiku

logger = logging.getLogger(__name__)

dataset_to_build = "web_history_prepared"

# build your Dash app
app.layout = html.Div([
    html.H1("Impersonation Demo", style={'text-align': 'center'}),
    html.H3([
        html.Span("Welcome: "),
        html.Span(id="identified_user")
    ]),
    html.Button('Build the dataset', id='submit-val', n_clicks=0)
])


@app.callback(
    Output('identified_user', 'children'),
    Input('identified_user', 'children')
)
def load_user_credentials(children):
    if children:
        raise PreventUpdate
    else:
        # Get user info from request (can be done with impersonation)
        request_headers = dict(request.headers)
        auth_info = dataiku.api_client().get_auth_info_from_browser_headers(request_headers)
        return auth_info.get("associatedDSSUser")

@app.callback(
    Output('submit-val', 'n_clicks'),
    Input('submit-val', 'n_clicks'),
    prevent_initial_call=True
)
def update_output(n_clicks):
    logger.info("Impersonation begins...")
    # Launch the build of a Dataset using impersonation.
    # This Dataset build will be done as the end-user.
    with dataiku.WebappImpersonationContext() as context:
        # Each time your need to do impersonation, you need to obtain a client.
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(dataset_to_build)
        outdataset.build()

    logger.info("Impersonation ends...")
    raise PreventUpdate

Bokeh code#

import dataiku

from functools import partial

from bokeh.io import curdoc
from bokeh.models import Div, Button
from bokeh.layouts import layout
from dataiku.webapps.run_bokeh import get_session_headers

import logging

logger = logging.getLogger(__name__)

dataset_to_build = "web_history_prepared"


def build_dataset(dataset):
    logger.info('impersonation')
    with dataiku.WebappImpersonationContext() as ctx:
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(dataset)
        outdataset.build()


def application():
    title = Div(text="""<h1>Impersonation Demo</h1>""")

    # Get user form http request (can be done with user impersonation)
    headers = get_session_headers(curdoc().session_context.id)
    auth_info = dataiku.api_client().get_auth_info_from_browser_headers(headers)
    user = auth_info.get('associatedDSSUser')
    subtitle = Div(text=f"""<h2>Welcome: <span id="identified_user">{user}</span></h2>""")

    button = Button(label="Build the dataset")
    button.on_event('button_click', partial(build_dataset, dataset=dataset_to_build))

    app = layout([title, subtitle, button])
    curdoc().add_root(app)

    curdoc().title = "Impersonation"


application()

Streamlit code#

# tested with Streamlit 1.50.0
import streamlit as st

import dataiku
import logging

logger = logging.getLogger(__name__)

dataset_to_build = "web_history_prepared"


def build_dataset(dataset):
    # Launch the build of a Dataset using impersonation.
    # This Dataset build will be done as the end-user.
    with dataiku.WebappImpersonationContext() as context:
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(dataset_to_build)
        outdataset.build()

st.title('Impersonation Demo')
request_headers = dict(st.context.headers)
auth_info = dataiku.api_client().get_auth_info_from_browser_headers(request_headers)
st.subheader(f"Welcome: {auth_info.get('authIdentifier')}")

st.button("Build the dataset", on_click=build_dataset, args=[dataset_to_build])

Wrapping Up#

Congratulations! You know how to use and implement impersonation for web applications. Permissions and impersonation are critical points for web application security.