Impersonation with webapps#

Concepts#

Webapps can be accessed by any user with the necessary permissions, such as “Read dashboards” or “Read project content” after successfully logging in. You can refer to the Public webapps page if you require further information.

Each time a user uses a webapp, the code is executed on behalf of a user, defined by the “Run backend as” parameter configured in the webapp settings, as illustrated in Figure 1. Therefore, the actions performed by the user are attributed to the user mentioned in the “Run backend as” parameter.

For example, if user U1 runs a webapp with the “Run backend as” parameter set to A1, the actions taken by U1 will be identified as actions taken by the user A1. If you need the actions being identified as actions taken by user U1, you must make an impersonation call.

It is essential to consider the security and permission aspects of impersonation while using webapps. You can refer to this documentation to learn more about these aspects.

Impersonation usage#

Impersonation calls work on any web framework so that you can use your preferred web framework. Creating a simple webapp allows you to test, evaluate, and understand how impersonation works. When a job starts, Dataiku logs it. Then, you can observe impersonation by examining a Dataiku project’s interface and jobs section.

To test impersonation, you will create a web application that builds a dataset (i.e., starts a job). You can observe impersonation by examining a Dataiku project’s interface or the jobs section. To carry out this task, you will use the Dataiku TShirts project. To do so:

On the top left corner, click + New project > Sample project > Dataiku TShirts.
On the top navigation bar, navigate to the </> > Webapp section.
Click on + New Webapp and select Code Webapp.
Select the library with which you want to build your webapp.

The webapp aims to build a dataset present in the project; for example, you will build the web_history_prepared dataset.

Implementation#

Codes presented show two ways of getting user information, but there is only one way to do impersonation. You can also get user information by using the impersonation mode.

HTML Code#

<h1>Impersonation Demo</h1>

<h2>Welcome: <span id="identified_user"></span></h2>

<div class="build_dataset">
    <form id="form-dataset" novalidate>
        <button type="button" class="main-blue-button" id="build-button">Build the dataset</button>
    </form>
</div>

Javascript code#

/*
 * For more information, refer to the "Javascript API" documentation:
 * https://doc.dataiku.com/dss/latest/api/js/index.html
 */

let buildButton = document.getElementById('build-button');
let identifiedUser = document.getElementById('identified_user')

buildButton.addEventListener('click', function (event) {
    datasetToBuild = "web_history_prepared"
    $.get(getWebAppBackendUrl("/buil_dataset"), {datasetToBuild: datasetToBuild});
});

// When loading, get the user information
$.getJSON(getWebAppBackendUrl('/get_user_name'), function (data) {
    identifiedUser.textContent = data;
});

Backend code#

import dataiku
import pandas as pd
from flask import request, jsonify

import logging

logger = logging.getLogger(__name__)


# Example:
# As the Python webapp backend is a Flask app, refer to the Flask
# documentation for more information about how to adapt this
# example to your needs.
# From JavaScript, you can access the defined endpoints using
# getWebAppBackendUrl('first_api_call')

@app.route('/get_user_name')
def get_user_name():
    logger.info("In it")
    logger.info(request)
    # Get user information from the request (can be done with impersonation)
    headers = dict(request.headers)
    auth_info = dataiku.api_client().get_auth_info_from_browser_headers(headers)
    return (json.dumps(auth_info.get("associatedDSSUser")))

    # Example of impersonation usage


#    with dataiku.WebappImpersonationContext() as ctx:
#        logger.info('impersonation')
#        # Using this context, your actions here will be impersonated.
#        client = dataiku.api_client()
#        user = client.get_own_user()
#        settings = user.get_settings()
#        logger.info(settings.get_raw())
#        return json.dumps(settings.get_raw().get('displayName'))


@app.route('/buil_dataset')
def build_dataset():
    dataset = request.args.get('datasetToBuild')
    logger.info("Impersonation begins...")
    with dataiku.WebappImpersonationContext() as context:
        # Each time your need to do impersonation, you need to obtain a client.
        # Dash cannot store objects that are not in JSON format.
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(dataset)
        outdataset.build()

    logger.info("Impersonation ends...")
    resp = jsonify(success=True)
    return resp

Dash code#

from dash import html, Input, Output
from dash.exceptions import PreventUpdate
from flask import request
import logging
import dataiku

logger = logging.getLogger(__name__)

dataset_to_build = "web_history_prepared"

# build your Dash app
app.layout = html.Div([
    html.H1("Impersonation Demo", style={'text-align': 'center'}),
    html.H3([
        html.Span("Welcome: "),
        html.Span(id="identified_user")
    ]),
    html.Button('Build the dataset', id='submit-val', n_clicks=0)
])


@app.callback(
    Output('identified_user', 'children'),
    Input('identified_user', 'children')
)
def load_user_credentials(children):
    if children:
        raise PreventUpdate
    else:
        # Get user info from request (can be done with impersonation)
        request_headers = dict(request.headers)
        auth_info = dataiku.api_client().get_auth_info_from_browser_headers(request_headers)
        return auth_info.get("associatedDSSUser")

        #    with dataiku.WebappImpersonationContext() as ctx:
        #        # Using this context, your actions here will be impersonated.
        #        client = dataiku.api_client()
        #        user = client.get_own_user()
        #        settings = user.get_settings()
        #        return settings.get_raw().get('displayName')


@app.callback(
    Output('submit-val', 'n_clicks'),
    Input('submit-val', 'n_clicks'),
    prevent_initial_call=True
)
def update_output(n_clicks):
    logger.info("Impersonation begins...")
    with dataiku.WebappImpersonationContext() as context:
        # Each time your need to do impersonation, you need to obtain a client.
        # Dash cannot store objects that are not in JSON format.
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(dataset_to_build)
        outdataset.build()

    logger.info("Impersonation ends...")
    raise PreventUpdate

Bokeh code#

import dataiku

from functools import partial

from bokeh.io import curdoc
from bokeh.models import Div, Button
from bokeh.layouts import layout
from dataiku.webapps.run_bokeh import get_session_headers

import logging

logger = logging.getLogger(__name__)

dataset_to_build = "web_history_prepared"


def build_dataset(dataset):
    logger.info('impersonation')
    with dataiku.WebappImpersonationContext() as ctx:
        local_client = dataiku.api_client()
        project = local_client.get_default_project()
        outdataset = project.get_dataset(dataset)
        outdataset.build()


def application():
    title = Div(text="""<h1>Impersonation Demo</h1>""")

    # Get user form http request (can be done with user impersonation)
    headers = get_session_headers(curdoc().session_context.id)
    auth_info = dataiku.api_client().get_auth_info_from_browser_headers(headers)
    user = auth_info.get('associatedDSSUser')
    subtitle = Div(text=f"""<h2>Welcome: <span id="identified_user">{user}</span></h2>""")

    button = Button(label="Build the dataset")
    button.on_event('button_click', partial(build_dataset, dataset=dataset_to_build))

    app = layout([title, subtitle, button])
    curdoc().add_root(app)

    curdoc().title = "Impersonation"


application()

Streamlit code#

import streamlit as st
import pandas as pd
import numpy as np
import altair as alt
import json

import dataiku
import logging

logger = logging.getLogger(__name__)

from streamlit.scriptrunner.script_run_context import get_script_run_ctx
from streamlit.server.server import Server

dataset_to_build = "web_history_prepared"


def get_headers():
    # Get headers
    session_id = get_script_run_ctx().session_id
    server = Server.get_current()
    session_info = server._get_session_info(session_id)
    if session_info.ws is None:
        # At first page load, this is None (at least until #4099 is fixed)
        st.markdown("Unable to get session websocket. Please refresh the page.")
        st.stop()
    headers = dict(session_info.ws.request.headers)
    logger.info(headers)
    return headers


def build_dataset(dataset):
    user = dataiku.api_client().get_user(auth_info.get('authIdentifier'))
    client_as_user = user.get_client_as()
    project = client_as_user.get_default_project()
    outdataset = project.get_dataset(dataset_to_build)
    outdataset.build()


st.title('Impersonation Demo')
request_headers = get_headers()
auth_info = dataiku.api_client().get_auth_info_from_browser_headers(request_headers)
st.subheader(f"Welcome: {auth_info.get('authIdentifier')}")

st.button("Build the dataset", on_click=build_dataset, args=[dataset_to_build])

Wrapping Up#

Congratulations! You know how to use and implement impersonation for web applications. Permissions and impersonation are critical points for web application security.