Puppet Class: profile::superset

Defined in:
modules/profile/manifests/superset.pp

Overview

secret_key

flask secret key

password_mapping

Hash of sqlalchemy URIs to passwords. This will be used for the SQLALCHEMY_CUSTOM_PASSWORD_STORE, to allow for passwords to external databases to be provided via configuration, rather than the web UI.

ldap_proxy_enabled

If true, an Apache HTTP proxy will be configured to authenticate users with WMF (labs) LDAP. Only users in the 'wmf' and 'nda' LDAP groups will be allowed to authenticate. This will configure superset with AUTH_TYPE = AUTH_REMOTE_USER, and the authenticated HTTP remote user will be used to log into superset.

statsd

statsd host:port

metadata_cache_uri

If set, this is used to configure the superset metadata cache. Multiple backends are available but only memcached is supported here.

data_cache_uri

If set, this is used to configure the superset data cache with the results of queries. Multiple backends are available but only memcached is supported here.

Parameters:

  • workers (Integer) (defaults to: lookup('profile::superset::workers', { 'default_value' => 1 }))
  • database_uri (String) (defaults to: lookup('profile::superset::database_uri', { 'default_value' => 'sqlite:////var/lib/superset/superset.db' }))
  • database_password (Optional[String]) (defaults to: lookup('profile::superset::database_password', { 'default_value' => undef }))
  • admin_user (String) (defaults to: lookup('profile::superset::admin_user', { 'default_value' => 'admin' }))
  • admin_password (String) (defaults to: lookup('profile::superset::admin_password', { 'default_value' => 'admin' }))
  • secret_key (String) (defaults to: lookup('profile::superset::secret_key', { 'default_value' => 'not_really_a_secret_key' }))
  • ldap_proxy_enabled (Boolean) (defaults to: lookup('profile::superset::ldap_proxy_enabled', { 'default_value' => false }))
  • statsd (Optional[String]) (defaults to: lookup('statsd', { 'default_value' => undef }))
  • gunicorn_app (String) (defaults to: lookup('profile::superset::gunicorn_app', { 'default_value' => 'superset.app:create_app()' }))
  • enable_cas (Boolean) (defaults to: lookup('profile::superset::enable_cas'))
  • metadata_cache_uri (Optional[String]) (defaults to: lookup('profile::superset::metadata_cache_uri', { 'default_value' => undef }))
  • data_cache_uri (Optional[String]) (defaults to: lookup('profile::superset::data_cache_uri', { 'default_value' => undef })) 


46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
 
# File 'modules/profile/manifests/superset.pp', line 46

class profile::superset(
    Integer $workers                     = lookup('profile::superset::workers', { 'default_value' => 1 }),
    String $database_uri                 = lookup('profile::superset::database_uri', { 'default_value' => 'sqlite:////var/lib/superset/superset.db' }),
    Optional[String] $database_password  = lookup('profile::superset::database_password', { 'default_value' => undef }),
    String $admin_user                   = lookup('profile::superset::admin_user', { 'default_value' => 'admin' }),
    String $admin_password               = lookup('profile::superset::admin_password', { 'default_value' => 'admin' }),
    String $secret_key                   = lookup('profile::superset::secret_key', { 'default_value' => 'not_really_a_secret_key' }),
    Boolean $ldap_proxy_enabled          = lookup('profile::superset::ldap_proxy_enabled', { 'default_value' => false }),
    Optional[String] $statsd             = lookup('statsd', { 'default_value' => undef }),
    String $gunicorn_app                 = lookup('profile::superset::gunicorn_app', { 'default_value' => 'superset.app:create_app()' }),
    Boolean $enable_cas                  = lookup('profile::superset::enable_cas'),
    Optional[String] $metadata_cache_uri = lookup('profile::superset::metadata_cache_uri', { 'default_value' => undef }),
    Optional[String] $data_cache_uri     = lookup('profile::superset::data_cache_uri', { 'default_value' => undef })
) {

    ensure_packages('libmariadb3')

    # If given $database_password, insert it into $database_uri.
    $full_database_uri = $database_password ? {
        undef   => $database_uri,
        default => regsubst($database_uri, '(\w+)://(\w*)@(.*)', "\\1://\\2:${database_password}@\\3")
    }

    if $ldap_proxy_enabled {
        # Include the Superset HTTP WMF LDAP auth proxy
        include ::profile::superset::proxy

        # Use AUTH_REMOTE_USER if we are using
        # LDAP authenticated HTTP proxy.
        $auth_type = 'AUTH_REMOTE_USER'
        # Allow authenticated users (via ldap) to auto register
        # for superset in the 'Alpha' role.
        $auth_settings = {
            'AUTH_USER_REGISTRATION'        => 'True',
            'AUTH_USER_REGISTRATION_ROLE'   => 'Alpha',
        }
    }
    else {
        $auth_type = undef
        $auth_settings = undef
    }

    if $::realm == 'production' {
        # Use MySQL research user to access mysql DBs.
        include ::passwords::mysql::research
        $password_mapping = {
            # MediaWiki analytics slave database.
            "mysql://${::passwords::mysql::research::user}@analytics-store.eqiad.wmnet" =>
                $::passwords::mysql::research::pass,
            # EventLogging mysql slave database.
            "mysql://${::passwords::mysql::research::user}@analytics-slave.eqiad.wmnet/log" =>
                $::passwords::mysql::research::pass,
            # new cluster, staging
            "mysql://${::passwords::mysql::research::user}@staging-db-analytics.eqiad.wmnet:3350/staging" =>
                $::passwords::mysql::research::pass,
            # new cluster, wikishared
            "mysql://${::passwords::mysql::research::user}@dbstore1005.eqiad.wmnet:3320/wikishared" =>
                $::passwords::mysql::research::pass,
        }
    }
    else {
        $password_mapping = undef
    }

    class { '::superset':
        workers            => $workers,
        worker_class       => 'gevent',
        database_uri       => $full_database_uri,
        secret_key         => $secret_key,
        admin_user         => $admin_user,
        admin_password     => $admin_password,
        auth_type          => $auth_type,
        auth_settings      => $auth_settings,
        password_mapping   => $password_mapping,
        statsd             => $statsd,
        gunicorn_app       => $gunicorn_app,
        enable_cas         => $enable_cas,
        metadata_cache_uri => $metadata_cache_uri,
        data_cache_uri     => $data_cache_uri,
    }

    monitoring::service { 'superset':
        description   => 'superset',
        check_command => "check_tcp!${::superset::port}",
        require       => Class['::superset'],
        contact_group => 'victorops-analytics',
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Analytics/Systems/Superset',
    }

    file { '/usr/local/bin/check_superset_http':
        ensure => present,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/superset/check_superset_http.sh',
    }


    if $enable_cas {
        $user_header = 'X-Cas-Uid'
    } else {
        $user_header = 'X-Remote-User'
    }

    nrpe::monitor_service { 'check_superset_http':
        nrpe_command  => "/usr/local/bin/check_superset_http ${user_header}",
        description   => 'Check that superset http server is responding ok',
        require       => File['/usr/local/bin/check_superset_http'],
        contact_group => 'victorops-analytics',
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Analytics/Systems/Superset',
    }
}