Puppet Class: profile::superset

Defined in:
modules/profile/manifests/superset.pp

Overview

secret_key

flask secret key

password_mapping

Hash of sqlalchemy URIs to passwords. This will be used for the SQLALCHEMY_CUSTOM_PASSWORD_STORE, to allow for passwords to external databases to be provided via configuration, rather than the web UI.

ldap_proxy_enabled

If true, an Apache HTTP proxy will be configured to authenticate users with WMF (labs) LDAP. Only users in the 'wmf' and 'nda' LDAP groups will be allowed to authenticate. This will configure superset with AUTH_TYPE = AUTH_REMOTE_USER, and the authenticated HTTP remote user will be used to log into superset.

statsd

statsd host:port

Parameters:

  • workers (Any) (defaults to: hiera('profile::superset::workers', 1))
  • database_uri (Any) (defaults to: hiera('profile::superset::database_uri', 'sqlite:////var/lib/superset/superset.db'))
  • database_password (Any) (defaults to: hiera('profile::superset::database_password', undef))
  • admin_user (Any) (defaults to: hiera('profile::superset::admin_user', 'admin'))
  • admin_password (Any) (defaults to: hiera('profile::superset::admin_password', 'admin'))
  • secret_key (Any) (defaults to: hiera('profile::superset::secret_key', 'not_really_a_secret_key'))
  • ldap_proxy_enabled (Any) (defaults to: hiera('profile::superset::ldap_proxy_enabled', false))
  • statsd (Any) (defaults to: hiera('statsd', undef))
  • presto_cluster (Any) (defaults to: hiera('profile::superset::presto_cluster', undef))
  • gunicorn_app (Any) (defaults to: lookup('profile::superset::gunicorn_app', { 'default_value' => 'superset.app:create_app()' }))
  • enable_cas (Boolean) (defaults to: lookup('profile::superset::enable_cas'))


38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
# File 'modules/profile/manifests/superset.pp', line 38

class profile::superset(
    $workers            = hiera('profile::superset::workers', 1),
    $database_uri       = hiera('profile::superset::database_uri', 'sqlite:////var/lib/superset/superset.db'),
    $database_password  = hiera('profile::superset::database_password', undef),
    $admin_user         = hiera('profile::superset::admin_user', 'admin'),
    $admin_password     = hiera('profile::superset::admin_password', 'admin'),
    $secret_key         = hiera('profile::superset::secret_key', 'not_really_a_secret_key'),
    $ldap_proxy_enabled = hiera('profile::superset::ldap_proxy_enabled', false),
    $statsd             = hiera('statsd', undef),
    $presto_cluster     = hiera('profile::superset::presto_cluster', undef),
    $gunicorn_app       = lookup('profile::superset::gunicorn_app', { 'default_value' => 'superset.app:create_app()' }),
    Boolean $enable_cas = lookup('profile::superset::enable_cas'),
) {

    require_package('libmariadb3')

    # If given $database_password, insert it into $database_uri.
    $full_database_uri = $database_password ? {
        undef   => $database_uri,
        default => regsubst($database_uri, '(\w+)://(\w*)@(.*)', "\\1://\\2:${database_password}@\\3")
    }

    if $ldap_proxy_enabled {
        # Include the Superset HTTP WMF LDAP auth proxy
        include ::profile::superset::proxy

        # Use AUTH_REMOTE_USER if we are using
        # LDAP authenticated HTTP proxy.
        $auth_type = 'AUTH_REMOTE_USER'
        # Allow authenticated users (via ldap) to auto register
        # for superset in the 'Alpha' role.
        $auth_settings = {
            'AUTH_USER_REGISTRATION'        => 'True',
            'AUTH_USER_REGISTRATION_ROLE'   => 'Alpha',
        }
    }
    else {
        $auth_type = undef
        $auth_settings = undef
    }

    if $::realm == 'production' {
        # Use MySQL research user to access mysql DBs.
        include ::passwords::mysql::research
        $password_mapping = {
            # MediaWiki analytics slave database.
            "mysql://${::passwords::mysql::research::user}@analytics-store.eqiad.wmnet" =>
                $::passwords::mysql::research::pass,
            # EventLogging mysql slave database.
            "mysql://${::passwords::mysql::research::user}@analytics-slave.eqiad.wmnet/log" =>
                $::passwords::mysql::research::pass,
            # new cluster, staging
            "mysql://${::passwords::mysql::research::user}@staging-db-analytics.eqiad.wmnet:3350/staging" =>
                $::passwords::mysql::research::pass,
            # new cluster, wikishared
            "mysql://${::passwords::mysql::research::user}@dbstore1005.eqiad.wmnet:3320/wikishared" =>
                $::passwords::mysql::research::pass,
        }

        if $presto_cluster {
            file { '/etc/superset/presto_ca':
                ensure => 'directory',
                owner  => 'root',
                group  => 'root',
                mode   => '0755',
            }
            file { '/etc/superset/presto_ca/ca.crt.pem':
                content => secret("certificates/presto_${presto_cluster}/root_ca/ca.crt.pem"),
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
                require => Class['::superset'],
            }
        }
    }
    else {
        $password_mapping = undef
    }

    class { '::superset':
        workers          => $workers,
        worker_class     => 'gevent',
        database_uri     => $full_database_uri,
        secret_key       => $secret_key,
        admin_user       => $admin_user,
        admin_password   => $admin_password,
        auth_type        => $auth_type,
        auth_settings    => $auth_settings,
        password_mapping => $password_mapping,
        statsd           => $statsd,
        gunicorn_app     => $gunicorn_app,
        enable_cas       => $enable_cas,
    }

    monitoring::service { 'superset':
        description   => 'superset',
        check_command => "check_tcp!${::superset::port}",
        require       => Class['::superset'],
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Analytics/Systems/Superset',
    }

}