Puppet Class: profile::superset

Defined in:

modules/profile/manifests/superset.pp

Overview

secret_key

flask secret key

password_mapping

Hash of sqlalchemy URIs to passwords. This will be used for the SQLALCHEMY_CUSTOM_PASSWORD_STORE, to allow for passwords to external databases to be provided via configuration, rather than the web UI.

ldap_proxy_enabled

If true, an Apache HTTP proxy will be configured to authenticate users with WMF (labs) LDAP. Only users in the 'wmf' and 'nda' LDAP groups will be allowed to authenticate. This will configure superset with AUTH_TYPE = AUTH_REMOTE_USER, and the authenticated HTTP remote user will be used to log into superset.

statsd

statsd host:port

Parameters:

• workers (Any) (defaults to: hiera('profile::superset::workers', 1))
• database_uri (Any) (defaults to: hiera('profile::superset::database_uri', 'sqlite:////var/lib/superset/superset.db'))
• database_password (Any) (defaults to: hiera('profile::superset::database_password', undef))
• admin_user (Any) (defaults to: hiera('profile::superset::admin_user', 'admin'))
• admin_password (Any) (defaults to: hiera('profile::superset::admin_password', 'admin'))
• secret_key (Any) (defaults to: hiera('profile::superset::secret_key', 'not_really_a_secret_key'))
• ldap_proxy_enabled (Any) (defaults to: hiera('profile::superset::ldap_proxy_enabled', false))
• statsd (Any) (defaults to: hiera('statsd', undef))
• presto_cluster (Any) (defaults to: hiera('profile::superset::presto_cluster', undef))
• gunicorn_app (Any) (defaults to: lookup('profile::superset::gunicorn_app', { 'default_value' => 'superset.app:create_app()' }))
• enable_cas (Boolean) (defaults to: lookup('profile::superset::enable_cas'))

# File 'modules/profile/manifests/superset.pp', line 38

class profile::superset(
    $workers            = hiera('profile::superset::workers', 1),
    $database_uri       = hiera('profile::superset::database_uri', 'sqlite:////var/lib/superset/superset.db'),
    $database_password  = hiera('profile::superset::database_password', undef),
    $admin_user         = hiera('profile::superset::admin_user', 'admin'),
    $admin_password     = hiera('profile::superset::admin_password', 'admin'),
    $secret_key         = hiera('profile::superset::secret_key', 'not_really_a_secret_key'),
    $ldap_proxy_enabled = hiera('profile::superset::ldap_proxy_enabled', false),
    $statsd             = hiera('statsd', undef),
    $presto_cluster     = hiera('profile::superset::presto_cluster', undef),
    $gunicorn_app       = lookup('profile::superset::gunicorn_app', { 'default_value' => 'superset.app:create_app()' }),
    Boolean $enable_cas = lookup('profile::superset::enable_cas'),
) {

    require_package('libmariadb3')

    # If given $database_password, insert it into $database_uri.
    $full_database_uri = $database_password ? {
        undef   => $database_uri,
        default => regsubst($database_uri, '(\w+)://(\w*)@(.*)', "\\1://\\2:${database_password}@\\3")
    }

    if $ldap_proxy_enabled {
        # Include the Superset HTTP WMF LDAP auth proxy
        include ::profile::superset::proxy

        # Use AUTH_REMOTE_USER if we are using
        # LDAP authenticated HTTP proxy.
        $auth_type = 'AUTH_REMOTE_USER'
        # Allow authenticated users (via ldap) to auto register
        # for superset in the 'Alpha' role.
        $auth_settings = {
            'AUTH_USER_REGISTRATION'        => 'True',
            'AUTH_USER_REGISTRATION_ROLE'   => 'Alpha',
        }
    }
    else {
        $auth_type = undef
        $auth_settings = undef
    }

    if $::realm == 'production' {
        # Use MySQL research user to access mysql DBs.
        include ::passwords::mysql::research
        $password_mapping = {
            # MediaWiki analytics slave database.
            "mysql://${::passwords::mysql::research::user}@analytics-store.eqiad.wmnet" =>
                $::passwords::mysql::research::pass,
            # EventLogging mysql slave database.
            "mysql://${::passwords::mysql::research::user}@analytics-slave.eqiad.wmnet/log" =>
                $::passwords::mysql::research::pass,
            # new cluster, staging
            "mysql://${::passwords::mysql::research::user}@staging-db-analytics.eqiad.wmnet:3350/staging" =>
                $::passwords::mysql::research::pass,
            # new cluster, wikishared
            "mysql://${::passwords::mysql::research::user}@dbstore1005.eqiad.wmnet:3320/wikishared" =>
                $::passwords::mysql::research::pass,
        }

        if $presto_cluster {
            file { '/etc/superset/presto_ca':
                ensure => 'directory',
                owner  => 'root',
                group  => 'root',
                mode   => '0755',
            }
            file { '/etc/superset/presto_ca/ca.crt.pem':
                content => secret("certificates/presto_${presto_cluster}/root_ca/ca.crt.pem"),
                owner   => 'root',
                group   => 'root',
                mode    => '0444',
                require => Class['::superset'],
            }
        }
    }
    else {
        $password_mapping = undef
    }

    class { '::superset':
        workers          => $workers,
        worker_class     => 'gevent',
        database_uri     => $full_database_uri,
        secret_key       => $secret_key,
        admin_user       => $admin_user,
        admin_password   => $admin_password,
        auth_type        => $auth_type,
        auth_settings    => $auth_settings,
        password_mapping => $password_mapping,
        statsd           => $statsd,
        gunicorn_app     => $gunicorn_app,
        enable_cas       => $enable_cas,
    }

    monitoring::service { 'superset':
        description   => 'superset',
        check_command => "check_tcp!${::superset::port}",
        require       => Class['::superset'],
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Analytics/Systems/Superset',
    }

}