brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6302fa0661b319a819b57c5a83202ec63766095c
oam/knowledge base/redash.md
Michele Cereda 6302fa0661 chore(kb/redash): dump authentication notes
2026-01-12 13:08:59 +01:00

6.2 KiB
Raw Blame History

Redash

TODO

Intro

  1. TL;DR
  2. Authentication
    1. Password
    2. Google OAuth
    3. LDAP or Active Directory
  3. API
  4. Further readings
    1. Sources

TL;DR

Settings are read by redash.settings from environment variables.
Most installations set them in /opt/redash/.env. Official container images require that .env file in the root directory.
Reference available variables from Environment Variables Settings.

Refer How to Upgrade when upgrading a self-hosted instance.

Updating dependencies (DB, redis cache) versions directly seems to work, but mind that they do require downtime.
Redash will temporarily lose connection to them during the update's downtime period, then properly connect back to them without issues once they are up again.

Authentication

Refer Authentication Settings.

Authentication options are configured through a mix of Environment variables and UI (under Settings > General).

Important

Only admins can view and change authentication settings.
Some authentication options will not appear in the UI until the corresponding environment variables have been set.

Redash uses the Password method by default.

Password

Redash authenticates users with their email address and password.

This is configured in the settings' Password Login section.
After one enables an alternative authentication method, they can disable login via password.

Redash stores the hashes of those user passwords that were created through its default password configuration.

Authenticating through SAML or Google Login for the first time creates a user record, but does not store a password hash.
This is called Just-in-Time (JIT) provisioning.
These users can only log-in through third-party authentication services.

When using Password Login and subsequently enable Google OAuth or SAML 2.0, it is possible for that user to log-in to Redash using a single email address but two passwords (their Google/SAML password, and their local Redash password).

Tip

Prefer disabling Password Login if users are expected to authenticate through third-party authentication services.

Google OAuth

Allow any user with a Google account from the designated domains to login to Redash.
If the user doesn't have an account yet, Redash will create one automatically.

To enable this method:

  1. Register the Redash instance with your Google organization by:
    1. Creating a developers project if one does not exist already, and following the Create Credentials flow in that case.
      The setup will give back a client id and a client secret. Note them down, as those will be used later.
    2. Setting the Authorized Redirect URLs to http(s)://${REDASH_BASEURL}/oauth/google_callback.
    3. Set the instance's REDASH_GOOGLE_CLIENT_ID and REDASH_GOOGLE_CLIENT_SECRET environment variables to the credentials given back by the setup step above.
    4. Restart the Redash instance.

Only visitors with an existing Redash account can sign-in using the Google Login flow.
As for the Password method, visitors without an account cannot login unless they receive an invitation from an admin.

Optionally configure Redash to allow any user from a specified domain to login by completing the Allowed Google Apps Domains box in Settings > General.
Redash will create an account automatically for them on first login, if one does not already exist.

LDAP or Active Directory

Refer LDAP/AD Authentication.

API

Refer API.

Prefer acting on them via getredash/redash-toolbelt.

Data sources 
GET /api/data_sources
GET /api/data_sources/42

POST /api/data_sources
{
  "name": "some data source",
  "type": "pg",
  "options": {
    "host": "db.fqdn",
    "port": 5432,
    "dbname": "postgres",
    "user": "postgres",
    "password": "someStr0ngPa$$w0rd",
  }
}

curl --request 'GET' --url 'https://redash.example.org/api/data_sources' --header 'Authorization: Key AA…99'

curl --request 'POST' --url 'https://redash.example.org/api/data_sources' --header 'Authorization: Key AA…99' \
  --data '{
    "name": "some data source",
    "type": "pg",
    "options": {
      "host": "db.fqdn",
      "port": 5432,
      "dbname": "postgres",
      "user": "postgres",
      "password": "someStr0ngPa$$w0rd",
    }
  }'

from redash_toolbelt import Redash
from requests import Response

data_source_name: str = 'some data source'
data_source_type: str = 'pg'
data_source_options: object = {
    host = 'db.fqdn',
    port = 5432,  # must be int
    dbname = 'postgres',
    user = 'postgres',
    password = 'someStr0ngPa$$w0rd',
}

response: Response = redash.create_data_source(data_source_name, data_source_type, data_source_options)

Further readings

Sources