Ability to generate public URLs for dashboards with fixed (and hidden) global parameters

Hi,

What an interesting discussion.

We really appreciate Redash's search and query capabilities.
I work for an environmental NGO and I use Redash to create dashboards related to physicochemical parameters of French Mediterranean lagoons (about 100) from 2010 to now.

I need to share my dashboard with 40 people, with only their own lagoons and ponds.
Actually I can’t do that because even if I can, as a connected user, set parameters using the dashboard widget, when I share the dashboard by URL, the final reader will see another result…

So I think this would be a great feature.
As the possibility to support parameters in embeds or shared dashboards!

1 Like

This puts the responsibility on the user, which in many cases might not be fully aware of the possible risks.

But regardless of the security aspect adding the option to validate the input content (along with some presets for common patterns) is a good idea.

Why not create them “proper” users instead of giving them shared dashboards? I would assume that you wouldn’t mind that they see data about the other ponds/lagoons, or would you?

In fact it is a “problem”, not a huge one but a problem. I agree they could connect to the server, choose the dashboard and filter, but it is not as easy to use as it could be and, by the way, they don’t really want to see all their data.
Another way would consist of using a “connected_user_email” parameter in the query tool so the data would be filtered.
Thanks for your attention and thanks for the work!

1 Like

Wanted to add a “+1” to this conversation and confirm that the scenario of selecting from set of predefined parameters would also work for our scenario: dashboards that are the same reports but varying by location, integrating the visualization into a product flow.

This ability would make Redash particularly suitable for those of us that want an unopinionated BI/Reporting system that we can use as a data visualization extension of our products.

However, we do not have quite as strong a security requirement. For us this is just a convenience method for presenting slices of public-ish data.

We could make either option 1 or option 2 work (i.e. we could make a call with a private key to generate a secure token that could be used in a “signature check of the parameter”, assuming that is what you meant). Proposal 2 sounds to me like S3 presigned URLs conceptually: https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html (which reminds me you could probably include an expiry timestamp if you want a concept of a “session duration”).

FWIW: I feel that, for many users, you could also make the case that it was appropriate due diligence from a security standpoint to just sanitize everything that comes in over the query string. This would protect the data source itself, and would just require the person generating the dashboard share string to have some understanding of the data. To deal with the original scenario of customers not seeing each other's data, the data itself could use a “crypto unique” or “unguessable” id space for the customer ids. Which I think is almost equivalent, because the proposals above still produce a URL that is “valid forever” (unless you add the timestamp). So maybe separate the concerns of SQL injection from the concerns of access authorization.

2 Likes

Hello everyone,

We are currently looking for the same kind of solution for our Redash.

Can you tell me if it is possible now or if there are other ideas we can try?

Thanks everyone!

In terms of alternatives: we just did a really thin API on the data in Python and created a web page to do charting. So not using Redash, but not too hard to set up either.

In terms of charting:

We have ended up using: http://jerairrest.github.io/react-chartjs-2/

But also were using this: https://nivo.rocks

I honestly prefer Nivo from a visualization standpoint.

Very interesting.

What is the status of this request?

Bump. I’d like to know if there’s been any movement here. I’m looking for a way to give date-range control within the shared dashboard. We’re embedding the dashboards within iframes inside our own portal, and the other limitations of shared dashboards (no ability to view query, etc.) are actually very useful.

My question is answered by the V8 announcements. This is implemented! Huzzah!

@jamesmcm does V8 Beta cut the mustard for you?

1 Like

Hi @arikfr @chrismerck

Any suggestion on how to implement the key aspect of this request posed by James:

to allow for a hidden/locked parameter to be embedded in the URL/token.

Use case:
We have 10 customers.
We have a SQL query where we filter customers so they only see their data…
We want to have a generic query and have the customer field be populated via a parameter so that we don't have duplicate queries for each customer.
We want to embed the same dashboard for all 10 customers.
We don't want the user to be able to change the customer field/parameter. Technically the customer parameter/field shouldn’t be visible to the user. But they can change other embedded parameters for the queries, such as the date.
Chart IO has a similar feature where they embed the customer-specific parameter in a JWT unique for each customer.

Respectfully,

1 Like
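The signed-parameter idea discussed in this thread (a server-side key signs the locked customer value together with an expiry, as with presigned URLs, while the viewer may still change the dates), shown as an added example that is not part of any post and is not Redash's own code. The key, the `start`/`end` parameter names and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import re
import time

SECRET = b"constructed-demo-key"     # assumption: kept server-side only
VIEWER_EDITABLE = {"start", "end"}   # hypothetical date parameters
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def issue_token(locked, ttl, now=None):
    """Sign the locked parameters together with an expiry timestamp."""
    now = time.time() if now is None else now
    claims = {"p": locked, "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload))

def resolve_params(token, query, now=None):
    """Return the values to bind into the query; raise ValueError on any failure."""
    now = time.time() if now is None else now
    body, sig = token.split(".")          # wrong shape raises ValueError
    payload = _unb64(body)
    if not hmac.compare_digest(_unb64(sig), _sign(payload)):
        raise ValueError("bad signature")
    claims = json.loads(payload)          # parsed only after the signature check
    if now >= claims["exp"]:
        raise ValueError("token expired")
    params = {}
    for name, value in query.items():
        if name not in VIEWER_EDITABLE:
            continue                      # drops any customer_id sent in the query string
        if not DATE_RE.fullmatch(value):
            raise ValueError("invalid value for " + name)
        params[name] = value
    params.update(claims["p"])            # locked values come only from the token
    return params
```

The returned dictionary is meant to be passed to the database driver as bound parameters, which keeps the injection concern separate from the authorization concern the token handles.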

This feature isn’t available yet. But the team is now actively developing it. Keep an eye on the announcements in the forum early next year for when this becomes available.

3 Likes

Hello
I have the same problem as barkev today. I would like to know if this feature is now available.

It is not available yet. We will announce on the forum when it is released.

Thank you. I look forward to it.

1 Like

@ds218 any idea when it is expected to be ready?

1 Like

The answer is the same as always. We will announce it on the forum when it’s ready :smile:

1 Like

Just checking in, is this feature available now?

This previous answer still holds :smile_cat:

1 Like