Allow Public Access to Embedded Visualizations with Parameters


#1

We have Redash running on an internal company network, and it’s only accessible from the offices or VPN. We’ve got about 2000 employees, and we want to embed parameterized visualizations on another internal web page to show metrics/details based on the page it’s on.

We’ve gotten everything working except that to see an embedded visualization, you must be logged in. I understand the risks associated with potential injection; however, this is an internal tool and queries are running against a read-only database.

Has anyone implemented something like this, or does anyone have ideas on how we could get around the login part? We technically can forward via proxy a header with each person’s email address quite easily… but I’m pretty sure remote login requires you actually click “login” before you can see anything, so it wouldn’t work on embeds unless everyone at the company went to Redash and logged in (we don’t want this).

Any help, suggestions or ideas are appreciated!


#2

Walked through Redash code to check for low-hanging fruit in your case, and settings/init.py has this part: view code

Haven’t tested it, but it seems this might be what you are looking for? Or at least in the right direction.


#3

Thanks for looking into it. That might be our best option. It still requires you click “remote login” and stuff before you can actually view anything though. I might try and edit the code for that to take place automatically.

Please let me know if anyone else has any ideas.


#4

Temporarily solved.

One option that worked was removing required login for embeds. In Query_results.py, the following lines were commented out:

if query is not None and query_result is not None and self.current_user.is_api_user():
    if query.query_hash != query_result.query_hash:
        abort(404, message='No cached result found for this query.')

This isn’t ideal, but it works as we are on an internal network, and we wanted to have “public” urls for internal use. ALSO important to realize, our visualizations are reading from a read-only database, so no worries about anyone malicious dropping tables or things. I made a few other minor code changes, so let me know if the above change by itself doesn’t work. Any thoughts anyone might have are appreciated.
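
Added example, not part of the original posts and not Redash code: a minimal Python model of what the check commented out in #4 enforces (a result is served to an API user only when its hash matches the saved query) and of a narrower alternative that keeps that binding for parameterized embeds. All names, the SHA-256 hash, the sample query and the parameter rule are assumptions for illustration, as is the premise that a parameterized result is hashed from the rendered query text.

```python
import hashlib
import re

# Constructed stand-ins; none of these names or values come from Redash.
SAVED_QUERY = "SELECT day, visits FROM page_metrics WHERE page_id = {{page_id}}"
PARAM_RULES = {"page_id": re.compile(r"[0-9]{1,9}")}  # allowlist per parameter


def query_hash(sql):
    """Hash of the query text (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(sql.encode("utf-8")).hexdigest()


def render(template, params):
    """Substitute parameters, rejecting any value outside the allowlist."""
    if set(params) != set(PARAM_RULES):
        raise ValueError("unexpected or missing parameter")
    sql = template
    for name, value in params.items():
        if not PARAM_RULES[name].fullmatch(value):
            raise ValueError("parameter %r failed validation" % name)
        sql = sql.replace("{{%s}}" % name, value)
    return sql


def original_check(template, result_hash):
    """The check quoted in #4: the result must hash to the saved query text."""
    return query_hash(template) == result_hash


def parameter_aware_check(template, params, result_hash):
    """Same binding, against the saved query rendered with validated parameters."""
    try:
        return query_hash(render(template, params)) == result_hash
    except ValueError:
        return False


# Constructed cached-result hashes for the demonstration.
RESULT_PAGE_42 = query_hash(render(SAVED_QUERY, {"page_id": "42"}))
UNRELATED_RESULT = query_hash("SELECT name FROM some_other_table")

if __name__ == "__main__":
    print(original_check(SAVED_QUERY, RESULT_PAGE_42))  # rendered text differs
    print(parameter_aware_check(SAVED_QUERY, {"page_id": "42"}, RESULT_PAGE_42))
    print(parameter_aware_check(SAVED_QUERY, {"page_id": "42"}, UNRELATED_RESULT))
    print(parameter_aware_check(SAVED_QUERY, {"page_id": "4x"}, RESULT_PAGE_42))
```

With the check removed outright, nothing in this model ties the returned result to the query the embed was issued for; the parameter-aware variant keeps that tie while still letting the rendered query through.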