Schema mapping with Redshift column level security

Hey there,

Our team has been using Redash internally for awhile now. Thank you for the awesome product.

We recently switched over to use Redshift column level security, which enables granting “select” access to a specific subset of columns in a table. It looks like this breaks the schema mapping functions in Redash though, as none of the tables setup from the new schema with column level security are showing up in the Redash UI.

Is there a potential workaround for this, or would this require adding a fix in the Redash code to support this?

  • Michael

I don’t know Redshift very well. But I think it behaves like Postgres and uses the query runner:

This code builds the schema. Maybe an answer is apparent? I assume that if your permissions are set properly in Redshift then the schema will appear in Redash. Have you double-checked? If so, you might need to edit this Python file.

Thanks for getting back to me. Yes, you’re correct in that Redshift is based on Postgres.

I figured out the specific code that is causing the issue:

Specifically, this block here:

Basically, Redshift doesn’t have an internal function for “partial” select grant queries. The default is HAS_TABLE_PRIVILEGE(), which only checks if the user has full “select” access to the table. Since the Redash user only has access to some of the columns, this function returns false and the schema doesn’t show up in the UI.

I’m not sure of what the best solution should be, but in the meantime, I figured out a rather hacky workaround to avoid touching / customizing the Redash code for us. I noticed that the block I mentioned above will return true if the table’s schema is listed as a Redshift external schema. So I hacked SVV_EXTERNAL_SCHEMAS, which is a view, to include the schema that won’t show up. I don’t know yet how stable this is, but the schema now shows in the UI.

1 Like

Nice hack! Maybe the Redash code could be adjusted using a CASE for tables where column restrictions are in effect.

Thanks! Yeah, that’s possible. I haven’t been able to figure out a clean way to query Redshift though to detect if column restrictions are in effect.