OAuth and Licensing [Looker Original]

Hey everyone!

I have some OAuth questions which I could not find an answer for.

Setup: We use Looker Standard Platform (Original, not Cloud Core).

I am asked to enable OAuth. Before that I need to verify:

1. When I provide the IAM role Looker Instance User (roles/looker.instanceUser) for a group/principal and give the default role for new users in Looker zero permissions, do I still need a viewer license for everyone who logs into Looker, or only when I assign them viewer permissions or IAM Looker Viewer (roles/looker.viewer)?
2. Can I exclude user groups via IAM from logging in to Looker via OAuth?

I would really appreciate an answer or a link. I have studied the documentation but couldn't find the answers.

All the best and thank you!

1 ACCEPTED SOLUTION

1. Users without a role or permissions would not count as viewers for licensing purposes.

2. You should be able to create groups on the OAuth side that have differing permissions relating to accessing a specific tool like Looker. So when a new user needs access, you would move/add them to the group with Looker access.

Thank you, Gavin!

@GavinW Do you know, by chance, if the enablement of OAuth somehow influences the database connection? We currently run the connection over a service account. Is this somehow affected? And would it make sense to also set the database connection to OAuth? Thank you!

If you connect via OAuth to GCP's BigQuery, then users will basically run Looker queries using their own personal credentials, rather than the current situation where everyone's queries are channelled through the service account.

Because each individual is running their own queries, there are implications for things like caching. You will also need another service account for PDTs to enable them to work. You can read details in the docs here.

Thanks a lot, @GavinW 🙏

Hey @GavinW, I'm sorry but I could not find the answer.
Enabling OAuth does not impact my embedded user, correct? Thank you!

I think it might mean that your embed users that log in via a signed URL cannot access dashboards that rely on BigQuery connections set to use OAuth. However, I have found that there is a way to engineer around this, as shown in this demo code. I guess you could test switching to an OAuth connection and confirm that it does impact your embed users, and then build something like the linked code to get around it if there is an impact.