Powered by Looker is a neat way to share data with the world. If you’re interested in creating a proof of concept, I highly recommend checking out this post.
If you’re having issues with your embedded Looks and/or dashboards, making sure the embed URL is properly constructed is a good place to start. Creating an application to write a URL is not something we currently do, but there is some example code here.
To check URL construction, I always run through these steps (more on each to later):
To run through these checks, I find it helpful to have a couple of tools easily available:
If a dashboard or Look does not live on the production version of your instance (outside of developer mode), then you will not be able to get this to work. If you can’t find it, on production, make sure it’s created, saved, committed, and pushed.
A complete walk through of Looker’s permissioning system is outside of the scope of this post, but I highly recommend this document. It’s great. If you’re looking to limit data access, this is a great resource.
Simply put, if a user doesn’t have access and permissions to see the Look, they’ll get a 404. For example, if the embedded user doesn’t have see_lookml_dashboards
and the embeded dashboard is a LookML dashboard, we got problems.
The API call should produce an encoded URL that takes the form:
https://do.main.com/login/embed/%2Fembed%2Fitem_name_here?nonce=%22something%22&time=some_time_value&session_length=some_other_time_value&external_user_id=%22an_id%22&permissions=%5B%22permission_one%22%2C%22permission_two%22%2C%22permission_three%22...%22%2C%22permission_n-1%22%2C%22permission_n%22%5D&models=%5B%22model_one%22%2C%22model_two%22%2C%22model_three%22...%22%2C%22model_n-1%22%2C%22model_n%22%5D&access_filters=%7B%22model_one%22%3A%7B%22view_name.field_name%22%3A%22value%22%7D%2C%22model_two%22%3A%7B%22other_view_name.other_field_name%22%3A%22other_value%22%7D%7D&first_name=%22a_first_name%22&last_name=%22a_last_name%22&force_logout_login=true_or_false&signature=some_signature
We’ll go over each parameter, but the basic form is an address plus key-value pairs containing some information. Decoded, an embed URL should to look like this:
https://do.main.com/login/embed//embed/item_name_here?nonce="something"&time=some_time_value&session_length=some_other_time_value&external_user_id="an_id"&permissions=["permission_one","permission_two","permission_three"...","permission_n-1","permission_n"]&models=["model_one","model_two","model_three"...","model_n-1","model_n"]&access_filters={"model_one":{"view_name.field_name":"value"},"model_two":{"other_view_name.other_field_name":"other_value"}}&first_name="a_first_name"&last_name="a_last_name"&force_logout_login=true_or_false&signature=some_signature
This should look something like https://do.main.com/login/embed/%2Fembed%2Fitem_name_here?
(not decoded)
do.main
is your Looker instance’s domainitem_name_here
is the name of your dashboard or Look. A LookML dashboard will be something like dashboards%2Fmodel_name_here%2Fdashboard_name_here
and a user-defined dashboard will be something like dashboards%2Fdashboard_number_here%20F
nonce
is a value that identifies this request (16 character hexadecimal string). It shouldn’t be re-used (it’s a single sign-on) and should come from by a secure random number generator.time
is a timestamp to identify when the session begins. I don’t believe it allows for decimal values, but I could be mistakensession_length
is how long a user should be authenticated (in seconds). Pick something reasonable (no more than 30 days)external_user_id
is Looker instance user ID of the user being authenticatedpermissions
should be a grouping of Looker permissions. Something like this might work permissions=%5b%22see_user_dashboards%22%2c%22see_lookml_dashboards%22%2c%22access_data%22%2c%22see_looks
models
is a group of models your user will have access to. Make sure they’re spelled correctly and in quotes. Something like this might work models=%5B%22faa%22%2C%22thelook%22%5D
access_filters
should be the group of access_filter_fields that are applied to your instance. If you don’t use them, something like this should work access_filters%3D%7B%22faa%22%3A%7B%7D%2C%22thelook%22%3A%7B%7D%7D
. If you use them, try this access_filters={"faa":{"aircraft.tail_number":"1"},"thelook":{"users.user_id":"2"}}
a_first_name
will be the first name of your authenticated Looker user, as displayed in Lookera_last_name
will be the last name of your authenticated Looker user, as displayed in Lookerforce_logout_login
determines whether currently logged-in users will be logged out before authentication. I recommend setting this to true
, at least for testing purposessome_signature
will be generated by your code. It is used by Looker to verify that the secret used to sign the request is valid and that the parameters that are present in the request are identical to those that were signed when the signature was generated.If anything’s spelled incorrectly, we’ll run into trouble. Typos happen (I type dimesnion
more often than I care to admit), so make sure all model names, files, etc. are spelled properly.
%20f
and only take %20F
as an encoded /
/
s, {
s, and company straighthttps://
This was written and tested on Looker release 3.20.