Hello, I know everyone is facing the same problem and no accurate answers are given.
I have 2 service accounts (1 for fine grain, the other masked) because I am using policy tags in BigQuery.
On Looker, I should create 2 connections because each has a different service account.
My question is:
1- Depending on the user attribute, how would I change which connection to use?
2- If not the connection to change, how would I have 1 dashboard reading 1 explore but point it so that if user attribute['db.'] = true, use connection general, else use connection masked, or something similar?
Because there must be a way to separate the users without creating multiple explores, dashboards, etc.
Thank you
Hello P1eter1,
Core is a version of Looker which runs natively on GCP infrastructure. Because you don't see the option Andy mentioned, I'd assume you are on 'Classic' rather than Core. One quick way to double check if you are on Core or not: if you are an admin, you can check whether the Labs admin page is present on the instance (the Labs page is not currently provided on Core).
FWIW, as an alternate avenue if you are unable to achieve the dynamic connection settings here you require...
While you cannot have one (technically) dashboard use different models or connections dynamically based on a user, I have seen customers with similar needs use singular lookml_dashboard definitions with different models (which in turn have different connections).
Queries from a lookml dashboard will by default use the model that the dashboard has been included in. So, if you remove all model parameters from dashboard lookml and include the dashboard in both models (which could each include the relevant explores), you get two copies of the lookml_dashboard using their respective models (and thus respective connections -> service accounts). Not a simple solution because you are having to use/maintain lookml dashboards, but with some additional processes in place for publishing dashboards, that approach can work if it's absolutely required.
- Kevin
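The layout described in the reply above, as an added sketch that is not part of the original post: one lookml_dashboard with no `model` parameter on its elements, included in two models that differ only in their connection. The connection names `bq_general` and `bq_masked`, the file names and the `orders` view with a `count` measure are all assumptions made for illustration.

```lookml
# --- general.model.lkml (constructed example) ---
# Assumed connection backed by the fine-grained-reader service account.
connection: "bq_general"

include: "/views/orders.view.lkml"
include: "/dashboards/sales_overview.dashboard.lookml"

explore: orders {}

# --- masked.model.lkml (constructed example) ---
# Assumed connection backed by the masked-reader service account.
connection: "bq_masked"

include: "/views/orders.view.lkml"
include: "/dashboards/sales_overview.dashboard.lookml"

explore: orders {}

# --- dashboards/sales_overview.dashboard.lookml (constructed example) ---
# No `model:` parameter on the element, so each included copy runs its
# queries through the model that included it, and therefore through that
# model's connection and service account.
- dashboard: sales_overview
  title: Sales Overview
  layout: newspaper
  elements:
  - name: order_count
    title: Order Count
    type: single_value
    explore: orders
    measures: [orders.count]
```

This yields two dashboard copies, one per model; which copy a user can open then depends on the models granted to them through their role's model set, so the masked and general audiences should be given access to different models.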
This still might be a challenge with Looker Original, but Looker Core has an elegant solution. You can parameterize which service account to impersonate based on a user attribute by clicking the button I highlighted in this screenshot.
With Looker Original, you are limited to using liquid references to user attributes in the "additional params" section of the edit connection interface. This documentation of the BigQuery JDBC driver (on page 16 under the heading "Using a Google Service Account") has an example JDBC connection string which includes a service account. I'm confirming internally whether you can parameterize this and will confirm soon!
If it's possible, it would follow a similar pattern to selecting a warehouse with a Snowflake connection, documented here.
Hi Andy, thank you again. Is the image provided related to the newest Looker version? I have Looker 24.6. Could it be the impersonation will be seen in Looker 24.14?
Hi Andy,
Thank you for the support. I have been having a hard time trying to figure it out, from dynamic connection in the model file to trying tons of stuff. Regarding the image sent, I have a different configuration than yours. Does it mean I have Standard Looker?
It seems I have to upload a file, a service JSON file, since there is a required info near authorization.
Are you suggesting that rather than uploading a file, I try to add the service account in the JDBC additional parameter, and from there use the user attribute (if applicable) to switch? Am I understanding correctly?
Edit: After testing and reading, it seems the documentation points to the core JDBC parameters and not the additional ones:
"jdbc:bigquery://https://www.googleapis.com/bigquery/v2:443;ProjectId=MyBigQueryProject;OAuthType=0;OAuthServiceAcctEmail=bqtest1@data-drivertesting.iam.gserviceaccount.com;OAuthPvtKeyPath=C:\SecureFiles\ServiceKeyFile.p12;"
If I understand correctly, the additional JDBC parameters are for enhancement or for token based and not service account based.
Hi Kevin,
Thank you for your reply. Yes, when I go to Admin I can see a tab called Labs, so I guess I am on Looker Classic.
I have been having a hard time trying to find a solution and thought something was missing. Having 2 dashboards (each with a model) can work but I was hoping to achieve dynamic data changing based on user attribute.
But at least this is possible using Looker Core and Impersonation so it is still helpful.
Thank you for your support!