Provide top domain and data to truly test superset
It should be accessible w/o a ssh tunnel, we will keep pivot and superset running side by side
Description
Description
Details
Details
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Ottomata | T166689 Productionize Superset | |||
| Declined | None | T167427 Configure superset to query mysql slaves | |||
| Resolved | mark | T182443 Allow access to druid public-eqiad cluster ports 8081 from analytics VLAN |
Event Timeline
Comment Actions
Discovered that the legend bug was actually not fixed (see T166320), so...
Do we still want to do this?
The only advantage is the autosource schema feature that displays the zero field in pageview_hourly.
Comment Actions
I would say no then. We can scrape this work and focus on setting up superset for PMs to take a look.
Comment Actions
Superset is python and thus harder to deploy than a node counterpart.
Can we deploy this virtual env (whole environment is uploaded to gerrit)
Superset can consume from druid as it is.
Comment Actions
See : https://phabricator.wikimedia.org/T166414 maybe we can use navigationTiming data also to test UI?
Comment Actions
ping @Ottomata and @JAllemandou please update ticket if superset is running on screen accessible by tunnel
Comment Actions
Now running in a screen on stat1004 under my user:
ssh -N stat1004.eqiad.wmnet -L 8088:stat1004.eqiad.wmnet:8088
Login is admin / admin
Comment Actions
I updated the datasources to contain interesting metrics and created a new user able to use and create visualisation, but not mess with the config:
tester / tester
Comment Actions
Change 392933 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[analytics/superset/deploy@master] Deploy repo for superset (python)
Comment Actions
Change 392978 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] [WIP] Puppetization for superset
Comment Actions
Change 395804 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[analytics/superset/deploy@master] Adding artifacts for jessie superset==0.20.6
Comment Actions
Change 392933 merged by Ottomata:
[analytics/superset/deploy@master] Deploy repo for superset (python)
Comment Actions
Change 395804 merged by Ottomata:
[analytics/superset/deploy@master] Adding artifacts for jessie superset==0.20.6
Comment Actions
Change 395887 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[analytics/superset/deploy@master] Improvements to deployment scripts
Comment Actions
Change 392978 merged by Ottomata:
[operations/puppet@production] Puppetization for superset
Comment Actions
Change 395887 merged by Ottomata:
[analytics/superset/deploy@master] Improvements to deployment scripts
Comment Actions
Change 396103 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Configure LDAP proxy and authentication for Superset
Comment Actions
Change 396103 merged by Ottomata:
[operations/puppet@production] Configure LDAP proxy and authentication for Superset
Comment Actions
Change 396124 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/dns@master] Add superset.wikimedia.org DYNA/CNAME
Comment Actions
Change 396124 merged by Ottomata:
[operations/dns@master] Add superset.wikimedia.org DYNA/CNAME
Comment Actions
Change 396127 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Add misc cache route for superset.wikimedia.org -> thorium
Comment Actions
Change 396127 merged by Ottomata:
[operations/puppet@production] Add misc cache route for superset.wikimedia.org -> thorium
Comment Actions
Change 396141 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Allow authenticated (in certain ldap groups) to auto-register for superset account
Comment Actions
Change 396141 merged by Ottomata:
[operations/puppet@production] Allow authenticated (in certain ldap groups) to auto-register for superset account
Comment Actions
Change 396143 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Set superset auth_settings => undef if not using ldap_proxy
Comment Actions
Alright! https://superset.wikimedia.org is up and running.
I had a bit of trouble with authentication. Here's the skinny:
superset uses Flask-AppBuilder as its web framework. Flask-AppBuilder supports several authentication methods, including AUTH_LDAP and AUTH_REMOTE_USER.
I first tried AUTH_LDAP. However, it does not support restricting the authentication to users in certain LDAP groups. I think fixing Flask-AppBuilder to support this would be pretty easy. We'd just need to alter this code to support more complex filters than just uid=value.
But, since we already use an HTTP LDAP auth proxy for other services (pivot, yarn, etc.), I next tried AUTH_REMOTE_USER. This works! But has the downside of not supporting the AUTH_USER_REGISTRATION feature. That feature should allow superset to auto-create accounts for users that are authenticated, but don't yet have superset accounts in the superset database. AUTH_USER_REGISTRATION works for AUTH_LDAP, but not AUTH_REMOTE_USER.
I tested in labs, and was able to modify Flask-AppBuilder to support AUTH_USER_REGISTRATION with AUTH_REMOTE_USER. I submitted a https://github.com/dpgaspar/Flask-AppBuilder/pull/663 upstream. We'll see how that goes.
AUTH_REMOTE_USER + AUTH_USER_REGISTRATION has the downside that if someone can reach the superset app HTTP port directly, they can just set the X-Remote-User header and superset will consider them authenticated. For us, this should practically be ok, as the superset app HTTP port 9080 is only reachable by localhost (on thorium in production). The only other way to get to the app is via the HTTP proxy on port 80, which will force you to authenticate with LDAP, and only allow you to do so if you are in the wmf or nda LDAP groups.
For now I'd like to keep AUTH_REMOTE_USER and manually create user accounts in superset when we have to. If my patch gets merged, we can update the Flask-AppBuilder dependency in the analytics/superset/deploy repo.
Alternatively, I could submit a patch to support more complex filters, e.g. group membership, for AUTH_LDAP.
Comment Actions
Change 396413 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Open druid coordinator to more networks; superset needs to query it
Comment Actions
Change 396413 merged by Ottomata:
[operations/puppet@production] Open druid coordinator to more networks; superset needs to query it
Comment Actions
Oof, Somethign is not happy with MySQL + superset and druid metadata refresh.
Dec 8 20:10:01 thorium superset[5227]: 2017-12-08 20:10:01,479:ERROR:root:(_mysql_exceptions.OperationalError) (1205, 'Lock wait timeout exceeded; try restarting transaction') [SQL: u'INSERT INTO datasources (created_on, changed_on, description, default_endpoint, is_featured, filter_select_enabled, offset, cache_timeout, params, perm, datasource_name, is_hidden, fetch_values_from, cluster_name, user_id, changed_by_fk, created_by_fk) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)'] [parameters: (datetime.datetime(2017, 12, 8, 20, 9, 10, 537145), datetime.datetime(2017, 12, 8, 20, 9, 10, 537180), None, None, 0, 0, 0, None, None, None, 'mediawiki_history_reduced', 0, None, 'public-eqiad', None, 2L, 2L)]
It seems this [[ https://github.com/apache/incubator-superset/blob/0.21.0/superset/connectors/druid/models.py#L164 | session.flush() call ]] is hanging due to an unclosed transaction (?) and causing the worker process to timeout.
Comment Actions
Hm, might not be a MySQL related problem after all. I switched the database to a local sqlite db, and I get a very similar problem:
Dec 8 21:21:05 thorium superset[27367]: OperationalError: (sqlite3.OperationalError) database is locked [SQL: u'INSERT INTO datasources (created_on, changed_on, description, default_endpoint, is_featured, filter_select_enabled, "offset", cache_timeout, params, perm, datasource_name, is_hidden, fetch_values_from, cluster_name, user_id, changed_by_fk, created_by_fk) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'] [parameters: ('2017-12-08 21:21:00.153764', '2017-12-08 21:21:00.153786', None, None, 0, 0, 0, None, None, None, u'mediawiki_history_reduced', 0, None, u'public-eqiad', None, 2, 2)]Comment Actions
Change 396488 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Use sync worker for superset
Comment Actions
Change 396488 merged by Ottomata:
[operations/puppet@production] Use sync worker for superset
Comment Actions
Hm, looks to be a threading/async/gevent issue. I switched the gunicorn worker class back to sync, and it works now. I bumped up to 8 workers. If 8 people run long queries at once, the app will hang. Might have to fix this and/or deploy celery works to help with long async queries. Let's save that for another task...
Comment Actions
Weird, when I try to access the website I get:
This page isn’t working superset.wikimedia.org redirected you too many times. Try clearing your cookies. ERR_TOO_MANY_REDIRECTS
Is there a known workaround for this?
Comment Actions
This is what I am seeing with tcpdump on thorium:
GET / HTTP/1.1 Host: localhost:9080 [..] X-Remote-User: Elukey X-Forwarded-Host: superset.wikimedia.org X-Forwarded-Server: superset.wikimedia.org Connection: Keep-Alive HTTP/1.1 302 FOUND Server: gunicorn/19.7.1 Date: Sat, 09 Dec 2017 10:59:48 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 241 Location: https://superset.wikimedia.org/superset/welcome <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>Redirecting...</title> <h1>Redirecting...</h1> <p>You should be redirected automatically to target URL: <a href="/superset/welcome">/superset/welcome</a>. If not click the link. GET /superset/welcome HTTP/1.1 Host: localhost:9080 [..] X-Remote-User: Elukey X-Forwarded-Host: superset.wikimedia.org X-Forwarded-Server: superset.wikimedia.org Connection: Keep-Alive HTTP/1.1 302 FOUND Server: gunicorn/19.7.1 Date: Sat, 09 Dec 2017 10:59:48 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 221 Location: https://superset.wikimedia.org/login/ Set-Cookie: session=[REDACTED]; HttpOnly; Path=/ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>Redirecting...</title> <h1>Redirecting...</h1> <p>You should be redirected automatically to target URL: <a href="/login/">/login/</a>. If not click the link. GET /login/ HTTP/1.1 Host: localhost:9080 [..] authorization: Basic [REDACTED] upgrade-insecure-requests: 1 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 accept-encoding: gzip, deflate, br accept-language: en-US,en;q=0.9,it;q=0.8 dnt: 1 cookie:session=[REDACTED] [..] X-Remote-User: Elukey X-Forwarded-Host: superset.wikimedia.org X-Forwarded-Server: superset.wikimedia.org Connection: Keep-Alive HTTP/1.1 302 FOUND Server: gunicorn/19.7.1 Date: Sat, 09 Dec 2017 10:59:49 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 209 Location: https://superset.wikimedia.org/ Set-Cookie: session=[REDACTED] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>Redirecting...</title> <h1>Redirecting...</h1> <p>You should be redirected automatically to target URL: <a href="/">/</a>. If not click the link.
Then it restarts with a GET / HTTP/1.1 and it goes back to the beginning of this..
Comment Actions
Reading from the Analytics IRC chan it seems that "its because superset is not auto-creating your superset account after auth". So if anybody encounters the issue this is the problem :)
Comment Actions
Change 397616 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Add superset password mappings for analytics mysql dbs
Comment Actions
Change 397616 merged by Ottomata:
[operations/puppet@production] Add superset password mappings for analytics mysql dbs
Comment Actions
Change 397629 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Fix superset lookup_password to work with sqla uris
Comment Actions
Change 397629 merged by Ottomata:
[operations/puppet@production] Fix superset lookup_password to work with sqla uris
Comment Actions
Ok, things are pretty decent over at superset.wikimedia.org. Still to do:
- Update superset/flask-appbuilder once we get new releases from them. This will allow auto-account creation for LDAP users in the wmf and nda groups.
- Figure out async vs sync worker database locking problem; possibly update to Python 3 to solve this.
- Set up celery workers for async database queries. This way the web UI doesn't have to block to wait for queries to finish. Sync queries have a gui timeout anyway, I think of around 60 seconds. Perhaps this is good? Perhaps superset shouldn't be used for queries that take longer than 60 seconds?
- Verify that Hive queries work. I think I might need to change the LDAP REMOTE_USER to shell login, rather than common name, in order for Hive doAs to work. Not sure about this yet.
Comment Actions
Oh, btw, I added DB connections for analytics-slave / log db, and analytics-store, with passwords stored in puppet, not in superset meta db. You can now query those MySQL databases from superset. :)
Comment Actions
Change 396143 merged by Ottomata:
[operations/puppet@production] Set superset auth_settings => undef if not using ldap_proxy