Page MenuHomePhabricator

Presto error in Superset
Closed, ResolvedPublic


@JAnstee_WMF ran into this error Presto permission denied error when using the editor dashboard in Superset. (4×2 px, 1019 KB)

Also when trying to preview mediawiki_user_groups (991×1 px, 474 KB)

According to, she's already in the analytics-privatedata-users group.

Event Timeline

odimitrijevic triaged this task as High priority.
odimitrijevic moved this task from Incoming to Ops Week on the Analytics board.
Ottomata added subscribers: razzi, Ottomata.

Hi @JAnstee_WMF, that is a strange error indeed! As far as I can tell you have all the right permissions.

I can't reproduce from here. Can you ping me on IRC or on Slack and we can try and troubleshoot real time?


Weird! Okay, Jaime's account entry in the superset database was incorrect, and specifically, her username was her LDAP CommonName instead of her lowercase only shell username, which caused authentication with HDFS to fail. I edited her user account and fixed her records, and now it works for her.

I think her account was created way before we had the CAS based single sign on, and the LDAP integration was a bit iffy. There are a lot of other superset accounts that look weird too (e.g. have email address @email.notfound or Last Name '-'). Most of these have lowercase shell names, so probably just work, but many don't.

@razzi, let's be on the lookout for other issues like this, its possible others have this problem too.

I think that we should either 1) make another ticket or 2) re-title this ticket to follow this up by fixing the LDAP integration and Superset user account creation.

For new users, myself included, the account created in Superset is missing information. I have since corrected my own record.

The lower case ldap username that is used for successful authentication ends up being put into the First Name field, as well as the User Name field of the newly created account.
It is also used for the first part of the amail address. It should only be used for the User Name field.

See the following screenshot for examples:

image.png (420×1 px, 40 KB)

I think that it would be a significant improvement for Superset to:

  1. Get this LDAP record -> User record mapping working again
  2. Check and fix the existing Superset user records

Yeah a new task maybe makes sense.