Securing access to webapp back-ends from outside of DSS

pbajger Registered Posts: 3 ✭✭✭✭

Hi,

I'm trying to figure out how to restrict access to API back-ends when creating custom Python webapps.

If I create a webapp with Python backend, the Flask routes are accessible to anyone outside of DSS who knows the URL (/web-apps-backends/PROJECTID/APPID/some/endpoint).

Is there a way to force users to attach an API key? Ideally I would like users to use their Dataiku Personal API Keys and then infer the user making the request from the personal key in Python. Is this possible (or is there a better way to enforce authentication)?

Best Answer

  • Clément_Stenac (Dataiker, Dataiku DSS Core Designer, Registered Posts: 753)
    edited July 2024

    Hi,

    Indeed, this sample requires access to the backend from a logged browser, which is the primary use case for webapps.

    For programmatic access, we'd simply recommend that the caller pass a DSS API key, and that the backend uses this API key to make calls to DSS, which will validate the validity of the API key, and can validate the identity of the user (if it's a personal API key).

    Something like (pseudo-code):

    import json

    import dataikuapi
    from flask import request

    # `app` is the Flask application object that the DSS webapp backend provides
    @app.route("/sensitive-data")
    def get_sensitive_data():
        api_key_sent_by_client = request.headers.get("X-DKU-APIKey")
        if not api_key_sent_by_client:
            # No key at all: reject before making any call to DSS
            return json.dumps({"error": "missing X-DKU-APIKey header"}), 401

        # Replace by your DSS port
        api_client = dataikuapi.DSSClient("http://127.0.0.1:10000", api_key_sent_by_client)
        try:
            # If the API key was not valid, this call will fail
            auth_info = api_client.get_auth_info()
        except Exception:
            return json.dumps({"error": "invalid API key"}), 401

        return json.dumps({"you_are": auth_info["authIdentifier"]})

    With client code like:

    import requests

    # Prefix the path with your DSS base URL; the key travels in a header, so use HTTPS
    resp = requests.get("/web-app-backend/..../sensitive-data",
                        headers={"X-DKU-APIKey": "219DSGJLSKDAZEOKJ12390dskfe23"})
    resp.raise_for_status()  # 401 if the key was missing or rejected by DSS

    print("I am: %s" % resp.json()["you_are"])

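The accepted answer checks the key inside one route. The following is an added example (not Dataiku's code and not part of the answer) that factors the same check into a reusable Flask decorator, so every sensitive route gets it and the core logic can be unit-tested without a running DSS. Only the `X-DKU-APIKey` header name, `dataikuapi.DSSClient(url, api_key)` and `get_auth_info()["authIdentifier"]` come from the answer; the function names `make_dss_validator`, `authorize`, `dss_auth_required`, the `headers_provider` hook, the `allowed_users` restriction and the fake key table used for the offline demo are this example's own assumptions.

```python
"""Enforce a DSS API key on Flask webapp backend routes (added example)."""
import functools
import json

API_KEY_HEADER = "X-DKU-APIKey"  # header name used in the answer above


def make_dss_validator(dss_url):
    """Return validate(api_key) -> DSS auth info dict, or None if DSS rejects the key.

    Validation is delegated to DSS itself: the backend never compares keys locally,
    holds no secret of its own, and a key revoked in DSS stops working at once.
    """
    def validate(api_key):
        import dataikuapi  # imported lazily so the module loads without it
        try:
            client = dataikuapi.DSSClient(dss_url, api_key)
            return client.get_auth_info()  # raises for an unknown/invalid key
        except Exception:
            return None  # reveal nothing about why; never log the key itself
    return validate


def authorize(headers, validate, allowed_users=None):
    """Framework-independent check. Returns (status, auth_info, error_message)."""
    api_key = headers.get(API_KEY_HEADER, "").strip()
    if not api_key:
        return 401, None, "missing %s header" % API_KEY_HEADER
    auth_info = validate(api_key)
    if not auth_info or "authIdentifier" not in auth_info:
        return 401, None, "invalid API key"
    user = auth_info["authIdentifier"]
    if allowed_users is not None and user not in allowed_users:
        # Valid key, but this user may not call this endpoint: 403, not 401
        return 403, None, "user %s is not allowed to call this endpoint" % user
    return 200, auth_info, None


def dss_auth_required(validate, allowed_users=None, headers_provider=None):
    """Decorator for Flask view functions.

    In a real webapp leave headers_provider=None and the wrapper reads
    flask.request.headers; tests pass a callable returning a plain dict.
    On success the DSS auth info is handed to the view as `dss_user`.
    """
    def decorator(view):
        @functools.wraps(view)
        def wrapper(*args, **kwargs):
            if headers_provider is not None:
                headers = headers_provider()
            else:
                from flask import request  # only needed inside a running app
                headers = request.headers
            status, auth_info, err = authorize(headers, validate, allowed_users)
            if status != 200:
                return (json.dumps({"error": err}), status,
                        {"Content-Type": "application/json"})
            return view(*args, dss_user=auth_info, **kwargs)
        return wrapper
    return decorator


# Constructed stand-in for DSS so the demo runs offline (assumption: not real keys)
FAKE_KEYS = {"key-alice": {"authIdentifier": "alice"},
             "key-bob": {"authIdentifier": "bob"}}


def fake_validate(api_key):
    return FAKE_KEYS.get(api_key)


def demo():
    """Exercise the decorator with missing, invalid, forbidden and allowed keys."""
    current_headers = {}

    @dss_auth_required(fake_validate, allowed_users={"alice"},
                       headers_provider=lambda: current_headers)
    def sensitive_data(dss_user):
        return (json.dumps({"you_are": dss_user["authIdentifier"]}), 200,
                {"Content-Type": "application/json"})

    results = {}
    for name, hdrs in [("none", {}),
                       ("bad", {API_KEY_HEADER: "nope"}),
                       ("bob", {API_KEY_HEADER: "key-bob"}),
                       ("alice", {API_KEY_HEADER: "key-alice"})]:
        current_headers.clear()
        current_headers.update(hdrs)
        body, status, _ = sensitive_data()
        results[name] = (status, json.loads(body))
    return results


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print("%-6s -> %s %s" % (name, status, body))
```

In production, `make_dss_validator("http://127.0.0.1:10000")` replaces `fake_validate`. Because the key is carried in a request header, the webapp must only be reachable over HTTPS, and the backend should never write the header value to its logs; the error bodies above deliberately say only "missing" or "invalid" so a caller cannot use them to probe key validity beyond what DSS itself reports.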