You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
New data sources are always added to the default group automatically.
This violates the principle of least privilege, as all users belong to the default group and immediately gain access to every new data source.
This issue was raised in #5015 and #5735, and a reviewer suggested controlling the behavior with an environment variable (#5735 review comment):
Let's control this with an environment variable so that the existing behaviour is still the default, but admins can modify it.
Proposal
Add a new environment variable REDASH_DATASOURCE_AUTO_ASSIGN_GROUP to control which group new data sources are assigned to.
Value
Behavior
default
Add to default group (current behavior)
admin
Add to admin group only
none
Do not add to any group
The default value would be default to preserve backward compatibility.
Summary
New data sources are always added to the
defaultgroup automatically.This violates the principle of least privilege, as all users belong to the
defaultgroup and immediately gain access to every new data source.This issue was raised in #5015 and #5735, and a reviewer suggested controlling the behavior with an environment variable (#5735 review comment):
Proposal
Add a new environment variable
REDASH_DATASOURCE_AUTO_ASSIGN_GROUPto control which group new data sources are assigned to.defaultadminnoneThe default value would be
defaultto preserve backward compatibility.