A few releases ago, Looker introduced the ability to authenticate API calls using OAuth. This release represented a huge leap forward for support of API-enabled use cases.
μAdmin for Looker, a newly released open source project, builds upon OAuth and provides a low-friction way for instance owners to extend API-powered administrative capabilities to their users with fine-grained access control and logging.
What’s an example?
Let’s say you want to allow your developers (without admin permissions) to define new database connections and to add them to models, but not to edit or delete existing connections.
Or, for example, let’s say you want to allow a program manager to manage the user attribute values for a particular user attribute, but not otherwise manage users.
One last example, let’s say you want to allow users to manage schedules (even created by other users) but only within folders that they have access to manage.
These are all achievable with the μAdmin framework.
How does it work?
The μAdmin project contains code for a NodeJS powered server. The owner of a Looker instance would deploy the code to a server, and configure it with traditional administrative API credentials for their instance (a.k.a. a service account).
In addition, they would setup the server with a number of allow-listed administrative workflows. The workflows can be defined by configuring workflows from an out-of-the-box library, or by writing short code-based workflows using a convenient framework.
Once deployed, end users navigate to the server, and the server uses Looker’s OAuth interface to verify the users’ identity. From there, the server runs administrative workflows that the user requests using its service account, subject to whatever access controls are defined server-side in the workflow.
Sounds great. Now what?
The vision for μAdmin is that it will eventually contain a comprehensive library of pre-built workflows for common use cases. For now, it includes just a few basic workflows, but the project is structured to make it easy to add your own flows.
The project is also structured to be very easy to adapt and deploy, as a simple Node server with no build step or other tooling, so give it a try!