- 1. Install KAWA’s Python client
- 2. Setup the setup-admin user
- 2.a) Retrieve the setup-admin API Key
- 2.b) Login to KAWA via the Python Client
- 2.c) Change the setup admin user’s password
- 3. Create a new workspace and new users
- 4. Manage existing users
- 4. a) Update users’ role
- 4. b) Toggle users on and off
- 5. Assign users to perimeters
- 6. Restrict data source types
- 6.a) Data Source types
- 6.b) Restricting data source type creation
- 7. Configure SMTP
- 6. Retrieve usage report
- 7. Activate experimental features
- 8. Configure the API server general parameters
- 9. Activate the KAWA platform
1. Install KAWA’s Python client
Some of the advanced administration tasks are managed through KAWA’s Python client.
In order to install it, you need python 3.8 at least.
Run the following command to install KAWA Client:
pip install kywy --upgrade --extra-index-url https://kawa:Br2zFU2Y5EGBWr4khYzh@gitlab.com/api/v4/projects/31007056/packages/pypi/simple
⚠️ Make sure that the machine on which you install the python client has access to the KAWA server (via HTTP(S) on whatever port was configured on the server).
2. Setup the setup-admin user
The setup-admin user is unique inside each KAWA instance. It has the privileges of any admin user, but can never be downgraded to non-admin nor deactivated.
2.a) Retrieve the setup-admin API Key
In order to authenticate on KAWA via the Python client, it is recommended to use your API Key. In order to do so, login on KAWA with the setup-admin user with the following credentials:
login: setup-admin@kawa.io
password: changeme
From there, generate your API Key.
⚠️ Once the API Key has been generated, it cannot be recovered (KAWA does not store it anywhere). You can always generate a new one if you wish.
2.b) Login to KAWA via the Python Client
To login into KAWA from the Python client, use the following script:
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
# Copy and paste your key into a file and load it
# to authenticate.
# (The file must contain only one line, which is the key.
k.set_api_key(api_key_file='kawa.key')
# Alternatively, copy and paste your key into your script
# (Not recommended)
k.set_api_key(api_key='*********')
# You can optionally set a worksapce id
# If you don't, it will position you in the last workspace you were in
k.set_active_workspace_id(workspace_id=1)
sheets = k.entities.sheets()
print('There are {} sheets in workspace {}'.format(len(sheets.list_entities()), k.active_workspace_id))
2.c) Change the setup admin user’s password
The change_user_password command is only available for admin users. With it, you can set any password to users in the application.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
cmd.change_user_password(email='setup-admin@kawa.io', new_password='*******')
3. Create a new workspace and new users
A Workspace allows users to collaborate together on shared data sources, shared sheets, shared data models and shared reports (dashboards…).
In order to create a new workspace, use the following command (any user can run that command):
some_workspace = cmd.create_workspace('<WORKSPACE NAME>')
In order to create new users into KAWA, use the following command (admin only):
cmd.create_user_with_email_and_password(
email='some@email.com',
password='*****',
first_name='Lucius',
last_name='Fox')
Lastly, in order to add users in workspaces, use this command (admin, workspace owner, or workspace member admin only):
cmd.add_users_to_workspace(emails, some_workspace['id'])
Here is a sample of a script that creates a user and add them into a new workspace.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
some_workspace = cmd.create_workspace('<WORKSPACE NAME>')
# Creates the user with a defined password
# You need one upper case, one lower case, one number and one special character
cmd.create_user_with_email_and_password(email='lucius@wayne.ai',
password='$SomePassword123$',
first_name='Lucius',
last_name='Fox')
# Add the new user into the workspace
cmd.add_users_to_workspace(['lucius@wayne.ai'], some_workspace['id'])
Note that workspace creation and assignation can be achieved in the Web UI:
And then:
Please refer to the “Collaborating in KAWA” guide to learn more about workspaces and workspace permissions.
4. Manage existing users
4. a) Update users’ role
There are three global roles in KAWA. Those roles are meant to define high level permissions, but Workspace roles are used to define more precise roles for users in each workspace.
READER_ROLE
Most users of KAWA will have this role. READERS can create their workspaces and be administrators of their own workspaces. They will be affected by each workspace permission flags.
ADMIN_ROLE
Admin users have the same sets of permissions as Readers. In addition, they can bypass all the workspace permission flags set for them and more importantly: they can create, remove, activate and deactivate users via the Python API. They also have access to all the administration API to configure the KAWA instance.
SETUP_ADMIN_ROLE
This roles grants the same permissions as the ADMIN ROLE. The only difference is that a SETUP_ADMIN can never be disabled, removed or turned into another role. There is always one and only one setup admin in each KAWA instance.
In order to update a user’s role, you need to have the ADMIN or SETUP_ADMIN role.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
# Use one of: ADMIN_ROLE or READER_ROLE
# (No user can be turned into a SETUP_ADMIN user)
cmd.replace_user_role(user_id='lucius@wayne.com', new_role='ADMIN_ROLE')
4. b) Toggle users on and off
Admin users can turn off users. When a user is turned off, they will instantly lose access to KAWA an will be able to login again only if their account is turned back on.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
# the SETUP_ADMIN_ROLE cannot be deactivated
cmd.toggle_users_status(user_id_list=['lucius@wayne.com', 'bruce@wayne.com'],
active=False)
5. Assign users to perimeters
In KAWA, perimeters are used to define groups of users to which will be applied Row Level Security rules for data access.
Perimeters are different from Workspaces as: Workspaces define a set of data sources, sheets, reports on which users can collaborate on Perimeters define the groups of users who will be allowed to see the same data (Row level security).
Here is a Python snippet that will let you assign perimeters (Here: US and AS) to users:
ℹ️ The perimeters will be created automatically.
⚠️ After the command has run, each user will be exactly in the perimeters that were specified. It means that they will be added to the perimeters in the list and removed from the ones that are NOT in the list.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
cmd.assign_user_to_perimeters('user1@kawa.io', ['US','AS'])
cmd.assign_user_to_perimeters('user2@kawa.io', ['AS'])
cmd.assign_user_to_perimeters('user3@kawa.io', ['US'])
You can then configure Row Level Security based on those perimeters. To do so, please refer to the ROW Level Security documentation.
Users can pick in which Perimeter they work from the settings modal:
6. Restrict data source types
6.a) Data Source types
There are a few types of data sources in KAWA. This type comes from how the data source was created:
TRANSFORMATION
Creates a data source by transforming a view into a new data source. Achieved from the view itself:
USER_FILE
Creates a data source by uploading files to KAWA.
EXTERNAL_SYSTEM
Creates a data source by connecting to an external system (Google sheet, Airtable, MySQL server, etc..).
PYTHON_CLIENT
Creates a data source from the Python client
LIVE_CONNECT
Connects to a table in the connected data warehouse: SNOWFLAKE, BIG QUERY, etc
6.b) Restricting data source type creation
By default, principals can create data sources for all types. Administrators are not affected by this limitation.
ℹ️ This configuration is applied per user and across all workspaces.
You can limit this by using the following command: replace_forbidden_data_types
The following elements are supported:
TRANSFORMATION, USER_FILE, EXTERNAL_SYSTEM, PYTHON_CLIENT, LIVE_CONNECT
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
# Forbid the creation of data sources of type: EXTERNAL_SYSTEM and TRANSFORMATION
# to user snow@flake.io
cmd.replace_forbidden_data_types(['snow@flake.io'], ['EXTERNAL_SYSTEM', 'TRANSFORMATION'])
7. Configure SMTP
In order to configure a SMTP server, use a script similar to the following one. SMTP can be used to send account activation messages (when working with KAWA’s native authentication mechanism) or to send emails from automations.
⚠️ Please note that the server needs to be restarted for the SMTP parameters to be taken in account.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
# Turn on SMTP communications
# To turn back off, use: LOG instead of SMTP
cmd.replace_communication_provider_type('SMTP')
# Configure the SMTP server
# Use extraSmtpProperties to put any additional configuration from
# https://javadoc.io/doc/com.sun.mail/jakarta.mail/latest/jakarta.mail/com/sun/mail/smtp/package-summary.html
cmd.replace_configuration('SmtpConfig', {
'host': 'smtp.wayne.com',
'port': 2525,
'sslEnabled': False,
'startTlsEnabled': True,
'authenticationEnabled': True,
'extraSmtpProperties': {
"mail.smtp.ssl.trust": "some-domain.com"
}
})
# Defines a subject + sender for email activation emails
cmd.replace_configuration('EmailActivatorConfiguration', {
'sender': 'postmaster@kawa-analytics.com',
'subject': 'One last step to activate your account'
})
# Defines a subject + sender for autimation emails
cmd.replace_configuration('AutomationBehaviourConfiguration', {
'emailSender': 'robot@kawa-analytics.com',
'emailSubject': 'New automation from KAWA'
})
6. Retrieve usage report
As an admin, you can retrieve some statistics about the usage of KAWA over a period of time.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
df = k.get_usage_stats(
from_date=date(2023, 2, 1),
to_date=date(2023,3,1),
tz='Europe/London')
The get_usage_stats
methods takes three optional inputs that you can use to restrict the period on which you want to retrieve statistics.
It gives, per user, the following data:
- The number of workspaces that the user owns (Does not depend on the time window)
- The number of sheets that the user owns (Does not depend on the time window)
- The number of data sources that the user owns (Does not depend on the time window)
- How many computations were done within the time window
- How many write operations were done within the time window
- How many python ingestions were done within the time window
⚠️ This method can take several minutes to run - it is recommended to use it outside of the periods of peak usage of the application.
7. Activate experimental features
In order to activate experimental features, contact the KAWA team to know the feature names you wish to experiment.
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
cmd.toggle_feature(feature_name='experimentatl-feature-name', is_enabled=True)
When enabling a feature, no redeployment is needed. The change will be taken in account immediately.
8. Configure the API server general parameters
You can use this command to change parameters of the web server:
from kywy.client.kawa_client import KawaClient
k = KawaClient(kawa_api_url='http(s)://<YOUR URL>')
k.set_api_key(api_key_file='kawa.key')
cmd = k.commands
cmd.replace_configuration(configuration_type='StandaloneApiServerConfiguration',
payload={
"port": 8080,
"maxThreads": 50,
"enabledFeatures": [
'data-patching',
'list-principals',
],
})
9. Activate the KAWA platform
In order to enter your license into your platform, use the following:
cmd = k.commands
cmd.set_license(path_to_license_file='/path/to/license.json')
A License file will be provided to you by the KAWA team. It is a JSON file similar to this one:
{
"mainContactEmailAddress": "emmanuel@kawa.ai",
"licenseDescription": "dev platform license",
"licenceId": "KAWA-DEV",
"companyName": "KAWA Analytics",
"gracePeriodInDays": 30,
"from": "2023-01-01",
"to": "2023-12-30",
"base64Signature": "****"
}
The validity of the license extends from the from
date to the to
date in the license file. Once the to date is passed, the software will still work for gracePeriodInDays days. After that interval, users will still be able to login and open their assets. All computations will be blocked.
Contact support@kawa.ai for more information about licensing.
This guide should be used when working on the on-premise version of KAWA. All those features are available only for users with the ADMIN privileges. This applies to on premise instances of KAWA only.