
Architecture

Enabling Lime BI in our cloud infrastructure required some adaptations to the Lime BI package, which doesn't affect the on-premise setup. Below is a diagram with an overview of the workflow.

Figure: setup overview (diagram of the cloud setup workflow)

Lime BI is powered by Metabase and is running in its own separate instance in our cloud infrastructure.

Logging in as a Lime User

Technically, Lime BI (Metabase) and Lime CRM are two completely separate applications, each with its own user authentication mechanism. Despite that, a Lime CRM user can log in to Lime BI seamlessly, without even noticing that a separate login took place. This is possible thanks to Metabase's JWT-based authentication.

JWT-based Authentication

The Lime BI python package implements a custom endpoint that acts as an identity provider for Lime CRM:

GET <application-name>/lime-bi/metabase-authentication/

The endpoint creates a signed URL (the JWT is signed with the secret shared between the Lime BI package and Metabase) and redirects the request to it. For more info, see the official Metabase docs on JWT authentication.

The endpoint requires a valid Lime CRM session. The session check happens before any token is issued, so Lime CRM's own authentication is what gates access to Lime BI.
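To make the flow concrete, here is an added example (not code from the Lime BI package) of what such an identity-provider endpoint does: it mints an HS256-signed JWT for the Lime CRM user, using the username format described under Metabase User, and redirects to Metabase's `/auth/sso` endpoint. The Metabase URL, shared secret, token lifetime and the assumption that the group claim equals the application identifier are constructed values for the example; the signing helper is a minimal stand-in for a JWT library. The verify function mirrors the check Metabase performs on its side and doubles as a test for the token.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example. In a real deployment the shared secret is
# the one configured under Metabase's JWT authentication settings.
METABASE_URL = "https://metabase.example.invalid"
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_TTL_SECONDS = 120  # assumption: the token only needs to survive one redirect


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def lime_bi_email(lime_username, application_identifier):
    """Metabase needs an e-mail as username; Lime CRM does not, hence the derived one."""
    return "{}-{}@lime-bi.com".format(lime_username, application_identifier)


def encode_hs256_jwt(claims, secret):
    """Minimal HS256 JWT encoder (stand-in for a JWT library)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in (header, claims)]
    signing_input = ".".join(parts)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def decode_hs256_jwt(token, secret, now=None):
    """Verify algorithm, signature and expiry; raise ValueError otherwise."""
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = pieces
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def is_valid_token(token, secret, now=None):
    try:
        decode_hs256_jwt(token, secret, now)
        return True
    except ValueError:
        return False


def build_sso_redirect(lime_username, first_name, last_name, application_identifier, return_to="/", now=None):
    """Build the URL the authentication endpoint redirects to.

    Only call this after the Lime CRM session has been validated: that session
    check is what gates access to Lime BI. The "groups" claim is assumed to be
    the application identifier, matching a JWT group mapping created in Metabase.
    """
    issued_at = int(time.time() if now is None else now)
    claims = {
        "email": lime_bi_email(lime_username, application_identifier),
        "first_name": first_name,
        "last_name": last_name,
        "groups": [application_identifier],
        "exp": issued_at + TOKEN_TTL_SECONDS,
    }
    token = encode_hs256_jwt(claims, SHARED_SECRET)
    return METABASE_URL + "/auth/sso?" + urlencode({"jwt": token, "return_to": return_to})


def parse_sso_redirect(url):
    """Split the redirect URL back into (token, return_to); handy for tests."""
    query = parse_qs(urlparse(url).query)
    return query["jwt"][0], query.get("return_to", ["/"])[0]
```

The two checks worth keeping in mind from the verify side: the algorithm is pinned to HS256 rather than read from the token, and the expiry is enforced, so a captured redirect URL stops working after a couple of minutes.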

Metabase Permission Group

Metabase uses groups to handle permissions. Each Lime CRM application with Lime BI access is expected to have a dedicated group in Metabase that describes what that application's users are allowed to do inside Metabase.

Metabase User

A Metabase user has to have an email address as its username. This is not a requirement in Lime CRM, which means the same username cannot be used in both systems. Instead, a custom username is created for each user that logs in to Lime BI. This custom username must not be changed afterwards, since it is what ties the Lime CRM user to the Metabase user. The following format is used for the user's username/email:

{lime-username}-{application-identifier}@lime-bi.com

Configuration & the Initialize Endpoint

The main addition is a new endpoint that automatically sets up Lime BI for a solution using the Metabase API. Currently, this endpoint is only available in the cloud. For a specific application, the initialize endpoint does the following:

  • Create a connection to the application database (using the read-only database user).
  • Create a Metabase group.
  • Create JWT group mappings in Metabase, so that the group claim in the token maps to that group.
  • Create a collection in Metabase.
  • Update permissions so that the group can read data but cannot run native SQL queries.
  • Save the configuration of the above in appconfig.
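As an added illustration of the permissions step (not the package's own code), the first function below takes a Metabase permissions graph as returned by `GET /api/permissions/graph`, grants the application's group read access to its database with native (SQL) queries disabled, and the second reports any group that still has native access, which is the check to run after initialization. The graph shape used here (each group/database entry carrying `{"data": {"schemas": ..., "native": ...}}`) is an assumption about the Metabase version; newer versions use different keys, so compare against the graph of your own instance. The sample graph and IDs are constructed.

```python
import copy

# Constructed sample of a Metabase permissions graph. Group "1" is Metabase's
# built-in "All Users" group, "7" stands in for the application's group and
# "3" for the application's database. The "data" -> {"schemas", "native"}
# layout is an assumption about the Metabase version in use.
SAMPLE_GRAPH = {
    "revision": 12,
    "groups": {
        "1": {"3": {"data": {"schemas": "all", "native": "write"}}},
        "7": {},
    },
}


def harden_group_permissions(graph, group_id, database_id):
    """Return a copy of the graph where group_id can read database_id but not run SQL.

    The "revision" field is deliberately left untouched: Metabase rejects a PUT
    whose revision no longer matches the stored graph, which protects against
    two initializations overwriting each other's changes.
    """
    new_graph = copy.deepcopy(graph)
    groups = new_graph.setdefault("groups", {})
    db_perms = groups.setdefault(str(group_id), {})
    db_perms[str(database_id)] = {"data": {"schemas": "all", "native": "none"}}
    return new_graph


def native_query_violations(graph, allowed_groups=("2",)):
    """List (group_id, database_id) pairs where native SQL is still allowed.

    Group "2" is Metabase's Administrators group, which legitimately keeps it;
    anything else with native access is a finding.
    """
    violations = []
    for group_id, databases in graph.get("groups", {}).items():
        if group_id in allowed_groups:
            continue
        for database_id, perms in databases.items():
            if perms.get("data", {}).get("native", "none") != "none":
                violations.append((group_id, database_id))
    return sorted(violations)
```

Note what the check reveals on the constructed sample: hardening the application's group does nothing about the built-in All Users group, which in the sample still has native access to the application database. Whatever the initialize endpoint does for the application group, All Users must be revoked from the database as well, or every Metabase user in the instance can query it.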

Interplay with Lime CAFE

As seen in the diagram at the top, the cloud setup requires completing some steps in Lime CAFE and some steps in each individual solution. Ideally, the setup process would live in one place, e.g. only in CAFE or only in Lime Admin. However, the read-only database user can only be created in CAFE, while limetypes are only accessible in Lime Admin. The read-only database user is needed to honour the principle of least privilege: Metabase only ever gets read access to the application database.

Metabase API Credentials

Both the initialize command and the sync command require superuser access rights to the Metabase API. Because of limitations in Metabase, the same superuser credentials cannot be handed out to each application. Instead, each application currently has its own non-superuser Metabase user, which allows it to make API requests, e.g. for embedding.