KX Community

aele · ‎2022.07.25

We have a "legacy" python system where some quant researchers using qpython to query data from q processes into python.

At one q process, I have something like

.z.po:{if[not any (`$.z.w"system \"echo $USER\"") in exec distinct user from .perm.users;hclose .z.w]};

where column user in table .perm.users includes all users with permission.

So basically, an extra layer of security is added to validate the user trying to connect.

I was thinking about applying the same method to Python APIs, which is connecting using qpython. Theoretically, the following should work

.z.po:{if[not any (`$.z.w"os.getenv(\"USER\")") in exec distinct user from .perm.users;hclose .z.w]};

Does anyone have experiences using .z.w or any tools to send query to python from q?

Thanks.

matt_moore · ‎2022.07.26

This does not seem like a good idea for handling entitlements. Sending a sync call back down the just opened handle with .z.w runs the risk of a dead-lock between processes. There is also a dedicated message handler for user/pass checks (.z.pw). This happens first before .z.po and by default returns 1b or your permissions code can return 0b to not grant access. E.g.

.perm.users:(),`matm;

.z.pw:{[user;pass] $[user in .perm.users;1b;0b]};

// client session pass
hopen `::12345:matm:abc
5i
// client session fail
hopen `::12345:user:abc
'access

qPython supports user/pass in the connection so these users will need to adjust how they are connecting to the Python APIs once this change is in place.

Existing kdb processes should authenticate themselves this way as well.

the .z namespace | Reference | kdb+ and q documentation - Kdb+ and q documentation (kx.com)

KX Community

using .z.w to call python