Starburst MongoDB connector
The Starburst MongoDB connector is an extended, tested, and fully supported version of the MongoDB connector, with identical configuration and usage.
The following improvements are included:
Requirements
Fulfill the MongoDB connector requirements.
Additional features of the connector require a valid Starburst Enterprise license, unless otherwise noted.
Performance
The connector includes a number of performance improvements, detailed in the following sections.
Predicate pushdown support
The connector supports predicate pushdown, including complex expression predicate pushdown using MongoDB indexing. It also supports predicate pushdown for the following functions:
json_extract_scalar() with the = and != operators, on columns of type STRING, INTEGER, LONG, and BOOLEAN.
from_iso8601_timestamp() on columns of type DATE and when used in conjunction with json_extract_scalar().
Complex expression predicate pushdown is supported on columns of type SMALLINT, TINYINT, INT, BIGINT, VARCHAR, TIMESTAMP(3), and TIMESTAMP WITH TIMEZONE(3).
You can set mongodb.complex-expression-pushdown.enabled=true in the catalog configuration or use the complex_expression_pushdown_enabled session property to enable predicate pushdown. By default, this configuration property is set to true.
Security
The connector includes security-related features detailed in the following section.
Kerberos authentication
The connector supports Kerberos authentication using a keytab.
To configure Kerberos authentication with a keytab, add the following catalog configuration properties to the catalog properties file:
mongo.authentication.type=KERBEROS
kerberos.client.principal=example@example.com
kerberos.client.keytab=etc/kerberos/example.keytab
kerberos.config=etc/kerberos/krb5.conf
With this configuration the user example@example.com, defined in the principal property, is used to connect to the database, and the related Kerberos service ticket is located in the example.keytab file.
Kerberos credential pass-through
The connector can be configured to pass through Kerberos credentials received by SEP to the MongoDB database. Configure Kerberos and SEP, following the instructions in Kerberos credential pass-through.
Next, configure the connector to pass through the credentials from the server to the database in your catalog properties file, and ensure the Kerberos client configuration properties are in place on all nodes.
mongo.authentication.type=KERBEROS_PASS_THROUGH
http.authentication.krb5.config=/etc/krb5.conf
http-server.authentication.krb5.service-name=exampleServiceName
http-server.authentication.krb5.keytab=/path/to/Keytab/File
Note
When delegated Kerberos authentication is configured for the Starburst Enterprise web UI, make sure the http-server.authentication.krb5.service-name value is set to HTTP to match the configured Kerberos service name.
Now any MongoDB database accessed using SEP is subject to the Kerberos-defined data access restrictions and permissions.
Enable password credential pass-through
The connector supports password credential pass-through. To enable it, add the following properties to the catalog properties file:
mongo.authentication.type=PASSWORD_PASS_THROUGH
mongo.authentication.source=
mongo.authentication.mechanism=
The mongo.authentication.source property is the name of the database where the user’s data is stored. If the user’s data is stored outside of MongoDB, set the property value to $external.
The mongo.authentication.mechanism property is modeled after MongoDB’s authentication mechanisms and accepts a single value from the following set defined by MongoDB:
SCRAM-SHA-1
SCRAM-SHA-256
PLAIN
For more information about configurations and limitations, see Password credential pass-through.
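The following Python check is an added example, not part of the Starburst documentation. It covers the catalog properties from the Kerberos authentication and password credential pass-through sections above, flagging required properties left empty, a mechanism outside the listed set, and a keytab that is missing or accessible to group or other users. The function names and the base_dir parameter are assumptions of this example.

```python
import os
import stat

# Property names and accepted values are the ones shown on this page.
REQUIRED = {
    "KERBEROS": ["kerberos.client.principal", "kerberos.client.keytab", "kerberos.config"],
    "KERBEROS_PASS_THROUGH": [],  # server-side Kerberos settings are not checked here
    "PASSWORD_PASS_THROUGH": ["mongo.authentication.source", "mongo.authentication.mechanism"],
}
MECHANISMS = {"SCRAM-SHA-1", "SCRAM-SHA-256", "PLAIN"}

# Constructed sample: the pass-through template from this page, values left unset.
SAMPLE = """\
mongo.authentication.type=PASSWORD_PASS_THROUGH
mongo.authentication.source=
mongo.authentication.mechanism=
"""


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_catalog(text, base_dir="."):
    """Return findings; base_dir (assumed) is where relative keytab paths resolve."""
    props = parse_properties(text)
    auth = props.get("mongo.authentication.type")
    if auth not in REQUIRED:
        return [f"mongo.authentication.type={auth!r} is not covered by this check"]
    findings = [f"{key} is missing or empty" for key in REQUIRED[auth] if not props.get(key)]
    mech = props.get("mongo.authentication.mechanism")
    if auth == "PASSWORD_PASS_THROUGH" and mech and mech not in MECHANISMS:
        findings.append(f"mongo.authentication.mechanism={mech!r} is not an accepted value")
    keytab = props.get("kerberos.client.keytab")
    if auth == "KERBEROS" and keytab:
        path = os.path.join(base_dir, keytab)
        if not os.path.isfile(path):
            findings.append(f"kerberos.client.keytab: {keytab} not found")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"kerberos.client.keytab: {keytab} is accessible to group or others")
    return findings
```

Run lint_catalog() on the text of each catalog properties file before deployment; an empty list means none of these checks fired.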