Password credential pass-through
The password credential pass-through feature guarantees that Starburst Enterprise platform (SEP) uses the same credentials as a user accessing a data source directly. This allows you to authenticate using the CLI or client application with the JDBC or ODBC driver. The supplied credentials are passed through SEP and the connector to the underlying data source.
To use password credential pass-through, the data source and SEP must use the same authentication backend and use the same credentials. A typical example is an LDAP system such as Active Directory.
Note
The password credential pass-through feature is only supported in select connectors. See the connectors feature matrix for more information about which connectors support this feature.
Configuration
To enable password credential pass-through, include DELEGATED-PASSWORD in the config.properties file:
http-server.authentication.type=DELEGATED-PASSWORD
Warning
DELEGATED-PASSWORD cannot be used together with the PASSWORD authentication type; combining them results in runtime exceptions. The functionality of PASSWORD authentication is integrated in the DELEGATED-PASSWORD authentication.
To enable password credential pass-through in the Starburst Enterprise web UI and the query editor, include the Web UI property web-ui.authentication.type in the config.properties file:
web-ui.authentication.type=DELEGATED-PASSWORD
Typically, multiple authentication types are used and must be configured as comma-separated values. These are evaluated in a short-circuit fashion: SEP attempts them in order until an authentication type succeeds, and fails the authentication attempt altogether if none succeed.
In the following example, SEP attempts to authenticate using DELEGATED-KERBEROS. If that succeeds, no further authentication attempts are made. If it fails, SEP attempts to authenticate using DELEGATED-PASSWORD, followed by CERTIFICATE. If those fail, the request fails as there are no further authentication methods specified:
http-server.authentication.type=DELEGATED-KERBEROS,DELEGATED-PASSWORD,CERTIFICATE
Update the catalog file, as needed by the connector, to enable password credential pass-through:
<connector_name>.authentication.type=PASSWORD_PASS_THROUGH
Specifying username via extra credentials
It is possible to override the username used to authenticate with the external data source by adding extra credentials to the JDBC URL. The name of the extra credential used to log in must be configured in the catalog properties file:
user-credential-name=arbitrary_username_id
Then add extraCredentials=arbitrary_username_id:external_user_login to the parameters used with the JDBC driver to connect to SEP.
Users of the CLI can use the --extraCredential option.
This feature works only for the PASSWORD_PASS_THROUGH authentication type.
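The constraints on this page can be checked before a deployment with a small lint. This is an added example, not Starburst's own code: it flags DELEGATED-PASSWORD combined with PASSWORD, a catalog using PASSWORD_PASS_THROUGH while DELEGATED-PASSWORD is not enabled, and user-credential-name set without PASSWORD_PASS_THROUGH. The function names, the exampledb connector name, the file names and the sample contents are constructed assumptions.

```python
# Added example: names, sample files and finding texts are constructed for illustration.

def parse_properties(text):
    """Parse simple key=value property lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint(config_text, catalogs):
    """Return findings for config.properties text and {catalog_file: text}."""
    findings = []
    config = parse_properties(config_text)
    raw = config.get("http-server.authentication.type", "")
    # Exact list membership, so DELEGATED-PASSWORD is never mistaken for PASSWORD.
    types = [t.strip() for t in raw.split(",") if t.strip()]
    if "DELEGATED-PASSWORD" in types and "PASSWORD" in types:
        findings.append("config.properties: DELEGATED-PASSWORD combined with PASSWORD")
    for name, text in sorted(catalogs.items()):
        props = parse_properties(text)
        pass_through = any(
            key.endswith(".authentication.type") and value == "PASSWORD_PASS_THROUGH"
            for key, value in props.items()
        )
        if pass_through and "DELEGATED-PASSWORD" not in types:
            findings.append(f"{name}: PASSWORD_PASS_THROUGH without DELEGATED-PASSWORD")
        if "user-credential-name" in props and not pass_through:
            findings.append(f"{name}: user-credential-name without PASSWORD_PASS_THROUGH")
    return findings


# Constructed sample input (not taken from a real deployment).
SAMPLE_CONFIG = """
http-server.authentication.type=PASSWORD,DELEGATED-PASSWORD,CERTIFICATE
web-ui.authentication.type=DELEGATED-PASSWORD
"""
SAMPLE_CATALOGS = {
    "sales.properties": "exampledb.authentication.type=PASSWORD_PASS_THROUGH\n"
                        "user-credential-name=arbitrary_username_id\n",
    "legacy.properties": "user-credential-name=arbitrary_username_id\n",
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, SAMPLE_CATALOGS):
        print(finding)
```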