Password credential pass-through

The password credential pass-through feature guarantees that Starburst Enterprise platform (SEP) uses the same credentials as a user accessing a data source directly. This allows you to authenticate using the CLI or a client application with the JDBC or ODBC driver. The supplied credentials are passed through SEP and the connector to the underlying data source.

To use password credential pass-through, the data source and SEP must use the same authentication backend and use the same credentials. A typical example is an LDAP system such as Active Directory.

Note

The password credential pass-through feature is supported only in select connectors. See the connectors feature matrix for more information about which connectors support this feature.

Configuration

To enable password credential pass-through, include DELEGATED-PASSWORD in the config.properties file:

http-server.authentication.type=DELEGATED-PASSWORD

Warning

DELEGATED-PASSWORD cannot be used together with the PASSWORD authentication type; combining them results in runtime exceptions. The functionality of PASSWORD authentication is integrated in the DELEGATED-PASSWORD authentication.

To enable password credential pass-through in the Starburst Enterprise web UI and the query editor, include the Web UI property web-ui.authentication.type in the config.properties file:

web-ui.authentication.type=DELEGATED-PASSWORD

Typically, multiple authentication types are used and must be configured as comma-separated values. These are evaluated in a short-circuit fashion: SEP attempts them in order until an authentication type succeeds, and fails the authentication attempt altogether if none succeed.

In the following example, SEP attempts to authenticate using DELEGATED-KERBEROS. If that succeeds, no further authentication attempts are made. If it fails, SEP attempts to authenticate using DELEGATED-PASSWORD, followed by CERTIFICATE. If those fail, the request fails as there are no further authentication methods specified:

http-server.authentication.type=DELEGATED-KERBEROS,DELEGATED-PASSWORD,CERTIFICATE

Update the catalog file, as needed by the connector, to enable password credential pass-through:

<connector_name>.authentication.type=PASSWORD_PASS_THROUGH

Specifying username via extra credentials

It is possible to override the username used to authenticate with the external data source by using extra credentials added to the JDBC URL. The name of the extra credential used to log in must be configured in the catalog properties file:

user-credential-name=arbitrary_username_id

Then add extraCredentials=arbitrary_username_id:external_user_login to the parameters used with the JDBC driver to connect to SEP.

Users of the CLI can use the --extraCredential option.

This feature works only for the PASSWORD_PASS_THROUGH authentication type.
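The rules from the Configuration section and this section can be checked before a deployment. The following is an added example, not code from Starburst: it lints a config.properties and catalog file pair for the PASSWORD and DELEGATED-PASSWORD conflict, for a PASSWORD_PASS_THROUGH catalog without DELEGATED-PASSWORD on the server, and for user-credential-name set without PASSWORD_PASS_THROUGH. The sample file contents are constructed, and "postgresql" is an assumed stand-in for <connector_name>.

```python
# Added example: lint SEP property files against the rules stated on this page.
# Sample file contents are constructed; "postgresql" stands in for <connector_name>.
SERVER_KEY = "http-server.authentication.type"

def parse_properties(text):
    """Parse key=value properties text, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def auth_types(props, key=SERVER_KEY):
    """Return the configured authentication types in the order SEP tries them."""
    return [t.strip().upper() for t in props.get(key, "").split(",") if t.strip()]

def lint(config_text, catalog_text):
    """Return findings for one config.properties / catalog file pair."""
    config, catalog = parse_properties(config_text), parse_properties(catalog_text)
    types, findings = auth_types(config), []
    if "PASSWORD" in types and "DELEGATED-PASSWORD" in types:
        findings.append(f"{SERVER_KEY}: PASSWORD combined with DELEGATED-PASSWORD")
    pass_through = any(k.endswith(".authentication.type")
                       and v.upper() == "PASSWORD_PASS_THROUGH"
                       for k, v in catalog.items())
    if pass_through and "DELEGATED-PASSWORD" not in types:
        findings.append("catalog uses PASSWORD_PASS_THROUGH without DELEGATED-PASSWORD")
    if "user-credential-name" in catalog and not pass_through:
        findings.append("user-credential-name set without PASSWORD_PASS_THROUGH")
    return findings

GOOD_CONFIG = "http-server.authentication.type=DELEGATED-KERBEROS,DELEGATED-PASSWORD,CERTIFICATE\n"
BAD_CONFIG = "http-server.authentication.type=PASSWORD,DELEGATED-PASSWORD\n"
CATALOG = ("postgresql.authentication.type=PASSWORD_PASS_THROUGH\n"
           "user-credential-name=arbitrary_username_id\n")

if __name__ == "__main__":
    print("order:", auth_types(parse_properties(GOOD_CONFIG)))
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint(cfg, CATALOG) or "no findings")
```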