This section describes how to enable relational connections to leverage your Hadoop Single Sign-On (SSO) infrastructure. When this feature is enabled and properly configured, users can create relational (JDBC) connections that use SSO that you have already configured.
Connections that were created before this feature is enabled continue to operate as expected without modification.
- For this release, this feature applies to SQL Server connections only.
Cross-realm is not supported. As a result, the SQL Server instance, service principal, and Alteryx® principal must be in the same Kerberos realm.
- Kerberos SSO: You must set up SSO authentication to the Hadoop cluster using Kerberos. This feature uses the global Kerberos keytab. For more information, see Configure for Kerberos Integration.
Configure JAAS file and path
Path on the Alteryx node to the location of the JAAS configuration file required by the DataDirect driver.
NOTE: The default location is listed below. You may wish to move this file to a location outside of the Alteryx installation to ensure that the file is not overwritten during upgrades.
More information on this file is provided below.
For connections that support Kerberos-delegated authentication, the underlying driver supports a JAAS file in which you can provide environment-specific configuration to the driver. As needed, you can modify this file.
|Connection Type||Default path to JAAS file|
Example JAAS file for SQL Server
Below is an example file, where you must apply the Kerberos global keytab and principal values that are to be used to authenticate to use the Kerberos-delegated connections of this type:
keytab= the absolute path on the Alteryx node where the Kerberos global keytab is located.
principal= Set to the service principal name of the user's service account in LDAP.
Specify Kerberos configuration file
On the Alteryx node, locate the following file:
If it doesn't exist, create it with the following content, some of which you must specify:
|Set this value to your default Kerberos realm.|
|This value must be set to |
For each realm that you create, you must create an entry in
For each domain to which the Kerberos delegation applies, you must create an entry in
Entries should look like the following:
Modify the location of the Kerberos configuration file
If you need to move the location of the file from the default one, please complete the following:
- If you haven't already done so, copy the file from its current location to its preferred location.
- You can apply this change through the Admin Settings Page (recommended) or
trifacta-conf.json. For more information, see Platform Configuration Methods.
Specify the path to the new location in the following parameter:
- Save your changes.
Configure vendor definition file
For each vendor that supports SSO connections you must modify a setting in a configuration file on the Alteryx node. This change can only be applied for vendors that support Kerberized SSO connections.
On the Alteryx node, navigate to the following directory:
- In the
vendordirectory, each JDBC vendor has a sub-directory. Open the vendor directory.
- Locate the
credentialTypeproperty. Set the value to
- Save your changes and restart the platform.
- When you create your connection, select
kerberosDelegatefrom the Credential Type drop-down.
The following example uses the default Kerberos realm to set an SSO connection to a SQL Server instance. This example is intended to demonstrate one way in which you can set up your SSO connections.
Create the Alteryx service principal:
- Enable this flag:
- For more information on delegation flags, see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/kadmin_local.html
Generate a keytab for the Alteryx service principal.
Register the Alteryx service principal for Microsoft Sql Server instance:
- Enable this flag:
- For more information on setting this flag, see https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-2017.
- Enable this flag:
Create a linked SQL Server account:
Account must have the same name as the end-user principal.
Account needs connect permissions at least.
NOTE: If you are using LDAP/AD SSO, you can register all of the above SPNs using AD mechanisms. You do not have to use the delegation flags. Delegation can be managed through the UI for the service account.
When you create a new connection of a supported type, you can select the Kerberos Delegate credentials type. When selected, no username or credentials are applied as part of the connection object. Instead, authentication is determined via Kerberos authentication with the cluster.
When sharing SSO connections, the credentials for the connection cannot be shared for security reasons. The Kerberos principal for the user with whom the connection is shared is applied. That user must have the appropriate permissions to access any required data through the connection. See Overview of Sharing.
This page has no comments.