Dremio latest ODBC driver is installed on the client machine (machine where Tableau, Python, etc. resides)
Configure Dremio for Inbound Impersonation
Step 1: Create ‘depta__user’ and ‘deptb_user’ as ‘User’ role within Dremio. These users will only be able to Query the datasets to which they should have permissions.
Step 2: Create a service account (in this case ‘tpcds_service’) as the generic access for the specific datasource or dataset.
Step 3: Specify that the ‘tpcds_service’ user has access to a specific data source (or dataset). In this case we are permitting only queries on the ‘tpcds-Hive3.default’ datasource directory.
Step 4: Setup the inbound impersonation policies and confirm that the exec.impersonation.inbound.policies have been updated.
The cluster is now enabled to support Inbound Impersonation for ODBC related queries using the depta_user and deptb_user. In the following sections are examples on how to use Inbound Impersonation for both Python and BI tools such as Tableau (other ODBC related tools will follow a similar pattern).
Python ODBC Query example
Leveraging the above configuration steps we will go through an example where we run a Python program containing the Python requesting user and its matching delegated user.
ODBC Property
Value
Comments
UID
Depta_user
This user does not require permission to the targeted dataset. But, it MUST already have been mapped to the specified DelegationUID before running the ODBC related program or you will receive a message "pyodbc.InterfaceError: ('28000', u"[28000] [Dremio][Connector] (40) User authentication failed. Server message: [30017]User authentication failed"
DelegationUID
tpcds_service
The DelegationUID specified user must have sharing rights associated with the requested Dremio table in the request or you will see the “User authentication failed” message. This delegationUID also needs to have been mapped to the uid ODBC property.
Step 1: Create your Python ODBC program as shown below
Step 3: Validate that the query was handled by the ‘tpcds_service’ user and not the ‘depta_user’ user by looking in the Dremio Job Logs screen as shown below.
As we see above the query type is ODBCClient which is how we submitted the Sample Python query and in fact we see the tpcds_service account and not depta_user.
Step 4: Validate that an authorized user cannot leverage the delegationUID
In this continuation of this example, we will perform the same query using the ‘deptb_user’.
In the above example we received the error message “Proxy user ‘deptb_user’ is not authorized to impersonate target user ‘tpcds_service’.” Ensuring that the Python program is not able to inappropriately hijak a delegation user.
Ready to Get Started? Here Are Some Resources to Help
Webinars
Cyber Lakehouse for the AI Era, ZTA and Beyond
Many agencies today are struggling not only with managing the scale and complexity of cyber data but also with extracting actionable insights from that data. With new data retention regulations, such as M-21-31, compounding this problem further, agencies need a next-generation solution to address these challenges.
Bring your users closer to the data with organization-wide self-service analytics and lakehouse flexibility, scalability, and performance at a fraction of the cost. Run Dremio anywhere with self-managed software or Dremio Cloud.