
Support more Redshift IAM AuthTypes

score 23

What is your idea?


The Redshift driver supports several ways to authenticate. By default Tableau only supports username/password, which is a common but outdated use of credentials for big setups with multiple users.

The newer IAM approach has several advantages. How to set up the driver is described here: Step 5: Configure a JDBC or ODBC Connection to Use IAM Credentials - Amazon Redshift

With Tableau Desktop and a custom data source it is possible to use these driver options, but the datasource is bound to a specific user. To be able to reuse a datasource for multiple users, the Tableau Redshift connect options need to have options to select different auth types, similar to the DSN ODBC driver manager on Windows (example for "AD FS"):

[Screenshot: ODBC connection settings for AD FS]

What problem are you trying to solve or what scenario would this idea solve?


  • Extend Redshift connect options in Tableau to use IAM features.
  • Partially solves https://community.tableau.com/ideas/9362.
  • Tableau users can reuse their IdP credentials to log in to Redshift datasources.
  • One can manage access patterns via (IdP) users and/or groups on the Redshift side, and Tableau users can easily select via DbGroups what they need (or are allowed) to access on Redshift.


What workaround have you found and used so far (if any)?


  1. Create an ODBC DSN to set up the parameters for the ODBC connection. (This step is created from memory, since I have no access to Windows at the time of writing.)
    1. Use Tableau Desktop on Windows.
    2. Start the ODBC driver manager: Open the ODBC Data Source Administrator - SQL Server | Microsoft Docs
    3. Create a new file DSN.
    4. Select Redshift ODBC driver and AuthType: IdP: AD FS
    5. Set up the following parameters (depending on your IdP setup):
      1. Cluster ID
      2. Region
      3. DbUser
      4. Check User AutoCreate
      5. DbGroups
      6. IdP Host
      7. IdP Port
    6. Save DSN to file and open it with an editor to get driver extra parameters for next step.
  2. Customize the Redshift datasource with the parameters from step 1.
    1. Create a Redshift datasource (using default parameters to connect to a Redshift cluster via a Redshift user) via Tableau Desktop and save it to disk as redshift.tds.
    2. Open the .tds file with an editor and manually adjust "odbc-connect-string-extras".
    3. Add the following parameters separated by ";" (using example values here; use the values from the DSN file created in step 1):
      1. UID={username@domain}
      2. DBUSER=username@domain
      3. EPWD={PWHASH}
      4. DbGroups=a_redshift_grp_the_user_can_join
      5. ClusterId=redshift-cluster-id
      6. Region=eu-central-1
      7. idp_host=adfs.company.com
      8. IAM=1
      9. IAMDuration=900
      10. AuthType=Plugin
      11. plugin_name=ADFS
    4. Save file.
  3. Open Tableau Desktop and use the customized Redshift datasource.
    1. Since the Tableau connect options require a cluster URL, we still need to set the correct one for this cluster (the IAM driver could retrieve the cluster URL via the cluster identifier).
    2. Also set the database name.
    3. Enter the IdP credentials for this user, matching the user in the parameters from step 2.
    4. This should authenticate the user via AD FS with IAM and then get temporary credentials for the user to log into Redshift, joining the DbGroups.


The disadvantage is that this datasource is mapped to the specific user and DbGroups set in the connect-string-extras. So this datasource can NOT be reused by different users.

If Tableau extended the connection options for the Redshift datasource, we could set up parameters 5 - 11 on datasource creation and parameters 1 - 4 dynamically for each user using this datasource.


What is your role in your organization?


     I'm a Server Admin.
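
An added example, not part of the original post and not Tableau's code: a Python check that reads the "odbc-connect-string-extras" attribute of a .tds file, lists the user-bound parameters (1 - 4 in the workaround) and any stored password value, and derives the shareable remainder (5 - 11). The sample .tds fragment, its server and dbname values, the function names and the assumption that the extras sit on a `connection` element are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Parameters 1-4 in the post are bound to one user; 5-11 describe the cluster/IdP.
PER_USER = {"uid", "dbuser", "epwd", "dbgroups"}
# EPWD is from the post; PWD (standard ODBC password keyword) is added here.
SECRET = {"epwd", "pwd"}

# Constructed sample .tds fragment; extras use the example values from the post.
SAMPLE_TDS = """<datasource>
  <connection class='redshift' dbname='dev' server='cluster.example.invalid'
    odbc-connect-string-extras='UID={username@domain};DBUSER=username@domain;EPWD={PWHASH};DbGroups=a_redshift_grp_the_user_can_join;ClusterId=redshift-cluster-id;Region=eu-central-1;idp_host=adfs.company.com;IAM=1;IAMDuration=900;AuthType=Plugin;plugin_name=ADFS'/>
</datasource>"""


def parse_extras(extras):
    """Split 'K=V;K=V' into ordered pairs; ';' inside {...} belongs to the value."""
    pairs, buf, in_braces = [], [], False
    for ch in extras + ";":
        if ch == ";" and not in_braces:
            item, buf = "".join(buf).strip(), []
            if "=" in item:
                key, value = item.split("=", 1)
                pairs.append((key.strip(), value.strip()))
            continue
        in_braces = (ch == "{") or (in_braces and ch != "}")
        buf.append(ch)
    return pairs


def audit_tds(tds_xml):
    """Report user-bound keys, stored secrets and the shareable extras per connection."""
    report = []
    for conn in ET.fromstring(tds_xml).iter("connection"):
        pairs = parse_extras(conn.get("odbc-connect-string-extras", ""))
        if not pairs:
            continue
        drop = PER_USER | SECRET
        report.append({
            "per_user": [k for k, _ in pairs if k.lower() in PER_USER],
            "secrets": [k for k, _ in pairs if k.lower() in SECRET],
            "shared_extras": ";".join(f"{k}={v}" for k, v in pairs
                                      if k.lower() not in drop),
        })
    return report


if __name__ == "__main__":
    for entry in audit_tds(SAMPLE_TDS):
        print("user-bound keys :", entry["per_user"])
        print("stored secrets  :", entry["secrets"])
        print("shareable extras:", entry["shared_extras"])
```

A non-empty "stored secrets" list means the .tds file carries a password value for one specific user and should be handled like a credential file rather than shared or published.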
