Version: current [26.x]

PostgreSQL

Configuring PostgreSQL as a Source

  1. On the Datasets page, to the right of Sources in the left panel, click the Add Source icon.
  2. In the Add Data Source dialog, under Databases, select PostgreSQL.

General

Under Name, enter the name to identify the data source in Dremio. The name cannot include the following special characters: /, :, [, or ].

Connection

| Name | Description |
| --- | --- |
| Host | PostgreSQL host name. |
| Port | PostgreSQL port number. Defaults to 5432. |
| Database | Database name. |
| Encrypt connection | Enables encrypted connections to PostgreSQL using SSL. Encryption validation mode can be modified under Advanced Options. |

Authentication

Select an authentication option:

  • No Authentication
  • Master Credentials (default):
    • Username: PostgreSQL username
    • Password: Select the password store from the dropdown menu:
      • Dremio: Provide the password in plain text. Dremio stores the password.
      • Azure Key Vault: Provide the URI for your stored password using the format https://<vault_name>.vault.azure.net/secrets/<secret_name>
      • AWS Secrets Manager: Provide the Amazon Resource Name (ARN) for the AWS Secrets Manager secret that holds the password, which is available in the AWS web console or by using command-line tools.
      • HashiCorp Vault: Select your HashiCorp secrets engine from the dropdown and enter the password reference in the required format.
    • Secret Resource URL: Provide the username and secret resource URL for Dremio to use for the source.
  • Kerberos authentication is also available. See Kerberos Authentication for PostgreSQL.

Advanced Options

  • Record Fetch Size: Number of records to fetch at once. Set to 0 (zero) to have Dremio automatically decide. By default, this is set to 10.
  • Maximum idle connections: The total number of connections allowed to be idle at a given time. By default, this is set to 8.
  • Connection idle time (s): The amount of time (in seconds) allowed for a connection to remain idle before the connection is terminated. By default, this is set to 60.
  • Query timeout: The amount of time (in seconds) allowed to wait for the results of a query. If this time expires, the connection being used is returned to an idle state.
  • Enable legacy dialect

Encryption

Validation modes include:

  • Validate certificate and hostname (default)
  • Validate certificate only
  • Do not validate certificate or hostname

Reflection Refresh

  • Never refresh – Specifies how often to refresh based on hours, days, weeks, or never.
  • Never expire – Specifies how often to expire based on hours, days, weeks, or never.

Metadata

Dataset Handling

  • Remove dataset definitions if underlying data is unavailable (Default).
    If this box is not checked and the underlying files under a folder are removed or the folder/source is not accessible, Dremio does not remove the dataset definitions. This option is useful in cases when files are temporarily deleted and put back in place with new sets of files.

Metadata Refresh

  • Dataset Discovery – Refresh interval for top-level source object names such as names of databases and tables.
    • Fetch every – Specify fetch time based on minutes, hours, days, or weeks. Default: 1 hour
  • Dataset Details – The metadata that Dremio needs for query planning such as information needed for fields, types, shards, statistics, and locality.
    • Fetch mode – Specify either Only Queried Datasets, All Datasets, or As Needed. Default: Only Queried Datasets
      • Only Queried Datasets – Dremio updates details for previously queried objects in a source. This mode increases query performance because less work is needed at query time for these datasets.
      • All Datasets – Dremio updates details for all datasets in a source. This mode increases query performance because less work is needed at query time.
      • As Needed – Dremio updates details for a dataset at query time. This mode minimizes metadata queries on a source when not used but might lead to longer planning times.
    • Fetch every – Specify fetch time based on minutes, hours, days, or weeks. Default: 1 hour
    • Expire after – Specify expiration time based on minutes, hours, days, or weeks. Default: 3 hours

Privileges

On the Privileges tab, you can grant privileges to specific users or roles. See Access Controls for additional information about privileges. All privileges are optional.

  1. For Privileges, enter the user name or role name that you want to grant access to and click the Add to Privileges button. The added user or role is displayed in the USERS/ROLES table.
  2. For the users or roles in the USERS/ROLES table, toggle the checkmark for each privilege you want to grant on the Dremio source that is being created.
  3. Click Save after setting the configuration.

Update a PostgreSQL Source

To update a PostgreSQL source:

  1. On the Datasets page, under Databases in the panel on the left, find the name of the source you want to update.
  2. Right-click the source name and select Settings from the list of actions. Alternatively, click the source name and then the Settings icon at the top right corner of the page.
  3. In the Source Settings dialog, edit the settings you wish to update. Dremio does not support updating the source name. For information about the settings options, see Configuring PostgreSQL as a Source.
  4. Click Save.

Delete a PostgreSQL Source

Note: If the source is in a bad state (for example, Dremio cannot authenticate to the source or the source is otherwise unavailable), only users who belong to the ADMIN role can delete the source.

To delete a PostgreSQL source, perform these steps:

  1. On the Datasets page, click Sources > Databases in the panel on the left.
  2. In the list of data sources, hover over the name of the source you want to remove and right-click.
  3. From the list of actions, click Delete.
  4. In the Delete Source dialog, click Delete to confirm that you want to remove the source. Deleting a source causes all downstream views that depend on objects in the source to break.

Predicate Pushdowns

Dremio delegates the execution of these expressions and functions to the database being queried, often dramatically improving query performance. It can also offload entire SQL queries that include one or more of these expressions and functions.

*, +, -, /, %
<, <=, <>, =, >, >=, !=
AND, NOT, OR, ||
ABS
ACOS
ADD_MONTHS
ASIN
ATAN
ATAN2
AVG
CAST
CBRT
CEIL
CEILING
CHAR_LENGTH
CHARACTER_LENGTH
CONCAT
COS
COT
COVAR_POP
COVAR_SAMP
DATE_ADD
DATE_SUB
DATE_TRUNC_CENTURY
DATE_TRUNC_DAY
DATE_TRUNC_DECADE
DATE_TRUNC_HOUR
DATE_TRUNC_MINUTE
DATE_TRUNC_MONTH
DATE_TRUNC_QUARTER
DATE_TRUNC_SECOND
DATE_TRUNC_WEEK
DATE_TRUNC_YEAR
DEGREES
E
EXP
EXTRACT_CENTURY
EXTRACT_DAY
EXTRACT_DECADE
EXTRACT_DOW
EXTRACT_DOY
EXTRACT_EPOCH
EXTRACT_HOUR
EXTRACT_MILLENNIUM
EXTRACT_MINUTE
EXTRACT_MONTH
EXTRACT_QUARTER
EXTRACT_SECOND
EXTRACT_WEEK
EXTRACT_YEAR
FLOOR
IS DISTINCT FROM
IS NOT DISTINCT FROM
IS NOT NULL
IS NULL
LAST_DAY
LCASE
LEFT
LENGTH
LIKE
LN
LOCATE
LOG
LOG10
LOWER
LPAD
LTRIM
MAX
MEDIAN
MIN
MOD
PERCENT_CONT
PERCENT_DISC
PI
POSITION
POW
POWER
RADIANS
REGEXP_LIKE
REPLACE
REVERSE
RIGHT
ROUND
RPAD
RTRIM
SIGN
SIN
SQRT
STDDEV
STDDEV_POP
STDDEV_SAMP
SUBSTR
SUBSTRING
SUM
TAN
TO_CHAR
TO_DATE
TRIM
TRUNC
TRUNCATE
UCASE
UPPER
VAR_POP
VAR_SAMP

Kerberos Authentication for PostgreSQL

Dremio offers an option to authenticate with PostgreSQL databases using Kerberos. This approach uses Java's JAAS framework with Krb5LoginModule to consume credentials from a Kerberos ticket cache.

Prerequisites

Before configuring Dremio, ensure the following prerequisites are met:

  • A Kerberos realm and Key Distribution Center (KDC) reachable from all Dremio coordinator and executor nodes
  • A krb5.conf file that maps your domains and hosts to the Kerberos realm and KDC. Your Kerberos administrator can provide this, or you can create one using the example in this guide.
  • A Kerberos ticket cache file for a service principal with access to the target PostgreSQL database, which your infrastructure team generates from a keytab and refreshes before ticket expiration. This file is typically handled by a sidecar container in Kubernetes deployments and by a cron job or systemd timer in VM deployments. Dremio reads from the ticket cache but does not refresh it.
  • JDK 11 or later

Configuration Steps

  1. Configure krb5.conf.

    The krb5.conf file tells the JVM how to map hostnames to Kerberos realms and where to find KDCs.

    Add the file content to your values-overrides.yaml using the configFiles option. The Helm chart will create a ConfigMap and mount it into the Dremio containers automatically.

    krb5.conf configuration in values-overrides.yaml
    dremio:
      configFiles:
        krb5.conf: |
          [libdefaults]
            default_realm = REALM.EXAMPLE.COM
            dns_lookup_kdc = false
            rdns = false
            ticket_lifetime = 10h
            renew_lifetime = 7d
            udp_preference_limit = 1

          [realms]
            REALM.EXAMPLE.COM = {
              kdc = kdc01.example.com
              kdc = kdc02.example.com
              admin_server = kdc01.example.com
            }

          [domain_realm]
            .example.com = REALM.EXAMPLE.COM
            example.com = REALM.EXAMPLE.COM

    Configuration Guidelines

    • default_realm must match your realm name (uppercase by convention).
    • List at least one reachable KDC under [realms]. Add multiple for high availability.
    • In [domain_realm], map your DNS suffixes to the realm so hostname-to-realm resolution works correctly.
    • Set dns_lookup_kdc=true only if your DNS publishes SRV records for KDCs; otherwise, specify KDC hosts explicitly.
    • Set udp_preference_limit = 1 to force TCP and avoid UDP fragmentation issues.
  2. Configure the ticket cache.

    Your infrastructure team provides the Kerberos ticket cache and is responsible for refreshing it before tickets expire.

    The ticket cache is typically mounted into the Dremio containers as a shared volume, refreshed by a sidecar container. Configuring the sidecar and shared volume requires customizing the Dremio Helm chart. See Downloading Dremio's Helm Charts for information on customizing the chart.

    Set the KRB5CCNAME environment variable in your values-overrides.yaml to point to the cache location:

    KRB5CCNAME configuration in values-overrides.yaml
    coordinator:
      extraEnvs:
        - name: KRB5CCNAME
          value: "FILE:/var/kerberos/krb5cache"

    executor:
      extraEnvs:
        - name: KRB5CCNAME
          value: "FILE:/var/kerberos/krb5cache"

    Ensure the ticket cache is:

    • Available at a consistent path on all coordinator and executor nodes
    • Readable by the Dremio process
    • Refreshed before tickets expire
  3. Create the Java Authentication and Authorization Service (JAAS) file.

    The JAAS configuration tells Java how to authenticate using the Kerberos ticket cache.

    Add the file content to your values-overrides.yaml using the configFiles option:

    JAAS configuration in values-overrides.yaml
    dremio:
      configFiles:
        jaas.conf: |
          pgjdbc {
            com.sun.security.auth.module.Krb5LoginModule required
            doNotPrompt=true
            useTicketCache=true
            renewTGT=true;
          };

    JAAS Options

    • doNotPrompt=true – Prevents password prompts; fails if no credentials are available.
    • useTicketCache=true – Uses tickets from the cache specified by KRB5CCNAME.
    • renewTGT=true – Attempts to renew the TGT if possible.
    • debug=true – (Optional) Enables verbose JAAS logging for troubleshooting.
  4. Configure the JVM options for Dremio.

    Dremio's JVM needs to know where to find the Kerberos and JAAS configuration files.

    When using configFiles in your values-overrides.yaml, the files are mounted at /opt/dremio/conf/. Add the JVM options using extraStartParams in your values-overrides.yaml:

    JVM option configurations in values-overrides.yaml
    coordinator:
      extraStartParams: >-
        -Djava.security.krb5.conf=/opt/dremio/conf/krb5.conf
        -Djava.security.auth.login.config=/opt/dremio/conf/jaas.conf
        -Djavax.security.auth.useSubjectCredsOnly=false

    JVM Options

    • -Djava.security.krb5.conf – Path to the krb5.conf file.
    • -Djava.security.auth.login.config – Path to the jaas.conf file.
    • -Djavax.security.auth.useSubjectCredsOnly=false – Allows JGSS to use default credentials directly.

    These JVM options must be configured on the coordinator node.

  5. Add the PostgreSQL source in Dremio.

    When adding your PostgreSQL source in Dremio:

    1. Select No Authentication as the authentication method.

    2. Navigate to Advanced Options.

    3. Add the following connection properties:

      | Property | Value |
      | --- | --- |
      | jaasApplicationName | pgjdbc (must match the entry name in jaas.conf) |
      | kerberosServerName | postgres (the Kerberos service name for PostgreSQL). This property is equivalent to libpq's PGKRBSRVNAME environment variable. It defaults to postgres if not specified but should match the service name configured in your PostgreSQL server's Kerberos setup. |
      | user | Your Kerberos principal (e.g., service@REALM.EXAMPLE.COM) |

Troubleshooting

  • Realm/KDC lookup errors: Verify the [realms] and [domain_realm] sections in krb5.conf are correctly configured.
  • "Server not found in Kerberos database" errors: Ensure you are connecting to the PostgreSQL server using its correct Fully-Qualified Domain Name (FQDN) and that the FQDN maps to the expected realm in [domain_realm].
  • Enable debug logging: Add debug=true to your jaas.conf entry for verbose JAAS output. You can also add -Dsun.security.krb5.debug=true to JVM options for Kerberos library debugging.
  • Ticket cache not found or expired: Verify the ticket cache is mounted correctly and that your infrastructure's refresh process is running. Check that the KRB5CCNAME environment variable points to the correct path.
  • Permission errors: Verify the Dremio process user can read the ticket cache, krb5.conf, and jaas.conf files.
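
The pre-flight script below is an added example, not part of Dremio's documentation or tooling: it checks the ticket cache, jaas.conf and krb5.conf from the configuration steps for the failures listed above. The function names and the JAAS_CONF and KRB5_CONF override variables are hypothetical; the default paths and the pgjdbc entry name are the ones used on this page. It also rejects a cache that grants permissions to other users, because anyone who can read the cache can use the tickets in it.

```sh
#!/bin/sh
# Added example: pre-flight checks for the Kerberos files this page configures.
# Function names and the JAAS_CONF / KRB5_CONF variables are hypothetical.

# Print the path behind a FILE: cache name; reject other cache types,
# because the configuration on this page uses a FILE: ticket cache.
ccache_path() {
  case "$1" in
    FILE:/*) printf '%s\n' "${1#FILE:}" ;;
    *) return 1 ;;
  esac
}

# The cache holds usable tickets: it must exist, be non-empty and readable
# by this user, and grant no permissions to "other" users.
check_ccache() {
  f=$(ccache_path "$1") || { echo "unsupported cache name: $1"; return 2; }
  { [ -s "$f" ] && [ -r "$f" ]; } || { echo "missing or unreadable: $f"; return 3; }
  other=$(ls -ld "$f" | cut -c8-10)
  [ "$other" = "---" ] || { echo "accessible to other users: $f"; return 4; }
}

# jaas.conf must define the entry named in jaasApplicationName and read the cache.
check_jaas() {  # $1 = jaas.conf path, $2 = entry name
  grep -Eq "^[[:space:]]*$2[[:space:]]*\{" "$1" ||
    { echo "no JAAS entry named $2"; return 5; }
  grep -Eq 'useTicketCache[[:space:]]*=[[:space:]]*true' "$1" ||
    { echo "useTicketCache=true not set"; return 6; }
}

# krb5.conf must set default_realm and define that realm (with its KDCs).
check_krb5() {  # $1 = krb5.conf path
  realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  [ -n "$realm" ] || { echo "default_realm not set"; return 7; }
  grep -Eq "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*\{" "$1" ||
    { echo "no [realms] entry for $realm"; return 8; }
}

# Run every check against the paths used on this page (overridable for testing).
preflight() {
  check_ccache "${KRB5CCNAME:-}" &&
    check_jaas "${JAAS_CONF:-/opt/dremio/conf/jaas.conf}" pgjdbc &&
    check_krb5 "${KRB5_CONF:-/opt/dremio/conf/krb5.conf}"
}
```

Source the file inside a coordinator or executor container and run `preflight`; a non-zero exit code identifies the first failed check.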
