Authentication
This section outlines all supported authentication methods for external services with regard to user and group management.
LDAP and external token provider authentication options are only available in Dremio's Enterprise Edition.
Supported login credential and access control settings for each authentication option are outlined in the following chart.
| Authentication Option | Login Credentials - UI | Login Credentials - ODBC/JDBC/REST |
|---|---|---|
| OIDC (including Microsoft Entra ID and Okta) | Single sign-on and personal access token | Personal access token |
| LDAP | Username/password and personal access token | Username/password and personal access token |
| Local | Username/password and personal access token | Username/password and personal access token |
You can use more than one authentication method for a single Dremio instance. For example, you can use local authentication for some users and LDAP authentication for other users. However, Dremio supports only one Enterprise identity provider per Dremio instance. For example, you can use local and Microsoft Entra ID authentication, but not LDAP and Microsoft Entra ID.
Dremio requires a unique username for each user, regardless of how the usernames are created. For example, if you have a local user whose username is user1@dremio.com, you cannot create an LDAP user whose username is also user1@dremio.com.
Login Credentials
The options available for users to authenticate with Dremio over either browser-based UI or ODBC, JDBC, and Rest sessions are:
- Username / Password - User provides a username and password combination for authentication.
- Single Sign-On - User is authenticated by the configured Identity Provider, including automatic authentication, if already signed into the Identity Provider.
- Personal Access Token - User creates a private access token (PAT) for authentication, which is used in place of a username/password authentication for ODBC, JDBC, and Rest sessions.
When adding user access controls with OIDC authentication, usernames are assumed correct and not validated against a directory service.
Read External Users and External Roles for more information about user and group/role management.
AWS Custom Authentication
Glue, S3, and Amazon OpenSearch sources allow Dremio to use your AWS profile to authenticate users accessing your AWS-hosted data.
This authentication is performed by selecting the AWS Profile option for a source. Dremio will use credentials from the selected profile in the credentials file to authenticate with the source. Multiple methods are available for authentication, such as an external process. However, such processes must be created and validated for security by the user themselves.
We recommend using supported and secure methods via the AWS SDK and AWS application to minimize the potential for security risks.
For users with methods of generating and/or looking up credentials that may not be supported by the AWS SDK, you may alter the SDK to use your tool still by using additional configurations, such as the credential_process setting in the credentials file. Again, additional options are available for authenticating users via AWS. For more details regarding the storage of configuration settings and credentials maintained by AWS SDK, read AWS's Configuration and credential file settings documentation. This discusses both the supported settings available for inclusion on the configuration and credential files, as well as details regarding the storage of credentials.
Further information regarding this setting is found at AWS's documentation for Sourcing credentials with an external process. This help topic outlines not only how to execute your command, but also how to structure the expected JSON-formatted output from a Credentials program, which Dremio requires.
For More Information
To configure LDAP, refer to Setting Up LDAP.
To configure OIDC (including Microsoft Entra ID and Okta) with single sign-on, refer to Configuring Single Sign On.