Authentication

Dremio supports the following four Authentication options.

  1. Local Authentication
  2. LDAP Authentication
  3. Azure AD Authentication
  4. OpenID Authentication

Enterprise Edition only

The LDAP, Azure AD and OpenID Authentication options are only available in Enterprise Edition.

Supported login credential and access control settings for each Authentication option are provided in the following chart.

| Authentication Option | Login Credentials - UI | Login Credentials - ODBC/JDBC/REST | User Access Controls | Group Access Controls |
|---|---|---|---|---|
| Local | Username / Password & Personal Access Token | Username / Password & Personal Access Token | Yes | No |
| LDAP | Username / Password & Personal Access Token | Username / Password & Personal Access Token | Yes | Yes |
| Azure AD | Single Sign-On & Personal Access Token | Personal Access Token | Yes | Yes |
| OpenID | Single Sign-On & Personal Access Token | Personal Access Token | Yes | No |

Login Credentials

The options available for users to authenticate to Dremio over either the Web UI or ODBC, JDBC and REST sessions are:

  • Username / Password - User provides a User ID and Password combination for authentication.
  • Single Sign-On - User is authenticated by the configured Identity Provider, including automatic authentication if already signed into the Identity Provider.
  • Personal Access Token - User creates a private access token for authentication, used in place of username/password authentication in ODBC, JDBC and REST sessions.

Note: With OpenID authentication, when adding User Access Controls, user names are assumed correct and are not validated against a directory service.

User Access Controls

Indicates whether the authentication option supports user-level access controls for PDS, VDS and other objects. When supported, access to individual objects can be configured based on the User ID used for authentication.

Group Access Controls

Indicates whether the authentication option supports group-level access controls for PDS, VDS and other objects. When supported, access to individual objects can be configured based upon groups associated with the User ID used for authentication.

AWS Custom Authentication

Version Requirement:

This functionality is only available via Dremio 17.0+.

Glue, S3, and Amazon Elasticsearch sources allow Dremio to use your AWS profile to authenticate users accessing your AWS-hosted data.

This authentication is performed by selecting the AWS Profile option for a source. Dremio will use credentials from the selected profile in the credentials file to authenticate with the source. Multiple methods are available for authentication, such as an external process. However, such processes must be created and validated for security by the user themselves.

Note:

We recommend using supported and secure methods via the AWS SDK and AWS application to minimize the potential for security risks.

If you generate or look up credentials with a method that may not be supported by the AWS SDK, you can still have the SDK use your tool through additional configuration, such as the credential_process setting in the credentials file. Again, additional options are available for authenticating users via AWS. For more details regarding the storage of configuration settings and credentials maintained by the AWS SDK, read AWS’s Configuration and credential file settings documentation. It covers both the settings supported in the configuration and credentials files and how credentials are stored.

Further information regarding this setting is found at AWS’s documentation for Sourcing credentials with an external process. This help topic outlines not only how to execute your command, but also how to structure the expected JSON-formatted output from a Credentials program, which Dremio requires.
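
Because a credential_process helper must be validated by whoever writes it, the following Python script is an added example (not Dremio's or AWS's own code) that lints the JSON document such a helper prints and checks that the helper file cannot be modified by other local accounts. The function names and the sample document are hypothetical, and treating a missing Expiration as a finding is a policy choice assumed here.

```python
import json
import os
import stat
from datetime import datetime, timezone

def check_output(raw, now=None):
    """Hypothetical linter: list problems in a credential_process JSON document."""
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    if type(doc.get("Version")) is not int or doc["Version"] != 1:
        problems.append("Version must be the integer 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            problems.append(f"{key} missing or empty")
    exp = doc.get("Expiration")
    if exp is None:
        problems.append("no Expiration: credentials will never be refreshed")
    else:
        try:
            when = datetime.fromisoformat(str(exp).replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expiration is not an ISO 8601 timestamp")
        else:
            if when.tzinfo is None:
                problems.append("Expiration has no UTC offset")
            elif when <= now:
                problems.append("Expiration is in the past")
    return problems

def check_helper_file(path):
    """Hypothetical check: flag a helper that other local accounts could modify."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return [f"{path} is group- or world-writable"]
    return []

# Constructed sample output with placeholder values (not real credentials).
SAMPLE = json.dumps({"Version": 1, "AccessKeyId": "EXAMPLE-KEY-ID",
                     "SecretAccessKey": "example-secret", "SessionToken": "example-token",
                     "Expiration": "2099-01-01T00:00:00Z"})

if __name__ == "__main__":
    print(check_output(SAMPLE) or "output OK")
```

Run the linter against the captured output of your helper on a test host before pointing a Dremio source at the profile, and keep the captured output out of shell history and logs.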

For More Information

To configure LDAP, refer to Setting Up LDAP.

To configure Azure AD or OpenID with Single Sign-On, refer to Configuring Single Sign On.