Configuring SSO

This topic describes how to configure Dremio for Single Sign On (SSO). SSO is implemented with Microsoft's Azure Active Directory as an identity provider.

[info] Enterprise Edition only

Introduced in Dremio 3.3
SSO works only with a new Dremio installation.

Requirements

To use Azure Active Directory, Dremio's web server must have web server encryption enabled. See the Web Server Encryption section in Configuring Wire Encryption for more information.

Setting Up Azure AD

To set up and configure Azure AD:

  1. In Azure AD, navigate to the App registrations section, where you will create a new app registration for your Azure AD instance with your name and the account type.
  2. Click on New Registration.
  3. Complete the Register an application form by adding the name, supported account types, and redirect URI
    (https://{dremio.host}:9047/sso), and press Save. Note that the same redirect URI is entered again when you configure Dremio.
  4. Click on the app name that you registered to navigate to the app details screen.
  5. Navigate to the Certificates & secrets section and click on New client secret.
  6. Provide a client secret description and expiration, then click on Add. Be sure to copy the secret and store it safely, as it is not visible again after you leave the page.
  7. Navigate to API permissions, click on Add a permission, and then click on Microsoft Graph.
  8. Select Application permissions.
  9. Under Select permissions, search for Directory.Read.all, select the Directory.Read.all permission box, and click Add permission. This permission is required for Dremio to read users and groups from Azure AD.

Configuring Dremio for Azure AD

When configuring Dremio for Azure AD, you modify the dremio.conf and azuread.json files. These modified files must be copied to the /conf directory on all coordinator nodes.

[info] Important

To enable Azure Active Directory support, all coordinator nodes must be configured prior to deploying the Dremio cluster.

To configure Dremio for Azure Active Directory:

  1. Edit the dremio.conf file, and add the following properties:
     services: {
       coordinator.enabled: true,
       coordinator.web.auth.type: "azuread",
       coordinator.web.auth.config: "azuread.json"
     }
    
  2. Edit the azuread.json file, and add the following properties:
     {
       "oAuthConfig": {
         "clientId": "<clientId>",
         "clientSecret": "<clientSecret>",
         "redirectUrl": "https://<dremio.host>:9047/sso",
         "authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
         "scope": "openid profile offline_access",
         "jwtClaims": {
           "userName": "preferred_username"
         }
       }
     }
    
    • clientId - Can be found in the Overview screen for your application. This property is also called the application ID.
    • clientSecret - The secret that was created in the Setting Up Azure AD section.
    • redirectUrl - The redirect URI that was created in the Setting Up Azure AD section.
    • directory.id - Can be found in the Overview screen for your application. This property is also called the tenant ID.
  3. Be sure to copy the modified dremio.conf and azuread.json files to every coordinator node in the Dremio cluster.

[info] Important

The Azure AD configuration in the dremio.conf and azuread.json files must exist and match on all coordinator nodes.

Using Azure's Managed Storage Identities

Dremio supports using Azure's Managed Storage Identities feature to retrieve the client secret from Azure Key Vault when running inside Azure. Use this feature if you want to avoid storing the secret in plain text in azuread.json.

To set up Azure's Managed Storage Identities:

  1. Create an Azure Key Vault and create a new secret. The Key Vault asks for a name and the value (the client secret generated for the application).
  2. Go to the Access policies section for the Key Vault and add the Azure Active Directory application. Make sure that you give it Get permission for Secrets.
  3. Change the azuread.json value for clientSecret to the following URI:
       ...
       "clientSecret": "azure-vault+https://{keyvault.name}.vault.azure.net/#{secret.name}",
       ...
    
    Note: This special URI tells Dremio to access the Key Vault located at https://{keyvault.name}.vault.azure.net and load the secret named {secret.name}. The Key Vault value is shown on the Overview page under DNS Name.
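As an added check for the azuread.json written in Configuring Dremio for Azure AD and for the Key Vault reference above (example code, not Dremio's own): it validates the required properties, insists on an https redirect URL, and splits the azure-vault+ URI into the vault URL and secret name. The sample document and the parsing of the azure-vault+ form are assumptions based only on the URI shape shown on this page.

```python
import json
import re
from urllib.parse import urlparse
# Constructed sample in the azuread.json shape from this page; all IDs and hosts are placeholders.
SAMPLE_AZUREAD_JSON = """{
  "oAuthConfig": {
    "clientId": "00000000-0000-0000-0000-000000000000",
    "clientSecret": "azure-vault+https://example-kv.vault.azure.net/#dremio-client-secret",
    "redirectUrl": "https://dremio.example.com:9047/sso",
    "authorityUrl": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "scope": "openid profile offline_access",
    "jwtClaims": {"userName": "preferred_username"}
  }
}"""

VAULT_PREFIX = "azure-vault+"
AUTHORITY_RE = re.compile(r"^https://login\.microsoftonline\.com/[^/]+/v2\.0$")

def parse_vault_secret_ref(value):
    """Split an azure-vault+ URI into (vault_url, secret_name); None if value is not one."""
    if not value.startswith(VAULT_PREFIX):
        return None
    url = urlparse(value[len(VAULT_PREFIX):])
    if url.scheme != "https" or not (url.hostname or "").endswith(".vault.azure.net"):
        raise ValueError("expected https://<keyvault.name>.vault.azure.net/#<secret.name>")
    if not url.fragment:
        raise ValueError("missing the #<secret.name> fragment")
    return f"https://{url.hostname}", url.fragment

def check_azuread_config(text):
    """Return a list of findings for an azuread.json document; empty means all checks passed."""
    cfg = json.loads(text).get("oAuthConfig", {})
    findings = []
    for key in ("clientId", "clientSecret", "redirectUrl", "authorityUrl", "scope", "jwtClaims"):
        if key not in cfg:
            findings.append(f"missing {key}")
        elif isinstance(cfg[key], str) and cfg[key].startswith("<"):
            findings.append(f"{key} still holds the <...> placeholder")
    redirect = urlparse(cfg.get("redirectUrl", ""))
    if redirect.scheme != "https" or redirect.path != "/sso":  # SSO requires web server encryption
        findings.append("redirectUrl must be https://<dremio.host>:9047/sso")
    if not AUTHORITY_RE.match(cfg.get("authorityUrl", "")):
        findings.append("authorityUrl must be https://login.microsoftonline.com/<directory.id>/v2.0")
    secret = cfg.get("clientSecret", "")
    try:
        if secret and parse_vault_secret_ref(secret) is None:
            findings.append("clientSecret is stored in plain text; consider an azure-vault+ reference")
    except ValueError as exc:
        findings.append(f"bad Key Vault reference in clientSecret: {exc}")
    return findings
```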

Logging in with SSO

When SSO is configured, you are redirected to Azure to log in using SSO. Dremio also uses Azure Active Directory for directory services and to look up users and groups.

Backing up with SSO

When using an SSO configuration, you must use a personal access token (PAT) as the password for the SSO user. See Personal Access Tokens for information on enabling PATs.

$ ./dremio-admin backup -u se3@dremioqa.onmicrosoft.com -d /tmp
password: 
Backup created at /tmp/dremio_backup_2019-07-17_23.08, dremio tables 32, uploaded files 1

If you use your SSO password instead of your PAT as the password, you will see the following:

$ ./dremio-admin backup -u se3@dremioqa.onmicrosoft.com -d /tmp
password: 
Failed to create backup at /tmp:java.io.IOException: Status 500 (Internal Server Error): 
Something went wrong (more info: Cannot authenticate users when using Azure AD)

Deleting Users

[info] Important

When deleting users from SSO, ensure that all Personal Access Tokens (PATs) are also deleted.

For More Information