Credentials Vault
Virtual DataPort can obtain the credentials of JDBC and MongoDB data sources from an external credentials vault. That is, instead of entering the user and password of a service account of the database in the data source, you enter the name of the "secret" that holds them in the vault. At runtime, the data source retrieves the username and password from the vault.
The main benefits to using a credentials vault are:
The developers of Virtual DataPort do not need to know the username/password of the service accounts of the databases.
The security team of your organization can configure the vault to rotate the password of the service account that the JDBC or MongoDB data sources use. This lets you replace long-lived passwords with short-lived ones, which limits how long a leaked password remains usable. Without the vault, changing the password of a service account requires the database administrators and the administrators of Virtual DataPort to coordinate so that both sides change it at the same time.
It lets the security team of your organization keep a trail of which applications use each service account.
Enabling Access to the Credentials Vault
Follow these steps to enable the access to the credentials vault:
Go to the menu Administration > Server configuration. Then, click Credentials vault.
Select Use external credentials vault and then, set the Provider your organization uses.
Enter the configuration details. They are different depending on the vault you use. Then, click Ok.
You do not need to restart after this.
Open the JDBC or MongoDB data source that has to obtain its credentials from the vault and, in Authentication, select the corresponding option.
When you configure a JDBC or MongoDB data source, you provide the credentials of a service account of that database. The data source uses these credentials to connect to the database and execute queries. Even if you enable pass-through session credentials, the data source still uses this service account to list the tables and views of the database while you create base views.
To indicate the credentials of this service account you can:
Enter the user and password of this account.
Or configure the data source to retrieve the user and password from a credentials vault, when it needs to connect to the database.
Supported Credentials Vaults
Virtual DataPort supports these credentials vaults:
How a Data Source Obtains the Credentials from the Vault
Let us assume this scenario:
You have configured Virtual DataPort to use the credentials vault of your organization. That is, in the Server Configuration dialog > Credentials vault, you enabled this system and entered the required configuration.
You have configured a JDBC data source to retrieve its credentials (i.e., user and password) from the credentials vault, instead of entering the user and password of a service account.
In the data source, you have not enabled pass-through credentials.
In this scenario, this is what happens the first time the data source opens a connection to this database:
The data source sends a request to the vault to obtain the username and password of the service account.
The vault returns the credentials and the data source uses them to open the connection to the database.
The data source keeps these credentials in memory, not on disk, so that it can open further connections to this database without asking the vault again.
The next time this data source opens a connection to this database, it will do this:
The data source will try to open the connection using the credentials stored in memory. That is, the credentials it previously obtained from the vault.
If the connection fails (for example, because the password was rotated after it was cached), the data source requests the credentials from the vault again and retries the connection once.
If the connection fails again, the data source will return an error to the user.
The first two steps happen automatically, without intervention from the user.
This process is the same regardless of the credentials vault your organization uses. The only difference is how Virtual DataPort requests the credentials from each vault.
Additional Considerations
By default, the JDBC and MongoDB data sources create a pool of connections to the database. When you configure a data source to request its credentials from a vault, the process of opening a new connection is the same regardless of whether the pool is enabled or disabled.
If you enabled the option pass-through credentials in the data source, the data source uses the credentials of the user that connected to Virtual DataPort to execute queries, and uses the credentials obtained from the vault only to introspect the database, that is, to list its tables and views when you click Create base view.
If you restart Virtual DataPort or the data source is recreated (e.g., you change its configuration and click Save), the credentials held in memory for this data source are discarded and will be requested from the vault again on the next connection.
You can also combine the vault with the authentication option Use Kerberos. In this case, the data source retrieves the credentials from the vault and uses them to obtain a Kerberos ticket.
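The retry behavior described above (cached credentials first, one refresh from the vault on failure, then an error) is easy to get wrong when a vault-backed connector is written from scratch, so here it is as an added, self-contained Python example. This is not Denodo's code: the vault, the database and the data source are constructed stand-ins (FakeVault, FakeDatabase, VaultBackedDataSource) that exist only to show the sequence of vault requests across a password rotation and a restart.

```python
from typing import Dict, Optional, Tuple


class AuthenticationError(Exception):
    """Raised by the stand-in database when the user/password pair is rejected."""


class FakeVault:
    """Constructed stand-in for a credentials vault: secret name -> (user, password)."""

    def __init__(self) -> None:
        self._secrets: Dict[str, Tuple[str, str]] = {}
        self.requests = 0  # how often the data source asked the vault

    def put(self, secret_name: str, user: str, password: str) -> None:
        self._secrets[secret_name] = (user, password)

    def get(self, secret_name: str) -> Tuple[str, str]:
        self.requests += 1
        return self._secrets[secret_name]


class FakeDatabase:
    """Constructed stand-in for the database; it accepts only the current password."""

    def __init__(self, user: str, password: str) -> None:
        self.user, self.password = user, password

    def rotate(self, new_password: str) -> None:
        self.password = new_password

    def connect(self, user: str, password: str) -> str:
        if (user, password) != (self.user, self.password):
            raise AuthenticationError("invalid user/password")
        return f"connection as {user}"


class VaultBackedDataSource:
    """Opens connections with vault credentials that are cached in memory only."""

    def __init__(self, vault: FakeVault, database: FakeDatabase, secret_name: str) -> None:
        self.vault, self.database, self.secret_name = vault, database, secret_name
        self._cached: Optional[Tuple[str, str]] = None  # never written to disk

    def restart(self) -> None:
        """A server restart or a recreated data source drops the cached credentials."""
        self._cached = None

    def open_connection(self) -> str:
        # 1. Use the credentials held in memory; ask the vault only on first use.
        if self._cached is None:
            self._cached = self.vault.get(self.secret_name)
        try:
            return self.database.connect(*self._cached)
        except AuthenticationError:
            pass  # e.g. the password was rotated after the credentials were cached
        # 2. Refresh the credentials from the vault and retry exactly once.
        self._cached = self.vault.get(self.secret_name)
        try:
            return self.database.connect(*self._cached)
        except AuthenticationError as exc:
            # 3. Second failure: surface the error to the user.
            raise RuntimeError(f"cannot connect with secret {self.secret_name!r}") from exc


def demo() -> Tuple[int, int, int, int, bool]:
    """Vault request count after each phase, and whether the final attempt failed."""
    secret = "secret/data/denodo/postgres"  # constructed secret name
    vault, db = FakeVault(), FakeDatabase("svc_denodo", "pw-v1")
    vault.put(secret, "svc_denodo", "pw-v1")
    ds = VaultBackedDataSource(vault, db, secret)

    ds.open_connection()
    after_first = vault.requests      # 1: fetched from the vault
    ds.open_connection()
    after_second = vault.requests     # still 1: served from memory

    # The security team rotates the password in the database and in the vault.
    db.rotate("pw-v2")
    vault.put(secret, "svc_denodo", "pw-v2")
    ds.open_connection()
    after_rotation = vault.requests   # 2: cached password rejected, refreshed once, connected

    # Vault and database out of sync: the refresh fails too and the user gets an error.
    db.rotate("pw-v3")
    try:
        ds.open_connection()
        failed = False
    except RuntimeError:
        failed = True
    after_failure = vault.requests    # 3: one more vault request before the error
    return after_first, after_second, after_rotation, after_failure, failed


if __name__ == "__main__":
    print(demo())
```

The point worth checking in a real deployment is the third phase: after a rotation, the first query pays one extra round trip to the vault and then succeeds, so rotation does not need a coordinated change on the Virtual DataPort side. The fourth phase shows the failure mode when the vault and the database disagree: the data source asks the vault exactly once more and then returns an error rather than retrying indefinitely.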
Specify a Pattern as Secret Name, Parameterized by the Login
When you configure a data source to obtain its credentials from a vault, you can add the variable @{USER_NAME} to the field Account name of the data source configuration. The data source then retrieves a secret selected by the user that executes the query, instead of always reading the same secret.
To use this feature, follow these steps:
Open the data source that requires credentials from the vault.
In Account Name, enter the secret name with the variable @{USER_NAME}. For example, secret/data/@{USER_NAME}/denodo-user.
At runtime, when the data source establishes a connection, it replaces @{USER_NAME} with the username of the user that is executing the query. For example, if the user michael runs a query that involves this data source, the data source obtains the secret from the account secret/data/michael/denodo-user.
With this feature, each user connects to the database with credentials tied to their own login name, which lets the database apply its own access control per user rather than per shared service account.
Note
Consider this when using this feature:
Ensure that, for every user that will query the data source, a secret exists in the vault whose name matches the interpolated pattern; otherwise the connection fails for that user.
The process of obtaining the secrets from the vault and establishing the connection with the source remains the same.
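The interpolation and the check from the note above, as an added Python example that is not part of Denodo's documentation or code. The vault contents (VAULT), the pattern (PATTERN) and the helper names are constructed for the example. It also adds one check the page does not mention and that is an assumption of this example: the login is restricted to a conservative character set before it is substituted into the secret name, so that a login cannot introduce path separators and change which secret is read.

```python
import re
from typing import Dict, Iterable, List, Tuple

USER_NAME_VARIABLE = "@{USER_NAME}"

# Assumption of this example (not stated on the page): a login may only contain
# these characters, so it cannot alter the shape of the secret name it is
# interpolated into (e.g. "../shared" is rejected).
_SAFE_LOGIN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# Constructed vault contents: secret name -> (database user, password).
VAULT: Dict[str, Tuple[str, str]] = {
    "secret/data/michael/denodo-user": ("michael_db", "pw-michael"),
    "secret/data/alice/denodo-user": ("alice_db", "pw-alice"),
    "secret/data/shared/denodo-user": ("svc_denodo", "pw-shared"),
}
PATTERN = "secret/data/@{USER_NAME}/denodo-user"


class SecretNotFound(LookupError):
    """No secret in the vault for the name derived from the login."""


def is_valid_login(login: str) -> bool:
    return _SAFE_LOGIN.fullmatch(login) is not None


def resolve_secret_name(pattern: str, login: str) -> str:
    """Replace @{USER_NAME} in the Account name pattern with the login running the query."""
    if USER_NAME_VARIABLE not in pattern:
        return pattern  # fixed secret name: every user shares one service account
    if not is_valid_login(login):
        raise ValueError(f"login {login!r} is not allowed inside a secret name")
    return pattern.replace(USER_NAME_VARIABLE, login)


def credentials_for(vault: Dict[str, Tuple[str, str]], pattern: str, login: str) -> Tuple[str, str]:
    """Credentials the data source would use for a query run by `login`."""
    name = resolve_secret_name(pattern, login)
    try:
        return vault[name]
    except KeyError:
        raise SecretNotFound(f"vault has no secret {name!r} for login {login!r}") from None


def missing_secrets(vault: Dict[str, Tuple[str, str]], pattern: str,
                    logins: Iterable[str]) -> List[str]:
    """Logins whose interpolated secret is absent from the vault (the check from the note)."""
    return [login for login in logins if resolve_secret_name(pattern, login) not in vault]


if __name__ == "__main__":
    print(credentials_for(VAULT, PATTERN, "michael"))
    print(missing_secrets(VAULT, PATTERN, ["michael", "alice", "bob"]))
```

Running missing_secrets against the list of users who will query the data source, before enabling the pattern, is the practical form of the first item in the note: here it reports bob, who has no secret under secret/data/bob/denodo-user and would otherwise see a connection error at query time.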