A credential is an authentication object for a resource or repository that is
external to the database. It consists of the credentials used to authenticate to
that external system, with the goal of providing an authentication token to any
database object that may need to connect to that system.
A credential name must adhere to the standard
naming criteria . Each credential
exists within a schema and follows the standard
name resolution rules for tables .
The following can make use of credentials :
Any user can create a credential for their own use.
The following services are supported:
Amazon S3
Azure
Docker Repository
HDFS
Kafka Cluster
Managing Credentials
A credential can be managed using the following API endpoint calls. For
managing credentials in SQL, see CREATE CREDENTIAL .
Creating a Credential
To create a credential , auser_azure_active_dir_creds , that connects to
Azure Active Directory , in Python :
Create Credential (Azure AD) Example
1
2
3
4
5
6
h_db . create_credential (
credential_name = 'auser_azure_active_dir_creds' ,
type = 'azure_ad' ,
identity = uid ,
secret = pwd
)
To create a credential , kafka_cred , that connects to Kafka via SASL, in
Python :
Create Credential (Kafka SASL) Example
1
2
3
4
5
6
7
8
9
10
11
12
h_db . create_credential (
credential_name = 'kafka_sasl_cred' ,
type = 'kafka' ,
identity = '' ,
secret = '' ,
options = {
'security.protocol' : 'SASL_SSL' ,
'sasl.mechanism' : 'PLAIN' ,
'sasl.username' : uid ,
'sasl.password' : pwd
}
)
Provider-Specific Syntax
Several authentication schemes across multiple providers are supported.
Amazon S3
Access Key
1
2
3
4
5
6
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'aws_access_key' ,
identity = '<aws access key id>' ,
secret = '<aws secret access key>'
)
IAM Role
1
2
3
4
5
6
7
8
9
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'aws_iam_role' ,
identity = '<aws access key id>' ,
secret = '<aws secret access key>' ,
options = {
's3_aws_role_arn' : '<amazon resource name>'
}
)
Azure BLOB
Password
1
2
3
4
5
6
7
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'azure_storage_key' ,
identity = '<azure storage account name>' ,
secret = '<azure storage account key>' ,
options = {}
)
SAS Token
1
2
3
4
5
6
7
8
9
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'azure_sas' ,
identity = '<azure storage account name>' ,
secret = '' ,
options = {
'azure_sas_token' : '<azure sas token>'
}
)
OAuth Token
1
2
3
4
5
6
7
8
9
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'azure_oauth' ,
identity = '<azure storage account name>' ,
secret = '' ,
options = {
'azure_oauth_token' : '<azure oauth token>'
}
)
Active Directory
1
2
3
4
5
6
7
8
9
10
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'azure_ad' ,
identity = '<ad client id>' ,
secret = '<ad client secret key>' ,
options = {
'azure_storage_account_name' : '<azure storage account name>' ,
'azure_tenant_id' : '<azure tenant id>'
}
)
HDFS
Password
1
2
3
4
5
6
7
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'hdfs' ,
identity = '<hdfs username>' ,
secret = '<hdfs password>' ,
options = {}
)
Kerberos Token
1
2
3
4
5
6
7
8
9
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'hdfs' ,
identity = '<hdfs username>' ,
secret = '' ,
options = {
'hdfs_use_kerberos' : 'true'
}
)
Kafka
Password
1
2
3
4
5
6
h_db . create_credential (
credential_name = '<credential name>' ,
type = 'kafka' ,
identity = '<username>' ,
secret = '<password>'
)
SASL
1
2
3
4
5
6
7
8
9
10
11
12
credential_name = '<credential name>' ,
type = 'kafka' ,
identity = '' ,
secret = '' ,
options = {
'security.protocol' : 'SASL_SSL' ,
'sasl.mechanism' : 'PLAIN' ,
'sasl.username' : '<sasl username>' ,
'sasl.password' : '<sasl password>'
}
)
Altering a Credential
To alter an existing credential , auser_azure_active_dir_creds , for a
new secret , in Python :
1
2
3
4
5
6
7
h_db . alter_credential (
credential_name = 'auser_azure_active_dir_creds' ,
credential_updates_map = {
'secret' : new_pwd
},
options = {}
)
Removing a Credential
To remove an existing credential , auser_azure_active_dir_creds , in
Python :
1
h_db . drop_credential ( 'auser_azure_active_dir_creds' )
Showing a Credential
To show the configuration for an existing credential ,
auser_azure_active_dir_creds , while masking the secret , in Python :
1
2
3
h_db_read = gpudb . GPUdb ( host = [ args . url ], username = 'auser' , password = 'password' )
response = h_db_read . show_credential ( 'auser_azure_active_dir_creds' )
The output for the above:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
{
"info": {},
"credential_names": [
"ki_home.auser_azure_active_dir_creds"
],
"credential_types": [
"azure_ad"
],
"credentials": [
"{\"credential_name\":\"ki_home.auser_azure_active_dir_creds\",\"type\":\"azure_ad\",\"identity\":\"\",\"secret\":\"[redacted]\",\"options\":{}}"
],
"credential_identities": [
""
],
"status_info": {
"status": "OK",
"data_type": "show_credential_response",
"message": "",
"response_time": 0.00011
},
"additional_info": [
{}
]
}
Updating Credential Permissions
To grant credential_read permission to a user, auser , in Python :
1
2
3
4
5
h_db . grant_permission_credential (
name = 'auser' ,
permission = 'credential_read' ,
credential_name = 'auser_azure_active_dir_creds'
)
To revoke credential_read permission from a user, auser , in Python :
1
2
3
4
5
h_db . revoke_permission_credential (
name = 'auser' ,
permission = 'credential_read' ,
credential_name = 'auser_azure_active_dir_creds'
)