Exasol offers connectors for many third-party systems. One of them is Tableau, a Business Intelligence analytics platform. Tableau allows you to connect to your data source and generate reports and visualizations from your data.
Tableau provides an open-source SDK for developing connectors. It contains a lot of documentation and an extensive test suite that verifies that the new connector works with Tableau.
We created a Tableau connector for Exasol as an open-source project that allows you to easily connect Tableau with your Exasol database. The connector already supported password-less single-sign-on authentication with Tableau Desktop, but we also wanted to support Kerberos delegation with Tableau Server.
Kerberos Delegation
Kerberos delegation (also called “Viewer Credentials”) allows Tableau Server users to access the database with their personal user account. This allows the Tableau Server to access data on the user’s behalf and with the user’s permissions. As an example of why this is useful, take Row Level Security which applies per-dataset access control on Exasol based on the user’s permissions.
The alternative (RunAs credentials) would use one service account for all Tableau users and thus does not allow enforcing Row Level Security.
Kerberos Test Environment
Setting up a Kerberos test environment with a Windows Domain Controller, Tableau Server, and service accounts is not trivial and requires some trial and error to get it right — especially when you haven’t done that before.
We asked the Tableau team for support via their GitHub project and user @devanshsoni9 gave us some helpful hints. He also pointed us to his open-source tool constrained-delegation-jdbc that allows testing Kerberos delegation and connecting to a database.
This tool helped us to quickly debug our Kerberos environment and fix some configuration problems. We also identified a bug in our database driver and could fix it in a short time.
Without the test tool, the debugging cycle — modify setup, try it out and check result — would have been much slower and it would have taken a lot longer to identify the issues.
Giving Back to the Open-Source Community
During the debugging process, we updated the @devanshsoni9’s test tool to our requirements, which was no problem because it’s open source. That’s why we decided to give something back to the open-source community and published our version of the test tool under the MIT License, of course after asking the original author for his approval and giving him attribution in the documentation.
With the new integration tests, Exasol users can now easily verify if Kerberos delegation with Exasol works in their environment. And thanks to open source it’s no problem to adapt the tests for other databases.