sqlalchemy 与 db2 和 kerberos

Question

How can I connect to my db2 database with sqlalchemy when the authentication is using kerberos?

When using pyodbc the connection string contains AuthenticationMethod=4, which lets kerberos handle the authentication and I don't need to provide username and password.

Is there a way to either pass a pyodbc.connect object directly into sqlalchemy or can I alternatively tell sqlalchemy to use kerberos?

My odbc connection string looks like this:

connstr = 'ApplicationUsingThreads=0;' \
  ...:               'FloatingPointParameters=0;' \
  ...:               'DoubleToStringPrecision=16;DB=NYRMPDI1;' \
  ...:               'AuthenticationMethod=4;' \
  ...:               f'IpAddress={ip_address};' \
  ...:               f'TcpPort={port};' \
  ...:               f'DRIVER={driver_location}'

I can't find any way to pass this into sqlalchemy create_engine.

Answer 1

ibm_db_sa with an IBM Db2 driver supports kerberos connections with pyodbc, both DSN-LESS and DSN connection-strings, and it works with all three types of IBM Db2-driver (fat client, run-time-client, and ODBC and CLI driver). Different configurations are necessary for the fat-client+runtime-client, versus the ODBC and CLI client.

By default, unless you tell it otherwise, the installation of ibm_db_sa or ibm_db modules will install the IBM 'ODBC and CLI client'.

Your odbcinst.ini needs to define a driver-name (in my example I call it DB2CLI but you give it any name you prefer), and specify the library to load (example libdb2.so) from the correct path.

Here is an example of a DSN-LESS connection string, which you must urlencode before passing to create_engine() :

CONNECTION_STRING=("DRIVER={DB2CLI};HOSTNAME=192.168.1.178;PORT=60000;KRBPLUGIN=IBMkrb5;AUTHENTICATION=KERBEROS;DATABASE=SAMPLE;")

quoted_connection_string=urllib.parse.quote_plus(CONNECTION_STRING)

engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(quoted_connection_string))

If you prefer a DSN connection, you must define all the details in the db2dsdriver.cfg and have a stanza for the dsn in the active odbc.ini that references the driver you configured in your odbcinst.ini , and you must specify only the DSN in the connection-string like this:

CONNECTION_STRING=("DSN=SAMPLE;")

engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(CONNECTION_STRING))

For DSN connections, it helps if you first get the kerberos connection working with isql defore you get it working with sqlalchemy because the troubleshooting seems easier.

I tested with these component versions:

• ubuntu 16.04 LTS x64
• python 3.6.8 in a virtualenv
• ibm_db 3.0.1
• ibm_db_sa 0.3.5
• unixODBC 2.3.4
• pyodbc 4.0.30
• IBM Db2 data server driver 11.1.4.4a ( optional )
• IBM Db2 ODBC and CLI driver ( default )
• local and remote Db2-LUW servers whose Db2-instances are kerberized already.

Steps to try:

• For DSN connections, configure your active db2dsdriver.cfg with dsn and database with parameter Authentication, parameter value Kerberos.
• For the fat-client and runtime-client, configure your IBM Data Server Client CLNT_KRB_PLUGIN parameter to IBMkrb5 via db2 update dbm cfg using CLNT_KRB_PLUGIN IBMkrb5 . (You don't need this step when using the ODBC and CLI driver).
• Configure your active odbcinst.ini for Db2 to use the correct libdb2.so library as supplied by your Db2 client, and reference this driver-name either in your DSN-LESS python code, or in your odbc.ini for DSN-connections.
• For DSN connections only, configure your active odbc.ini to use the Db2 driver specified in odbcinst.ini and mention Authentication = kerberos in your DSN stanza in odbc.ini .
• For DSN connections, Omit any userid/password from the active odbc.ini file. For DSN-LESS connectiond you don't need any reference to the database in the odbc.ini or db2dsdriver.cfg .

• For DSN connections only, Verify db2cli validate -dsn $YOURDSN -connect for a remote database completes successfully without a userid or password. This proves that the CLI layer is using kerberos.

• (Optional) For Db2 fat client, or runtime client, verify you can connect to a catalogued remote database at the shell command line db2 connect to $YOUR_REMOTE_DATABASE (without needing to enter a userid/password). This proves that regular shell scripts can connect to the database with kerberos authentication.

• If you are using either the Db2 fat client, or the Db2 runtime client then you need to dot in / source the correct db2profile before running either isql or your python script.