[英]sqlalchemy with db2 and kerberos
How can I connect to my db2 database with sqlalchemy when the authentication is using kerberos?当身份验证使用 kerberos 时,如何使用 sqlalchemy 连接到我的 db2 数据库?
When using pyodbc the connection string contains AuthenticationMethod=4, which lets kerberos handle the authentication and I don't need to provide username and password.使用 pyodbc 时,连接字符串包含 AuthenticationMethod=4,它让 kerberos 处理身份验证,我不需要提供用户名和密码。
Is there a way to either pass a pyodbc.connect object directly into sqlalchemy or can I alternatively tell sqlalchemy to use kerberos?有没有办法将 pyodbc.connect object 直接传递到 sqlalchemy 或者我可以告诉 sqlalchemy 使用 kerberos?
My odbc connection string looks like this:我的 odbc 连接字符串如下所示:
connstr = 'ApplicationUsingThreads=0;' \
...: 'FloatingPointParameters=0;' \
...: 'DoubleToStringPrecision=16;DB=NYRMPDI1;' \
...: 'AuthenticationMethod=4;' \
...: f'IpAddress={ip_address};' \
...: f'TcpPort={port};' \
...: f'DRIVER={driver_location}'
I can't find any way to pass this into sqlalchemy create_engine.我找不到任何方法将其传递给 sqlalchemy create_engine。
ibm_db_sa
with an IBM Db2 driver supports kerberos connections with pyodbc, both DSN-LESS and DSN connection-strings, and it works with all three types of IBM Db2-driver (fat client, run-time-client, and ODBC and CLI driver).带有 IBM
ibm_db_sa
驱动程序的 ibm_db_sa 支持与 pyodbc 的 kerberos 连接,DSN-LESS 和 DSN 连接字符串,它适用于所有三种类型的 IBM Db2 驱动程序(胖客户端、运行时客户端和 ODBC 和 CLI 驱动程序) . Different configurations are necessary for the fat-client+runtime-client, versus the ODBC and CLI client.胖客户端+运行时客户端与 ODBC 和 CLI 客户端需要不同的配置。
By default, unless you tell it otherwise, the installation of ibm_db_sa
or ibm_db
modules will install the IBM 'ODBC and CLI client'.默认情况下,除非您另有说明,否则安装
ibm_db_sa
或ibm_db
模块将安装 IBM 的“ODBC 和 CLI 客户端”。
Your odbcinst.ini
needs to define a driver-name (in my example I call it DB2CLI but you give it any name you prefer), and specify the library to load (example libdb2.so) from the correct path.您的
odbcinst.ini
需要定义一个驱动程序名称(在我的示例中,我将其称为 DB2CLI,但您可以给它任何您喜欢的名称),并指定要从正确路径加载的库(例如 libdb2.so)。
Here is an example of a DSN-LESS connection string, which you must urlencode before passing to create_engine()
:这是一个 DSN-LESS 连接字符串的示例,您必须在传递给
create_engine()
之前对其进行 urlencode:
CONNECTION_STRING=("DRIVER={DB2CLI};HOSTNAME=192.168.1.178;PORT=60000;KRBPLUGIN=IBMkrb5;AUTHENTICATION=KERBEROS;DATABASE=SAMPLE;")
quoted_connection_string=urllib.parse.quote_plus(CONNECTION_STRING)
engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(quoted_connection_string))
If you prefer a DSN connection, you must define all the details in the db2dsdriver.cfg
and have a stanza for the dsn in the active odbc.ini
that references the driver you configured in your odbcinst.ini
, and you must specify only the DSN in the connection-string like this:如果您更喜欢 DSN 连接,则必须在 db2dsdriver.cfg 中定义所有详细信息,并在活动
db2dsdriver.cfg
中有一个 dsn 节,该odbc.ini
引用您在odbcinst.ini
中配置的驱动程序,并且您必须仅指定 DSN在这样的连接字符串中:
CONNECTION_STRING=("DSN=SAMPLE;")
engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(CONNECTION_STRING))
For DSN connections, it helps if you first get the kerberos connection working with isql
defore you get it working with sqlalchemy because the troubleshooting seems easier.对于 DSN 连接,如果您首先让 kerberos 连接与
isql
一起工作,然后再与 sqlalchemy 一起工作,这会有所帮助,因为故障排除似乎更容易。
I tested with these component versions:我使用这些组件版本进行了测试:
Steps to try:尝试步骤:
db2dsdriver.cfg
with dsn and database with parameter Authentication, parameter value Kerberos.db2dsdriver.cfg
,使用参数 Authentication 和参数值 Kerberos 配置数据库。CLNT_KRB_PLUGIN
parameter to IBMkrb5 via db2 update dbm cfg using CLNT_KRB_PLUGIN IBMkrb5
.db2 update dbm cfg using CLNT_KRB_PLUGIN IBMkrb5
将 IBM 数据服务器客户端CLNT_KRB_PLUGIN
参数配置为IBMkrb5 。 (You don't need this step when using the ODBC and CLI driver). odbcinst.ini
for Db2 to use the correct libdb2.so
library as supplied by your Db2 client, and reference this driver-name either in your DSN-LESS python code, or in your odbc.ini
for DSN-connections. odbcinst.ini
for Db2 to use the correct libdb2.so
library as supplied by your Db2 client, and reference this driver-name either in your DSN-LESS python code, or in your odbc.ini
for DSN-connections.odbc.ini
to use the Db2 driver specified in odbcinst.ini
and mention Authentication = kerberos
in your DSN stanza in odbc.ini
.odbc.ini
配置为使用odbcinst.ini
中指定的 Db2 驱动程序,并在odbc.ini
中的 DSN 节中提及Authentication = kerberos
。odbc.ini
file.odbc.ini
文件中的任何用户 ID/密码。 For DSN-LESS connectiond you don't need any reference to the database in the odbc.ini
or db2dsdriver.cfg
.odbc.ini
或db2dsdriver.cfg
中的数据库进行任何引用。 For DSN connections only, Verify db2cli validate -dsn $YOURDSN -connect
for a remote database completes successfully without a userid or password.仅对于 DSN 连接,Verify
db2cli validate -dsn $YOURDSN -connect
for a remote database 在没有用户 ID 或密码的情况下成功完成。 This proves that the CLI layer is using kerberos.这证明 CLI 层正在使用 kerberos。
(Optional) For Db2 fat client, or runtime client, verify you can connect to a catalogued remote database at the shell command line db2 connect to $YOUR_REMOTE_DATABASE
(without needing to enter a userid/password). (可选)对于 Db2 胖客户端或运行时客户端,验证您可以通过 shell 命令行
db2 connect to $YOUR_REMOTE_DATABASE
用户 IDOTE_DATA_BASE。 This proves that regular shell scripts can connect to the database with kerberos authentication.这证明了常规的 shell 脚本可以通过 kerberos 认证连接到数据库。
isql
or your python script.isql
或 python 脚本之前点入/获取正确的 db2profile。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.