
sqlalchemy with db2 and kerberos

How can I connect to my db2 database with sqlalchemy when the authentication is using kerberos?

When using pyodbc the connection string contains AuthenticationMethod=4, which lets kerberos handle the authentication and I don't need to provide username and password.

Is there a way to either pass a pyodbc.connect object directly into sqlalchemy or can I alternatively tell sqlalchemy to use kerberos?

My odbc connection string looks like this:

connstr = 'ApplicationUsingThreads=0;' \
          'FloatingPointParameters=0;' \
          'DoubleToStringPrecision=16;DB=NYRMPDI1;' \
          'AuthenticationMethod=4;' \
          f'IpAddress={ip_address};' \
          f'TcpPort={port};' \
          f'DRIVER={driver_location}'

I can't find any way to pass this into sqlalchemy create_engine.

ibm_db_sa with an IBM Db2 driver supports kerberos connections with pyodbc, both DSN-LESS and DSN connection-strings, and it works with all three types of IBM Db2-driver (fat client, run-time-client, and ODBC and CLI driver). Different configurations are necessary for the fat-client+runtime-client, versus the ODBC and CLI client.

By default, unless you tell it otherwise, the installation of ibm_db_sa or ibm_db modules will install the IBM 'ODBC and CLI client'.

Your odbcinst.ini needs to define a driver-name (in my example I call it DB2CLI but you can give it any name you prefer), and specify the library to load (example libdb2.so) from the correct path.

Here is an example of a DSN-LESS connection string, which you must urlencode before passing to create_engine() :

import urllib.parse

from sqlalchemy import create_engine

CONNECTION_STRING=("DRIVER={DB2CLI};HOSTNAME=192.168.1.178;PORT=60000;KRBPLUGIN=IBMkrb5;AUTHENTICATION=KERBEROS;DATABASE=SAMPLE;")

# URL-encode the whole ODBC string so it survives as a single query parameter
quoted_connection_string=urllib.parse.quote_plus(CONNECTION_STRING)

engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(quoted_connection_string))

If you prefer a DSN connection, you must define all the details in the db2dsdriver.cfg and have a stanza for the dsn in the active odbc.ini that references the driver you configured in your odbcinst.ini , and you must specify only the DSN in the connection-string like this:

CONNECTION_STRING=("DSN=SAMPLE;")

engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(CONNECTION_STRING))

For DSN connections, it helps if you first get the kerberos connection working with isql before you get it working with sqlalchemy because the troubleshooting seems easier.

I tested with these component versions:

  • ubuntu 16.04 LTS x64
  • python 3.6.8 in a virtualenv
  • ibm_db 3.0.1
  • ibm_db_sa 0.3.5
  • unixODBC 2.3.4
  • pyodbc 4.0.30
  • IBM Db2 data server driver 11.1.4.4a ( optional )
  • IBM Db2 ODBC and CLI driver ( default )
  • local and remote Db2-LUW servers whose Db2-instances are kerberized already.

Steps to try:

  • For DSN connections, configure your active db2dsdriver.cfg with dsn and database with parameter Authentication, parameter value Kerberos.
  • For the fat-client and runtime-client, configure your IBM Data Server Client CLNT_KRB_PLUGIN parameter to IBMkrb5 via db2 update dbm cfg using CLNT_KRB_PLUGIN IBMkrb5 . (You don't need this step when using the ODBC and CLI driver).
  • Configure your active odbcinst.ini for Db2 to use the correct libdb2.so library as supplied by your Db2 client, and reference this driver-name either in your DSN-LESS python code, or in your odbc.ini for DSN-connections.
  • For DSN connections only, configure your active odbc.ini to use the Db2 driver specified in odbcinst.ini and mention Authentication = kerberos in your DSN stanza in odbc.ini .
  • For DSN connections, omit any userid/password from the active odbc.ini file. For DSN-LESS connections you don't need any reference to the database in the odbc.ini or db2dsdriver.cfg .
  • For DSN connections only, verify db2cli validate -dsn $YOURDSN -connect for a remote database completes successfully without a userid or password. This proves that the CLI layer is using kerberos.

  • (Optional) For Db2 fat client, or runtime client, verify you can connect to a catalogued remote database at the shell command line db2 connect to $YOUR_REMOTE_DATABASE (without needing to enter a userid/password). This proves that regular shell scripts can connect to the database with kerberos authentication.

  • If you are using either the Db2 fat client, or the Db2 runtime client then you need to dot in / source the correct db2profile before running either isql or your python script.
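Added example, not part of the original answer: a pre-flight check for the DSN-less string shown above that refuses embedded credentials, confirms AUTHENTICATION=KERBEROS, and returns the URL-encoded value for create_engine(). The function names, the credential keyword list and the simplified brace handling (no `}}` escapes) are assumptions made for this example.

```python
import urllib.parse

# Assumed deny list for this example: keywords that would put an identity
# or a secret into a string that is supposed to rely on the Kerberos ticket.
CREDENTIAL_KEYS = {"UID", "PWD", "USER", "USERNAME", "PASSWORD"}
# The DSN-less connection string from the answer above.
SAMPLE = ("DRIVER={DB2CLI};HOSTNAME=192.168.1.178;PORT=60000;"
          "KRBPLUGIN=IBMkrb5;AUTHENTICATION=KERBEROS;DATABASE=SAMPLE;")


def parse_odbc(conn_str):
    """Split 'KEY=value;KEY={va;lue};' into a dict with upper-cased keys."""
    pairs, i, n = {}, 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip().upper()
        if conn_str.startswith("{", eq + 1):   # braced value may contain ';'
            end = conn_str.find("}", eq + 1)
            if end == -1:
                raise ValueError(f"unterminated brace in value of {key}")
            value, i = conn_str[eq + 2:end], end + 1
        else:
            end = conn_str.find(";", eq + 1)
            end = n if end == -1 else end
            value, i = conn_str[eq + 1:end].strip(), end
        pairs[key] = value
        while i < n and conn_str[i] in "; ":   # skip separators
            i += 1
    return pairs


def kerberos_engine_url(conn_str):
    """Validate a DSN-less Db2 string and return the ibm_db_sa+pyodbc URL."""
    pairs = parse_odbc(conn_str)
    leaked = CREDENTIAL_KEYS & set(pairs)
    if leaked:
        raise ValueError(f"credentials in connection string: {sorted(leaked)}")
    if pairs.get("AUTHENTICATION", "").upper() != "KERBEROS":
        raise ValueError("AUTHENTICATION=KERBEROS is missing")
    missing = {"DRIVER", "HOSTNAME", "PORT", "DATABASE"} - set(pairs)
    if missing:
        raise ValueError(f"missing keywords: {sorted(missing)}")
    quoted = urllib.parse.quote_plus(conn_str)
    return f"ibm_db_sa+pyodbc:///?odbc_connect={quoted}"


if __name__ == "__main__":
    print(kerberos_engine_url(SAMPLE))
```

The returned string is what gets passed to create_engine(); a ValueError here means the string would either carry a password or fall back to a non-Kerberos login.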
