How can I connect to my db2 database with sqlalchemy when the authentication is using kerberos?
When using pyodbc the connection string contains AuthenticationMethod=4, which lets kerberos handle the authentication and I don't need to provide username and password.
Is there a way to either pass a pyodbc.connect object directly into sqlalchemy or can I alternatively tell sqlalchemy to use kerberos?
My odbc connection string looks like this:
connstr = 'ApplicationUsingThreads=0;' \
...: 'FloatingPointParameters=0;' \
...: 'DoubleToStringPrecision=16;DB=NYRMPDI1;' \
...: 'AuthenticationMethod=4;' \
...: f'IpAddress={ip_address};' \
...: f'TcpPort={port};' \
...: f'DRIVER={driver_location}'
I can't find any way to pass this into sqlalchemy create_engine.
ibm_db_sa
with an IBM Db2 driver supports kerberos connections with pyodbc, both DSN-LESS and DSN connection-strings, and it works with all three types of IBM Db2-driver (fat client, run-time-client, and ODBC and CLI driver). Different configurations are necessary for the fat-client+runtime-client, versus the ODBC and CLI client.
By default, unless you tell it otherwise, the installation of ibm_db_sa
or ibm_db
modules will install the IBM 'ODBC and CLI client'.
Your odbcinst.ini
needs to define a driver-name (in my example I call it DB2CLI but you give it any name you prefer), and specify the library to load (example libdb2.so) from the correct path.
Here is an example of a DSN-LESS connection string, which you must urlencode before passing to create_engine()
:
CONNECTION_STRING=("DRIVER={DB2CLI};HOSTNAME=192.168.1.178;PORT=60000;KRBPLUGIN=IBMkrb5;AUTHENTICATION=KERBEROS;DATABASE=SAMPLE;")
quoted_connection_string=urllib.parse.quote_plus(CONNECTION_STRING)
engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(quoted_connection_string))
If you prefer a DSN connection, you must define all the details in the db2dsdriver.cfg
and have a stanza for the dsn in the active odbc.ini
that references the driver you configured in your odbcinst.ini
, and you must specify only the DSN in the connection-string like this:
CONNECTION_STRING=("DSN=SAMPLE;")
engine = create_engine('ibm_db_sa+pyodbc:///?odbc_connect={}'.format(CONNECTION_STRING))
For DSN connections, it helps if you first get the kerberos connection working with isql
defore you get it working with sqlalchemy because the troubleshooting seems easier.
I tested with these component versions:
Steps to try:
db2dsdriver.cfg
with dsn and database with parameter Authentication, parameter value Kerberos.CLNT_KRB_PLUGIN
parameter to IBMkrb5 via db2 update dbm cfg using CLNT_KRB_PLUGIN IBMkrb5
. (You don't need this step when using the ODBC and CLI driver). odbcinst.ini
for Db2 to use the correct libdb2.so
library as supplied by your Db2 client, and reference this driver-name either in your DSN-LESS python code, or in your odbc.ini
for DSN-connections. odbc.ini
to use the Db2 driver specified in odbcinst.ini
and mention Authentication = kerberos
in your DSN stanza in odbc.ini
.odbc.ini
file. For DSN-LESS connectiond you don't need any reference to the database in the odbc.ini
or db2dsdriver.cfg
. For DSN connections only, Verify db2cli validate -dsn $YOURDSN -connect
for a remote database completes successfully without a userid or password. This proves that the CLI layer is using kerberos.
(Optional) For Db2 fat client, or runtime client, verify you can connect to a catalogued remote database at the shell command line db2 connect to $YOUR_REMOTE_DATABASE
(without needing to enter a userid/password). This proves that regular shell scripts can connect to the database with kerberos authentication.
isql
or your python script.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.