Summary
When Dremio's web console authentication is switched from traditional username/password to single sign-on (SSO), users can no longer access Dremio from Tableau Desktop using the "Username and Password" method.
Users must now use a Personal Access Token (PAT) as a password for their new external Dremio user or SSO to Dremio from Tableau can be enabled, prompting users for their SSO credentials via the authorization server.
Reported Issue
After changing the Dremio web console authentication from username and password to single-sign-on with an Open ID Connect (OIDC) identity provider, Tableau Desktop users can no longer login with the Dremio connector using the "Username and Password" authentication method. Upon entering their "old" credentials, they receive an error reading:
Failure in connecting to Dremio: com.dremio.jdbc.shaded.com.dremio.exec.rpc.RpcException: HANDSHAKE_VALIDATION : Status: AUTH_FAILED, Error Id: 823b3956-1dfd-47cf-a12b-bca0f41a1cc2, Error message: Authentication failed for user ben@dremio.com with type for resource USER_RPC. Reason: Login failed: Invalid username or password Invalid username or password. Connector Class: dremio, Version: 4.1.0
Relevant Versions
All documented Dremio software releases.
Tableau Desktop 2022.3 or later.
Troubleshooting Steps
Verify what username a user is trying (and failing) to login into to Dremio with from Tableau.
Check the Dremio users listing in "Settings" → "Users . Can you find the username?
If so, what is the "Source" for this user? They are either an internal user or an external.
Verify what identity provider you are using for the Dremio web console login and what username mappings are configured to users. The oauth.json holds most of this configuration, for example:
{
"oAuthConfig": {
"clientId": "<clientId>",
"clientSecret": "<clientSecret>",
"redirectUrl": "http://dremioHost:9047/sso",
"authorityUrl": "<authorityUrl>",
"scope": "openid profile email",
"jwtClaims": {
"userName": "email"
},
"parameters": [
{ "name": "access_type", "value": "offline" },
...
]
}
}Note that the userName here takes an "email" claim from the users ID token to form the identity in Dremio.
When users login to the Dremio web console, the identity provider (IdP) will prompt them for this email address and their password with that IdP.
Can you find this type username in the Dremio "Users" listing for a user having the problem? If so, their "Source" should be external.
Cause
In this scenario, user identities and authentication were previously managed by Dremio. In both the Dremio web console and the Dremio Software connector for Tableau, users would enter usernames and passwords that were passed to the Dremio server for authentication. The users were internal Dremio users.
Upon configuring SSO, the identity provider now manages information about the user and handles the authentication for Dremio. In this method of authentication, Dremio forms identity for a user based on the information from an identity token it receives from the identity provider after the user has successfully authenticated. The users are now from an external source.
Importantly, the passwords are different between these 2 authentication methods, and usually the usernames.
As an example, user Jane Doe with email jane.doe@acme.com may have had and internal user with username "janedoe". After SSO implementation and Jane's initial login to the identity provider Dremio is registered with, there will appear another user in Dremio for her with the username jane.doe@acme.com (NOTE: the user claim does not have to map to email, but it often does).
Steps to Resolve
The Dremio connector for Tableau gives you 2 options for authentication: "Username and Password" and "OAuth 2.0"
To resolve the problem with "Username and Password" authentication you will need to identify the new external user in Dremio. Then you can have that user create a personal access token (PAT), which will function as their password with Dremio.
For the "OAuth 2.0" authentication, you can configure SSO for the connection from Tableau to Dremio. See the "Additional Resources" link below. The user will be prompted for their credentials from the authorization server in this method.