Set Up OAuth for Dremio
This topic describes how to set up Dremio data sources for OAuth authentication. Complete these steps for each Tableau Server instance.
Setting up OAuth for Dremio consists of the following tasks:
- Register an OAuth client with Dremio.
- Use the information you obtained in Step 1 to configure Tableau Server for Dremio OAuth.
- (Optional) Configure site-specific OAuth.
Step 1: Register OAuth client in Dremio
Use the Identity Providers(Link opens in a new window) topic in the Dremio documentation to configure a Dremio-supported IdP to get the OAuth client ID and secret configuration parameters needed to configure Tableau Server for Dremio OAuth.
Step 2: Configure Tableau Server for Dremio OAuth
To configure Tableau Server for Dremio OAuth, you will use the parameters listed below in the tsm command that follows.
- Dremio client ID: The client ID is generated from the registration process in Step 1. Copy this value for
[your_client_id]
in the tsm command. - Dremio client secret: The client secret is generated from the procedure in Step 1. Copy this value for
[your_client_secret]
in the tsm command. - Tableau Server URL: This is your Tableau Server URL, such as
https://myco.com
. Copy this value for[your_server_url]
in the tsm command. - Configuration ID: This is the value for the
oauth.config.id
parameter you will use in the tsm command:dremio
Run the following tsm commands to configure OAuth for Dremio:
tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"dremio\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}]" --force-keys
tsm pending-changes apply
Setting multiple connectors
If you have multiple connectors to set, you must include all of them in a single command. For example:
tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"dremio\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"customer_360_audience\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"azure_sql_dw\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"azure_sqldb\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}]" --force-keys
tsm pending-changes apply
Configure custom OAuth for a site
You can configure custom Dremio OAuth for a site.
Consider configuring a custom OAuth client to 1) override an OAuth client if configured for the server or 2) enable support for securely connecting to data that requires unique OAuth clients.
When a custom OAuth client is configured, the site-level configuration takes precedence over any server-side configuration and all new OAuth credentials created use the site-level OAuth client by default. No Tableau Server restart is required for the configurations to take effect.
Important: Existing OAuth credentials established before the custom OAuth client is configured are temporarily usable but both server administrators and users must update their saved credentials to help ensure uninterrupted data access.
1: Prepare the OAuth client ID, client secret and redirect URL
Before you can configure the custom OAuth client, you need the information listed below. After you have this information prepared, you can register the custom OAuth client for the site. For more information, see the section Register OAuth Client With Snowflake above.
OAuth client ID and client secret: First register the OAuth client with the data provider (connector) to retrieve the client ID and secret generated for Tableau Server.
Redirect URL: Note the correct redirect URL. You will need this during the registration process in Step 2 below.
https://<your_server_name>.com/auth/add_oauth_token
For example, https://example.com/auth/add_oauth_token
2: Register the OAuth client ID and client secret
Follow the procedure described below to register the custom OAuth client to the site.
(Versions 2024.1 and earlier) On the Tableau Server computer, run the following command to enable the Snowflake OAuth service:
tsm configuration set -k native_api.enable_snowflake_privatelink_on_server -v true
Note: For versions 2024.2 and newer, skip step 1 regardless of whether a Snowflake private connection is being used or not.
Sign in to your Tableau Server site using your admin credentials and navigate to the Settings page.
Under OAuth Clients Registry, click the Add OAuth Client button.
Enter the required information, including the information from Step 1 above:
For Connection Type, select the connector whose custom OAuth client you want to configure.
For Client ID, Client Secret, and Redirect URL, enter the information you prepared in Step 1 above.
Click the Add OAuth Client button to complete the registration process.
(Optional) Repeat step 3 for all supported connectors.
- Click the Save button at the bottom or top of the Settings page to save changes.
3: Validate and update saved credentials
To help ensure uninterrupted data access, you (and your site users) must delete the previous saved credentials and add it again to use the custom OAuth client for the site.
Navigate to your My Account Settings page.
Under Saved Credentials for Data Sources, do the following:
Click Delete next to the existing saved credentials for the connector whose custom OAuth client you configured in Step 2 above.
Next to connector name, click Add and follow the prompts to 1) connect to the custom OAuth client configured in Step 2 above and 2) save the latest credentials.
4: Notify users to update their saved credentials
Make sure you notify your site users to update their saved credentials for the connector whose custom OAuth client you configured in Step 2 above. Site users can use the procedure described in Update saved credentials to update their saved credentials.