My company is implementing RStudio Server Open in order to centralize our data science.
We trying to create a centralized account that would be set up as an ODBC connection for various users to access as they develop. This would allow users to easily develop without worrying about what database permissions they would need.
We are able to successfully connect using this ODBC Data_Source_Name, but instead of using the UID and PWD supplied in the ODBC DSN, the user's local account is what ends up being used in the con object:
Why are the SELECT SYSTEM_USER and SELECT CURRENT_USER not returning DOMAIN\\Centralized_User_Name? We are using Kerberos authentication. Are there any extra driver arguments that need to be declared?
If this is not a best practice, I am also open to exploring other methodologies. If users could provide documentation and examples, that would be appreciated.
I think the issue may be Trusted_Connection=Yes. When this is enabled in the DSN, then kerberos or Windows Authentication is used to authenticate the user/connection and UID and PWD are ignored.
If the centralized user name and password are accounts on SQL Server, you can try disabling Trusted_Connection to use SQL Server's authentication, in which case the user/password from the DSN should be used for auth.
A trusted connection is the same thing as using Windows Authentication in SQL Server 2005. Authentication is done by the domain, and authorization is handled by SQL Server.
SQL Server can also use its own logins, such as the sa user. These are both authenticated and authorized by SQL Server. They are only viable if SQL Server is run in Mixed Authentication Mode.
I tried using dbConnect with the Microsoft ODBC Driver for SQL Server arguments (https://db.rstudio.com/databases/microsoft-sql-server/) for both the central account and the local account. Removing the Trusted_Connection argument results in the following errors:
Error: nanodbc/nanodbc.cpp:983: 00000: [unixODBC][Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'Centralized_User_Name'.
Error: nanodbc/nanodbc.cpp:983: 00000: [unixODBC][Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'Local_User'.
Oops, I see I missed the fact that you're using Kerberos auth for the centralized user. In that case, I don't think the problem is solvable by changing the DSN or the dbConnect() parameters. Instead, your users would either need to re-auth with Kerberos using kinit Centralized_User_Name or you'd need to work out a pooled connection. The latter option isn't something I've done before but it's hinted at here: https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/using-integrated-authentication?view=sql-server-ver15
We had kinit issued for both the Local_User and the Centralized_User_Name. I think what was happening was that while both users were valid, the Local_Userkinit ticket had priority when executing the query.
Once the kinit ticket was removed from Local_User, the Centralized_User_Name was returned when executing dbGetQuery(con, "SELECT SYSTEM_USER").
Below are the DSN settings we set up in our odbc.ini file: