Databricks

kaustubhgupta · ‎09-05-2023

We extensively use Databricks (DBX) for creating Tableau visuals. Whenever DBX data sources are published on our self hosted Tableau Server, we have to add the connection creds for the data source. These creds can be both personal email id-password or personal access (PA) token based password. On the other hand, a source like Google Sheets only requires one time user addition to the server settings.

Ask:

Do we have a way to add o-auth for DBX based connections?
If not o-auth, then can we somehow store the PA token in Tableau Server and use that for every new data source that gets added?

Use-case:

NLE employees can be safely offboarded without the fear of breaking any workflow
The PA can be refreshed periodically to maintain infosec

Kaniz · ‎09-05-2023

Hi @kaustubhgupta, Based on the provided information, here are the answers to your questions.

1. Do we have a way to add o-auth for DBX-based connections?
- For AWS, Databricks does support OAuth for DBX-based connections. However, it's noted that only users enrolled in Tableau's internal identity provider (IdP) can authenticate using OAuth. For Azure, the Azure Active Directory is used for authentication, but it's not explicitly mentioned if it's OAuth [source](https://docs.databricks.com/partners/bi/tableau.html).

2. If not o-auth, can we somehow store the PA token in the Tableau Server and use that for every new data source added?
- The provided information does not explicitly state that you can store a PA token in Tableau Server for use with every new data source.

However, it does mention that you can use a Databricks personal access token for authentication when connecting to Tableau.

[source](https://docs.databricks.com/partners/bi/tableau.html).

It's recommended to use personal access tokens belonging to service principals instead of workspace users for security purposes.

[source](https://docs.databricks.com/shared/service-principal-pat.html).

kaustubhgupta · ‎09-11-2023

Thanks for your response. While I understood most of it, I still have some doubts to clear. Therefore explaining it again.

Problem:

We want users to create data sources using Databricks via their personal credentials in the local env (tableau desktop) and as soon as the user publishes the data source on the server, the personal credentials should not be present. Instead, the credentials stored in Tableau server should be used automatically (we are preferring personal access token of the service account). This should make sure that the workflows do not break and the data source (if created in extract mode) are refreshing at the schedule set) even if a user access is removed from databricks

My Understanding:

As mentioned in the resolution, we need to use a service account. Does this service account ensure our concerns? How do we set up this account in such a manner that it does not prompt authentication for every new data source.

Any other possible solutions?

Do we have any other solution to the concerns raised?