我一直在尝试通过来自工作台/J 的 IAM 对 redshift 进行身份验证,并遵循了各种链接: https ://medium.com/tensult/aws-redshift-authentication-with-adfs-4ba423e2dc96 https://docs.amazonaws。 cn/en_us/redshift/latest/mgmt/generating-user-credentials.html 我仍然无法连接。
我的工作台看起来像:
Driver : com.amazon.redshift.jdbc.Driver
url : jdbc:redshift:iam://<cluster-name>:<region>/<db>
username : org email id
password : org email id password
extended properties :
DbUser employeeid
idp_port 443
AutoCreate true
plugin_name com.amazon.redshift.plugin.AzureCredentialsProvider
idp_host domain-id
preferred_role arn-of-IAM-Role
IAM 角色已附加以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"iam:ListRoles"
],
"Resource": "*"
},
{
"Sid": "GetClusterCredsStatement",
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials"
],
"Resource": [
"arn:aws:redshift:*:*:dbname:<cluster>/<db>",
"arn:aws:redshift:*:*:dbuser:<cluster>/${Redshift:DbUser}",
"arn:aws:redshift:*:*:dbgroup:<cluster>/<dbgroup>"
]
},
{
"Sid": "CreateClusterUserStatement",
"Effect": "Allow",
"Action": [
"redshift:CreateClusterUser"
],
"Resource": [
"arn:aws:redshift:*:*:dbname:<cluster>/<db>",
"arn:aws:redshift:*:*:dbuser:<cluster>/${Redshift:DbUser}"
]
},
{
"Sid": "RedshiftJoinGroupStatement",
"Effect": "Allow",
"Action": [
"redshift:JoinGroup"
],
"Resource": [
"arn:aws:redshift:*:*:dbgroup:<cluster>/<dbgroup>"
]
}
]
}
已经添加了以下声明规则:
DbUser : user.employeeid
DbGroups : user.assignedroles
Role : the IAM role with policy attached above
RoleSessionName : user.userprincipalname
我可以提供更多详细信息,但我只是按照这些链接所说的内容进行操作,否则我与 redshift 集群有工作连接。
编辑:
我跟踪了 sqlworkbench 日志以找到:Caused by: java.lang.NoClassDefFoundError: com/amazonaws/auth/profile/ProfilesConfigFile
编辑2:
我启动了 sql 工作台:
java -Dworkbench.log.level=DEBUG -jar sqlworkbench.jar
并看着tail -f $Home/.sqlworkbench/workbench.log
发现我缺少一些罐子,比如 httpclient、httpcore、aws-sdk-java 等等。
现在卡在idp_tenant required parameter missing
编辑2:我现在已经进步到:
[JDBC Driver]SAML error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: 1c67cec4-bc2e-4140-bdc5-84e72ae50300 Correlation ID: 14be34b2-b9e2-49e5-8415-a388a8839c91 Timestamp: 2020-03-31 06:20:55Z
我什至可以反编译 Redshift Jar 来查看 AzureCredentialsProvider 插件的源代码——这在 Azure AD 端确实有问题。虽然我的用户名/密码凭据是正确的。