I've developed an ODBC Driver to Connect PowerBi to Trino/presto, based on a ODBC-JDBC bridge idea. The resulitng odbc driver is working really well, except on power BI Service + Gateway scenario, because it needs impersonationm and I would like some advice.
This is the scenario:
- user A developes a Dashboard using power BI Desktop, getting data from custom connector based on the ODBC mentioned. Working Good
- User A publishes the DashBoard to powerbi service
- DataSource is published through PowerBI Gateway
- DataSource is configured to use basic authentication as user B
- User C logs into power bi service using Organizational login.
- When dashboard is refreshed, user C should see only the data addinged to him, according to Ranger RLS policy
Well this is the scenario, According to MS, it should be achievable through Kerberos SSO with Delegation. I think would be easier to get User C principal name from powerbi service and to pass it as sessionUser, but there is no single way to achieve it that i'm awere from powr BI side. So seems that e are stick with Kerberos Delegation.The issue is: Is this possible using the JDBC KerberosDelegation in the current Trino implementation? How to use correctly the KerberosDelection Parameter of the JDBC? How to pass to the the driver the right KDC?
Would be easier just to get in M Custom connector (need to enable Direct Query) to get the userprincipalname from user logged into PowerBi.com? I know that the DAX function USERPRINCIPAL name returns this data, but would that be available in anyway to M running on Gateway?
If not, then does anybody have experience exposing Trino/presto data to powerBi.com th
Tnx in advance?
on:
Deployment pipelines don't support M365 groups
Hi @shsmonteiro,
Sorry, but I’m not clear about your issue. If you are using custom connector to get data from your data source that couldn’t be directly accessed by Power BI service, then you need use personal mode on-premises data gateway but not standard mode gateway for only personal mode gateway supports custom connector. But in your statement, you said you are connecting with Direct Query mode, right? With this connection mode, you could only use standard mode gateway. As you can see, it’s inconsistent.
If you would like to make your reports viewers only see specific data, then RLS would help as you mentioned. Using RLS, you could make users only see data that they have permissions to no matter the connection mode is Import or Direct Query. It is decided by the roles you created and whether you add these users to these roles. But if you would like Power BI fetches data from your Direct Query data source with their own credential, AFAIK, SSO is needed. As how to configure SSO and whether there is any limitation and whether it is applicable to your data source, please find some official documents about it.
Therefore, if you just want you reports users see specific data, RLS is adequate.
Best Regards,
Community Support Team _ Caiyun