Encrypting network traffic
Looker strongly recommends encrypting network traffic between the Looker application and your database. Consider one of the options described on the Enabling secure database access documentation page.
If you’re interested in using SSL encryption, see the Microsoft documentation.
Configuring server authentication
Looker requires “SQL Server Authentication” on your MSSQL server. If your MSSQL server is configured as “Windows Integrated Authentication” only, change the server configuration to “Windows Integrated Authentication and SQL Server Authentication.”
If this is not set properly Looker will be unable to connect. This will appear in your SQL Server log messages like: “An attempt to log in using SQL authentication failed. Server is configured for windows authentication only.”
If this change is required you can complete the following steps:
- In SQL Server Management Studio Object Explorer, right-click the server, and then click Properties.
- On the Security page, under Server authentication, select the new server authentication mode, and then click OK.
- In the SQL Server Management Studio dialog box, click OK to acknowledge the requirement to restart SQL Server.
- In Object Explorer, right-click your server, and then click Restart. If SQL Server Agent is running, it must also be restarted.
You can read about this more in Microsoft’s documentation.
Creating a Looker user
Looker authenticates to your database using SQL Server Authentication. Using a domain account is not supported.
To create an account, run the following commands. Change some_password_here
to a unique, secure password:
CREATE LOGIN looker
WITH PASSWORD = 'some_password_here';
USE MyDatabase;
CREATE USER looker FOR LOGIN looker;
GO
Granting the Looker user permission to SELECT from tables
Looker requires the SELECT
permission for each table or schema you will want to query. There are multiple ways to assign SELECT
permission:
To grant
SELECT
permission to individual schemas, run the following command for each schema:GRANT SELECT on SCHEMA :: 'schema_name' to looker;
To grant
SELECT
permission to individual tables, run the following command for each table:GRANT SELECT on OBJECT :: 'schema_name'.'table_name' to looker;
For MSSQL version 2012 or later, you can alternatively assign the Looker user the
db_datareader
role using these commands:USE MyDatabase; ALTER ROLE db_datareader ADD MEMBER looker; GO
Granting the Looker user permission to view and stop running queries
Looker must be authorized to detect and stop currently running queries, which requires the following permissions:
ALTER ANY CONNECTION
VIEW SERVER STATE
To grant these permissions, run the following commands:
USE Master;
GRANT ALTER ANY CONNECTION TO looker;
GRANT VIEW SERVER STATE to looker;
GO
Granting the Looker user permission to create tables
To give the Looker user the permission to create PDTs, issue the following commands:
USE MyDatabase;
GRANT CREATE TABLE to looker;
GO
Temp schema setup
To create a schema owned by the Looker user and grant the necessary rights to the Looker user, issue this command:
CREATE SCHEMA looker_scratch AUTHORIZATION looker;
Adding the connection
Use the Looker interface to configure the database connection: In the Admin section of Looker, select Connections, and then select New Connection.
Enter the connection information. The majority of the settings are common to most database dialects and are described on the Connecting Looker to your database documentation page. The following fields have additional information that applies to Microsoft SQL Server:
- Dialect: Select your appropriate version of Microsoft SQL Server.
Remote Host:Port: Enter the hostname and port (the default port is 1433).
If you need to specify a non-default port other than 1433 and your database requires the use of a comma instead of a colon, you can add
useCommaHostPortSeparator=true
in the Additional Params field further down in the connection settings, which will allow you to use a comma in the Remote Host:Port field. For example:jdbc:sqlserver://hostname,1434
Click on Test These Settings to verify that the connection to your database is successful. See the Testing database connectivity documentation page for troubleshooting information.
Click Add Connection to save the connection.
Configuring Kerberos authentication
If you use Kerberos authentication with your MSSQL database, follow these steps to configure Looker to connect using Kerberos.
Admins of Looker-hosted instances should contact their Looker analyst for support in configuring Kerberos authentication for your MSSQL database.
Setting up the Kerberos client configuration
The first thing to do is to ensure the installation of several pieces of software and the presence of several files on the Looker machine.
Kerberos client
Verify that the Kerberos client is installed on the Looker machine by running kinit
. If the Kerberos client not, install the Kerberos client’s binaries.
For example, on Redhat/CentOS, this would be:
sudo yum install krb5-workstation krb5-libs krb5-auth-dialog
Java 8
Java 8 must be installed on the Looker machine and in the PATH
and JAVA_HOME
of the Looker user. If necessary, install it locally in the looker
directory.
Java Cryptography Extension
Download and install the Java Cryptography Extension (JCE) for Java 8 from this Oracle site.
- Locate the
jre/lib/security
directory for the Java installation. - Remove the following JAR files from this directory:
local_policy.jar
andUS_export_policy.jar
. - Replace these two files with the JAR files included in the JCE Unlimited Strength Jurisdiction Policy Files download.
It may be possible to use versions of Java prior to Java 8 with the JCE installed, but this is not recommended.
- Locate the
Update
JAVA_HOME
andPATH
in~looker/.bash_profile
to point to the correct installation of Java andsource ~/.bash_profile
or log out and in again.Verify the Java version with
java -version
.Verify the
JAVA_HOME
environment variable withecho $JAVA_HOME
.
gss-jaas.conf
Create a gss-jaas.conf
file in the looker
directory with these contents:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
doNotPrompt=true;
};
If necessary for testing, debug=true
can be added to this file like this:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
doNotPrompt=true
debug=true;
};
krb5.conf
The server running Looker should also have a valid krb5.conf
file. By default, this file is in /etc/krb5.conf
. If it is in another location, that must be indicated in the environment (KRB5_CONFIG
in the shell environment).
You may need to copy this from another Kerberos client machine.
lookerstart.cfg
Point to the gss-jaas.conf
and krb5.conf
files by making a file in the looker
directory (the same directory that contains the looker
startup script) called lookerstart.cfg
that contains the following lines:
If the krb5.conf
file is not at /etc/krb5.conf
then it will also be necessary to add this variable:
For debugging, add these variables:
Then restart Looker with ./looker restart
.
Authenticating with Kerberos
User authentication
If
krb5.conf
is not in/etc/
, then use the environment variableKRB5_CONFIG
to indicate its location.Run the command
klist
to make sure there is a valid ticket in the Kerberos ticket cache.If there is no ticket, run
kinit username@REALM
orkinit username
to create the ticket.The account used with Looker will likely be headless, so you can get a keytab file from Kerberos to store the credential for long-term use. Use a command like
kinit -k -t looker_user.keytab username@REALM
to get the Kerberos ticket.
Automatically renewing the ticket
Set up a cron job that runs every so often to keep an active ticket in the Kerberos ticket cache. How often this should run depends on the configuration of the cluster. klist
should give an indication of how soon tickets expire.
Configuring the Looker connection
Follow the instructions on the Connecting Looker to your database documentation page to create a connection to your MSSQL database. In the Additional Params section of the Connection Settings page, add the following:
;integratedSecurity=true;authenticationScheme=JavaKerberos
Some networks are configured for two Kerberos realms, one for Windows Active Directory and the other for Linux and other non-Windows systems. In that case, when the Linux-focused Realm and the Active Directory Realm are configured to trust each other, it is called “cross-realm authentication”.
If your network uses cross-realm authentication, you must explicitly specify the Kerberos principal for MSSQL Server. In the Additional Params field, add the following:
;serverSpn=service_name/FQDN\:PORT@REALM
Replacing FQDN
and PORT@REALM
with your network information. For example:
;serverSpn=MSSQLSvc/dbserver.internal.example.com:1433@AD.EXAMPLE.COM
In addtion, the Connection Settings page in Looker requires entries in the Username and Password fields, but these are not required for Kerberos. Enter dummy values in these fields.
Test the connection to make sure that it is configured correctly.
Feature support
For Looker to support some features, your database dialect must also support them.
In Looker 22.6, Microsoft SQL Server 2008+ supports the following Looker features:
In Looker 22.6, Microsoft SQL Server 2016+ supports the following Looker features:
In Looker 22.6, Microsoft SQL Server 2017+ supports the following Looker features:
Next steps
After completing the database configuration, you can connect to the database from Looker using these directions.