Azure Synapse

DSS has native support for Microsoft Azure Synapse Dedicated SQL Pools (formerly known as Azure SQL Data Warehouse)

DSS supports the full range of features on Microsoft Azure Synapse

  • Reading and writing datasets

  • Executing SQL recipes

  • Performing visual recipes in-database

  • Using live engine for charts

Installing the JDBC driver

Azure Synapse uses the Microsoft SQL Server JDBC driver, which can be downloaded from Microsoft website (at time of writing, from https://docs.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server).

Make sure to select the version which is appropriate for your version of SQL Server and your version of Java. At the time of writing, these constraints are summarized here. In particular, Java 8 requires driver 4.2 or later, and Java 10 requires driver 7.0 or later.

  • Download the “tar.gz” distribution archive (for Unix)

  • Unarchive the downloaded file

  • Take only the “enu/mssql-jdbc-VERSION.jreX.jar”

The driver is the single JAR file called mssql-jdbc-VERSION.jreX.jar where X is the corresponding Java version.

  • Copy the JAR file to the lib/jdbc driver of DSS

  • Restart DSS

Write into Azure Synapse

Writing data from the outside into a Azure Synapse dataset is slow. Conversely, if the input and outputs are on othe same connection and the recipe uses the SQL or “In-database” engines, this is fast.

Importing data to Azure Synapse can be sped up by first loading the data into a Azure Blob Storage dataset and then using a Sync recipe with the “Azure Blob to Synapse” as recipe engine.

When using the Azure Blob to Synapse engine, discrepancies may appear in strings if the use of quote characters is not consistent throughout the input dataset.

Login using OAuth

DSS can login using OAuth on Azure Synapse. OAuth login can be performed either:

  • Using a single service account

  • Using per-user credentials. In the latter case, each user must grant DSS permission to access the database on his behalf.

Login as a single account

  • Make sure that you have at least version 7.2 of the JDBC driver

  • Create a new App (Azure Portal > Azure Active Directory > App registrations). DSS will connect with the identity of this app

  • In the Overview tab, note the Application (client) ID

  • In the Overview tab, click Endpoints and note the OAuth 2.0 token endpoint (v1) URL

  • Create a client secret for this application (App registration > Certificates & Secrets), note the client secret

  • Add this app as a user in the Azure SQL Server database (see below)

  • Create a new SQLServer connection

  • Fill the “Host” and “Database” fields with the SQL Server host and database name

  • Enable “Login with Azure OAuth”

  • The STS URL is the OAuth 2.0 token endpoint (v1) URL

  • Client id is the application id

  • Client secret is the one you created earlier

Note

How to add the app as a user in the Azure SQL Server database

Before DSS can login as an app, this app must be registered as a valid user in the Azure SQL server database. This is done by entering the SQL command CREATE USER [appName] FROM EXTERNAL PROVIDER while connected as an administrator to the database.

This is technically independent from DSS, but it can be practical to do it from DSS. The difficulty is that in order to perform this command, you must be logged in as an AD user on the database.

The following procedure is provided as a best-effort help:

  • First, make sure that you have setup a AAD user as administrator of this database. Follow instructions here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure

  • Create a new temporary SQL Server connection in DSS

    • Fill the “Host” and “Database” fields with the SQL Server host and database name

    • Enter the AD login/password of the AD admin user

    • Add a new JDBC property with key authentication and password ActiveDirectoryPassword

    • Create the connection

  • Create a new SQL notebook on this connection

  • Run the command CREATE USER [appName] FROM EXTERNAL PROVIDER with “appName” the name of the app you created previously

  • Delete the SQL Server connection (from now on, you’ll be logging as the app instead)

Login with per-user OAuth tokens

  • Make sure that you have at least version 7.2 of the JDBC driver

  • Create a new App (Azure Portal > Azure Active Directory > App registrations). DSS will connect with the identity of this app

  • In the Overview tab, note the Application (client) ID

  • In the Overview tab, click Endpoints and note the OAuth 2.0 token endpoint (v1) URL

  • Go to API permissions, Add a permission, APIs my organization uses

  • Search for Azure SQL and add the Azure SQL Database permission, Delegated permissions, user_impersonation

  • Go to Authentication, and set “Default client type” > “Treat as a public client” to “Yes”. Check the “login.microsoftonline.com” URL in the “Suggested Redirect URIs” section. Save your changes.

  • Create a new SQLServer connection

  • Fill the “Host” and “Database” fields with the SQL Server host and database name

  • Set “Credentials mode” to “Per user”

  • Enable “Login with Azure OAuth”

  • The STS URL is the OAuth 2.0 token endpoint (v1) URL

  • Client id is the application id

  • Create the connection (you can’t test it yet)

Then for each user:

  • Go to user profile > connection credentials

  • Click the “Edit” button next to the new connection name

  • Follow the instructions that appear

Important: the account you log with must be a “Member” on the AAD directory. A “guest” account cannot login

Common errors

  • Problem: when clicking on “Continue” in the OAuth setup modal, the user gets AADSTS70016: Pending end-user authorization.

  • Solution: the user has not completed the devicelogin registration

.

  • Problem: When the user goes to the devicelogin page, he gets AADSTS500113: No reply address is registered for the application.

  • Solution: You have not checked the “login.microsoftonline.com” URL in the “Suggested Redirect URIs” section.

.

  • Problem: You were able to authenticate the end-user, but connection fails with SQLServerException: Azure Active Directory is only supported on Windows operating systems.

  • Solution: Your driver is too old; Upgrade to 7.2 or higher

.

  • Problem: You were able to authenticate the end-user, but connection fails with SQLServerException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

  • Solution: the user account is a “Guest” on the AAD. Only “Members” are acceptable