User credentials in automated workflows

#1

I've been wondering how other users of KNIME Server deal with this:

When I want to automate a workflow that includes database access, I need to set a user name and a password within nodes like "Database Reader" in order to access the DB and execute queries.

Should I keep the credentials of whoever created the workflow? Should I replace them with my own? Should I create a separate "technical" user in the database only for the purpose of running automated workflows? What's best practice in this situation? How do you deal with it?

2 Likes

#2

Hi Ben,

If you want every user to use their own credentials while still being able to run the workflow automatically, you can use Workflow Credentials.

First, open the workflow in your local client. Right-click the workflow in the KNIME Explorer and click "Workflow Credentials". There, you can add a new set of credentials. Use a name like "db_credentials" and leave the fields for username and password empty.

Next, go to your workflow and open the configuration of the Database Reader. Instead of entering your credentials, select "Workflow Credentials" and select the variable you just created. Save and upload to Server.

If you execute the workflow now, you will be asked to provide credentials which are then used in the workflow.

Hope that helps!

Cheers,

Roland

 

0 Likes

#3

Hey Roland, thanks for the response. I've briefly checked out Workflow Credentials but not used them yet. They seem useful in many cases.

But what about scheduled workflows, e.g. a forecast that is supposed to run every morning automatically? I can put my personal credentials into the workflow, but that ties it to my personal account, which doesn't seem right. On the other hand, creating a "technical"user will use up one license and if you use LDAP auth, you'd have to create the user there.

I'm just wondering how other people handle this issue in scheduled workflows.

0 Likes

#4

Hello Ben!

Did you manage to resolve this issue?

We are more or less in the same situation: scheduled jobs, LDAP users and a generic user for database accesses…

regards.

1 Like

#5

Hey jricgar,
unfortunately not, but I haven’t spent too much time on this problem. We placed scheduled workflows in a special folder where only the KNIME admins have access. I have the feeling that workflow credentials are not very handy and I’m still curious if there is a better way. If you figure something out, let me know.

2 Likes

#6

Hi @jricgar,

At this point (as of KNIME Server 4.9.2), credentials should be passed via Workflow Credentials. To set this up, you need to add a set of credentials to the workflow -> right-click workflow in local repository -> Workflow Credentials. No need to save a password. In the WF, you set the DB Connector node to use those credentials. Then upload to KNIME Server. Once you run the job, either ad-hoc or on schedule, there will be a prompt asking for the credentials. Of course, the credentials you enter there can be for your generic user as well.

We’ll make this fair bit easier with the release of KNIME Server 4.10, scheduled for December release. There, we add an additional “Configuration” tab to the execution dialog, which grants you access to all configuration nodes in a workflow. All you’d need to do then is add a Credentials Configuration node to your WF, connected to the DB Connector via flow variable.

Hope that helps!

Cheers,
Roland

Edit: I need to add that the solution I mentioned for 4.9.2 will only work for EJB mountpoints. It will not work for REST mountpoints.

3 Likes