DataSources

Overview

DataSources are database connections that can be accessed via the web portal or through native database client tools via proxies.


Manage Datasources

Add Datasources

Prerequisites

Ensure the appropriate drivers are installed

Click Datasources

Click

Next, edit the datasource details

| Field | Description |
| --- | --- |
| Datasource Name | The reference for this datasource. Database name in SQL tools. |
| Datasource Type | The datasource type |
| Datasource Group | Set if you are going to push down db credentials via Mamori. For example, create SOMEUSER with these grants on all databases in this group. |
| Driver | Defaulted to the driver for the datasource type |
| Connection Details | Enter database connection information |
| Credential Reset Days | Converts the credential to a managed credential that is reset every X days. The periodically generated password uses mixed-case text, numbers, and punctuation, and has a max length of what is allowable by the database. An example password is '8jh{IW}Dp#6cPPq2#6A}aoS.R(7t4}P. Important! This credential can't be retrieved once it is Mamori managed. |
| Credential Role | (Optional) The role that is linked to this managed credential |

Click Save


The credential used to create the datasource needs minimal permissions. It is only used to periodically check if the datasource is available.

Typically only ad-hoc user database connections are routed through Mamori. Application traffic is only routed through the Mamori server to implement global masking rules or apply SQL injection prevention policies.

If this is required for a critical application, then have one HA Mamori server for the application traffic and another for the ad hoc traffic.

Special Datasource Instructions

Oracle Datasources

Drivers supported for datasource creation

| Driver | Oracle Versions | JDBC Spec | JDK |
| --- | --- | --- | --- |
| ojdbc6.jar (11.2.0.4), pre-installed | 7 to 21c | 4.0 | JDK8, 11 & 17 |
| ojdbc10.jar (19.18.0.0) | 21c, 19c, 18c, & 12.2 | 4.3 | JDK11-17 |
| ojdbc8.jar (19.18.0.0) | 21c, 19c, 18c, & 12.2 | 4.2 | JDK8, 11 & 17 |

Connection String for Oracle RAC

If the target database is RAC or requires other special TNS options, then enter the TNS entry in the datasource advanced > connection string field:

jdbc:oracle:thin:@(DESCRIPTION= ... (LOAD_BALANCE=yes)...)

Mongo Datasource

If creating a Mongo datasource, the authSource db and tls settings can be passed in under the advanced settings using either the Connection Properties:

authSource=admin;tls=true

or the Connection URL Suffix:

&authSource=admin&tls=true

MySQL 8 Datasource

For MySQL driver version 8 and a DB server without SSL, add the following to the datasource connection string properties.

sslMode=DISABLED

MySQL SSL Connection Configuration

The MySQL JDBC driver will use the JVM's default keystore as a fallback unless this parameter is included:

fallbackToSystemKeyStore=false

For MySQL datasources that require SSL with a user-provided SSL certificate, follow these steps:

Prerequisites

  • Mamori version 3.6.0.1 or higher
  • Docker version 26 or higher
  • MySQL SSL certificate files (CA certificate in PEM format)

Step 1: Convert PEM Certificate to JKS Format

Convert your MySQL CA certificate from PEM format to a Java KeyStore (JKS) file using the keytool command:

keytool -importcert -alias MySQLCACert -file ./data/ca.pem -keystore ./certs/truststore.jks -storepass mypassword

Note: Replace mypassword with a secure password of your choice. You will need this password in Step 3.

Step 2: Make Truststore Accessible to Mamori Hub

The truststore file must be accessible from inside the Docker container running the Mamori Hub process.

Ensure the truststore file is placed in a location that is mounted and accessible within the Docker container (e.g., a mounted volume path).

Step 3: Configure the MySQL Datasource

When creating or updating the MySQL datasource in Mamori, add the following properties to the Connection Properties field:

sslMode=VERIFY_CA;trustCertificateKeyStoreUrl=file:///path/to/truststore.jks;trustCertificateKeyStorePassword=mypassword;fallbackToSystemKeyStore=false

Important:

  • Replace /path/to/truststore.jks with the actual path to your truststore file as accessible from inside the Docker container
  • Replace mypassword with the password you set in Step 1
  • The fallbackToSystemKeyStore=false parameter is required for ANY MySQL SSL connection

Example Configuration

If your truststore is mounted at /vagrant/tmp/truststore.jks inside the Docker container:

sslMode=VERIFY_CA;trustCertificateKeyStoreUrl=file:///vagrant/tmp/truststore.jks;trustCertificateKeyStorePassword=mypassword;fallbackToSystemKeyStore=false

Troubleshooting

  • Verify the truststore file path is correct and accessible from inside the Docker container
  • Confirm the truststore password matches the password used during certificate import
  • Ensure the fallbackToSystemKeyStore=false parameter is included in the connection properties
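
A check for the MySQL connection properties covered in the MySQL 8 and MySQL SSL sections above, as an added example that is not part of the Mamori product or its documentation: it parses the semicolon-separated Connection Properties string and reports settings that deviate from Step 3. The function names and sample strings are constructed, VERIFY_IDENTITY is a stricter MySQL Connector/J mode not mentioned on this page, and the truststore readability check is only meaningful when run inside the Mamori Hub container.

```shell
#!/bin/sh
# Added example (not Mamori code): lint a MySQL "Connection Properties" string.
# Function names and sample values are constructed for illustration.

# get_prop PROPS KEY: print the value of KEY from a ';'-separated key=value list.
get_prop() (
    set -f; IFS=';'; val=          # set -f: no globbing while splitting on ';'
    for pair in $1; do
        case $pair in "$2="*) val=${pair#*=} ;; esac
    done
    printf '%s' "$val"
)

# lint_mysql_ssl_props PROPS: print one finding per line; status 0 only if clean.
lint_mysql_ssl_props() (
    props=$1; findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    mode=$(get_prop "$props" sslMode)
    case $mode in
        VERIFY_CA|VERIFY_IDENTITY) ;;
        DISABLED) note "sslMode=DISABLED: connection to the database is unencrypted"
                  exit 1 ;;        # nothing else to check without TLS
        '') note "sslMode missing: CA verification is not requested" ;;
        *)  note "sslMode=$mode: not VERIFY_CA or VERIFY_IDENTITY, CA is not verified" ;;
    esac

    [ "$(get_prop "$props" fallbackToSystemKeyStore)" = false ] ||
        note "fallbackToSystemKeyStore=false missing: JVM default keystore is the fallback"

    url=$(get_prop "$props" trustCertificateKeyStoreUrl)
    case $url in
        file://*) [ -r "${url#file://}" ] ||
                      note "truststore ${url#file://} is not readable here" ;;
        *) note "trustCertificateKeyStoreUrl missing or not a file:// URL" ;;
    esac

    [ "$(get_prop "$props" trustCertificateKeyStorePassword)" != mypassword ] ||
        note "trustCertificateKeyStorePassword is still the placeholder from the docs"

    [ "$findings" -eq 0 ]
)

# Constructed sample: the page's example configuration with the fallback setting dropped.
lint_mysql_ssl_props 'sslMode=VERIFY_CA;trustCertificateKeyStoreUrl=file:///vagrant/tmp/truststore.jks;trustCertificateKeyStorePassword=mypassword' || true
```

An empty output with exit status 0 means the string matches the Step 3 configuration and the truststore file is readable at the given path.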

Azure Synapse - Dedicated Pool & Serverless

Microsoft Azure Synapse warehouse does not support the sys.sysdepends system view. To disable the lookup, set the following property:

supportsObjectDependencies=false

Manage DB Credentials

Any number of credentials can be added to a datasource and then mapped to users and roles. End user connections will use the mapped credentials.

End users will use their identity logins to access databases, which means they will never have or require access to the actual database credentials.

Add Credential

Prerequisites

Added a datasource

Click Datasources

Select the target datasource and click

Click Manage Credentials

Click Add Credential

Next, set the credential details

| Field | Description |
| --- | --- |
| Username | The database login |
| Password | The database login password |
| Credential Reset Days | Converts the credential to a managed credential that is reset every X days. The periodically generated password uses mixed-case text, numbers, and punctuation, and has a max length of what is allowable by the database. An example password is '8jh{IW}Dp#6cPPq2#6A}aoS.R(7t4}P. Important! This credential can't be retrieved once it is Mamori managed. |

Click Validate

Click Save



Manage Data Access Policies

To configure database access via the web console or proxies, a user needs:

  • Permission on a datasource credential
  • A session passthrough mode permission

| Passthrough Mode | Description |
| --- | --- |
| PASSTHROUGH | Applies connection policies, but does not apply statement, session or data policies. |
| MASKED PASSTHROUGH | Applies connection, session & statement policies. Allows statements that can't be analyzed. |
| PROTECTED PASSTHROUGH | Same as MASKED PASSTHROUGH, but blocks all unregistered statements that can't be analyzed. |

  • At least SELECT permission on an object
  • For native DB Tool access, grant the DB Object permissions the tools require
      • CALL, EXECUTE SQL BLOCK, EXECUTE DYNAMIC SQL
      • SELECT on respective catalogs, e.g., SYS & SYSTEM for Oracle
  • For WebSQL Access, grant the Mamori permissions
      • WEB SQL EDITOR - Enables WebSQL Editor access
      • WEB EXPORT DATA - Enables data extract from the WebSQL Editor
      • WEB AUTO COMMIT - Enables the WebSQL auto-commit toggle button. By default WebSQL sessions are auto-commit = false.

Mamori can't provide permissions that the database credential doesn't have. For example, if the database credential assigned to the user doesn't have EXECUTE DYNAMIC SQL, then the statement will fail even if you grant it in Mamori.

Mamori allows you to micro-segment a database credential's existing permissions. It can't add additional permissions.

The built-in default db resource policy grants all the appropriate permissions; however, if you want to provision permanent access, then grant them to a role or user.

Provision Access

Follow the steps below to manually grant permanent or temporary database access to a user or role.

Prerequisites

Add the credentials to the default_database_credentials role

  • Click Roles
  • Double click on the default_database_credentials role to edit it
  • Click Database & Data Access > Credentials
  • Click Add Credential and select the data source
  • Select an existing credential or enter details for a new one
  • Click Add

Assign default_database_credentials to a user

  • Click Roles
  • Find default_database_credentials in the grid and click
  • Click Manager Assigned Users
  • For time grants, toggle advanced options
  • Click on the user to add or remove the grant

Assign default_database_access_ro to a user

  • Click Roles
  • Find default_database_access_ro in the grid and click
  • Click Manager Assigned Users
  • For time grants, toggle advanced options
  • Click on the user to add or remove the grant

The user will now be able to access the granted databases via WebSQL and database proxies

Manage On-Demand Access

Manage who has access to request a credential@datasource combination

Prerequisites

Added a datasource & Credential

Click Datasources

Select the target datasource and click

Click Manage Request Grants

Click Add Request Grant

Next, set the form details

| Field | Description |
| --- | --- |
| Grantee Type | User or Role |
| Grantee | A role, a Mamori user or an external directory user |
| Mamori Resource Policy | Select a DB resource policy. The grant will fail otherwise. |
| Credential | The credential that will be granted via this request |
| Description | The description that the user will see when making a request |

Click Save

The user will see the datasource in the request resources grid

Updated at Wed, Dec 3, 2025