Google Data Catalog Connection Details

Introduction

Connector Version

This documentation is based on version 25.0.9368 of the connector.

Get Started

Google Data Catalog Version Support

The connector leverages the GoogleDataCatalog API to enable read only access to GoogleDataCatalog.

Establish a Connection

Connect to Google Data Catalog

Provide the following connection properties before adding the authentication properties.

• OrganizationId: The ID associated with the Google Cloud Platform organization resource you would like to connect to. Find this by navigating to the cloud console.
  Open the Project drop-down menu and click the link to your organization from the list. The organization ID is displayed on this page.
• ProjectId: The ID associated with the Google Cloud Platform project resource you would like to connect to.
  Find this by navigating to the cloud console dashboard and selecting your project from the Select from drop-down menu. The project ID is displayed in the Project info card.

Authenticate to Google Data Catalog

The connector supports using user accounts, service accounts and GCP instance accounts for authentication.

The following sections discuss the available authentication schemes for Google Data Catalog:

• User Accounts (OAuth)
• Service Account (OAuthJWT)
• GCP Instance Account

User Accounts (OAuth)

AuthScheme must be set to OAuth in all user account flows.

Desktop Applications

An embedded OAuth application is provided that simplifies OAuth desktop Authentication. Alternatively, you can create a custom OAuth application. See Creating a Custom OAuth App for information about creating custom applications and reasons for doing so.

For authentication, the only difference between the two methods is that you must set two additional connection properties when using custom OAuth applications.

After setting the following connection properties, you are ready to connect:

• InitiateOAuth: Set this to GETANDREFRESH, which instructs the connector to automatically attempt to get and refresh the OAuth access token.
• OAuthClientId: (custom applications only) Set this to the Client ID in your custom OAuth application settings.
• OAuthClientSecret: (custom applications only) Set this to the Client Secret in the custom OAuth application settings.

When you connect the connector opens the OAuth endpoint in your default browser. Log in and grant permissions to the application. The connector then completes the OAuth process as follows:

• Extracts the access token from the callback URL.
• Obtains a new access token when the old one expires.
• Saves OAuth values in OAuthSettingsLocation that persist across connections.

Service Accounts (OAuthJWT)

To authenticate using a service account, you must create a new service account and have a copy of the accounts certificate. If you do not already have a service account, you can create one by following the procedure in Creating a Custom OAuth App.

For a JSON file, set these properties:

• AuthScheme: Set this to OAuthJWT.
• InitiateOAuth: Set this to GETANDREFRESH.
• OAuthJWTCertType: Set this to GOOGLEJSON.
• OAuthJWTCert: Set this to the path to the .json file provided by Google.
• OAuthJWTSubject: (optional) Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property should be the email address of the user whose data you want to access.

For a PFX file, set these properties instead:

• AuthScheme: Set this to OAuthJWT.
• InitiateOAuth: Set this to GETANDREFRESH.
• OAuthJWTCertType: Set this to PFXFILE.
• OAuthJWTCert: Set this to the path to the .pfx file provided by Google.
• OAuthJWTCertPassword: (optional) Set this to the .pfx file password. In most cases you must provide this since Google encrypts PFX certificates.
• OAuthJWTCertSubject: (optional) Set this only if you are using a OAuthJWTCertType, which stores multiple certificates. This should not be set for PFX certificates generated by Google.
• OAuthJWTIssuer: Set this to the email address of the service account. This address usually includes the domain iam.gserviceaccount.com.
• OAuthJWTSubject: (optional) Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property is the email address of the user whose data you want to access.

GCP Instance Accounts

When running on a GCP virtual machine, the connector can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.

Create a Custom OAuth App

Create a Custom OAuth Application

OAuth application credentials are embedded with branding that can be used when connecting to Google Data Catalog via a desktop application or a headless machine.

(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to Google Data Catalog".)

However, you must create a custom OAuth application to connect to Google Data Catalog via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.

Custom OAuth applications are useful if you want to:

• control branding of the authentication dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).

Enable the

Follow these steps to enable the :

1. Navigate to the Google Cloud Console.
2. Select Library from the left-hand navigation menu. This opens the Library page.
3. In the search field, enter "" and select from the search results.
4. On the page, click ENABLE.

Create an OAuth Application

To create custom OAuth applications that retrieve the necessary OAuth connection properties, follow these procedures.

User Accounts (OAuth)

For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)

Do the following:

1. Navigate to the Google Cloud Console.
2. Create a new project or select an existing project.
3. At the left-hand navigation menu, select Credentials.
4. If this project does not already have a consent screen configured, click CONFIGURE CONSENT SCREEN to create one. If you are not using a Google Workspace account, you are restricted to creating an External-type Consent Screen, which requires specifying a support email and developer contact email. Additional info is optional.
5. On the Credentials page, select Create Credentials > OAuth Client ID.
6. In the Application Type menu, select Web application.
7. Specify a name for your custom OAuth application.
8. Under Authorized redirect URIs, click ADD URI and enter a redirect URI.
9. Click Enter, then CREATE. The Cloud Console returns you to the Credentials page.
   A window opens that displays your client ID and client secret.
10. Record the client ID and Client Secret for later use as the OAuthClientId and OAuthClientSecret connection properties.

Service Accounts (OAuthJWT)

Service accounts (AuthScheme OAuthJWT) can be used in an OAuth flow to access Google APIs on behalf of users in a domain. A domain administrator can delegate domain-wide access to the service account.

To create a new service account:

1. Navigate to the Google Cloud Console.
2. Create a new project or select an existing project.
3. At the left-hand navigation menu, select Credentials.
4. Select Create Credentials > Service account.
5. On the Create service account page, enter the Service account name, the Service account ID, and, optionally, a description.
6. Click DONE. The Cloud Console redisplays the Credentials page.
7. In the Service Accounts section, select the service account you just created.
8. Click the KEYS tab.
9. Click ADD KEY > Create new key.
10. Select any supported Key type (see OAuthJWTCert and OAuthJWTCertType).
11. Click CREATE. The key is automatically downloaded to your device, and any additional information specific to the key is displayed.
12. Record the additional information for future use.

To complete the service account flow, generate a private key in the Google Cloud Console. In the service account flow, the driver exchanges a JSON Web token (JWT) for the OAuthAccessToken. The private key is required to sign the JWT. The driver will have the same permissions granted to the service account.

Important Notes

Configuration Files and Their Paths

• All references to adding configuration files and their paths refer to files and locations on the Jitterbit agent where the connector is installed. These paths are to be adjusted as appropriate depending on the agent and the operating system. If multiple agents are used in an agent group, identical files will be required on each agent.

Advanced Features

This section details a selection of advanced features of the Google Data Catalog connector.

User Defined Views

The connector supports the use of user defined views, virtual tables whose contents are decided by a pre-configured user defined query. These views are useful when you cannot directly control queries being issued to the drivers. For an overview of creating and configuring custom views, see User Defined Views.

SSL Configuration

Use SSL Configuration to adjust how connector handles TLS/SSL certificate negotiations. You can choose from various certificate formats. For further information, see the SSLServerCert property under "Connection String Options".

Proxy

To configure the connector using private agent proxy settings, select the Use Proxy Settings checkbox on the connection configuration screen.

Query Processing

The connector offloads as much of the SELECT statement processing as possible to Google Data Catalog and then processes the rest of the query in memory (client-side).

For further information, see Query Processing.

Log

For an overview of configuration settings that can be used to refine logging, see Logging. Only two connection properties are required for basic logging, but there are numerous features that support more refined logging, which enables you to use the LogModules connection property to specify subsets of information to be logged.

User Defined Views

The Google Data Catalog connector supports the use of user defined views: user-defined virtual tables whose contents are decided by a preconfigured query. User defined views are useful in situations where you cannot directly control the query being issued to the driver; for example, when using the driver from Jitterbit.

Use a user defined view to define predicates that are always applied. If you specify additional predicates in the query to the view, they are combined with the query already defined as part of the view.

There are two ways to create user defined views:

• Create a JSON-formatted configuration file defining the views you want.
• DDL statements.

Define Views Using a Configuration File

User defined views are defined in a JSON-formatted configuration file called UserDefinedViews.json. The connector automatically detects the views specified in this file.

You can also have multiple view definitions and control them using the UserDefinedViews connection property. When you use this property, only the specified views are seen by the connector.

This user defined view configuration file is formatted so that each root element defines the name of a view, and includes a child element, called query, which contains the custom SQL query for the view.

For example:

{
    "MyView": {
        "query": "SELECT * FROM Schemas WHERE MyColumn = 'value'"
    },
    "MyView2": {
        "query": "SELECT * FROM MyTable WHERE Id IN (1,2,3)"
    }
}

Use the UserDefinedViews connection property to specify the location of your JSON configuration file. For example:

"UserDefinedViews", "C:\Users\yourusername\Desktop\tmp\UserDefinedViews.json"

Define Views Using DDL Statements

The connector is also capable of creating and altering the schema via DDL Statements such as CREATE LOCAL VIEW, ALTER LOCAL VIEW, and DROP LOCAL VIEW.

Create a View

To create a new view using DDL statements, provide the view name and query as follows:

CREATE LOCAL VIEW [MyViewName] AS SELECT * FROM Customers LIMIT 20;

If no JSON file exists, the above code creates one. The view is then created in the JSON configuration file and is now discoverable. The JSON file location is specified by the UserDefinedViews connection property.

Alter a View

To alter an existing view, provide the name of an existing view alongside the new query you would like to use instead:

ALTER LOCAL VIEW [MyViewName] AS SELECT * FROM Customers WHERE TimeModified > '3/1/2020';

The view is then updated in the JSON configuration file.

Drop a View

To drop an existing view, provide the name of an existing schema alongside the new query you would like to use instead.

DROP LOCAL VIEW [MyViewName]

This removes the view from the JSON configuration file. It can no longer be queried.

Schema for User Defined Views

In order to avoid a view's name clashing with an actual entity in the data model, user defined views are exposed in the UserViews schema by default. To change the name of the schema used for UserViews, reset the UserViewsSchemaName property.

Work with User Defined Views

For example, a SQL statement with a user defined view called UserViews.RCustomers only lists customers in Raleigh:

SELECT * FROM Customers WHERE City = 'Raleigh';

An example of a query to the driver:

SELECT * FROM UserViews.RCustomers WHERE Status = 'Active';

Resulting in the effective query to the source:

SELECT * FROM Customers WHERE City = 'Raleigh' AND Status = 'Active';

That is a very simple example of a query to a user defined view that is effectively a combination of the view query and the view definition. It is possible to compose these queries in much more complex patterns. All SQL operations are allowed in both queries and are combined when appropriate.

SSL Configuration

Customize the SSL Configuration

By default, the connector attempts to negotiate TLS with the server. The server certificate is validated against the default system trusted certificate store. You can override how the certificate gets validated using the SSLServerCert connection property.

To specify another certificate, see the SSLServerCert connection property.

Data Model

Overview

This section shows the available API objects and provides more information on executing SQL to Google Data Catalog APIs.

Key Features

• The connector models Google Data Catalog entities like Documents, Folders, and Groups as relational views, allowing you to write SQL to query Google Data Catalog data.
• Stored procedures allow you to execute operations to Google Data Catalog
• Live connectivity to these objects means any changes to your Google Data Catalog account are immediately reflected when using the connector.

Views

Views describes the available views. Views are statically defined to model read-only entities such as Schemas, Tables, and TagTemplates.

Stored Procedures

Stored Procedures are function-like interfaces to Google Data Catalog. Stored procedures allow you to execute operations to Google Data Catalog, including downloading documents and moving envelopes.

Views

Views are similar to tables in the way that data is represented; however, views are read-only.

Queries can be executed against a view as if it were a normal table.

Google Data Catalog Connector Views

Schemas

To view the list of schemas

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The rest of the filter is executed client side within the connector.

• DataSetName supports the 'CONTAINS' comparison.
• Type supports the '=' comparison.
• ProjectId supports the '=' comparison.
• EntryGroup supports the '=' comparison.
• CreatedTime supports the '=, <, <=, >, >=' comparisons.
• UpdatedTime supports the '=, <, <=, >, >=' comparisons.
• OrganizationId supports the '=' comparison.
• DisplayName supports the 'CONTAINS' comparison.
• Description supports the '=' comparison.

For example, the following queries are processed server side:

SELECT * FROM Schemas WHERE CONTAINS (DataSetName, 'prop')

SELECT * FROM Schemas WHERE UpdatedTime >= '2018-01-01 01:00:00'

SELECT * FROM Schemas WHERE CreatedTime < '2018-06-01'

SELECT * FROM Schemas WHERE UpdatedTime > '2018-06-01 12:00:00' AND CreatedTime <= '2019-06-01 11:00'

SELECT * FROM Schemas WHERE OrganizationId = '112025358'

SELECT * FROM Schemas WHERE ProjectId = 'bigquery-public-data OR ProjectId = 'level-works-253411''

Additionally UpdatedTime column can be used in the ORDER BY clause, as following:

SELECT * FROM Schemas ORDER BY UpdatedTime DESC

Columns

Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

TableColumns

To view the columns in the table or view

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The ResourceName is required to make a request and the rest of the filter is executed client side within the connector.

• ResourceName supports the '=' comparison.

For example, the following queries are processed server side:

SELECT * FROM TableColumns WHERE ResourceName = 'projects/bigquery-public-data/locations/US/entryGroups/@bigquery/entries/cHJvamVjdHMvYmlncXVlcnktcHVibGljLWRhdGEvZGF0YXNldHMvZ2VvX2NlbnN1c19ibG9ja2dyb3Vwcy90YWJsZXMvYmxvY2tncm91cHNfMTE'

Columns

TableProperties

To view the properties of the table

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The ResourceName is required to make a request and the rest of the filter is executed client side within the connector.

• ResourceName supports the '=' comparison.

SELECT * FROM TableProperties WHERE ResourceName = 'projects/bigquery-public-data/locations/US/entryGroups/@bigquery/entries/cHJvamVjdHMvYmlncXVlcnktcHVibGljLWRhdGEvZGF0YXNldHMvZ2VvX2NlbnN1c19ibG9ja2dyb3Vwcy90YWJsZXMvYmxvY2tncm91cHNfMTE'

Columns

Tables

To view the list of tables and views

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The rest of the filter is executed client side within the connector.

• DataSetName supports the 'CONTAINS' comparison.
• Type supports the '=' comparison.
• ProjectId supports the '=' comparison.
• EntryGroup supports the '=' comparison.
• CreatedTime supports the '=, <, <=, >, >=' comparisons.
• UpdatedTime supports the '=, <, <=, >, >=' comparisons.
• OrganizationId supports the '=' comparison.
• TagName supports the 'CONTAINS' comparison.
• DisplayName supports the 'CONTAINS' comparison.
• SearchColumn supports the 'CONTAINS' comparison.
• Description supports the '=' comparison.

For example, the following queries are processed server side:

SELECT * FROM Tables WHERE UpdatedTime <= '2018-06-01 11:00:00.0'

SELECT * FROM Tables WHERE UpdatedTime >= '2018-06-01'

SELECT * FROM Tables WHERE UpdatedTime > '2018-06-01 12:00:00' AND CreatedTime < '2019-06-01 11:00:00'

SELECT * FROM Tables WHERE OrganizationId = '112025358'

SELECT * FROM Tables WHERE ProjectId = 'bigquery-public-data'

SELECT * FROM Tables WHERE CONTAINS (SearchColumn, 'name')

SELECT * FROM Tables WHERE TagName = 'test'

SELECT * FROM Tables WHERE Type = 'table' OR Type = 'view'

Additionally UpdatedTime column can be used in the ORDER BY clause, as following:

SELECT * FROM Tables ORDER BY UpdatedTime ASC

Columns

Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

TableTagsDetails

To view the list of tags added to the table

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The ResourceName is required to make a request and the rest of the filter is executed client side within the connector.

• ResourceName supports the '=' comparison.

For example, the following queries are processed server side:

SELECT * FROM TableTagsDetails WHERE ResourceName = 'projects/level-works-253411/locations/us/entryGroups/@bigquery/entries/cHJvamVjdHMvbGV2ZWwtd29ya3MtMjUzNDExL2RhdGFzZXRzL3Rlc3RkYi90YWJsZXMvbXl2aWV3'

Columns

TagTemplateColumns

To view the list of columns in the TagTemplate.

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The ResourceName is required to make a request and the rest of the filter is executed client side within the connector.

• ResourceName supports the '=' comparison.

SELECT * FROM TagTemplateColumns WHERE ResourceName = 'projects/level-works-253411/locations/us-central1/tagTemplates/demotemplate'

Columns

TagTemplateIAMPolicy

To view the TagTemplates permission in the project

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The ResourceName is required to make a request and the rest of the filter is executed client side within the connector.

• ResourceName supports the '=' comparison.

SELECT * FROM TagTemplateIAMPolicy WHERE ResourceName = 'projects/level-works-253411/locations/us-central1/tagTemplates/demotemplate'

Columns

TagTemplates

To view the list of TagTemplates in the project

Table Specific Information

Select

The connector will use the Google Data Catalog API to process WHERE clause conditions built with the following column and operator. The rest of the filter is executed client side within the connector.

• Name supports the 'CONTAINS' comparison.
• Type supports the '=' comparison.
• ProjectId supports the '=' comparison.
• CreatedTime supports the '=, <, <=, >, >=' comparisons.
• UpdatedTime supports the '=, <, <=, >, >=' comparisons.
• OrganizationId supports the '=' comparison.
• DisplayName supports the 'CONTAINS' comparison.

For example, the following queries are processed server side:

SELECT * FROM TagTemplates WHERE OrganizationId = '112025358'

SELECT * FROM TagTemplates WHERE CONTAINS (Name, 'test') OR ProjectId = 'bigquery-public-data'

SELECT * FROM TagTemplates WHERE CreatedTime >= '2018-01-01 01:00:00'

SELECT * FROM TagTemplates WHERE UpdatedTime < '2018-06-01'

SELECT * FROM TagTemplates WHERE UpdatedTime > '2018-06-01 12:00:00' AND CreatedTime <= '2019-06-01 11:00'

SELECT * FROM TagTemplates WHERE Type = 'tag_template' AND DisplayName = 'test_template'

Additionally UpdatedTime column can be used in the ORDER BY clause, as following:

SELECT * FROM TagTemplates ORDER BY UpdatedTime DESC

Columns

Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Stored Procedures

Stored procedures are function-like interfaces that extend the functionality of the connector beyond simple SELECT operations with Google Data Catalog.

Stored procedures accept a list of parameters, perform their intended function, and then return any relevant response data from Google Data Catalog, along with an indication of whether the procedure succeeded or failed.

Google Data Catalog Connector Stored Procedures

GetOAuthAccessToken

Obtains the OAuth access token to be used for authentication with various Google services.

Input

Result Set Columns

GetOAuthAuthorizationURL

Obtains the OAuth authorization URL for authentication with various Google services.

Input

Result Set Columns

RefreshOAuthAccessToken

Obtains the OAuth access token to be used for authentication with various Google services.

Input

Result Set Columns

System Tables

You can query the system tables described in this section to access schema information, information on data source functionality, and batch operation statistics.

Schema Tables

The following tables return database metadata for Google Data Catalog:

• sys_catalogs: Lists the available databases.
• sys_schemas: Lists the available schemas.
• sys_tables: Lists the available tables and views.
• sys_tablecolumns: Describes the columns of the available tables and views.
• sys_procedures: Describes the available stored procedures.
• sys_procedureparameters: Describes stored procedure parameters.
• sys_keycolumns: Describes the primary and foreign keys.
• sys_indexes: Describes the available indexes.

Data Source Tables

The following tables return information about how to connect to and query the data source:

• sys_connection_props: Returns information on the available connection properties.
• sys_sqlinfo: Describes the SELECT queries that the connector can offload to the data source.

Query Information Tables

The following table returns query statistics for data modification queries:

• sys_identity: Returns information about batch operations or single updates.

sys_catalogs

Lists the available databases.

The following query retrieves all databases determined by the connection string:

SELECT * FROM sys_catalogs

Columns

sys_schemas

Lists the available schemas.

The following query retrieves all available schemas:

SELECT * FROM sys_schemas

Columns

sys_tables

Lists the available tables.

The following query retrieves the available tables and views:

SELECT * FROM sys_tables

Columns

sys_tablecolumns

Describes the columns of the available tables and views.

The following query returns the columns and data types for the Schemas table:

SELECT ColumnName, DataTypeName FROM sys_tablecolumns WHERE TableName='Schemas'

Columns

sys_procedures

Lists the available stored procedures.

The following query retrieves the available stored procedures:

SELECT * FROM sys_procedures

Columns

sys_procedureparameters

Describes stored procedure parameters.

The following query returns information about all of the input parameters for the SampleProcedure stored procedure:

SELECT * FROM sys_procedureparameters WHERE ProcedureName = 'SampleProcedure' AND Direction = 1 OR Direction = 2

To include result set columns in addition to the parameters, set the IncludeResultColumns pseudo column to True:

SELECT * FROM sys_procedureparameters WHERE ProcedureName = 'SampleProcedure' AND IncludeResultColumns='True'

Columns

Pseudo-Columns

sys_keycolumns

Describes the primary and foreign keys.

The following query retrieves the primary key for the Schemas table:

SELECT * FROM sys_keycolumns WHERE IsKey='True' AND TableName='Schemas'

Columns

sys_foreignkeys

Describes the foreign keys.

The following query retrieves all foreign keys which refer to other tables:

SELECT * FROM sys_foreignkeys WHERE ForeignKeyType = 'FOREIGNKEY_TYPE_IMPORT'

Columns

sys_primarykeys

Describes the primary keys.

The following query retrieves the primary keys from all tables and views:

SELECT * FROM sys_primarykeys

Columns

sys_indexes

Describes the available indexes. By filtering on indexes, you can write more selective queries with faster query response times.

The following query retrieves all indexes that are not primary keys:

SELECT * FROM sys_indexes WHERE IsPrimary='false'

Columns

sys_connection_props

Returns information on the available connection properties and those set in the connection string.

The following query retrieves all connection properties that have been set in the connection string or set through a default value:

SELECT * FROM sys_connection_props WHERE Value <> ''

Columns

sys_sqlinfo

Describes the SELECT query processing that the connector can offload to the data source.

Discovering the Data Source's SELECT Capabilities

Below is an example data set of SQL capabilities. Some aspects of SELECT functionality are returned in a comma-separated list if supported; otherwise, the column contains NO.

The following query retrieves the operators that can be used in the WHERE clause:

SELECT * FROM sys_sqlinfo WHERE Name = 'SUPPORTED_OPERATORS'

Note that individual tables may have different limitations or requirements on the WHERE clause; refer to the Data Model section for more information.

Columns

sys_identity

Returns information about attempted modifications.

The following query retrieves the Ids of the modified rows in a batch operation:

SELECT * FROM sys_identity

Columns

sys_information

Describes the available system information.

The following query retrieves all columns:

SELECT * FROM sys_information

Columns

Advanced Configurations Properties

The advanced configurations properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure. Click the links for further details.

Authentication

OAuth

JWT OAuth

SSL

Schema

Miscellaneous

Authentication

This section provides a complete list of authentication properties you can configure.

AuthScheme

The type of authentication to use when connecting to Google Data Catalog.

Possible Values

OAuth, OAuthJWT, GCPInstanceAccount, AWSWorkloadIdentity

Data Type

string

Default Value

OAuth

Remarks

• OAuth: Set this to perform OAuth authentication using a standard user account.
• OAuthJWT: Set this to perform OAuth authentication using an OAuth service account.
• GCPInstanceAccount: Set this to get Access Token from Google Cloud Platform instance.
• AWSWorkloadIdentity: Set this to authenticate using Workload Identity Federation. The connector authenticates to AWS according to the AWSWorkloadIdentityConfig and provides Google Security Token Serivce with an authentication token. The Google STS validates this token and produces an OAuth token that can access Google services.

OrganizationId

The ID associated with the Google Cloud Platform organization resource to connect to.

Data Type

string

Default Value

""

Remarks

Find this by navigating to the cloud console. Click the project selection drop-down, and select your organization from the list. Then, click More -> Settings. The organization ID is displayed on this page.

ProjectId

The ID associated with the Google Cloud Platform project resource you would like to connect to.

Data Type

string

Default Value

""

Remarks

Find this by navigating to the cloud console dashboard and selecting your project from the Select from drop-down. The project ID will be present in the Project info card. Set this to a comma-separated values for more than one Project(Project1, Project2).

OAuth

This section provides a complete list of OAuth properties you can configure.

InitiateOAuth

Specifies the process for obtaining or refreshing the OAuth access token, which maintains user access while an authenticated, authorized user is working.

Possible Values

OFF, REFRESH, GETANDREFRESH

Data Type

string

Default Value

OFF

Remarks

OAuth is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. The OAuth flow defines the method to be used for logging in users, exchanging their credentials for an OAuth access token to be used for authentication, and providing limited access to applications.

Google Data Catalog supports the following options for initiating OAuth access:

1. OFF: No automatic OAuth flow initiation. The OAuth flow is handled entirely by the user, who will take action to obtain their OAuthAccessToken. Note that with this setting the user must refresh the token manually and reconnect with an updated OAuthAccessToken property when the current token expires.
2. GETANDREFRESH: The OAuth flow is handled entirely by the connector. If a token already exists, it is refreshed when necessary. If no token currently exists, it will be obtained by prompting the user to login.
3. REFRESH: The user handles obtaining the OAuth Access Token and sets up the sequence for refreshing the OAuth Access Token. (The user is never prompted to log in to authenticate. After the user logs in, the connector handles the refresh of the OAuth Access Token.

OAuthClientId

Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication.

Data Type

string

Default Value

""

Remarks

This property is required when using a custom OAuth application, such as in web-based authentication flows, service-based authentication, or certificate-based flows that require application registration. It is also required if an embedded OAuth application is not available for the driver. When an embedded OAuth application is available, this value may already be provided by the connector and not require manual entry.

This value is generally used alongside other OAuth-related properties such as OAuthClientSecret and OAuthSettingsLocation when configuring an authenticated connection.

OAuthClientId is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can typically find this value in your identity provider’s application registration settings. Look for a field labeled Client ID, Application ID, or Consumer Key.

While the client ID is not considered a confidential value like a client secret, it is still part of your application's identity and should be handled carefully. Avoid exposing it in public repositories or shared configuration files.

OAuthClientSecret

Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server.

Data Type

string

Default Value

""

Remarks

This property is required when using a custom OAuth application in any flow that requires secure client authentication, such as web-based OAuth, service-based connections, or certificate-based authorization flows. It is not required when using an embedded OAuth application.

The client secret is used during the token exchange step of the OAuth flow, when the driver requests an access token from the authorization server. If this value is missing or incorrect, authentication will fail, and the server may return an invalid_client or unauthorized_client error.

OAuthClientSecret is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can obtain this value from your identity provider when registering the OAuth application. It may be referred to as the client secret, application secret, or consumer secret.

This value should be stored securely and never exposed in public repositories, scripts, or unsecured environments. Client secrets may also expire after a set period. Be sure to monitor expiration dates and rotate secrets as needed to maintain uninterrupted access.

OAuthAccessToken

Specifies the OAuth access token used to authenticate requests to the data source. This token is issued by the authorization server after a successful OAuth exchange.

Data Type

string

Default Value

""

Remarks

The OAuthAccessToken is a temporary credential that authorizes access to protected resources. It is typically returned by the identity provider after the user or client application completes an OAuth authentication flow. This property is most commonly used in automated workflows or custom OAuth implementations where you want to manage token handling outside of the driver.

The OAuth access token has a server-dependent timeout, limiting user access. This is set using the OAuthExpiresIn property. However, it can be reissued between requests to keep access alive as long as the user keeps working.

If InitiateOAuth is set to REFRESH, we recommend that you also set both OAuthExpiresIn and OAuthTokenTimestamp. The connector uses these properties to determine when the token expires so it can refresh most efficiently. If OAuthExpiresIn and OAuthTokenTimestamp are not specified, the connector refreshes the token immediately.

Access tokens should be treated as sensitive credentials and stored securely. Avoid exposing them in logs, scripts, or configuration files that are not access-controlled.

DelegatedServiceAccounts

A space-delimited list of service account emails for delegated requests.

Data Type

string

Default Value

""

Remarks

The service account emails must be specified in a space-delimited list.

Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain.

The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the requesting service account. The requesting service account is the one specified in the RequestingServiceAccount property.

Note that for delegated requests, the requesting service account must have the permission iam.serviceAccounts.getAccessToken, which can also be granted through the serviceAccountTokenCreator role.

RequestingServiceAccount

A service account email to make a delegated request.

Data Type

string

Default Value

""

Remarks

The service account email of the account for which the credentials are requested in a delegated request. With the list of delegated service accounts in DelegatedServiceAccounts, this property is used to make a delegated request.

You must have the IAM permission iam.serviceAccounts.getAccessToken on this service account.

OAuthSettingsLocation

The location of the settings file where OAuth values are saved when InitiateOAuth is set to GETANDREFRESH or REFRESH. Alternatively, you can hold this location in memory by specifying a value starting with 'memory://'.

Data Type

string

Default Value

%APPDATA%\CData\Acumatica Data Provider\OAuthSettings.txt

Remarks

When InitiateOAuth is set to GETANDREFRESH or REFRESH, the driver saves OAuth values to avoid requiring the user to manually enter OAuth connection properties and to allow the credentials to be shared across connections or processes.

Instead of specifying a file path, you can use memory storage. Memory locations are specified by using a value starting with 'memory://' followed by a unique identifier for that set of credentials (for example, memory://user1). The identifier can be anything you choose but should be unique to the user. Unlike file-based storage, where credentials persist across connections, memory storage loads the credentials into static memory, and the credentials are shared between connections using the same identifier for the life of the process. To persist credentials outside the current process, you must manually store the credentials prior to closing the connection. This enables you to set them in the connection when the process is started again. You can retrieve OAuth property values with a query to the sys_connection_props system table. If there are multiple connections using the same credentials, the properties are read from the previously closed connection.

The default location is "%APPDATA%\CData\Acumatica Data Provider\OAuthSettings.txt" with %APPDATA% set to the user's configuration directory. The default values are

• Windows: "register://%DSN"
• Unix: "%AppData%..."

where DSN is the name of the current DSN used in the open connection.

The following table lists the value of %APPDATA% by OS:

CallbackURL

Identifies the URL users return to after authenticating to Google Data Catalog via OAuth. (Custom OAuth applications only.).

Data Type

string

Default Value

""

Remarks

If you created a custom OAuth application, the OAuth authorization server redirects the user to this URL during the authentication process. This value must match the callback URL you specified when you Configured the custom OAuth application.

OAuthVerifier

Specifies a verifier code returned from the OAuthAuthorizationURL. Used when authenticating to OAuth on a headless server, where a browser can't be launched. Requires both OAuthSettingsLocation and OAuthVerifier to be set.

Data Type

string

Default Value

""

OAuthRefreshToken

Specifies the OAuth refresh token used to request a new access token after the original has expired.

Data Type

string

Default Value

""

Remarks

The refresh token is used to obtain a new access token when the current one expires. It enables seamless authentication for long-running or automated workflows without requiring the user to log in again. This property is especially important in headless, CI/CD, or server-based environments where interactive authentication is not possible.

The refresh token is typically obtained during the initial OAuth exchange by calling the GetOAuthAccessToken stored procedure. After that, it can be set using this property to enable automatic token refresh, or passed to the RefreshOAuthAccessToken stored procedure if you prefer to manage the refresh manually.

When InitiateOAuth is set to REFRESH, the driver uses this token to retrieve a new access token automatically. After the first refresh, the driver saves updated tokens in the location defined by OAuthSettingsLocation, and uses those values for subsequent connections.

The OAuthRefreshToken should be handled securely and stored in a trusted location. Like access tokens, refresh tokens can expire or be revoked depending on the identity provider’s policies.

OAuthExpiresIn

Specifies the duration in seconds, of an OAuth Access Token's lifetime. The token can be reissued to keep access alive as long as the user keeps working.

Data Type

string

Default Value

""

Remarks

The OAuth Access Token is assigned to an authenticated user, granting that user access to the network for a specified period of time. The access token is used in place of the user's login ID and password, which stay on the server.

An access token created by the server is only valid for a limited time. OAuthExpiresIn is the number of seconds the token is valid from when it was created. For example, a token generated at 2024-01-29 20:00:00 UTC that expires at 2024-01-29 21:00:00 UTC (an hour later) would have an OAuthExpiresIn value of 3600, no matter what the current time is.

To determine how long the user has before the Access Token will expire, use OAuthTokenTimestamp.

OAuthTokenTimestamp

Displays a Unix epoch timestamp in milliseconds that shows how long ago the current Access Token was created.

Data Type

string

Default Value

""

Remarks

The OAuth Access Token is assigned to an authenticated user, granting that user access to the network for a specified period of time. The access token is used in place of the user's login ID and password, which stay on the server.

An access token created by the server is only valid for a limited time. OAuthTokenTimestamp is the Unix timestamp when the server created the token. For example, OAuthTokenTimestamp=1706558400 indicates the OAuthAccessToken was generated by the server at 2024-01-29 20:00:00 UTC.

JWT OAuth

This section provides a complete list of JWT OAuth properties you can configure.

OAuthJWTCert

Supplies the name of the client certificate's JWT Certificate store.

Data Type

string

Default Value

""

Remarks

The OAuthJWTCertType field specifies the type of the certificate store specified in OAuthJWTCert. If the store is password-protected, use OAuthJWTCertPassword to supply the password..

OAuthJWTCert is used in conjunction with the OAuthJWTCertSubject field in order to specify client certificates.

If OAuthJWTCert has a value, and OAuthJWTCertSubject is set, the Google Data Catalog connector initiates a search for a certificate. For further information, see OAuthJWTCertSubject.

Designations of certificate stores are platform-dependent.

Notes

• The most common User and Machine certificate stores in Windows include:

  • MY: A certificate store holding personal certificates with their

    associated private keys.

  • CA: Certifying authority certificates.

  • ROOT: Root certificates.

  • SPC: Software publisher certificates.

  • In Java, the certificate store normally is a file containing certificates and optional private keys.
  • When the certificate store type is PFXFile, this property must be set to the name of the file.
  • When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

OAuthJWTCertType

Identifies the type of key store containing the JWT Certificate.

Possible Values

USER, MACHINE, PFXFILE, PFXBLOB, JKSFILE, JKSBLOB, PEMKEY_FILE, PEMKEY_BLOB, PUBLIC_KEY_FILE, PUBLIC_KEY_BLOB, SSHPUBLIC_KEY_FILE, SSHPUBLIC_KEY_BLOB, P7BFILE, PPKFILE, XMLFILE, XMLBLOB, BCFKSFILE, BCFKSBLOB, GOOGLEJSON, GOOGLEJSONBLOB

Data Type

string

Default Value

USER

Remarks

OAuthJWTCertPassword

Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank.

Data Type

string

Default Value

""

Remarks

This property specifies the password needed to open a password-protected certificate store. To determine if a password is necessary, refer to the documentation or configuration for your specific certificate store.

This is not required when using the GOOGLEJSON OAuthJWTCertType. Google JSON keys are not encrypted.

OAuthJWTCertSubject

Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate.

Data Type

string

Default Value

*

Remarks

The value of this property is used to locate a matching certificate in the store. The search process works as follows:

• If an exact match for the subject is found, the corresponding certificate is selected.
• If no exact match is found, the store is searched for certificates whose subjects contain the property value.
• If no match is found, no certificate is selected.

You can set the value to '*' to automatically select the first certificate in the store. The certificate subject is a comma-separated list of distinguished name fields and values. For example: CN=www.server.com, OU=test, C=US, E=example@jbexample.com. Common fields include:

If a field value contains a comma, enclose it in quotes. For example: "O=ACME, Inc.".

OAuthJWTIssuer

The issuer of the Java Web Token.

Data Type

string

Default Value

""

Remarks

The issuer of the Java Web Token. Enter the value of the service account email address.

This is not required when using the GOOGLEJSON OAuthJWTCertType. Google JSON keys contain a copy of the issuer account.

OAuthJWTSubject

The user subject for which the application is requesting delegated access.

Data Type

string

Default Value

""

Remarks

The user subject for which the application is requesting delegated access. Enter the email address of the user for which the application is requesting delegated access.

SSL

This section provides a complete list of SSL properties you can configure.

SSLServerCert

Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

Data Type

string

Default Value

""

Remarks

If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.

This property can take the following forms:

If not specified, any certificate trusted by the machine is accepted.

Certificates are validated as trusted by the machine based on the System's trust store. The trust store used is the 'javax.net.ssl.trustStore' value specified for the system. If no value is specified for this property, Java's default trust store is used (for example, JAVA_HOME\lib\security\cacerts).

Use '*' to signify to accept all certificates. Note that this is not recommended due to security concerns.

Schema

This section provides a complete list of schema properties you can configure.

Location

Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path.

Data Type

string

Default Value

%APPDATA%\GoogleDataCatalog Data Provider\Schema

Remarks

The Location property is only needed if you want to either customize definitions (for example, change a column name, ignore a column, etc.) or extend the data model with new tables, views, or stored procedures.

If left unspecified, the default location is %APPDATA%\GoogleDataCatalog Data Provider\Schema, where %APPDATA% is set to the user's configuration directory:

BrowsableSchemas

Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.

Data Type

string

Default Value

""

Remarks

Listing all available database schemas can take extra time, thus degrading performance. Providing a list of schemas in the connection string saves time and improves performance.

Tables

Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC.

Data Type

string

Default Value

""

Remarks

Listing all available tables from some databases can take extra time, thus degrading performance. Providing a list of tables in the connection string saves time and improves performance.

If there are lots of tables available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those tables. To do this, specify the tables you want in a comma-separated list. Each table should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Tables=TableA,[TableB/WithSlash],WithCatalog.WithSchema.`TableC With Space`.

Views

Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC.

Data Type

string

Default Value

""

Remarks

Listing all available views from some databases can take extra time, thus degrading performance. Providing a list of views in the connection string saves time and improves performance.

If there are lots of views available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those views. To do this, specify the views you want in a comma-separated list. Each view should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Views=ViewA,[ViewB/WithSlash],WithCatalog.WithSchema.`ViewC With Space`.

Miscellaneous

This section provides a complete list of miscellaneous properties you can configure.

AWSWorkloadIdentityConfig

Configuration properties to provide when using Workload Identity Federation via AWS.

Data Type

string

Default Value

""

Remarks

The properties are formatted as a semicolon-separated list of Key=Value properties, where the value is optionally quoted. For example, this setting authenticates in AWS using a user's root keys:

AWSWorkloadIdentityConfig="AuhtScheme=AwsRootKeys;AccessKey='AKIAABCDEF123456';SecretKey=...;Region=us-east-1"

MaxRows

Specifies the maximum rows returned for queries without aggregation or GROUP BY.

Data Type

int

Default Value

-1

Remarks

This property sets an upper limit on the number of rows the connector returns for queries that do not include aggregation or GROUP BY clauses. This limit ensures that queries do not return excessively large result sets by default.

When a query includes a LIMIT clause, the value specified in the query takes precedence over the MaxRows setting. If MaxRows is set to "-1", no row limit is enforced unless a LIMIT clause is explicitly included in the query.

This property is useful for optimizing performance and preventing excessive resource consumption when executing queries that could otherwise return very large datasets.

Other

Specifies additional hidden properties for specific use cases. These are not required for typical provider functionality. Use a semicolon-separated list to define multiple properties.

Data Type

string

Default Value

""

Remarks

This property allows advanced users to configure hidden properties for specialized scenarios. These settings are not required for normal use cases but can address unique requirements or provide additional functionality. Multiple properties can be defined in a semicolon-separated list.

Specify multiple properties in a semicolon-separated list.

Integration and Formatting

Pagesize

The maximum number of records per page the provider returns when requesting data from Google Data Catalog.

Data Type

int

Default Value

1000

Remarks

When processing a query, instead of requesting all of the queried data at once from Google Data Catalog, the connector can request the queried data in pieces called pages.

This connection property determines the maximum number of results that the connector requests per page.

Note that setting large page sizes may improve overall query execution time, but doing so causes the connector to use more memory when executing queries and risks triggering a timeout.

PseudoColumns

Specifies the pseudocolumns to expose as table columns. Use the format 'TableName=ColumnName;TableName=ColumnName'. The default is an empty string, which disables this property.

Data Type

string

Default Value

""

Remarks

This property allows you to define which pseudocolumns the connector exposes as table columns.

To specify individual pseudocolumns, use the following format: "Table1=Column1;Table1=Column2;Table2=Column3"

To include all pseudocolumns for all tables use: "*=*"

Timeout

Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout.

Data Type

int

Default Value

60

Remarks

This property controls the maximum time, in seconds, that the connector waits for an operation to complete before canceling it. If the timeout period expires before the operation finishes, the connector cancels the operation and throws an exception.

The timeout applies to each individual communication with the server rather than the entire query or operation. For example, a query could continue running beyond the timeout value if each paging call completes within the timeout limit.

Setting this property to 0 disables the timeout, allowing operations to run indefinitely until they succeed or fail due to other conditions such as server-side timeouts, network interruptions, or resource limits on the server. Use this property cautiously to avoid long-running operations that could degrade performance or result in unresponsive behavior.

UserDefinedViews

Specifies a filepath to a JSON configuration file defining custom views. The provider automatically detects and uses the views specified in this file.

Data Type

string

Default Value

""

Remarks

This property allows you to define and manage custom views through a JSON-formatted configuration file called UserDefinedViews.json. These views are automatically recognized by the connector and enable you to execute custom SQL queries as if they were standard database views. The JSON file defines each view as a root element with a child element called "query", which contains the SQL query for the view. For example:

{
    "MyView": {
        "query": "SELECT * FROM Schemas WHERE MyColumn = 'value'"
    },
    "MyView2": {
        "query": "SELECT * FROM MyTable WHERE Id IN (1,2,3)"
    }

}

You can define multiple views in a single file and specify the filepath using this property. For example: UserDefinedViews=C:\Path\To\UserDefinedViews.json. When you use this property, only the specified views are seen by the connector.

Refer to User Defined Views for more information.

WorkloadPoolId

The ID of your Workload Identity Federation pool.

Data Type

string

Default Value

""

Remarks

The ID of your Workload Identity Federation pool.

WorkloadProjectId

The ID of the Google Cloud project that hosts your Workload Identity Federation pool.

Data Type

string

Default Value

""

Remarks

The ID of the Google Cloud project that hosts your Workload Identity Federation pool.

WorkloadProviderId

The ID of your Workload Identity Federation pool provider.

Data Type

string

Default Value

""

Remarks

The ID of your Workload Identity Federation pool provider.