Denodo Lineage Scanner

The Denodo lineage scanner connects to Denodo Virtual DataPort (VDP) over JDBC, extracts metadata into Ataccama ONE, and runs design-time lineage analysis.

The scanner is view-centric: it catalogs virtual databases, views, columns, and data sources. Denodo does not expose physical tables as separate catalog objects.

Physical tables might appear in lineage only when they are referenced inside SQL embedded in JDBC base views and recognized by the underlying source technology parser.

For installation, registration, and runtime placement of the scanner process, see Standalone Lineage Scanner.

Scanned and supported objects

While we strive for comprehensive lineage capture, certain dataflows and transformations might be incomplete or unavailable due to technical constraints. We continuously work to expand coverage and accuracy.

Extracted metadata

The scanner reads metadata from VDP and publishes catalog and lineage artifacts for the following Denodo objects:

Virtual databases (the scan scope is controlled with includeDatabases and excludeDatabases).
Views, including base and derived views.
View columns.
View VQL definitions.
Column dependencies reported by Denodo.
Data sources (JDBC sources include additional connection details when available).

Lineage analysis

Lineage is computed in two paths, depending on the view type:

Derived views: VQL from derived views is parsed with the Denodo SQL analyzer. Views that cannot be parsed are skipped and the scan continues.
JDBC base views: For base views backed by a JDBC wrapper, the embedded SQLSENTENCE is parsed using the technology of the underlying data source (for example, MS SQL or Oracle). When catalog context is available, lineage can include a bridge from the external source to the Denodo base view.
Physical tables: Not scanned as first-class Denodo catalog objects. They appear in lineage only when referenced in JDBC base-view SQL and resolved by the corresponding source technology parser.

Supported external technologies

For JDBC base views, lineage can be propagated through the underlying source when the data source maps to one of the following technologies:

Amazon Redshift
BigQuery
Databricks
DB2
Dremio
Hive
MS SQL
MySQL
Oracle
PostgreSQL
SAP HANA
Snowflake
Teradata

Limitations

The following are supported only in a limited way or not supported at all:

Physical tables as first-class Denodo catalog assets (only indirect lineage via JDBC base-view SQL).
Stored procedures, web services, and REST or SOAP views.
Non-JDBC base views (for example, delimited-file wrappers): Metadata might be extracted, but the JDBC base-view lineage path does not run.
Non-JDBC data sources: Listed in metadata with limited connection detail (no JDBC-style DESC DATASOURCE enrichment).
Arbitrary Denodo element types beyond views and data sources (for example, folders or interfaces).

Supported connectivity

Connector type: JDBC to Denodo VDP (jdbc:vdb), driver version 9.4.1.
Authentication method: Username and password.

The scanner host must be able to open a TCP connection to the VDP JDBC endpoint. Supported network topologies include direct routing in the same data center, site-to-site VPN or private WAN to an on-premises cluster, and SSH tunnel or jump-host port forwarding when the forwarded address and port remain stable for the duration of scans.

Denodo permissions

The VDP user defined in the scanner configuration must be able to connect to each target virtual database and read view metadata.

At minimum, grant the user the following privileges over each virtual database to be scanned:

CONNECT on the database.
METADATA on the views to be scanned.

For privilege definitions and GRANT syntax, see the Denodo documentation:

Scanner configuration

All fields marked with an asterisk (*) are mandatory.

Property Description

Property	Description
`name*`	Unique name for the scanner job.
`sourceType*`	Specifies the source type to be scanned. Must be `DENODO`.
`description*`	A human-readable description of the scan.
`jdbcUrl*`	Full JDBC connection string. Typically `jdbc:vdb://<host>:<port>/<virtual_database>`. Replace `<virtual_database>` with the name of the Denodo database you want to scan.
`username*`	Denodo VDP username.
`password*`	Denodo VDP password for the VDP user. Can be encrypted.
`includeDatabases`	List of virtual databases to include in lineage extraction.
`excludeDatabases`	List of virtual databases to exclude from lineage extraction.
`ssl`	Optional SSL/TLS configuration for encrypted connections to the Denodo VDP JDBC endpoint. If omitted, the scanner connects without TLS. See SSL configuration.

name*

Unique name for the scanner job.

sourceType*

Specifies the source type to be scanned. Must be DENODO.

description*

A human-readable description of the scan.

jdbcUrl*

Full JDBC connection string.

Typically jdbc:vdb://<host>:<port>/<virtual_database>. Replace <virtual_database> with the name of the Denodo database you want to scan.

username*

Denodo VDP username.

password*

Denodo VDP password for the VDP user. Can be encrypted.

includeDatabases

List of virtual databases to include in lineage extraction.

excludeDatabases

List of virtual databases to exclude from lineage extraction.

ssl

Optional SSL/TLS configuration for encrypted connections to the Denodo VDP JDBC endpoint. If omitted, the scanner connects without TLS. See SSL configuration.

Denodo scanner example configuration (plain connection)

{
  "scannerConfigs": [
    {
      "name": "DenodoScan",
      "sourceType": "DENODO",
      "description": "Scan corporate Denodo VDP",
      "connection": {
        "jdbcUrl": "jdbc:vdb://denodo-vdp.company.example:9999/analytics_vdb",
        "username": "lineage_scanner_svc",
        "password": "@@ref:ata:[DENODO_PASSWORD]"
      },
      "includeDatabases": ["db1"],
      "excludeDatabases": []
    }
  ]
}

SSL configuration

To encrypt the JDBC connection, add an ssl object inside connection. Providing a truststore enables one-way TLS — the scanner verifies the Denodo server certificate. Adding a keystore on top enables mutual TLS (mTLS) — the scanner also presents a client certificate.

For each keystore and truststore, supply the file as a secret reference (@@ref:ata:) to a file uploaded via the ONE web application, or as an absolute path to a file on the scanner host for local deployments.

Property Description

Property	Description
`ssl.truststore`	Truststore containing the CA or server certificate that signed the Denodo VDP certificate. Required to enable SSL.
`ssl.truststorePassword`	Password protecting the truststore. Treat as a secret.
`ssl.keystore`	Client keystore for mutual TLS. Optional — omit for one-way TLS.
`ssl.keystorePassword`	Password protecting the client keystore. Treat as a secret.

ssl.truststore

Truststore containing the CA or server certificate that signed the Denodo VDP certificate. Required to enable SSL.

ssl.truststorePassword

Password protecting the truststore. Treat as a secret.

ssl.keystore

Client keystore for mutual TLS. Optional — omit for one-way TLS.

ssl.keystorePassword

Password protecting the client keystore. Treat as a secret.

One-way TLS — truststore uploaded via Ataccama ONE UI

{
  "scannerConfigs": [
    {
      "name": "DenodoScan",
      "sourceType": "DENODO",
      "description": "Scan corporate Denodo VDP over TLS",
      "connection": {
        "jdbcUrl": "jdbc:vdb://denodo-vdp.company.example:9999/analytics_vdb",
        "username": "lineage_scanner_svc",
        "password": "@@ref:ata:[DENODO_PASSWORD]",
        "ssl": {
          "truststore": "@@ref:ata:[DENODO_TRUSTSTORE]",
          "truststorePassword": "@@ref:ata:[DENODO_TRUSTSTORE_PASSWORD]"
        }
      },
      "includeDatabases": ["db1"],
      "excludeDatabases": []
    }
  ]
}

One-way TLS — truststore by local file path

{
  "scannerConfigs": [
    {
      "name": "DenodoScan",
      "sourceType": "DENODO",
      "description": "Scan corporate Denodo VDP over TLS",
      "connection": {
        "jdbcUrl": "jdbc:vdb://denodo-vdp.company.example:9999/analytics_vdb",
        "username": "lineage_scanner_svc",
        "password": "@@ref:ata:[DENODO_PASSWORD]",
        "ssl": {
          "truststore": { "path": "/etc/scanner/denodo-truststore.jks" },
          "truststorePassword": "@@ref:ata:[DENODO_TRUSTSTORE_PASSWORD]"
        }
      },
      "includeDatabases": ["db1"],
      "excludeDatabases": []
    }
  ]
}

Mutual TLS (mTLS)

{
  "scannerConfigs": [
    {
      "name": "DenodoScan",
      "sourceType": "DENODO",
      "description": "Scan corporate Denodo VDP over mTLS",
      "connection": {
        "jdbcUrl": "jdbc:vdb://denodo-vdp.company.example:9999/analytics_vdb",
        "username": "lineage_scanner_svc",
        "password": "@@ref:ata:[DENODO_PASSWORD]",
        "ssl": {
          "truststore": "@@ref:ata:[DENODO_TRUSTSTORE]",
          "truststorePassword": "@@ref:ata:[DENODO_TRUSTSTORE_PASSWORD]",
          "keystore": "@@ref:ata:[DENODO_KEYSTORE]",
          "keystorePassword": "@@ref:ata:[DENODO_KEYSTORE_PASSWORD]"
        }
      },
      "includeDatabases": ["db1"],
      "excludeDatabases": []
    }
  ]
}

Was this page useful?