Signed-off-by: Andre Furlan <andre.furlan@databricks.com> Signed-off-by: Jesse Whitehouse <jesse.whitehouse@databricks.com> Co-authored-by: Jesse <jesse.whitehouse@databricks.com>
1 parent
418401f
commit f1671ed
Showing
12 changed files
with
407 additions
and
14 deletions.
@@ -16,4 +16,4 @@ test.env | |
.vscode | ||
*.log | ||
logs/ | ||
.venv | ||
.venv* |
@@ -0,0 +1,78 @@ | ||
from typing import Any, Dict, Optional | ||
from databricks.sdk.oauth import ClientCredentials, Token, TokenSource | ||
from databricks.sdk.core import CredentialsProvider, HeaderFactory, Config, credentials_provider | ||
|
||
|
||
class token_auth(CredentialsProvider): | ||
_token: str | ||
|
||
def __init__(self, token: str) -> None: | ||
self._token = token | ||
|
||
def auth_type(self) -> str: | ||
return "token" | ||
|
||
def as_dict(self) -> dict: | ||
return {"token": self._token} | ||
|
||
@staticmethod | ||
def from_dict(raw: Optional[dict]) -> CredentialsProvider: | ||
if not raw: | ||
return None | ||
return token_auth(raw["token"]) | ||
|
||
def __call__(self, *args: tuple, **kwargs: Dict[str, Any]) -> HeaderFactory: | ||
static_credentials = {"Authorization": f"Bearer {self._token}"} | ||
|
||
def inner() -> Dict[str, str]: | ||
return static_credentials | ||
|
||
return inner | ||
|
||
|
||
class m2m_auth(CredentialsProvider): | ||
_token_source: TokenSource = None | ||
|
||
def __init__(self, host: str, client_id: str, client_secret: str) -> None: | ||
@credentials_provider("noop", []) | ||
def noop_credentials(_: Any): # type: ignore | ||
return lambda: {} | ||
|
||
config = Config(host=host, credentials_provider=noop_credentials) | ||
oidc = config.oidc_endpoints | ||
scopes = ["offline_access", "all-apis"] | ||
if not oidc: | ||
raise ValueError(f"{host} does not support OAuth") | ||
if config.is_azure: | ||
# Azure AD only supports full access to Azure Databricks. | ||
scopes = [f"{config.effective_azure_login_app_id}/.default", "offline_access"] | ||
self._token_source = ClientCredentials( | ||
client_id=client_id, | ||
client_secret=client_secret, | ||
token_url=oidc.token_endpoint, | ||
scopes=scopes, | ||
use_header="microsoft" not in oidc.token_endpoint, | ||
use_params="microsoft" in oidc.token_endpoint, | ||
) | ||
|
||
def auth_type(self) -> str: | ||
return "oauth" | ||
|
||
def as_dict(self) -> dict: | ||
if self._token_source: | ||
return {"token": self._token_source.token().as_dict()} | ||
else: | ||
return {"token": {}} | ||
|
||
@staticmethod | ||
def from_dict(host: str, client_id: str, client_secret: str, raw: dict) -> CredentialsProvider: | ||
c = m2m_auth(host=host, client_id=client_id, client_secret=client_secret) | ||
c._token_source._token = Token.from_dict(raw["token"]) | ||
return c | ||
|
||
def __call__(self, *args: tuple, **kwargs: Dict[str, Any]) -> HeaderFactory: | ||
def inner() -> Dict[str, str]: | ||
token = self._token_source.token() | ||
return {"Authorization": f"{token.token_type} {token.access_token}"} | ||
|
||
return inner |
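Review bot: In `m2m_auth.__init__` the `use_header`/`use_params` arguments are chosen by a substring test on the whole token URL (`"microsoft" in oidc.token_endpoint`), so the way `client_secret` is transmitted depends on that word appearing anywhere in the host, path or query rather than on the identity provider. `config.is_azure` is already evaluated a few lines above, so keying both flags on it (`use_params=config.is_azure`, `use_header=not config.is_azure`) or on the parsed hostname of the endpoint would make the choice explicit, provided the two conditions are confirmed to coincide for every supported cloud. Separately, `m2m_auth.from_dict` assigns `c._token_source._token`, a private attribute of the SDK's `ClientCredentials` that may change between SDK releases, and `token_auth.from_dict` returns `None` although it is annotated `-> CredentialsProvider` (`Optional[CredentialsProvider]` would match the code). Both `as_dict` methods return live bearer material, and `m2m_auth.as_dict` calls `self._token_source.token()`, which presumably can trigger a token request, so a one-line docstring such as `"""Return the credential as a dict; the result contains secrets and must not be logged."""` would help callers.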
@@ -0,0 +1,26 @@ | ||
# Configure OAuth for DBT Databricks | ||
|
||
This feature is in [Public Preview](https://docs.databricks.com/release-notes/release-types.html). | ||
|
||
Databricks DBT adapter now supports authentication via OAuth in AWS and Azure. This is a much safer method as it enables you to generate short-lived (one hour) OAuth access tokens, which eliminates the risk of accidentally exposing longer-lived tokens such as Databricks personal access tokens through version control checkins or other means. OAuth also enables better server-side session invalidation and scoping. | ||
|
||
Once an admin correctly configured OAuth in Databricks, you can simply add the config `auth_type` and set it to `oauth`. Config `token` is no longer necessary. | ||
|
||
For Azure, you admin needs to create a Public AD application for dbt and provide you with its client_id. | ||
|
||
``` YAML | ||
jaffle_shop: | ||
outputs: | ||
dev: | ||
host: <databricks host name> | ||
http_path: <http path for warehouse or cluster> | ||
catalog: <UC catalog name> | ||
schema: <schema name> | ||
auth_type: oauth # new | ||
client_id: <azure application ID> # only necessary for Azure | ||
type: databricks | ||
target: dev | ||
``` | ||
|
||
|
||
|
@@ -1,2 +1,4 @@ | ||
databricks-sql-connector>=2.5.0 | ||
dbt-spark==1.4.* | ||
dbt-spark>=1.4.0 | ||
databricks-sdk>=0.1.1 | ||
keyring>=23.13.* |
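Review bot: `keyring>=23.13.*` on the last added line combines a wildcard with `>=`, which PEP 440 permits only with `==` and `!=`; recent pip/packaging releases reject such a specifier, so it should read `keyring>=23.13.0`. The new entries also carry no upper bound, and `databricks-sdk>=0.1.1` accepts any future release of a 0.x package that now handles OAuth client secrets and tokens for this adapter. A bounded range, for example `databricks-sdk>=0.1.1,<0.2.0` (constructed example; the upper bound is for the maintainers to choose), would keep an unreviewed SDK release from being pulled into the credential-handling path.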