[PECOBLR-587] Azure Service Principal Credential Provider #621
Conversation
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
jprakash-db
requested review from
deeksha-db,
samikshya-db,
jackyhu-db,
madhav-db,
gopalldb,
jayantsing-db,
vikrantpuppala and
shivam2680
as code owners
jprakash-db
changed the title
jprakash-db
removed request for
jackyhu-db,
madhav-db,
jayantsing-db and
deeksha-db
|
|
||
| [tool.poetry.extras] | ||
| pyarrow = ["pyarrow"] | ||
|
|
||
| [tool.poetry.dev-dependencies] | ||
| [tool.poetry.group.dev.dependencies] |
There was a problem hiding this comment.
does the poetry update have to go in the same PR?
|
|
||
| if auth_type == AuthType.AZURE_SP_M2M.value: | ||
| pass | ||
| else: |
There was a problem hiding this comment.
why not just do if if auth_type != AuthType.AZURE_SP_M2M.value:
| oauth_redirect_port_range=[kwargs["oauth_redirect_port"]] | ||
| if kwargs.get("oauth_client_id") and kwargs.get("oauth_redirect_port") | ||
| if client_id and kwargs.get("oauth_redirect_port") |
There was a problem hiding this comment.
this is behaviour change from before i.e. earlier we required client_id to come in from kwargs and now it is ok even if we derive it from get_client_id_and_redirect_port, is this intended?
|
|
||
| # Private API: this is an evolving interface and it will change in the future. | ||
| # Please must not depend on it in your applications. | ||
| from databricks.sql.experimental.oauth_persistence import OAuthToken, OAuthPersistence | ||
|
|
||
| logger = logging.getLogger(__name__) |
There was a problem hiding this comment.
don't think this is being used, can we add logging?
| return app_id | ||
|
|
||
| # default databricks resource id | ||
| return "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d" |
There was a problem hiding this comment.
can we add these IDs as constants at the top so they're in one place
|
|
||
| @abstractmethod | ||
| def refresh(self) -> Token: | ||
| pass |
There was a problem hiding this comment.
can we add a comment here that we have duplicate code here with the sdk (with the code pointer) and in the long term we should try to unify?
| self.token = self.refresh() | ||
| return self.token | ||
|
|
||
| def refresh(self) -> Token: |
There was a problem hiding this comment.
how is the refresh mechanism being handled for the existing credential providers? is there opportunity to dedup/reuse?
|
|
||
| # Singleton class for common Http Client | ||
| class DatabricksHttpClient: | ||
| ## TODO: Unify all the http clients in the PySQL Connector |
There was a problem hiding this comment.
why can't this be done right now? can we not use the existing http client?
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for Azure Service Principal M2M authentication to the PySQL Connector by introducing a shared HTTP client, a client-credentials token source, and a new credentials provider for Azure SP.
- Introduce
DatabricksHttpClientfor unified HTTP logic - Add
TokenandClientCredentialsTokenSourceto manage OAuth client-credentials flow - Implement
AzureServicePrincipalCredentialProviderand wire it throughget_auth_provider
Reviewed Changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/test_thrift_field_ids.py | Formatting cleanup and consistent quote style |
| tests/unit/test_auth.py | Added tests for ClientCredentialsTokenSource and SP credential provider, JWT fixtures |
| src/databricks/sql/common/http.py | New singleton DatabricksHttpClient with retry logic |
| src/databricks/sql/auth/oauth.py | Introduced Token, RefreshableTokenSource, and ClientCredentialsTokenSource |
| src/databricks/sql/auth/common.py | Extended AuthType and helper for mapping Azure login app IDs |
| src/databricks/sql/auth/authenticators.py | Added AzureServicePrincipalCredentialProvider |
| src/databricks/sql/auth/auth.py | Updated ClientContext, get_auth_provider, and auth provider resolution for SP |
| pyproject.toml | Added pyjwt, moved dev dependencies under [tool.poetry.group.dev.dependencies] |
| from typing import Optional, List | ||
|
|
||
| from databricks.sql.auth.authenticators import ( | ||
| AuthProvider, | ||
| AccessTokenAuthProvider, | ||
| ExternalAuthProvider, | ||
| DatabricksOAuthProvider, | ||
| AzureServicePrincipalCredentialProvider, |
| cfg.hostname, | ||
| cfg.oauth_client_id, | ||
| cfg.oauth_client_secret, | ||
| cfg.azure_tenant_id, |
There was a problem hiding this comment.
We were talking about this in JDBC if tenant ID can be derived dynamically and not be a required config
|
|
||
| # Enums for HTTP Methods | ||
| class HttpMethod(str, Enum): | ||
| GET = "GET" |
There was a problem hiding this comment.
there are no existing enums for these?
| @@ -24,6 +18,9 @@ def __init__( | |||
| auth_type: Optional[str] = None, | |||
| oauth_scopes: Optional[List[str]] = None, | |||
| oauth_client_id: Optional[str] = None, | |||
| oauth_client_secret: Optional[str] = None, | |||
| azure_tenant_id: Optional[str] = None, | |||
There was a problem hiding this comment.
Can we add a todo to remove the need of passing tenant id ? databricks/databricks-sdk-py#638
Also see : https://databricks.atlassian.net/browse/PECOBLR-212
| @@ -0,0 +1,65 @@ | |||
| import requests | |||
There was a problem hiding this comment.
@varun-edachali-dbx has added a http client already, I suggest you two collaborate to push the common http to main first https://github.com/databricks/databricks-sql-python/blob/sea-migration/src/databricks/sql/backend/sea/utils/http_client.py
Description
This pull request introduces support for Azure Service Principal M2M (SP) authentication to the PySQL Connector
Key Changes
grant_type: client_credentialsNew dependencies
Tests
Expanded unit tests to cover:
Manual Testing