Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(sqlalchemy): Add Support for externalAuthentication #344

Merged
merged 1 commit into from
Sep 22, 2023

Conversation

IceS2
Copy link

@IceS2 IceS2 commented Mar 3, 2023

Description

Adds support for the 'externalAuthentication' Trino query URL parameter.

If 'externalAuthentication' is passed on the query arguments:

  • Sets 'http_scheme' to 'https'
  • Sets 'auth' to OAuth2Authentication()

Non-technical explanation

It allows to use SQLAlchemy with OAuth2Authentication.

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
( x ) Release notes are required, with the following suggested text:

* Add support to 'externalAuthentication' SQLAlchemy URL parameter.  ({issue}`#343`)

closes #343

@cla-bot
Copy link

cla-bot bot commented Mar 3, 2023

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@IceS2
Copy link
Author

IceS2 commented Mar 10, 2023

CLA should be good to go (=

@@ -106,6 +111,10 @@ def create_connect_args(self, url: URL) -> Tuple[Sequence[Any], Mapping[str, Any
kwargs["http_scheme"] = "https"
kwargs["auth"] = CertificateAuthentication(unquote_plus(url.query['cert']), unquote_plus(url.query['key']))

if "externalAuthentication" in url.query:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that it's aligning with JDBC driver, but you can simply pass "auth": OAuth2Authentication() in connect_args.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's what I've been doing when using the client directly. But I've been running into an issue passing it as a class when trying to use it from some other projects such as ipython-sql.
Eventually I found out that ipython-sql allows you to actually pass the -creator parameter to bypass the configuration by sending a connection straight away but it'd be great if it would work without this workaround.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have good behaviour when someone has externalAuthentication in URI and has explicitly set a different auth mechanism? What takes precedence? I'd like to avoid this situation of having multiple ways of configuring something since it leads to more combination of things to test and edge cases to think about.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @hashhar, I have similar feelings to be honest. I just extended the way it's being done for SQLAlchemy URIs (It's already done this way for Basic Authentication, JWT Authentication and Cert Authentication).

I think it makes sense to align with the JDBC driver and have this for SQLAlchemy... If the user passes multiple Auth Methods I think it's on the user side to be honest, but I guess it could be improved by validating if they did this somehow (checking the query args and connect_args)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This validation seems useful but out of scope of this PR because it needs to apply to other auth methods as outlined above.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean validating if the user passes multiple auth methods?

So you think it'd be fine to keep that responsibility on the user side so far? I'd be fine with it (=

@@ -106,6 +111,10 @@ def create_connect_args(self, url: URL) -> Tuple[Sequence[Any], Mapping[str, Any
kwargs["http_scheme"] = "https"
kwargs["auth"] = CertificateAuthentication(unquote_plus(url.query['cert']), unquote_plus(url.query['key']))

if "externalAuthentication" in url.query:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This validation seems useful but out of scope of this PR because it needs to apply to other auth methods as outlined above.

@hashhar
Copy link
Member

hashhar commented Apr 14, 2023

@cla-bot check

@cla-bot cla-bot bot added the cla-signed label Apr 14, 2023
@cla-bot
Copy link

cla-bot bot commented Apr 14, 2023

The cla-bot has been summoned, and re-checked this pull request!

@esemeniuc
Copy link

merge?

@hashhar
Copy link
Member

hashhar commented Sep 15, 2023

Sorry for forgetting to come back to this. I'll just squash the commits and then merge this.

Thanks for your work @esemeniuc.

After this change if 'externalAuthentication' is passed as a parameter
on the connection url we automatically set `http_schema` to `http` and
use `OAuth2Authentication`.
@hashhar
Copy link
Member

hashhar commented Sep 22, 2023

Squashed the commits + reworded commit msg, will merge once CI is finished.

@hashhar hashhar merged commit d9d46b0 into trinodb:master Sep 22, 2023
11 checks passed
@hashhar
Copy link
Member

hashhar commented Sep 22, 2023

Sorry this ended up waiting so long @IceS2.

We plan a release today/tomorrow and will announce on the #python-client on the Trino Slack.

@IceS2
Copy link
Author

IceS2 commented Sep 22, 2023

Sorry this ended up waiting so long @IceS2.

We plan a release today/tomorrow and will announce on the #python-client on the Trino Slack.

Hey! Don't worry (=
I know sometimes it takes time! I'm glad I could collaborate a bit with you folks o/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

SQLAlchemy support for externalAuthentication
4 participants