databricks/databricks-sql-pythonPublic

NotificationsYou must be signed in to change notification settings
Fork126
Star210

Commit270edcf

kravets-levko

authored and

varun-edachali-dbx

committed

[PECO-1857] Use SSL options with HTTPS connection pool (#425)

* [PECO-1857] Use SSL options with HTTPS connection poolSigned-off-by: Levko Kravets <levko.ne@gmail.com>* Some cleanupSigned-off-by: Levko Kravets <levko.ne@gmail.com>* Resolve circular dependenciesSigned-off-by: Levko Kravets <levko.ne@gmail.com>* Update existing testsSigned-off-by: Levko Kravets <levko.ne@gmail.com>* Fix MyPy issuesSigned-off-by: Levko Kravets <levko.ne@gmail.com>* Fix `_tls_no_verify` handlingSigned-off-by: Levko Kravets <levko.ne@gmail.com>* Add testsSigned-off-by: Levko Kravets <levko.ne@gmail.com>---------Signed-off-by: Levko Kravets <levko.ne@gmail.com>Signed-off-by: varun-edachali-dbx <varun.edachali@databricks.com>

1 parentb1faa09 commit270edcfCopy full SHA for 270edcf

File tree

11 files changed

+267

-159

lines changed

src/databricks/sql
- auth
  - thrift_http_client.py
- client.py
- cloudfetch
  - download_manager.py
  - downloader.py
- thrift_backend.py
- types.py
- utils.py
tests/unit

11 files changed

+267

-159

lines changed

`‎src/databricks/sql/auth/thrift_http_client.py‎`

Lines changed: 25 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,11 @@`
`1`	`1`	`importbase64`
`2`	`2`	`importlogging`
`3`	`3`	`importurllib.parse`
`4`		`-fromtypingimportDict,Union`
	`4`	`+fromtypingimportDict,Union,Optional`
`5`	`5`
`6`	`6`	`importsix`
`7`	`7`	`importthrift`
`8`	`8`
`9`		`-logger=logging.getLogger(__name__)`
`10`		`-`
`11`	`9`	`importssl`
`12`	`10`	`importwarnings`
`13`	`11`	`fromhttp.clientimportHTTPResponse`
`@@ -16,6 +14,9 @@`
`16`	`14`	`fromurllib3importHTTPConnectionPool,HTTPSConnectionPool,ProxyManager`
`17`	`15`	`fromurllib3.utilimportmake_headers`
`18`	`16`	`fromdatabricks.sql.auth.retryimportCommandType,DatabricksRetryPolicy`
	`17`	`+fromdatabricks.sql.typesimportSSLOptions`
	`18`	`+`
	`19`	`+logger=logging.getLogger(__name__)`
`19`	`20`
`20`	`21`
`21`	`22`	`classTHttpClient(thrift.transport.THttpClient.THttpClient):`
`@@ -25,13 +26,12 @@ def __init__(`
`25`	`26`	`uri_or_host,`
`26`	`27`	`port=None,`
`27`	`28`	`path=None,`
`28`		`-cafile=None,`
`29`		`-cert_file=None,`
`30`		`-key_file=None,`
`31`		`-ssl_context=None,`
	`29`	`+ssl_options:Optional[SSLOptions]=None,`
`32`	`30`	`max_connections:int=1,`
`33`	`31`	`retry_policy:Union[DatabricksRetryPolicy,int]=0,`
`34`	`32`	`):`
	`33`	`+self._ssl_options=ssl_options`
	`34`	`+`
`35`	`35`	`ifportisnotNone:`
`36`	`36`	`warnings.warn(`
`37`	`37`	`"Please use the THttpClient('http{s}://host:port/path') constructor",`
`@@ -48,13 +48,11 @@ def __init__(`
`48`	`48`	`self.scheme=parsed.scheme`
`49`	`49`	`assertself.schemein ("http","https")`
`50`	`50`	`ifself.scheme=="https":`
`51`		`-self.certfile=cert_file`
`52`		`-self.keyfile=key_file`
`53`		`-self.context= (`
`54`		`-ssl.create_default_context(cafile=cafile)`
`55`		`-if (cafileandnotssl_context)`
`56`		`-elsessl_context`
`57`		`- )`
	`51`	`+ifself._ssl_optionsisnotNone:`
	`52`	`+# TODO: Not sure if those options are used anywhere - need to double-check`
	`53`	`+self.certfile=self._ssl_options.tls_client_cert_file`
	`54`	`+self.keyfile=self._ssl_options.tls_client_cert_key_file`
	`55`	`+self.context=self._ssl_options.create_ssl_context()`
`58`	`56`	`self.port=parsed.port`
`59`	`57`	`self.host=parsed.hostname`
`60`	`58`	`self.path=parsed.path`
`@@ -109,12 +107,23 @@ def startRetryTimer(self):`
`109`	`107`	`defopen(self):`
`110`	`108`
`111`	`109`	`# self.__pool replaces the self.__http used by the original THttpClient`
	`110`	`+_pool_kwargs= {"maxsize":self.max_connections}`
	`111`	`+`
`112`	`112`	`ifself.scheme=="http":`
`113`	`113`	`pool_class=HTTPConnectionPool`
`114`	`114`	`elifself.scheme=="https":`
`115`	`115`	`pool_class=HTTPSConnectionPool`
`116`		`-`
`117`		`-_pool_kwargs= {"maxsize":self.max_connections}`
	`116`	`+_pool_kwargs.update(`
	`117`	`+ {`
	`118`	`+"cert_reqs":ssl.CERT_REQUIRED`
	`119`	`+ifself._ssl_options.tls_verify`
	`120`	`+elsessl.CERT_NONE,`
	`121`	`+"ca_certs":self._ssl_options.tls_trusted_ca_file,`
	`122`	`+"cert_file":self._ssl_options.tls_client_cert_file,`
	`123`	`+"key_file":self._ssl_options.tls_client_cert_key_file,`
	`124`	`+"key_password":self._ssl_options.tls_client_cert_key_password,`
	`125`	`+ }`
	`126`	`+ )`
`118`	`127`
`119`	`128`	`ifself.using_proxy():`
`120`	`129`	`proxy_manager=ProxyManager(`

`‎src/databricks/sql/client.py‎`

Lines changed: 16 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@`
`35`	`35`	`)`
`36`	`36`
`37`	`37`
`38`		`-fromdatabricks.sql.typesimportRow`
	`38`	`+fromdatabricks.sql.typesimportRow,SSLOptions`
`39`	`39`	`fromdatabricks.sql.auth.authimportget_python_sql_connector_auth_provider`
`40`	`40`	`fromdatabricks.sql.experimental.oauth_persistenceimportOAuthPersistence`
`41`	`41`
`@@ -178,8 +178,9 @@ def read(self) -> Optional[OAuthToken]:`
`178`	`178`	`# _tls_trusted_ca_file`
`179`	`179`	`# Set to the path of the file containing trusted CA certificates for server certificate`
`180`	`180`	`# verification. If not provide, uses system truststore.`
`181`		`-# _tls_client_cert_file, _tls_client_cert_key_file`
	`181`	`+# _tls_client_cert_file, _tls_client_cert_key_file, _tls_client_cert_key_password`
`182`	`182`	`# Set client SSL certificate.`
	`183`	`+# See https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain`
`183`	`184`	`# _retry_stop_after_attempts_count`
`184`	`185`	`# The maximum number of attempts during a request retry sequence (defaults to 24)`
`185`	`186`	`# _socket_timeout`
`@@ -220,12 +221,25 @@ def read(self) -> Optional[OAuthToken]:`
`220`	`221`
`221`	`222`	`base_headers= [("User-Agent",useragent_header)]`
`222`	`223`
	`224`	`+self._ssl_options=SSLOptions(`
	`225`	`+# Double negation is generally a bad thing, but we have to keep backward compatibility`
	`226`	`+tls_verify=notkwargs.get(`
	`227`	`+"_tls_no_verify",False`
	`228`	`+ ),# by default - verify cert and host`
	`229`	`+tls_verify_hostname=kwargs.get("_tls_verify_hostname",True),`
	`230`	`+tls_trusted_ca_file=kwargs.get("_tls_trusted_ca_file"),`
	`231`	`+tls_client_cert_file=kwargs.get("_tls_client_cert_file"),`
	`232`	`+tls_client_cert_key_file=kwargs.get("_tls_client_cert_key_file"),`
	`233`	`+tls_client_cert_key_password=kwargs.get("_tls_client_cert_key_password"),`
	`234`	`+ )`
	`235`	`+`
`223`	`236`	`self.thrift_backend=ThriftBackend(`
`224`	`237`	`self.host,`
`225`	`238`	`self.port,`
`226`	`239`	`http_path,`
`227`	`240`	`(http_headersor [])+base_headers,`
`228`	`241`	`auth_provider,`
	`242`	`+ssl_options=self._ssl_options,`
`229`	`243`	`_use_arrow_native_complex_types=_use_arrow_native_complex_types,`
`230`	`244`	`**kwargs,`
`231`	`245`	`)`

`‎src/databricks/sql/cloudfetch/download_manager.py‎`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`importlogging`
`2`	`2`
`3`		`-fromsslimportSSLContext`
`4`	`3`	`fromconcurrent.futuresimportThreadPoolExecutor,Future`
`5`	`4`	`fromtypingimportList,Union`
`6`	`5`
`@@ -9,6 +8,8 @@`
`9`	`8`	`DownloadableResultSettings,`
`10`	`9`	`DownloadedFile,`
`11`	`10`	`)`
	`11`	`+fromdatabricks.sql.typesimportSSLOptions`
	`12`	`+`
`12`	`13`	`fromdatabricks.sql.thrift_api.TCLIService.ttypesimportTSparkArrowResultLink`
`13`	`14`
`14`	`15`	`logger=logging.getLogger(__name__)`
`@@ -20,7 +21,7 @@ def __init__(`
`20`	`21`	`links:List[TSparkArrowResultLink],`
`21`	`22`	`max_download_threads:int,`
`22`	`23`	`lz4_compressed:bool,`
`23`		`-ssl_context:SSLContext,`
	`24`	`+ssl_options:SSLOptions,`
`24`	`25`	`):`
`25`	`26`	`self._pending_links:List[TSparkArrowResultLink]= []`
`26`	`27`	`forlinkinlinks:`
`@@ -38,7 +39,7 @@ def __init__(`
`38`	`39`	`self._thread_pool=ThreadPoolExecutor(max_workers=self._max_download_threads)`
`39`	`40`
`40`	`41`	`self._downloadable_result_settings=DownloadableResultSettings(lz4_compressed)`
`41`		`-self._ssl_context=ssl_context`
	`42`	`+self._ssl_options=ssl_options`
`42`	`43`
`43`	`44`	`defget_next_downloaded_file(`
`44`	`45`	`self,next_row_offset:int`
`@@ -95,7 +96,7 @@ def _schedule_downloads(self):`
`95`	`96`	`handler=ResultSetDownloadHandler(`
`96`	`97`	`settings=self._downloadable_result_settings,`
`97`	`98`	`link=link,`
`98`		`-ssl_context=self._ssl_context,`
	`99`	`+ssl_options=self._ssl_options,`
`99`	`100`	`)`
`100`	`101`	`task=self._thread_pool.submit(handler.run)`
`101`	`102`	`self._download_tasks.append(task)`

`‎src/databricks/sql/cloudfetch/downloader.py‎`

Lines changed: 5 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,13 +3,12 @@`
`3`	`3`
`4`	`4`	`importrequests`
`5`	`5`	`fromrequests.adaptersimportHTTPAdapter,Retry`
`6`		`-fromsslimportSSLContext,CERT_NONE`
`7`	`6`	`importlz4.frame`
`8`	`7`	`importtime`
`9`	`8`
`10`	`9`	`fromdatabricks.sql.thrift_api.TCLIService.ttypesimportTSparkArrowResultLink`
`11`		`-`
`12`	`10`	`fromdatabricks.sql.excimportError`
	`11`	`+fromdatabricks.sql.typesimportSSLOptions`
`13`	`12`
`14`	`13`	`logger=logging.getLogger(__name__)`
`15`	`14`
`@@ -66,11 +65,11 @@ def __init__(`
`66`	`65`	`self,`
`67`	`66`	`settings:DownloadableResultSettings,`
`68`	`67`	`link:TSparkArrowResultLink,`
`69`		`-ssl_context:SSLContext,`
	`68`	`+ssl_options:SSLOptions,`
`70`	`69`	`):`
`71`	`70`	`self.settings=settings`
`72`	`71`	`self.link=link`
`73`		`-self._ssl_context=ssl_context`
	`72`	`+self._ssl_options=ssl_options`
`74`	`73`
`75`	`74`	`defrun(self)->DownloadedFile:`
`76`	`75`	`"""`
`@@ -95,14 +94,13 @@ def run(self) -> DownloadedFile:`
`95`	`94`	`session.mount("http://",HTTPAdapter(max_retries=retryPolicy))`
`96`	`95`	`session.mount("https://",HTTPAdapter(max_retries=retryPolicy))`
`97`	`96`
`98`		`-ssl_verify=self._ssl_context.verify_mode!=CERT_NONE`
`99`		`-`
`100`	`97`	`try:`
`101`	`98`	`# Get the file via HTTP request`
`102`	`99`	`response=session.get(`
`103`	`100`	`self.link.fileLink,`
`104`	`101`	`timeout=self.settings.download_timeout,`
`105`		`-verify=ssl_verify,`
	`102`	`+verify=self._ssl_options.tls_verify,`
	`103`	+# TODO: Pass cert from `self._ssl_options`
`106`	`104`	`)`
`107`	`105`	`response.raise_for_status()`
`108`	`106`

`‎src/databricks/sql/thrift_backend.py‎`

Lines changed: 6 additions & 37 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@`
`5`	`5`	`importtime`
`6`	`6`	`importuuid`
`7`	`7`	`importthreading`
`8`		`-fromsslimportCERT_NONE,CERT_REQUIRED,create_default_context`
`9`	`8`	`fromtypingimportList,Union`
`10`	`9`
`11`	`10`	`importpyarrow`
`@@ -36,6 +35,7 @@`
`36`	`35`	`convert_decimals_in_arrow_table,`
`37`	`36`	`convert_column_based_set_to_arrow_table,`
`38`	`37`	`)`
	`38`	`+fromdatabricks.sql.typesimportSSLOptions`
`39`	`39`
`40`	`40`	`logger=logging.getLogger(__name__)`
`41`	`41`
`@@ -85,6 +85,7 @@ def __init__(`
`85`	`85`	`http_path:str,`
`86`	`86`	`http_headers,`
`87`	`87`	`auth_provider:AuthProvider,`
	`88`	`+ssl_options:SSLOptions,`
`88`	`89`	`staging_allowed_local_path:Union[None,str,List[str]]=None,`
`89`	`90`	`**kwargs,`
`90`	`91`	`):`
`@@ -93,16 +94,6 @@ def __init__(`
`93`	`94`	`# Tag to add to User-Agent header. For use by partners.`
`94`	`95`	`# _username, _password`
`95`	`96`	`# Username and password Basic authentication (no official support)`
`96`		`-# _tls_no_verify`
`97`		`-# Set to True (Boolean) to completely disable SSL verification.`
`98`		`-# _tls_verify_hostname`
`99`		`-# Set to False (Boolean) to disable SSL hostname verification, but check certificate.`
`100`		`-# _tls_trusted_ca_file`
`101`		`-# Set to the path of the file containing trusted CA certificates for server certificate`
`102`		`-# verification. If not provide, uses system truststore.`
`103`		`-# _tls_client_cert_file, _tls_client_cert_key_file, _tls_client_cert_key_password`
`104`		`-# Set client SSL certificate.`
`105`		`-# See https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain`
`106`	`97`	`# _connection_uri`
`107`	`98`	`# Overrides server_hostname and http_path.`
`108`	`99`	`# RETRY/ATTEMPT POLICY`
`@@ -162,29 +153,7 @@ def __init__(`
`162`	`153`	`# Cloud fetch`
`163`	`154`	`self.max_download_threads=kwargs.get("max_download_threads",10)`
`164`	`155`
`165`		`-# Configure tls context`
`166`		`-ssl_context=create_default_context(cafile=kwargs.get("_tls_trusted_ca_file"))`
`167`		`-ifkwargs.get("_tls_no_verify")isTrue:`
`168`		`-ssl_context.check_hostname=False`
`169`		`-ssl_context.verify_mode=CERT_NONE`
`170`		`-elifkwargs.get("_tls_verify_hostname")isFalse:`
`171`		`-ssl_context.check_hostname=False`
`172`		`-ssl_context.verify_mode=CERT_REQUIRED`
`173`		`-else:`
`174`		`-ssl_context.check_hostname=True`
`175`		`-ssl_context.verify_mode=CERT_REQUIRED`
`176`		`-`
`177`		`-tls_client_cert_file=kwargs.get("_tls_client_cert_file")`
`178`		`-tls_client_cert_key_file=kwargs.get("_tls_client_cert_key_file")`
`179`		`-tls_client_cert_key_password=kwargs.get("_tls_client_cert_key_password")`
`180`		`-iftls_client_cert_file:`
`181`		`-ssl_context.load_cert_chain(`
`182`		`-certfile=tls_client_cert_file,`
`183`		`-keyfile=tls_client_cert_key_file,`
`184`		`-password=tls_client_cert_key_password,`
`185`		`- )`
`186`		`-`
`187`		`-self._ssl_context=ssl_context`
	`156`	`+self._ssl_options=ssl_options`
`188`	`157`
`189`	`158`	`self._auth_provider=auth_provider`
`190`	`159`
`@@ -225,7 +194,7 @@ def __init__(`
`225`	`194`	`self._transport=databricks.sql.auth.thrift_http_client.THttpClient(`
`226`	`195`	`auth_provider=self._auth_provider,`
`227`	`196`	`uri_or_host=uri,`
`228`		`-ssl_context=self._ssl_context,`
	`197`	`+ssl_options=self._ssl_options,`
`229`	`198`	`**additional_transport_args,# type: ignore`
`230`	`199`	`)`
`231`	`200`
`@@ -776,7 +745,7 @@ def _results_message_to_execute_response(self, resp, operation_state):`
`776`	`745`	`max_download_threads=self.max_download_threads,`
`777`	`746`	`lz4_compressed=lz4_compressed,`
`778`	`747`	`description=description,`
`779`		`-ssl_context=self._ssl_context,`
	`748`	`+ssl_options=self._ssl_options,`
`780`	`749`	`)`
`781`	`750`	`else:`
`782`	`751`	`arrow_queue_opt=None`
`@@ -1008,7 +977,7 @@ def fetch_results(`
`1008`	`977`	`max_download_threads=self.max_download_threads,`
`1009`	`978`	`lz4_compressed=lz4_compressed,`
`1010`	`979`	`description=description,`
`1011`		`-ssl_context=self._ssl_context,`
	`980`	`+ssl_options=self._ssl_options,`
`1012`	`981`	`)`
`1013`	`982`
`1014`	`983`	`returnqueue,resp.hasMoreRows`

`‎src/databricks/sql/types.py‎`

Lines changed: 48 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,54 @@`
`19`	`19`	`fromtypingimportAny,Dict,List,Optional,Tuple,Union,TypeVar`
`20`	`20`	`importdatetime`
`21`	`21`	`importdecimal`
	`22`	`+fromsslimportSSLContext,CERT_NONE,CERT_REQUIRED,create_default_context`
	`23`	`+`
	`24`	`+`
	`25`	`+classSSLOptions:`
	`26`	`+tls_verify:bool`
	`27`	`+tls_verify_hostname:bool`
	`28`	`+tls_trusted_ca_file:Optional[str]`
	`29`	`+tls_client_cert_file:Optional[str]`
	`30`	`+tls_client_cert_key_file:Optional[str]`
	`31`	`+tls_client_cert_key_password:Optional[str]`
	`32`	`+`
	`33`	`+def__init__(`
	`34`	`+self,`
	`35`	`+tls_verify:bool=True,`
	`36`	`+tls_verify_hostname:bool=True,`
	`37`	`+tls_trusted_ca_file:Optional[str]=None,`
	`38`	`+tls_client_cert_file:Optional[str]=None,`
	`39`	`+tls_client_cert_key_file:Optional[str]=None,`
	`40`	`+tls_client_cert_key_password:Optional[str]=None,`
	`41`	`+ ):`
	`42`	`+self.tls_verify=tls_verify`
	`43`	`+self.tls_verify_hostname=tls_verify_hostname`
	`44`	`+self.tls_trusted_ca_file=tls_trusted_ca_file`
	`45`	`+self.tls_client_cert_file=tls_client_cert_file`
	`46`	`+self.tls_client_cert_key_file=tls_client_cert_key_file`
	`47`	`+self.tls_client_cert_key_password=tls_client_cert_key_password`
	`48`	`+`
	`49`	`+defcreate_ssl_context(self)->SSLContext:`
	`50`	`+ssl_context=create_default_context(cafile=self.tls_trusted_ca_file)`
	`51`	`+`
	`52`	`+ifself.tls_verifyisFalse:`
	`53`	`+ssl_context.check_hostname=False`
	`54`	`+ssl_context.verify_mode=CERT_NONE`
	`55`	`+elifself.tls_verify_hostnameisFalse:`
	`56`	`+ssl_context.check_hostname=False`
	`57`	`+ssl_context.verify_mode=CERT_REQUIRED`
	`58`	`+else:`
	`59`	`+ssl_context.check_hostname=True`
	`60`	`+ssl_context.verify_mode=CERT_REQUIRED`
	`61`	`+`
	`62`	`+ifself.tls_client_cert_file:`
	`63`	`+ssl_context.load_cert_chain(`
	`64`	`+certfile=self.tls_client_cert_file,`
	`65`	`+keyfile=self.tls_client_cert_key_file,`
	`66`	`+password=self.tls_client_cert_key_password,`
	`67`	`+ )`
	`68`	`+`
	`69`	`+returnssl_context`
`22`	`70`
`23`	`71`
`24`	`72`	`classRow(tuple):`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit270edcf

File tree

11 files changed

11 files changed

`‎src/databricks/sql/auth/thrift_http_client.py‎`

`‎src/databricks/sql/client.py‎`

`‎src/databricks/sql/cloudfetch/download_manager.py‎`

`‎src/databricks/sql/cloudfetch/downloader.py‎`

`‎src/databricks/sql/thrift_backend.py‎`

`‎src/databricks/sql/types.py‎`

0 commit comments