federation follow up [draft] #565
Open
madhav-db wants to merge 46 commits into main from tf-follow-up
base: main
Commits (46)
madhav-db 56a854f initial commit
madhav-db aedb3bf update vars
madhav-db d06672c mod
madhav-db 9aff811 debugging patch
madhav-db 299b5ae mod
madhav-db 10a5016 debug
madhav-db 3bb9b3d debug
madhav-db 708c13b debug
madhav-db a1e9894 fix
madhav-db 00e015c fix
madhav-db d538b75 fix
madhav-db 4b48ac9 fix
madhav-db e8d4a48 debug
madhav-db 5b74b60 debug
madhav-db edc6027 debug
madhav-db 3613cb0 debug
madhav-db e87b52d readability
madhav-db 929191b separate py script
madhav-db 82d0be2 addresses codecheck errors
madhav-db 1e60750 adds unit test
madhav-db de48411 Fix: Apply Black formatting to auth and token_federation modules
madhav-db d54ba93 Enhance token federation refresh to get fresh external tokens
madhav-db aa2d1b9 refresh
madhav-db 34413f3 fmt
madhav-db a93dd4b clean up
madhav-db 76df22e update and add todo for future work
madhav-db c37cd01 refactoring
madhav-db f2d4516 update test
madhav-db aeeca66 fmt
madhav-db ae28649 remove idp detection
madhav-db 541e82f fmt
madhav-db 49eab2a fmt
madhav-db e6733cb Apply black formatting to auth files
madhav-db 29f95f2 Fix token refresh to use fresh token from provider
madhav-db 2e12935 general improvements
madhav-db e9de21a minor
madhav-db efb9149 test improvements
madhav-db 7ab4068 Refactor token exchange parameters to be instance-specific in Databri…
madhav-db 9fc4c0c Refactor token expiry handling in DatabricksTokenFederationProvider a…
madhav-db 85d0cd9 addresses comments
madhav-db 5040569 initial commit
madhav-db 22a4681 change github test to adapt
madhav-db f1346b0 implement add headers to tf provider
madhav-db 4c5bce1 Enhance authentication providers by implementing CredentialsProvider …
madhav-db bafef75 Add Databricks SQL Token Federation examples and enhance authenticati…
madhav-db 19dc0b1 formatted
78 changes: 78 additions & 0 deletions in .github/workflows/token-federation-test.yml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| name: Token Federation Test | ||
| # Tests token federation functionality with GitHub Actions OIDC tokens | ||
| on: | ||
| # Manual trigger with required inputs | ||
| workflow_dispatch: | ||
| inputs: | ||
| databricks_host: | ||
| description: 'Databricks host URL (e.g., example.cloud.databricks.com)' | ||
| required: true | ||
| databricks_http_path: | ||
| description: 'Databricks HTTP path (e.g., /sql/1.0/warehouses/abc123)' | ||
| required: true | ||
| identity_federation_client_id: | ||
| description: 'Identity federation client ID' | ||
| required: true | ||
| # Run on PRs that might affect token federation | ||
| pull_request: | ||
| branches: [main] | ||
| paths: | ||
| - 'src/databricks/sql/auth/**' | ||
| - 'examples/token_federation_*.py' | ||
| - 'tests/token_federation/**' | ||
| - '.github/workflows/token-federation-test.yml' | ||
| # Run on push to main that affects token federation | ||
| push: | ||
| branches: [main] | ||
| paths: | ||
| - 'src/databricks/sql/auth/**' | ||
| - 'examples/token_federation_*.py' | ||
| - 'tests/token_federation/**' | ||
| - '.github/workflows/token-federation-test.yml' | ||
| permissions: | ||
| id-token: write # Required for GitHub OIDC token | ||
| contents: read | ||
| jobs: | ||
| test-token-federation: | ||
| name: Test Token Federation | ||
| runs-on: | ||
| group: databricks-protected-runner-group | ||
| labels: linux-ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Set up Python 3.9 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.9' | ||
| cache: 'pip' | ||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install -e . | ||
| pip install pyarrow | ||
| - name: Get GitHub OIDC token | ||
| id: get-id-token | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| script: | | ||
| const token = await core.getIDToken('https://github.com/databricks') | ||
| core.setSecret(token) | ||
| core.setOutput('token', token) | ||
| - name: Test token federation with GitHub OIDC token | ||
| env: | ||
| DATABRICKS_HOST_FOR_TF: ${{ github.event_name == 'workflow_dispatch' && inputs.databricks_host || secrets.DATABRICKS_HOST_FOR_TF }} | ||
| DATABRICKS_HTTP_PATH_FOR_TF: ${{ github.event_name == 'workflow_dispatch' && inputs.databricks_http_path || secrets.DATABRICKS_HTTP_PATH_FOR_TF }} | ||
| IDENTITY_FEDERATION_CLIENT_ID: ${{ github.event_name == 'workflow_dispatch' && inputs.identity_federation_client_id || secrets.IDENTITY_FEDERATION_CLIENT_ID }} | ||
| OIDC_TOKEN: ${{ steps.get-id-token.outputs.token }} | ||
| run: python tests/token_federation/github_oidc_test.py |
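Review bot: The `pull_request` trigger combined with `secrets.DATABRICKS_HOST_FOR_TF` (and the other two secrets) and `id-token: write` will not work for pull requests opened from forks: fork PRs receive neither repository secrets nor the `id-token: write` grant, so the job fails at `core.getIDToken` or at the test step instead of being skipped. Suggest gating the job with `if: github.event.pull_request.head.repo.full_name == github.repository` (or skipping when the secrets are empty), and keeping `pull_request` rather than `pull_request_target` so the checked-out PR code never runs with the repository's secrets. Two smaller points: the audience `'https://github.com/databricks'` is hard-coded while host, HTTP path and client id are parameterised, so a mismatch with the federation policy's expected `aud` claim would be hard to diagnose from the inputs alone; and the job has no `timeout-minutes`, which is worth adding for a job that holds a live OIDC token and talks to an external warehouse.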
109 changes: 109 additions & 0 deletions in examples/token_federation_examples.py
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| """ | ||
| Databricks SQL Token Federation Examples | ||
| This script token federation flows: | ||
| 1. U2M + Account-wide federation | ||
| 2. U2M + Workflow-level federation | ||
| 3. M2M + Account-wide federation | ||
| 4. M2M + Workflow-level federation | ||
| 5. Access Token + Workflow-level federation | ||
| 6. Access Token + Account-wide federation | ||
| Token Federation Documentation: | ||
| ------------------------------ | ||
| For detailed setup instructions, refer to the official Databricks documentation: | ||
| - General Token Federation Overview: | ||
| https://docs.databricks.com/aws/en/dev-tools/auth/oauth-federation.html | ||
| - Token Exchange Process: | ||
| https://docs.databricks.com/aws/en/dev-tools/auth/oauth-federation-howto.html | ||
| - Azure OAuth Token Federation: | ||
| https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-federation | ||
| Environment variables required: | ||
| - DATABRICKS_HOST: Databricks workspace hostname | ||
| - DATABRICKS_HTTP_PATH: HTTP path for the SQL warehouse | ||
| - AZURE_TENANT_ID: Azure tenant ID | ||
| - AZURE_CLIENT_ID: Azure client ID for service principal | ||
| - AZURE_CLIENT_SECRET: Azure client secret | ||
| - DATABRICKS_SERVICE_PRINCIPAL_ID: Databricks service principal ID for workflow federation | ||
| """ | ||
| import os | ||
| from databricks import sql | ||
| def run_query(connection, description): | ||
| cursor = connection.cursor() | ||
| cursor.execute("SELECT 1+1 AS result") | ||
| result = cursor.fetchall() | ||
| print(f"Query result: {result[0][0]}") | ||
| cursor.close() | ||
| def demonstrate_m2m_federation(env_vars, use_workflow_federation=False): | ||
| """Demonstrate M2M (service principal) token federation""" | ||
| connection_params = { | ||
| "server_hostname": env_vars["DATABRICKS_HOST"], | ||
| "http_path": env_vars["DATABRICKS_HTTP_PATH"], | ||
| "auth_type": "client-credentials", | ||
| "oauth_client_id": env_vars["AZURE_CLIENT_ID"], | ||
| "client_secret": env_vars["AZURE_CLIENT_SECRET"], | ||
| "tenant_id": env_vars["AZURE_TENANT_ID"], | ||
| "use_token_federation": True | ||
| } | ||
| if use_workflow_federation and env_vars["DATABRICKS_SERVICE_PRINCIPAL_ID"]: | ||
| connection_params["identity_federation_client_id"] = env_vars["DATABRICKS_SERVICE_PRINCIPAL_ID"] | ||
| description = "M2M + Workflow-level Federation" | ||
| else: | ||
| description = "M2M + Account-wide Federation" | ||
| with sql.connect(**connection_params) as connection: | ||
| run_query(connection, description) | ||
| def demonstrate_u2m_federation(env_vars, use_workflow_federation=False): | ||
| """Demonstrate U2M (interactive) token federation""" | ||
| connection_params = { | ||
| "server_hostname": env_vars["DATABRICKS_HOST"], | ||
| "http_path": env_vars["DATABRICKS_HTTP_PATH"], | ||
| "auth_type": "databricks-oauth", # Will open browser for interactive auth | ||
| "use_token_federation": True | ||
| } | ||
| if use_workflow_federation and env_vars["DATABRICKS_SERVICE_PRINCIPAL_ID"]: | ||
| connection_params["identity_federation_client_id"] = env_vars["DATABRICKS_SERVICE_PRINCIPAL_ID"] | ||
| description = "U2M + Workflow-level Federation (Interactive)" | ||
| else: | ||
| description = "U2M + Account-wide Federation (Interactive)" | ||
| # This will open a browser for interactive auth | ||
| with sql.connect(**connection_params) as connection: | ||
| run_query(connection, description) | ||
| def demonstrate_access_token_federation(env_vars): | ||
| """Demonstrate access token token federation""" | ||
| access_token = os.environ.get("ACCESS_TOKEN") # This is to demonstrate a token obtained from an identity provider | ||
| connection_params = { | ||
| "server_hostname": env_vars["DATABRICKS_HOST"], | ||
| "http_path": env_vars["DATABRICKS_HTTP_PATH"], | ||
| "access_token": access_token, | ||
| "use_token_federation": True | ||
| } | ||
| # Add workflow federation if available | ||
| if env_vars["DATABRICKS_SERVICE_PRINCIPAL_ID"]: | ||
| connection_params["identity_federation_client_id"] = env_vars["DATABRICKS_SERVICE_PRINCIPAL_ID"] | ||
| description = "Access Token + Workflow-level Federation" | ||
| else: | ||
| description = "Access Token + Account-wide Federation" | ||
| with sql.connect(**connection_params) as connection: | ||
| run_query(connection, description) | ||
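Review bot: `run_query` accepts a `description` parameter but never uses it, so all six flows print an indistinguishable `Query result: 2`; print the description before running the query so the example's output shows which federation mode was exercised. In `demonstrate_access_token_federation`, `os.environ.get("ACCESS_TOKEN")` can return `None`, which is then passed straight to `sql.connect` as `access_token`; raise a clear error when it is unset, and add `ACCESS_TOKEN` to the "Environment variables required" list in the module docstring, which currently omits it. All three functions index `env_vars["DATABRICKS_SERVICE_PRINCIPAL_ID"]` directly even though the branch is meant to handle that variable being absent, so a missing key raises `KeyError` instead of falling back to account-wide federation; `env_vars.get("DATABRICKS_SERVICE_PRINCIPAL_ID")` fixes that. Also the docstring line `This script token federation flows:` is missing its verb.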