-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
streamline authentication #74
Comments
Great feedback
|
Windows authentication depends on Kerberos (or NTLM), which needs an Active Directory domain to authenticate the user in. Azure Active Directory does not handle Kerberos tokens. So users from on-premises can use windows authentication instead of AAD. |
az cli should be the way forward for interactive authentication as dbt- core based project development. I would suggest using az cli to fetch user token for interactive dbt-cloud integration as well. This will address non windows machines. @dataders , let me know what you think |
MSI profile does not make sense for dbt projects. |
Yeah we should start this conversation separately.
this should only be a consideration for SQL Server, right?
in this scenario, users could have their token/secret in an environment variable? perhaps this would be helpful in Codespace-based envs where they're auto-provisioned. |
|
I don't really agree with this proposal as I use |
after spending all day trying to debug a connection with
ActiveDirectoryServicePrincipal
authentication, I feel strongly that this spaghetti code that I helped to create must be refactored, for maintainer sanity :)For example I spent the better part of a day helping a developer debug some credentials, and I got lost in introspecting the authentication control flow. At the end of the day, the issue was that the developer was passing
1443
as the port instead of1433
.💀 💀 .Things I noticed
holdovers from on-prem SQL Server
server:port syntax
authentication: sql
is default and indicatesSqlPassword
authentication
simplificationRight now there's a lot of
get_*_access_token()
methods -- I'm not sure they're all needed.Right now there's three authentication scenarios for Fabric:
profiles.yml
and decalres the correctActiveDirectory*
type.az login
prior to invoking dbt-fabric . This path happens when user passes one of the following toauthentication
:"serviceprincipal", "cli", "msi", "auto", "environment"
We should predominately rely upon the first path, and extend only when needed. What doesn't fit into user-provided credentials are:
ActiveDirectoryInteractive
on non-Windows machines, we should support anauthentication=interactive
pathcached_az_token
or something?auto
is useful. like when would a user ever want to do what's specified inazure.identity.DefaultAzureCredential()
. Hey try a lot of things in a specific order? Seems like a recipe for trouble. but happy to be wrongsane defaults
alignment with underlying driver's defaults
I'm rather torn as to the value of having defaults that are the same as the underlying driver. This is especially complicated given that dbt Cloud also has a distinct set of defaults.
For example, if for msodbc, the default value of
Encrypt
isYes
, must we also specify it as a default? Perhaps so in this instance because with YAML it makes more sense to provide this as a Boolean T/F? Actually I thinkyaml
handlesYes
asTrue
anyway so 🤷🏻 ?Another question is if a user does not provide a value for
Encrypt
, should we still passEncrypt=Yes
into the connection string? or leave it out because it is equivalent?authentication
There should be no default authentication method (right now it is
sql
, but we should validate that user input is supported).dbt-fabric/dbt/adapters/fabric/fabric_credentials.py
Lines 9 to 22 in 89d59ca
general cleanup
there's some bare
assert
s, which is a python anti-pattern. e.g. -assert
ing thatauthentication
isNone
when the Credentials dataclass defines it as a default.Also the conditionals within the
.open()
method are hard to grok. Perhaps a standalone Class/function for connection string generation would be more self-evident as to what's going on.For example
ActiveDirectoryServicePrincipal
is not supported right now, but easily could be. #75 is one way to do this, but it smells wonky to have to add yet another conditional statement. either we exhaustively model all possible configurations, or make the logic simpler.dbt-fabric/dbt/adapters/fabric/fabric_connection_manager.py
Lines 333 to 357 in 89d59ca
The text was updated successfully, but these errors were encountered: