This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 7d2c1a72e7f Extract configuration-specific logic from
_get_static_conn_params() (#68597)
7d2c1a72e7f is described below
commit 7d2c1a72e7f0c4039e56c59166b4617b0074a9a2
Author: SameerMesiah97 <[email protected]>
AuthorDate: Fri Jun 26 19:37:22 2026 +0100
Extract configuration-specific logic from _get_static_conn_params() (#68597)
into dedicated helpers for connector options, workload identity,
authentication, and network configuration.
This simplifies the control flow, reduces method complexity, and
improves separation of concerns without changing behavior.
Co-authored-by: Sameer Mesiah <[email protected]>
---
.../airflow/providers/snowflake/hooks/snowflake.py | 193 +++++++++++++++------
1 file changed, 140 insertions(+), 53 deletions(-)
diff --git
a/providers/snowflake/src/airflow/providers/snowflake/hooks/snowflake.py
b/providers/snowflake/src/airflow/providers/snowflake/hooks/snowflake.py
index 56bd9afd2f3..15f3cf6f90a 100644
--- a/providers/snowflake/src/airflow/providers/snowflake/hooks/snowflake.py
+++ b/providers/snowflake/src/airflow/providers/snowflake/hooks/snowflake.py
@@ -453,37 +453,25 @@ class SnowflakeHook(DbApiHook):
conn_config.pop("password", None)
return conn_config
- @cached_property
- def _get_static_conn_params(self) -> dict[str, str | None]:
- """
- Return static Snowflake connection parameters.
+ def _build_base_conn_config(
+ self,
+ conn: Connection,
+ extra_dict: dict[str, Any],
+ ) -> dict[str, Any]:
- These parameters are cached for the lifetime of the hook and exclude
- time-sensitive values such as OAuth access tokens.
- """
- conn = self.get_connection(self.get_conn_id())
- extra_dict = conn.extra_dejson
account = self._get_field(extra_dict, "account") or ""
warehouse = self._get_field(extra_dict, "warehouse") or ""
database = self._get_field(extra_dict, "database") or ""
region = self._get_field(extra_dict, "region") or ""
role = self._get_field(extra_dict, "role") or ""
- insecure_mode = _try_to_boolean(self._get_field(extra_dict,
"insecure_mode"))
- json_result_force_utf8_decoding = _try_to_boolean(
- self._get_field(extra_dict, "json_result_force_utf8_decoding")
- )
+
schema = conn.schema or ""
- client_request_mfa_token = _try_to_boolean(self._get_field(extra_dict,
"client_request_mfa_token"))
- client_store_temporary_credential = _try_to_boolean(
- self._get_field(extra_dict, "client_store_temporary_credential")
- )
- # authenticator and session_parameters never supported long name so we
don't use _get_field
+ # authenticator and session_parameters never supported long name
authenticator = extra_dict.get("authenticator", "snowflake")
session_parameters = extra_dict.get("session_parameters")
- workload_identity_provider = self._get_field(extra_dict,
"workload_identity_provider")
- conn_config = {
+ return {
"user": conn.login,
"password": conn.password or "",
"schema": self.schema or schema,
@@ -494,9 +482,26 @@ class SnowflakeHook(DbApiHook):
"role": self.role or role,
"authenticator": self.authenticator or authenticator,
"session_parameters": self.session_parameters or
session_parameters,
- # application is used to track origin of the requests
"application": os.environ.get("AIRFLOW_SNOWFLAKE_PARTNER",
"AIRFLOW"),
}
+
+ def _add_connector_options(
+ self,
+ conn_config: dict[str, Any],
+ extra_dict: dict[str, Any],
+ ) -> None:
+ insecure_mode = _try_to_boolean(self._get_field(extra_dict,
"insecure_mode"))
+
+ json_result_force_utf8_decoding = _try_to_boolean(
+ self._get_field(extra_dict, "json_result_force_utf8_decoding")
+ )
+
+ client_request_mfa_token = _try_to_boolean(self._get_field(extra_dict,
"client_request_mfa_token"))
+
+ client_store_temporary_credential = _try_to_boolean(
+ self._get_field(extra_dict, "client_store_temporary_credential")
+ )
+
if insecure_mode:
conn_config["insecure_mode"] = insecure_mode
@@ -509,22 +514,44 @@ class SnowflakeHook(DbApiHook):
if client_store_temporary_credential:
conn_config["client_store_temporary_credential"] =
client_store_temporary_credential
- # Workload Identity Federation (keyless auth): when the connection sets
- # ``authenticator=WORKLOAD_IDENTITY``, the connector also needs to
know which
- # cloud the workload runs on. One value (AWS, AZURE, GCP or OIDC)
covers all
- # providers. See
https://docs.snowflake.com/en/user-guide/workload-identity-federation.
- if workload_identity_provider:
- conn_config["workload_identity_provider"] =
workload_identity_provider
- # AWS, AZURE and GCP fetch the identity token from the cloud's
metadata
- # service. OIDC instead requires the caller to supply the token,
either
- # inline (``token``) or from a file (``token_file_path``).
- token = self._get_field(extra_dict, "token")
- token_file_path = self._get_field(extra_dict, "token_file_path")
- if token:
- conn_config["token"] = token
- if token_file_path:
- conn_config["token_file_path"] = token_file_path
+ ocsp_fail_open = extra_dict.get("ocsp_fail_open")
+
+ if ocsp_fail_open is not None:
+ conn_config["ocsp_fail_open"] = _try_to_boolean(ocsp_fail_open)
+
+ def _add_workload_identity_config(
+ self,
+ conn_config: dict[str, Any],
+ extra_dict: dict[str, Any],
+ ) -> None:
+ workload_identity_provider = self._get_field(
+ extra_dict,
+ "workload_identity_provider",
+ )
+
+ if not workload_identity_provider:
+ return
+
+ conn_config["workload_identity_provider"] = workload_identity_provider
+
+ token = self._get_field(extra_dict, "token")
+ token_file_path = self._get_field(
+ extra_dict,
+ "token_file_path",
+ )
+
+ if token:
+ conn_config["token"] = token
+
+ if token_file_path:
+ conn_config["token_file_path"] = token_file_path
+ def _add_authentication_config(
+ self,
+ conn_config: dict[str, Any],
+ conn: Connection,
+ extra_dict: dict[str, Any],
+ ) -> None:
p_key = self.get_private_key()
if p_key:
@@ -537,41 +564,61 @@ class SnowflakeHook(DbApiHook):
conn_config["private_key"] = pkb
conn_config.pop("password", None)
- refresh_token = self._get_field(extra_dict, "refresh_token") or ""
+ refresh_token = (
+ self._get_field(
+ extra_dict,
+ "refresh_token",
+ )
+ or ""
+ )
+
if refresh_token:
conn_config["refresh_token"] = refresh_token
conn_config["authenticator"] = "oauth"
- grant_type = self._get_field(extra_dict, "grant_type") or ""
+ grant_type = (
+ self._get_field(
+ extra_dict,
+ "grant_type",
+ )
+ or ""
+ )
+
if grant_type:
conn_config["grant_type"] = grant_type
elif refresh_token:
conn_config["grant_type"] = "refresh_token"
- if conn_config.get("authenticator") == "oauth":
- conn_config["azure_conn_id"] = extra_dict.get("azure_conn_id")
+ if conn_config.get("authenticator") != "oauth":
+ return
+
+ conn_config["azure_conn_id"] = extra_dict.get("azure_conn_id")
- if not extra_dict.get("azure_conn_id"):
- conn_config["token_endpoint"] = self._get_field(extra_dict,
"token_endpoint") or ""
- conn_config["scope"] = self._get_field(extra_dict, "scope")
- conn_config["client_id"] = conn.login
- conn_config["client_secret"] = conn.password
+ if not extra_dict.get("azure_conn_id"):
+ conn_config["token_endpoint"] = self._get_field(extra_dict,
"token_endpoint") or ""
- # configure custom target hostname and port, if specified
+ conn_config["scope"] = self._get_field(
+ extra_dict,
+ "scope",
+ )
+
+ conn_config["client_id"] = conn.login
+ conn_config["client_secret"] = conn.password
+
+ def _add_network_config(
+ self,
+ conn_config: dict[str, Any],
+ extra_dict: dict[str, Any],
+ ) -> None:
snowflake_host = extra_dict.get("host")
snowflake_port = extra_dict.get("port")
+
if snowflake_host:
conn_config["host"] = snowflake_host
+
if snowflake_port:
conn_config["port"] = snowflake_port
- # if a value for ocsp_fail_open is set, pass it along.
- # Note the check is for `is not None` so that we can pass along
`False` as a value.
- ocsp_fail_open = extra_dict.get("ocsp_fail_open")
- if ocsp_fail_open is not None:
- conn_config["ocsp_fail_open"] = _try_to_boolean(ocsp_fail_open)
-
- # Add proxy configuration if specified
proxy_host = self._get_field(extra_dict, "proxy_host")
proxy_port = self._get_field(extra_dict, "proxy_port")
proxy_user = self._get_field(extra_dict, "proxy_user")
@@ -579,13 +626,53 @@ class SnowflakeHook(DbApiHook):
if proxy_host:
conn_config["proxy_host"] = proxy_host
+
if proxy_port:
conn_config["proxy_port"] = int(proxy_port) if
isinstance(proxy_port, str) else proxy_port
+
if proxy_user:
conn_config["proxy_user"] = proxy_user
+
if proxy_password:
conn_config["proxy_password"] = proxy_password
+ @cached_property
+ def _get_static_conn_params(self) -> dict[str, str | None]:
+ """
+ Return static Snowflake connection parameters.
+
+ These parameters are cached for the lifetime of the hook and exclude
+ time-sensitive values such as OAuth access tokens.
+ """
+ conn = self.get_connection(self.get_conn_id())
+ extra_dict = conn.extra_dejson
+
+ conn_config = self._build_base_conn_config(
+ conn,
+ extra_dict,
+ )
+
+ self._add_connector_options(
+ conn_config,
+ extra_dict,
+ )
+
+ self._add_workload_identity_config(
+ conn_config,
+ extra_dict,
+ )
+
+ self._add_authentication_config(
+ conn_config,
+ conn,
+ extra_dict,
+ )
+
+ self._add_network_config(
+ conn_config,
+ extra_dict,
+ )
+
return conn_config
def get_private_key(self) -> PrivateKeyTypes | None: