htamakos opened a new pull request, #36856:
URL: https://github.com/apache/superset/pull/36856

   ### SUMMARY
   
   This PR adds OAuth2 support for user impersonation when connecting to Snowflake.
   
   Specifically, it enables OAuth-based authentication for Snowflake connections while ensuring that OAuth is not used during test_connection execution, where validate_default_parameters=True is set in connect_args. This behavior is intentional to avoid authentication failures during connection validation.
   
   The implementation is designed to be backward-compatible with existing authentication methods and does not alter the default behavior unless OAuth-related parameters are explicitly configured.
   
   ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
   
   <img width="1464" height="827" alt="image" src="https://github.com/user-attachments/assets/57636ee4-4106-4a78-87ce-37a0f2efcbdf" />
   <img width="1468" height="826" alt="image" src="https://github.com/user-attachments/assets/3ac1e853-a570-431f-b91b-2e9054dc8b36" />
   <img width="1454" height="814" alt="image" src="https://github.com/user-attachments/assets/f520e418-b70d-48a0-a7dd-b8d5b6b996c0" />
   
   
   ### TESTING INSTRUCTIONS
   
   1. Set up OAuth integration in Snowflake
   
   Create a Snowflake security integration for OAuth:
   
   ```sql
   CREATE SECURITY INTEGRATION test_superset
       TYPE = OAUTH
       ENABLED = TRUE
       OAUTH_CLIENT = CUSTOM
       OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
       OAUTH_USE_SECONDARY_ROLES = 'IMPLICIT'
       OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE
       OAUTH_REDIRECT_URI = 'http://localhost:8088/api/v1/database/oauth2/';
   ```
   
   Retrieve the client_id and client_secret generated for this integration.
   
   2. Configure OAuth2 settings in superset_config.py
   
   Add the Snowflake OAuth2 configuration and enable the IMPERSONATE_WITH_EMAIL_PREFIX feature flag:
   
   ```python
   # timedelta is needed for DATABASE_OAUTH2_TIMEOUT below
   from datetime import timedelta
   
   DATABASE_OAUTH2_CLIENTS = {
       "Snowflake": {
           "id": "<client_id from test_superset integration>",
           "secret": "<client_secret from test_superset integration>",
           "scope": " ".join(
               [
                   "refresh_token",
               ],
           ),
           "redirect_uri": "http://localhost:8088/api/v1/database/oauth2/",
           "authorization_request_uri": "https://<snowflake account>.snowflakecomputing.com/oauth/authorize",
           "token_request_uri": "https://<snowflake account>.snowflakecomputing.com/oauth/token-request",
       },
   }
   
   DATABASE_OAUTH2_JWT_ALGORITHM = "HS256"
   DATABASE_OAUTH2_REDIRECT_URI = "http://localhost:8088/api/v1/database/oauth2/"
   DATABASE_OAUTH2_TIMEOUT = timedelta(seconds=30)
   
   FEATURE_FLAGS = {"IMPERSONATE_WITH_EMAIL_PREFIX": True}
   ```
   
   Restart Superset to apply the configuration.
   
   3. Configure the database in the Superset UI
   
   In Data → Databases, create or edit a Snowflake database with the following settings:
   
   - Key Pair Authentication
   - Impersonate user: true
   
   Save the database configuration.
   
   4. Verification
   
   - Execute queries as a logged-in user and confirm that authentication is performed via OAuth2 with user impersonation.
   - Run Test Connection for the database and verify that:
     - The connection test succeeds.
     - OAuth authentication is not attempted during test_connection.
   
   ### ADDITIONAL INFORMATION
   - [ ] Has associated issue: https://github.com/apache/superset/issues/20300
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
     - [ ] Migration is atomic, supports rollback & is backwards-compatible
     - [ ] Confirm DB migration upgrade and downgrade tested
     - [ ] Runtime estimates and downtime expectations provided
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
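
Added example, not part of the PR or of Superset's code: a pre-deployment check for a `DATABASE_OAUTH2_CLIENTS` entry like the one in step 2, which accepts the plain-HTTP `localhost` redirect only when it is explicitly allowed for local testing. The function names, the loopback allow-list, the host suffix check and the sample id, secret and account name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Assumption: suffix taken from the URLs in the PR; adjust if your account host differs.
SNOWFLAKE_SUFFIX = ".snowflakecomputing.com"


def check_url(name, url, allow_loopback_http=False, host_suffix=None):
    """Return a list of findings for one URL-valued setting."""
    if not url or "<" in url:
        return [f"{name}: missing or unfilled placeholder"]
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    loopback_ok = allow_loopback_http and parts.scheme == "http" and host in LOOPBACK_HOSTS
    if parts.scheme != "https" and not loopback_ok:
        findings.append(f"{name}: not HTTPS ({parts.scheme}://{host})")
    if host_suffix and not host.endswith(host_suffix):
        findings.append(f"{name}: host {host!r} is outside {host_suffix}")
    return findings


def audit_oauth2_client(client, global_redirect_uri, allow_loopback_http=False):
    """Audit one DATABASE_OAUTH2_CLIENTS entry; an empty list means no findings."""
    findings = []
    for key in ("id", "secret"):
        if not client.get(key) or "<" in client[key]:
            findings.append(f"{key}: missing or unfilled placeholder")
    findings += check_url("redirect_uri", client.get("redirect_uri"), allow_loopback_http)
    for key in ("authorization_request_uri", "token_request_uri"):
        findings += check_url(key, client.get(key), host_suffix=SNOWFLAKE_SUFFIX)
    if client.get("redirect_uri") != global_redirect_uri:
        findings.append("redirect_uri differs from DATABASE_OAUTH2_REDIRECT_URI")
    return findings


# Constructed sample mirroring the PR's local test setup (made-up id, secret, account).
LOCAL_TEST_CLIENT = {
    "id": "constructed-client-id",
    "secret": "constructed-client-secret",
    "scope": "refresh_token",
    "redirect_uri": "http://localhost:8088/api/v1/database/oauth2/",
    "authorization_request_uri": "https://exampleacct.snowflakecomputing.com/oauth/authorize",
    "token_request_uri": "https://exampleacct.snowflakecomputing.com/oauth/token-request",
}
GLOBAL_REDIRECT = "http://localhost:8088/api/v1/database/oauth2/"

if __name__ == "__main__":
    print(audit_oauth2_client(LOCAL_TEST_CLIENT, GLOBAL_REDIRECT))
```

With the default `allow_loopback_http=False` the local test configuration is reported for its HTTP redirect URI, which is the setting that `OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE` permits on the Snowflake side.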
   

