Add support for Snowflake SSO authentication #1185

Closed
wants to merge 3 commits into from

Contributor

@adrianisk adrianisk commented Dec 12, 2018

Feature request #1172 - adds support for SSO authentication through the Snowflake Python connector, more details in the issue. I updated the Snowflake connection contract to add an 'authenticator' field, then just updated the Snowflake adapter to pass in whatever combo of authentication args was specified to the connector. Validation of the actual args is left up to the connector itself, which gives good error messages when they're invalid.

Unit tests verify everything's getting passed through correctly, and I manually tested that I can authenticate through both the 'externalbrowser' and Okta authenticator.

I did remove 'password' from the required fields in the Snowflake contract, but the error message returned by Snowflake when you forget it is pretty good:

ERROR: Database Error
251006: None: Password is empty
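
The pass-through described in the comment above, as an added example that is not code from this PR or from dbt: only the auth arguments a profile sets are forwarded as connector keyword arguments. The function names, the profile dict layout and the sample profiles are assumptions made for illustration; the HTTPS check on a URL authenticator and the log redaction go beyond the PR, which leaves validation to the connector.

```python
from urllib.parse import urlparse

# Auth keys forwarded to the connector when the profile sets them.
AUTH_KEYS = ("user", "password", "authenticator")

# Constructed sample profiles (not from the PR).
SAMPLE_PROFILES = {
    "password": {"account": "acme", "user": "ana", "password": "s3cret"},
    "browser": {"account": "acme", "user": "ana",
                "authenticator": "externalbrowser"},
    "okta": {"account": "acme", "user": "ana", "password": "s3cret",
             "authenticator": "https://example.okta.com"},
}


def classify_authenticator(value):
    """Return 'default', 'externalbrowser' or 'okta_url' for an authenticator."""
    if value is None or value.lower() == "snowflake":
        return "default"
    if value.lower() == "externalbrowser":
        return "externalbrowser"
    url = urlparse(value)
    # With a URL authenticator the user's password is sent to that
    # endpoint, so refuse anything that is not an HTTPS URL with a host.
    if url.scheme == "https" and url.hostname:
        return "okta_url"
    raise ValueError("unsupported authenticator: %r" % (value,))


def build_connect_args(profile):
    """Build connector kwargs, forwarding only the auth args that are set."""
    classify_authenticator(profile.get("authenticator"))
    args = {"account": profile["account"]}
    for key in AUTH_KEYS:
        if profile.get(key) is not None:
            args[key] = profile[key]
    return args


def redact(args):
    """Return a copy of the kwargs that is safe to write to a log."""
    return {k: ("***" if k == "password" else v) for k, v in args.items()}


if __name__ == "__main__":
    for name, profile in SAMPLE_PROFILES.items():
        print(name, redact(build_connect_args(profile)))
```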

Member

@cmcarthur cmcarthur left a comment

Hey @adriank-convoy thanks for the PR! This largely looks great, but I did leave you some comments.

One thing I'd love to understand is what it actually looks like to use externalbrowser SSO. I'd hope that this opens the authentication window one time right when dbt starts running, and then never again for the duration of the run.

I'm not very familiar with Okta but this seems like a great alternative auth strategy.

@drewbanin we can add Okta auth for Snowflake to Sinter as well (although not externalbrowser).

Review threads:

  - dbt/contracts/connection.py (outdated, resolved)
  - dbt/adapters/snowflake/impl.py (outdated, resolved)
  - dbt/contracts/connection.py (resolved)
  - sample.profiles.yml (resolved)
  - test/unit/test_snowflake_adapter.py (outdated, resolved)

Contributor Author

adrianisk commented Dec 12, 2018

Regarding the external browser experience - if you're not already logged in to your SSO provider it opens the login page when you run DBT. If you're already logged in, it just opens a page, redirects, and dbt starts running (page doesn't close automatically which is a bit annoying). The downside is that it does open a page every time you run DBT =/

It's actually not as smooth as I thought, but I figured I'd add it in as an option. If you have access to snowflake you can just try creating the snowflake connector in python which is the same experience.

Edit: also full disclosure - our Snowflake Okta app has the post back url misconfigured so I wasn't able to actually get a successful DBT run until our infra team can fix that, but it does go through the authentication flow in the Snowflake connector code so I don't see why it wouldn't work... If you guys want to hold off merging until I can get a successful run that's fine with me.

Contributor Author

adrianisk commented Dec 12, 2018

Also I realized I only tested a single model - if the connector gets recreated for each model it will open multiple times. I'll test that now...

Edit: It does 😞

Contributor Author

adrianisk commented Dec 13, 2018

Ok I figured out why I'm unable to authenticate using the Okta url authenticator - we have multi-factor auth turned on in Okta, and it appears that the snowflake connector does not handle that situation correctly. I'm going to put this PR on hold given that:

  1. The externalbrowser experience isn't great given that a new browser window is opened for every model that's run
  2. The Okta authenticator only works if you don't have MFA enabled in Okta, which is also not a great experience

I'm going to open an issue for Okta MFA on https://github.com/snowflakedb/snowflake-connector-python, and I'll get back to this PR once that's resolved.

@cmcarthur
Member

@adriank-convoy seems like there are some options based on the conversation in snowflakedb/snowflake-connector-python#140. ping me here or @connormcarthur in dbt slack when you want me to have another look at this!
