korbit-ai[bot] commented on code in PR #34619:
URL: https://github.com/apache/superset/pull/34619#discussion_r2263040945
##########
superset/db_engine_specs/databricks.py:
##########
@@ -424,6 +448,17 @@ class
DatabricksNativeEngineSpec(DatabricksDynamicBaseEngineSpec):
supports_dynamic_catalog = True
supports_cross_catalog_queries = True
+ # OAuth 2.0 support
+ supports_oauth2 = True
+ oauth2_exception = OAuth2RedirectError
+ oauth2_scope = "sql"
+ oauth2_authorization_request_uri = (
+ "https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/authorize";
+ )
+ oauth2_token_request_uri = (
+ "https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/token"; #
noqa: S105
+ )
Review Comment:
### Duplicated OAuth2 Configuration <sub></sub>
<details>
<summary>Tell me more</summary>
###### What is the issue?
OAuth2 URIs are duplicated between DatabricksNativeEngineSpec and
DatabricksPythonConnectorEngineSpec classes.
###### Why this matters
Violates DRY principle and makes maintenance harder. If the OAuth2 endpoints
need to change, they need to be updated in multiple places.
###### Suggested change ∙ *Feature Preview*
Extract OAuth2 configuration into a mixin class or move it to the base class
DatabricksDynamicBaseEngineSpec:
```python
class DatabricksOAuth2Mixin:
supports_oauth2 = True
oauth2_exception = OAuth2RedirectError
oauth2_scope = "sql"
oauth2_authorization_request_uri =
"https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/authorize";
oauth2_token_request_uri =
"https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/token";
class DatabricksNativeEngineSpec(DatabricksOAuth2Mixin,
DatabricksDynamicBaseEngineSpec):
...
class DatabricksPythonConnectorEngineSpec(DatabricksOAuth2Mixin,
DatabricksDynamicBaseEngineSpec):
...
```
###### Provide feedback to improve future suggestions
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/106c51aa-1d04-4384-8ea5-ec022d66758a/upvote)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/106c51aa-1d04-4384-8ea5-ec022d66758a?what_not_true=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/106c51aa-1d04-4384-8ea5-ec022d66758a?what_out_of_scope=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/106c51aa-1d04-4384-8ea5-ec022d66758a?what_not_in_standard=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/106c51aa-1d04-4384-8ea5-ec022d66758a)
</details>
<sub>
💬 Looking for more details? Reply to this comment to chat with Korbit.
</sub>
<!--- korbi internal id:da3ffc86-e18c-4c90-b2e1-408b7ccf3843 -->
[](da3ffc86-e18c-4c90-b2e1-408b7ccf3843)
##########
superset/db_engine_specs/databricks.py:
##########
@@ -424,6 +448,17 @@
supports_dynamic_catalog = True
supports_cross_catalog_queries = True
+ # OAuth 2.0 support
+ supports_oauth2 = True
+ oauth2_exception = OAuth2RedirectError
+ oauth2_scope = "sql"
+ oauth2_authorization_request_uri = (
+ "https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/authorize";
+ )
Review Comment:
### Hardcoded OAuth2 endpoints limit cloud provider support <sub></sub>
<details>
<summary>Tell me more</summary>
###### What is the issue?
The OAuth2 authorization and token URIs are hardcoded to a specific
Databricks cloud provider (cloud.databricks.com), but Databricks can be hosted
on different cloud providers (AWS, Azure, GCP) with different authentication
endpoints.
###### Why this matters
Users with Databricks deployments on Azure or GCP won't be able to
authenticate as their OAuth2 endpoints differ from the hardcoded AWS endpoint.
###### Suggested change ∙ *Feature Preview*
Make the OAuth2 endpoints configurable based on the cloud provider. A
suggested implementation:
```python
OAUTH2_ENDPOINTS = {
'aws': {
'auth':
'https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/authorize',
'token':
'https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/token'
},
'azure': {
'auth': 'https://login.microsoftonline.com/{}/oauth2/v2.0/authorize',
'token': 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'
},
'gcp': {
'auth':
'https://accounts.gcp.databricks.com/oidc/accounts/{}/v1/authorize',
'token':
'https://accounts.gcp.databricks.com/oidc/accounts/{}/v1/token'
}
}
```
Then derive the endpoints based on the host or configuration.
###### Provide feedback to improve future suggestions
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/7436fefc-9263-43c4-b7ef-0897c13dab56/upvote)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/7436fefc-9263-43c4-b7ef-0897c13dab56?what_not_true=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/7436fefc-9263-43c4-b7ef-0897c13dab56?what_out_of_scope=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/7436fefc-9263-43c4-b7ef-0897c13dab56?what_not_in_standard=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/7436fefc-9263-43c4-b7ef-0897c13dab56)
</details>
<sub>
💬 Looking for more details? Reply to this comment to chat with Korbit.
</sub>
<!--- korbi internal id:4c2ff88d-3089-475c-af77-2a30ada6083d -->
[](4c2ff88d-3089-475c-af77-2a30ada6083d)
##########
docs/docs/configuration/databases.mdx:
##########
@@ -519,6 +519,63 @@ For a connection to a SQL endpoint you need to use the
HTTP path from the endpoi
{"connect_args": {"http_path": "/sql/1.0/endpoints/****", "driver_path":
"/path/to/odbc/driver"}}
```
+##### OAuth2 Authentication
+
+Superset supports OAuth2 authentication for Databricks, allowing users to
authenticate with their personal Databricks accounts instead of using shared
access tokens. This provides better security and audit capabilities.
+
+###### Prerequisites
+
+1. Create an OAuth2 application in your Databricks account:
+ - Go to your Databricks account console
+ - Navigate to **Settings** → **Developer** → **OAuth apps**
+ - Create a new OAuth app with the redirect URI:
`http://your-superset-host:port/api/v1/database/oauth2/`
+
+2. Configure OAuth2 in your `superset_config.py`:
+
+```python
+from datetime import timedelta
+
+# OAuth2 configuration for Databricks
+DATABASE_OAUTH2_CLIENTS = {
+ "Databricks (legacy)": {
+ "id": "your-databricks-client-id",
+ "secret": "your-databricks-client-secret",
+ "scope": "sql",
+ "authorization_request_uri":
"https://accounts.cloud.databricks.com/oidc/accounts/{account_id}/v1/authorize";,
+ "token_request_uri":
"https://accounts.cloud.databricks.com/oidc/accounts/{account_id}/v1/token";,
+ },
Review Comment:
### OAuth Client Secrets Exposed in Config File <sub></sub>
<details>
<summary>Tell me more</summary>
###### What is the issue?
The OAuth2 configuration example shows sensitive client credentials being
stored directly in the Python configuration file, rather than using environment
variables or a secure secret store.
###### Why this matters
Storing OAuth client secrets in code files increases risk of credential
exposure through version control, file system access, or application dumps. An
attacker with access to the config file would be able to impersonate the
application.
###### Suggested change ∙ *Feature Preview*
Replace hardcoded OAuth client secrets with environment variables or secure
secret management:
```python
import os
DATABASE_OAUTH2_CLIENTS = {
"Databricks": {
"id": os.environ["DATABRICKS_CLIENT_ID"],
"secret": os.environ["DATABRICKS_CLIENT_SECRET"],
"scope": "sql",
"authorization_request_uri":
"https://accounts.cloud.databricks.com/oidc/accounts/{account_id}/v1/authorize";,
"token_request_uri":
"https://accounts.cloud.databricks.com/oidc/accounts/{account_id}/v1/token";,
}
}
```
###### Provide feedback to improve future suggestions
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/266d0c39-a9c5-40f9-87f4-68c5baba8ac3/upvote)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/266d0c39-a9c5-40f9-87f4-68c5baba8ac3?what_not_true=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/266d0c39-a9c5-40f9-87f4-68c5baba8ac3?what_out_of_scope=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/266d0c39-a9c5-40f9-87f4-68c5baba8ac3?what_not_in_standard=true)
[](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/266d0c39-a9c5-40f9-87f4-68c5baba8ac3)
</details>
<sub>
💬 Looking for more details? Reply to this comment to chat with Korbit.
</sub>
<!--- korbi internal id:1af4171b-252d-44a4-873c-99a4f91858ef -->
[](1af4171b-252d-44a4-873c-99a4f91858ef)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
