rusackas commented on code in PR #41421:
URL: https://github.com/apache/superset/pull/41421#discussion_r3479426267
##########
superset/db_engine_specs/databricks.py:
##########
@@ -277,6 +283,102 @@ class
DatabricksDynamicBaseEngineSpec(BasicParametersMixin, DatabricksBaseEngine
"port": "port",
}
+ # OAuth2 endpoints for different cloud providers
+ _oauth2_endpoints = {
+ "aws": {
+ "authorization_request_uri":
"https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/authorize";,
+ "token_request_uri":
"https://accounts.cloud.databricks.com/oidc/accounts/{}/v1/token";,
+ },
+ "azure": {
+ "authorization_request_uri":
"https://login.microsoftonline.com/{}/oauth2/v2.0/authorize";,
+ "token_request_uri":
"https://login.microsoftonline.com/{}/oauth2/v2.0/token";,
+ },
+ "gcp": {
+ "authorization_request_uri":
"https://accounts.gcp.databricks.com/oidc/accounts/{}/v1/authorize";,
+ "token_request_uri":
"https://accounts.gcp.databricks.com/oidc/accounts/{}/v1/token";,
+ },
+ }
+
+ @classmethod
+ def _detect_cloud_provider(cls, database: Database) -> str:
+ """
+ Detect the cloud provider based on the database configuration.
+
+ Returns:
+ str: The cloud provider ('aws', 'azure', or 'gcp')
+ """
+ # Check if cloud provider is explicitly configured in extra
+ if "cloud_provider" in (extra := cls.get_extra_params(database)):
+ provider = extra["cloud_provider"].lower()
+ if provider in cls._oauth2_endpoints:
+ return provider
+
Review Comment:
Good catch — guarded it with an `isinstance` check so a non-string
`cloud_provider` just falls through to hostname detection instead of blowing
up. Added a test for the boolean case.
##########
superset/db_engine_specs/databricks.py:
##########
@@ -474,6 +576,74 @@ class
DatabricksNativeEngineSpec(DatabricksDynamicBaseEngineSpec):
supports_dynamic_catalog = True
supports_cross_catalog_queries = True
+ # OAuth 2.0 support
+ supports_oauth2 = True
+ oauth2_exception = OAuth2RedirectError
+ oauth2_scope = "sql"
+
+ # OAuth2 endpoints are determined dynamically based on cloud provider
+ oauth2_authorization_request_uri = "" # Set dynamically
+ oauth2_token_request_uri = "" # Set dynamically
+
+ @classmethod
+ def get_oauth2_authorization_uri(
+ cls,
+ config: "OAuth2ClientConfig",
+ state: "OAuth2State",
+ code_verifier: str | None = None,
+ ) -> str:
+ """
+ Return URI for initial OAuth2 request with dynamic endpoint detection.
+
+ A fully-resolved `authorization_request_uri` from
`DATABASE_OAUTH2_CLIENTS`
+ is preserved; only fall back to the auto-detected, account-resolved
+ endpoint when none is configured.
+ """
+ if not config.get("authorization_request_uri"):
+ from superset import db
+ from superset.models.core import Database
+
+ # Get the database to detect cloud provider
+ database_id = state["database_id"]
+ if database := db.session.get(Database, database_id):
+ provider = cls._detect_cloud_provider(database)
+ from typing import cast
+
+ config = cast(
+ "OAuth2ClientConfig",
+ dict(config)
+ | {
+ "authorization_request_uri":
cls._resolve_oauth2_endpoint(
+ database, provider, "authorization_request_uri"
+ )
+ },
+ )
+
+ return super().get_oauth2_authorization_uri(config, state,
code_verifier)
Review Comment:
here comes straight off the database we just built the state from in , so a
failed lookup isn't a reachable runtime path — and the base impl already
handles an empty URI. I'd rather not add a raise for a case that can't really
happen. Leaving as-is.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
