Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom TrinoCredentials support #413

Open
1 task done
sugibuchi opened this issue Jun 12, 2024 · 0 comments
Open
1 task done

Custom TrinoCredentials support #413

sugibuchi opened this issue Jun 12, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@sugibuchi
Copy link

sugibuchi commented Jun 12, 2024
edited
Loading

Describe the feature

Extend the model of DB connection profiles to support custom TrinoCredentials implementations.

Context

We are currently trying to use a custom version of TrinoJwtCredentials, which uses JTW tokens dynamically fetched from Azure Active Directory (Entra ID) at the runtime instead of static tokens written in profiles.yaml.

However, the current version of dbt-trino supports only 6 predefined authentication methods and there is no way to use custom TrinoCredentials.

Proposal

Add custom to the supported values of method field in DB connection profiles. If method="custom", then the Trino adapter should be initialized with a TrinoCredentials class specified by credentials_class field.

Example:

sample_proj:
  outputs:
    dev:
      type: trino
      method: custom
      credentials_class: my.package.CustomTrinoCredentials
      custom_param: abcdefg
      host: ...

We can relatively easily implement this extension in TrinoCredentialsFactory:

class TrinoCredentialsFactory:
    @classmethod
    def _create_trino_profile(cls, profile):
        if "method" in profile:
            method = profile["method"]
            if method == "ldap":
            ...
            elif method == "custom":
                if "credentials_class" not in profile:
                    raise ValueError("method=custom must be set in conjunction with credentials_class")
                from pydoc import locate
                return locate(profile["credentials_class"])
        return TrinoNoneCredentials

Describe alternatives you've considered

No response

Who will benefit?

This feature benefits only expert users who intend to develop their custom TrinoCredentials implementation. However, custom TrinoCredentials can sometimes be very helpful, particularly when we want to use an IAM service provided by a specific cloud platform to authenticate access to Trino.

For example, we are currently testing this feature in an Azure ASK Kubernetes environment where Azure Managed Identity (MI) is enabled. With this feature and our custom TrinoJwtCredentials, we don't need to manage secrets for accessing Trino at all. This can significantly simplify the production deployment of our dbt workflows. We can expect the same benefit in other environments including Azure VM and Synapse Pipelines.

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sugibuchi