User/password based auth

HGInsights / avalanche

Avalanche is an Elixir Snowflake Connector built on top of the Snowflake SQL API v2.

Apache License 2.0

17 stars 3 forks source link

User/password based auth #53

Open bglusman opened 1 month ago

bglusman commented 1 month ago

Is your feature request related to a problem? Please describe. I can see why you might prefer not to support basic user/password auth, but it's what we currently use in production, and changing may have some difficulty... we can probably change to OAuth with some support from another team, but being depdendent on them, and on doing oAuth client integration are both some work, and having ability to use same credentials/auth mechanism with this library or with snowflex, out current library, would be a nice-to-have

Describe the solution you'd like I guess either token would no longer be required for request, or token would gain support for uid and pwd keys?

Describe alternatives you've considered OAuth, Private key based auth are all I think Avalanche currently supports.

Additional context Not necessarily looking for you to implement this @forest (though if you want to, it's welcome), but, considering the order of operations of switching to avalanche, between this issue, desire in other issue for streaming support, and thought I'd at least raise the issue to get thoughts before deciding path forward.

forest commented 1 month ago

@bglusman are you able to use priv_key? It is very similar to password-based auth but easier to rotate since Snowflake supports two keys. This is what we use in production.

To create a key:

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out snowflake-key.p8 -nocrypt
openssl rsa -in snowflake-key.p8 -pubout -out snowflake-key.pub

Update your Snowflake user setting the value of rsa_public_key to the contents of the snowflake-key.pub key. You need to remove all the newlines.

Then in avalanche, you set token to something like this:

token:  [
        account: "my-account",
        user: "my-user",
        priv_key: "contents of the snowflake-key.p8 file"
      ]

bglusman commented 1 month ago

This is what the team and I use locally with avalanche (we use it in livebook over snowflex at present since much easier dependencies), but at the moment the team that maintains snowflake isn't comfortable setting this up for production for reasons not totally clear to me. They are looking into oAuth though, but wanted to at least discuss user/pass based auth as well.

forest commented 1 month ago

I would not recommend OAuth for production as tokens expire. Great for local development with short-lived tokens (8 hrs).

priv_key is more secure that passwords and it is possible to rotate without downtime.

If this really won't work for you, I'm open to PRs to add password based auth. I think you can add something like:

token:  [
        user: "my-user",
        password: "pass"
      ]

bglusman commented 1 month ago

RIght, if we were doing oAuth we'd probably fetch a new token via a client before every request or something, but no idea if that's practical/clean or not, never done oAuth in the background like that without user interaction that I recall.... anyway, I guess I'll try and look into adding support via token at some point, hopefully not huge effort, just wanted your input first.