snowflakedb / snowflake-connector-python

Snowflake Connector for Python
https://pypi.python.org/pypi/snowflake-connector-python/
Apache License 2.0

SNOW-1507358: OCSP validation fails if hostname is not provided #1980

Closed vinodseshadri closed 1 week ago

vinodseshadri commented 1 week ago

Python version

Python 3.10.12

Operating system and processor architecture

Linux-5.10.215-203.850.amzn2.x86_64-x86_64-with-glibc2.26

Installed packages

snowflake-connector-python==3.11.0

What did you do?

Write simple connection code to any **private link** Snowflake.

Shown below:

from snowflake import connector as sf

# pkb: the user's private key bytes, loaded earlier (not shown in the report)
ctx = sf.connect(user = "xxxx",
                 account = "xxxxx.us-east-1.privatelink",
                 region = "us-east-1",
                 private_key = pkb,
                 database = "xxxx",
                 schema = "xxxxx",
                 warehouse = "xxxxx" )

What did you expect to see?

Expected

Connection created successfully.

Actual

Instead it timed out with JWT token

Debug logs result

In the debug logs, the below can be seen:

DEBUG:snowflake.connector.ocsp_snowflake: Failed to get OCSP response cache from http://oscp.snowflakecomputing.com/ocsp_response_cache.json

Can you set logging to DEBUG and collect the logs?

import logging
import os

for logger_name in ('snowflake.connector',):
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.DEBUG)
    ch = logging.StreamHandler()
    ch.setLevel(logging.DEBUG)
    ch.setFormatter(logging.Formatter('%(asctime)s - %(threadName)s %(filename)s:%(lineno)d - %(funcName)s() - %(levelname)s - %(message)s'))
    logger.addHandler(ch)

sfc-gh-dszmolka commented 1 week ago

hi - thanks for raising this issue. neither the configuration, nor the error message looks right here. the driver should not even try to go to the public OCSP Cache Server (ocsp.snowflakecomputing.com) if the connection configuration is correct. That's the whole idea behind private link - traffic does not go to any public endpoint.

can you please try the following:

vinodseshadri commented 1 week ago

  • lose the region from your configuration, only use account = "xxxxx.us-east-1.privatelink",

Still fails. Based on what is present in construct_hostname I believe it shouldn't matter.

  • make double sure that the accountname.us-east-1.privatelink.snowflakecomputing.com hostname actually resolves to the VPCE IP(s) when doing a dig, host, nslookup, etc. from the host you're running the PythonConnector. This is important. This hostname should not resolve to the public LB IP's. If it does, you have a DNS configuration problem.

Yes, it does resolve to internal AWS VPCE IPs.

  • if it still does not work, please use the logging suggested here and share the full logs (of course account, JWT, other sensitive data sanitized). If you don't want to share it here publicly, you can raise a Support Case to work 1:1 with a Support Engineer.

I am not sure if I could do that. But would try raising a support ticket.
But I do believe the issue is in the python SDK since SYSTEM$ALLOWLIST_PRIVATELINK gives back the right ocsp (the one with the private link) and I can access that with curl with no issues.

BTW, if I give the host name as part of sf.connect as xxxxx.us-east-1.privatelink.snowflakecomputing.com, it works fine.
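The DNS check from the second bullet (the privatelink hostname must resolve only to VPC endpoint addresses, never to the public load balancer) can be scripted so it runs from the same host as the connector. This is an added example, not code from this thread or from the connector; the `.privatelink.snowflakecomputing.com` suffix check and the use of non-globally-routable (RFC 1918 style) addresses as the "VPCE" signal are assumptions, and the sample addresses in the usage are constructed.

```python
"""Check that a Snowflake private link hostname resolves to VPC endpoint IPs only."""
import ipaddress
import socket

PRIVATELINK_SUFFIX = ".privatelink.snowflakecomputing.com"  # assumed naming pattern


def classify_addresses(hostname: str, addresses: list[str]) -> dict:
    """Classify resolved addresses for a private link hostname.

    An address counts as 'private' when it is not globally routable (e.g. the
    10.0.0.0/8 space where AWS VPC endpoint ENIs usually live). Any public
    address means DNS still points at the public load balancer, which is the
    DNS misconfiguration the thread warns about.
    """
    suffix_ok = hostname.lower().endswith(PRIVATELINK_SUFFIX)
    private, public, invalid = [], [], []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            invalid.append(addr)
            continue
        (private if ip.is_private else public).append(addr)
    return {
        "hostname": hostname,
        "privatelink_suffix": suffix_ok,
        "private": private,
        "public": public,
        "invalid": invalid,
        "ok": suffix_ok and bool(private) and not public and not invalid,
    }


def resolve(hostname: str) -> list[str]:
    """Resolve hostname to its unique A/AAAA addresses via the host's resolver."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_privatelink_host(hostname: str) -> dict:
    """Live check: resolve the hostname and classify what comes back."""
    return classify_addresses(hostname, resolve(hostname))


if __name__ == "__main__":
    # Offline demonstration with constructed addresses (no real Snowflake host).
    demo = classify_addresses("xxxxx.us-east-1.privatelink.snowflakecomputing.com",
                              ["10.20.1.5", "52.1.2.3"])
    print(demo)  # 52.1.2.3 is public, so demo["ok"] is False
```

The same check applies to the OCSP cache hostname returned by SYSTEM$ALLOWLIST_PRIVATELINK, since on a private link setup it too must resolve to VPC endpoint addresses; run `check_privatelink_host("<hostname>")` for a live lookup.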

sfc-gh-dszmolka commented 1 week ago

thank you for testing. I strongly suggest continuing this in a Support Case because we will definitely need logs.

Many of our users use the Python Connector successfully in the private link setup so we'll need to figure out what is different in your case and logs are essential for that. I understand those can't be shared here, that's no problem. Thank you in advance! (closing this one out in favour of the Support Case but still will monitor this ticket so if anything comes up, do comment please)