-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for viewer-based Databricks & Snowflake credentials #853
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there some place that this will get an integration test?
databricks_auth_args <- function(host, uid = NULL, pwd = NULL, session = NULL) { | ||
# If a session is supplied, any viewer-based auth takes precedence. | ||
if (!is.null(session)) { | ||
access_token <- connect_viewer_token(session, paste0("https://", host)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we emit something here? Seems like it would be useful to know when you've opted-in and it's not working. (And it wouldn't be too annoying to see that message when running locally.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modified this so you see the following when running locally:
! Ignoring `sesssion` parameter.
ℹ Viewer-based credentials are only available when running on Connect.
1bad351
to
1b084f2
Compare
FWIW I ran the general user-facing API design by @jcheng5 in some depth yesterday and he was on board. |
LGTM. Feel free to squash-merge when you're done. |
I got a chance to test this @atheriel, and it worked as expected. This is such a nice improvement! I will outline my experience below: SnowflakeWith the following code in my app:
Running on Workbench works with no extra messages and the app deploys successfully to Connect but the data pull fails with this in the logs:
Changing the code to:
Runs on Workbench successfully with the expected message:
It publishes successfully to Connect, and with the OAuth integration assigned and the user logged in, the data displays as expected. DatabricksWith the following code in my app:
Running on Workbench works with no extra messages and the app deploys successfully to Connect but the data pull fails with this in the logs:
Changing the code to:
Runs on Workbench successfully with the expected message:
It publishes successfully to Connect, and with the OAuth integration assigned and the user logged in, the data displays as expected. |
Can we detect if we're running connect and/or workbench and add an extra hint to the error?
|
I like adding that to make users aware especially if they accidentally omit session since they won't be used to passing it before. I have seen the Connect team use |
1b084f2
to
a293b4d
Compare
Pushed a bunch of unit tests to cover the new errors and info conditions. We now also hint about viewer-based credentials on Connect, and are more careful about what "running on Connect" means:
With Trevor's testing I now consider this safe enough to merge. |
a293b4d
to
9c625c4
Compare
This commit expands the `databricks()` and `snowflake()` helpers to support the viewer-based OAuth credentials recently introduced in Posit Connect [0]. It is designed to support writing Shiny apps that take the following form: ```r library(shiny) ui <- fluidPage(textOutput("user")) server <- function(input, output, session) { conn <- reactive({ pool::dbPool(odbc::snowflake(), session = session) }) output$user <- renderText({ res <- DBI::dbGetQuery(conn(), "SELECT CURRENT_USER()") res[[1]] }) } shinyApp(ui = ui, server = server) ``` Checks for viewer-based credentials are designed to fall back gracefully to existing authentication methods in some cases. This is intended to allow users to -- for example -- develop and test a Shiny app that uses Databricks or Snowflake credentials in desktop RStudio or Posit Workbench and deploy it with no code changes to Connect. In addition, making the caller pass a `session` argument (rather than just detecting, for example, if we're in a Shiny server context) is very intentional: it makes them express that they *want* viewer-based credentials, as opposed to using shared credentials for all viewers. It seems likely to reduce the number of cases where publisher credentials are used unexpectedly. Internally we implement the raw HTTP calls to make the token exchange with Connect to avoid taking a dependency on the `connectapi` package. Unit tests are included for most of the new error paths, but it's pretty hard to emulate what Connect is doing here without extensive mocking. [0]: https://docs.posit.co/connect/user/oauth-integrations/ Signed-off-by: Aaron Jacobs <[email protected]>
9c625c4
to
c079094
Compare
This commit brings support for Posit Connect's "viewer-based credentials" feature [0] to the Databricks and Cortex chatbots. Similar to the recent work in `odbc` [1], the way this is exposed to R users is to require them to pass a Shiny session argument to `chat_databricks()` or `chat_cortex()`. Checks for viewer-based credentials are designed to fall back gracefully to existing authentication methods. This is intended to allow users to -- for example -- develop and test a Shiny app that uses Databricks or Snowflake credentials in desktop Positron/RStudio or Posit Workbench and deploy it with no code changes to Connect. Most of the actual work is outsourced to a new shared package, `connectcreds` [2]. Note that this commit also brings the internal auth handling for Snowflake much closer to Databricks, notably by making `cortex_credentials()` internal and analogous to `databricks_token()`. Unit tests are included. [0]: https://docs.posit.co/connect/user/oauth-integrations/ [1]: r-dbi/odbc#853 [2]: https://github.com/posit-dev/connectcreds/ Signed-off-by: Aaron Jacobs <[email protected]>
This commit brings support for Posit Connect's "viewer-based credentials" feature [0] to `gh`. Similar to the recent work in `odbc` [1], the way this is exposed to R users is to require them to pass a Shiny session argument to `gh_token()`, either directly or via `gh()` or `gh_gql()`. Checks for viewer-based credentials are designed to fall back gracefully to existing authentication methods. This is intended to allow users to -- for example -- develop and test a Shiny app that uses GitHub credentials in desktop Positron/RStudio or Posit Workbench and deploy it with no code changes to Connect. Most of the actual work is outsourced to a new shared package, `connectcreds` [2]. Unit tests are included. [0]: https://docs.posit.co/connect/user/oauth-integrations/ [1]: r-dbi/odbc#853 [2]: https://github.com/posit-dev/connectcreds/ Signed-off-by: Aaron Jacobs <[email protected]>
This commit brings support for Posit Connect's "viewer-based credentials" feature [0] to `gh`. Similar to the recent work in `odbc` [1], the way this is exposed to R users is to require them to pass a Shiny session argument to `gh_token()`, either directly or via `gh()` or `gh_gql()`. Checks for viewer-based credentials are designed to fall back gracefully to existing authentication methods. This is intended to allow users to -- for example -- develop and test a Shiny app that uses GitHub credentials in desktop Positron/RStudio or Posit Workbench and deploy it with no code changes to Connect. Most of the actual work is outsourced to a new shared package, `connectcreds` [2]. Unit tests are included. [0]: https://docs.posit.co/connect/user/oauth-integrations/ [1]: r-dbi/odbc#853 [2]: https://github.com/posit-dev/connectcreds/ Signed-off-by: Aaron Jacobs <[email protected]>
This commit expands the
databricks()
andsnowflake()
helpers to support the viewer-based OAuth credentials recently introduced in Posit Connect.It is designed to support writing Shiny apps that take the following form:
Checks for viewer-based credentials are designed to fall back gracefully to existing authentication methods. This is intended to allow users to -- for example -- develop and test a Shiny app that uses Databricks or Snowflake credentials in desktop RStudio or Posit Workbench and deploy it with no code changes to Connect.
In addition, making the caller pass a
session
argument (rather than just detecting, for example, if we're in a Shiny server context) is very intentional: it makes them express that they want viewer-based credentials, as opposed to using shared credentials for all viewers. It seems likely to reduce the number of cases where publisher credentials are used unexpectedly.Internally we implement the raw HTTP calls to make the token exchange with Connect to avoid taking a dependency on the
connectapi
package.Unfortunately, there are no new tests for this change; it's pretty hard to emulate what Connect is doing here without extensive mocking.