@tabVersion tabVersion commented Dec 15, 2025

  • Renamed jwt_private_key to jwt_private_key_path for clarity.
  • Added new fields: jwt_private_key_pkcs8_value and jwt_private_key_pkcs8_password to support additional JWT authentication methods.
  • Updated the builder logic to accommodate the new fields for improved authentication handling.

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

Checklist

  • I have written necessary rustdoc comments.
  • I have added necessary unit tests and integration tests.
  • I have added test labels as necessary.
  • I have added fuzzing tests or opened an issue to track them.
  • My PR contains breaking changes.
  • My PR changes performance-critical code, so I will run (micro) benchmarks and present the results.
  • I have checked the Release Timeline and Currently Supported Versions to determine which release branches I need to cherry-pick this PR into.

Manual Test Results

Conclusion: the SDK can work with Key Pair Auth

Setup

On the Snowflake side (for MYDB.PUBLIC.ALL_TYPES_DEMO)

CREATE ROLE IF NOT EXISTS APP_ROLE;

CREATE USER IF NOT EXISTS APP_USER
  DEFAULT_ROLE = APP_ROLE
  DEFAULT_WAREHOUSE = COMPUTE_WH
  MUST_CHANGE_PASSWORD = FALSE
  DISABLED = FALSE;

-- no pub key header/footer and \n
ALTER USER APP_USER SET RSA_PUBLIC_KEY = 'MII ... AB';

GRANT USAGE ON DATABASE MYDB TO ROLE APP_ROLE;
GRANT USAGE ON SCHEMA MYDB.PUBLIC TO ROLE APP_ROLE;
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLE MYDB.PUBLIC.ALL_TYPES_DEMO TO ROLE APP_ROLE;

Test On RW Side

  • Not enough privilege

    • show error message: Protocol error: Failed to create connection: IO: [Snowflake] 390201 (08004): The requested schema does not exist or not authorized. (sqlstate: [48, 56, 48, 48, 52], vendor_code: 390201)
  • PKCS#1

create table t (primary key ("ID_PART1", "ID_PART2")) with (
    connector = 'adbc_snowflake',
    adbc_snowflake.account = 'yipqner-bu12886',
    adbc_snowflake.username = 'APP_USER',
    adbc_snowflake.auth_type = 'auth_jwt',
    adbc_snowflake.jwt_private_key_path = secret private_key as file,
    adbc_snowflake.database = 'MYDB',
    adbc_snowflake.schema = 'PUBLIC',
    adbc_snowflake.warehouse = 'COMPUTE_WH',
    adbc_snowflake.table = 'ALL_TYPES_DEMO',
    refresh_mode = 'FULL_RELOAD'
);

  • PKCS#8 (without encryption)
    • For a PKCS#8 private key, you need to pass it as raw bytes instead of a file path.
    • It can also accept adbc_snowflake.jwt_private_key_pkcs8_password, but it will be ignored.

create table t (primary key ("ID_PART1", "ID_PART2")) with (
    connector = 'adbc_snowflake',
    adbc_snowflake.account = 'yipqner-bu12886',
    adbc_snowflake.username = 'APP_USER',
    adbc_snowflake.auth_type = 'auth_jwt',
    adbc_snowflake.jwt_private_key_pkcs8_value = secret pk_without_pass,
    adbc_snowflake.database = 'MYDB',
    adbc_snowflake.schema = 'PUBLIC',
    adbc_snowflake.warehouse = 'COMPUTE_WH',
    adbc_snowflake.table = 'ALL_TYPES_DEMO',
    refresh_mode = 'FULL_RELOAD'
);

  • PKCS#8 (with encryption)

create table t (primary key ("ID_PART1", "ID_PART2")) with (
    connector = 'adbc_snowflake',
    adbc_snowflake.account = 'yipqner-bu12886',
    adbc_snowflake.username = 'APP_USER',
    adbc_snowflake.auth_type = 'auth_jwt',
    adbc_snowflake.jwt_private_key_pkcs8_value = secret pk_w_pass,
    adbc_snowflake.jwt_private_key_pkcs8_password = 'testpassword123',
    adbc_snowflake.database = 'MYDB',
    adbc_snowflake.schema = 'PUBLIC',
    adbc_snowflake.warehouse = 'COMPUTE_WH',
    adbc_snowflake.table = 'ALL_TYPES_DEMO',
    refresh_mode = 'FULL_RELOAD'
);

You need to provide both adbc_snowflake.jwt_private_key_pkcs8_value and adbc_snowflake.jwt_private_key_pkcs8_password.
Otherwise you will get: Protocol error: Failed to build database: InvalidArguments: adbc.snowflake.sql.client_option.jwt_private_key_pkcs8_password is not configured (sqlstate: [0, 0, 0, 0, 0], vendor_code: -2147483648)


Summary

  • For PKCS#1 format (begins with BEGIN RSA PRIVATE KEY), pass it to adbc_snowflake.jwt_private_key_path as a file path.
  • For PKCS#8 format (begins with BEGIN PRIVATE KEY or BEGIN ENCRYPTED PRIVATE KEY), pass it to adbc_snowflake.jwt_private_key_pkcs8_value as raw bytes.
  • If the format mismatches, you get an error like:
Protocol error: Failed to build database: InvalidArguments: failed parsing private key file '.../risingwave/.risingwave/secrets/c27bed26-c930-4246-88ef-862f29c42959/2/26': asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:87 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} int @2 (sqlstate: [0, 0, 0, 0, 0], vendor_code: -2147483648)

Documentation

  • My PR needs documentation updates.
Release note

@github-actions github-actions bot added the type/feature Type: New feature. label Dec 15, 2025
@tabVersion tabVersion changed the title feat(adbc): add ADBC Snowflake driver support and related configurations feat(adbc): add ADBC Snowflake Auth Related Dec 15, 2025
@tabVersion tabVersion requested a review from chenzl25 December 15, 2025 10:54
tab added 3 commits December 16, 2025 13:42
- Renamed `jwt_private_key` to `jwt_private_key_path` for clarity.
- Added new fields: `jwt_private_key_pkcs8_value` and `jwt_private_key_pkcs8_password` to support additional JWT authentication methods.
- Updated the builder logic to accommodate the new fields for improved authentication handling.
…word

- Changed the `password` field in `AdbcSnowflakeProperties` from `String` to `Option<String>` to allow for optional password authentication.
- Updated the builder logic to conditionally include the password only if it is provided, enhancing flexibility in authentication methods.

@chenzl25 chenzl25 left a comment

LGTM

@chenzl25 chenzl25 requested a review from yuhao-su December 16, 2025 07:05
@tabVersion tabVersion merged commit 76671bb into tab/snowflake Dec 16, 2025
28 of 30 checks passed
@tabVersion tabVersion deleted the tab/snowflake-auth branch December 16, 2025 12:33
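
An added example, not part of the pull request or RisingWave's code: a pre-flight check that applies the key-format rules from the PR description's Summary, so a PKCS#1/PKCS#8 mix-up or a missing password is caught before the driver returns its asn1 or "not configured" error. `KeyRoute`, `pem_label`, `route_private_key` and `public_key_body` are hypothetical names and the PEM samples are constructed; the option names are the ones used in the PR description.

```rust
// Added example (not RisingWave code). KeyRoute and the functions are hypothetical;
// the option names in the comments are the ones from the PR description.
#[derive(Debug, PartialEq)]
enum KeyRoute {
    /// PKCS#1: store the PEM as a file, set adbc_snowflake.jwt_private_key_path.
    Pkcs1Path,
    /// Unencrypted PKCS#8: pass the PEM in adbc_snowflake.jwt_private_key_pkcs8_value.
    Pkcs8Value,
    /// Encrypted PKCS#8: additionally set adbc_snowflake.jwt_private_key_pkcs8_password.
    Pkcs8ValueWithPassword,
}

/// Label of the first "-----BEGIN <label>-----" line, if any.
fn pem_label(pem: &str) -> Option<&str> {
    pem.lines()
        .map(str::trim)
        .find_map(|l| l.strip_prefix("-----BEGIN ")?.strip_suffix("-----"))
}

/// Decide which connector option a private key belongs in.
fn route_private_key(pem: &str, password: Option<&str>) -> Result<KeyRoute, String> {
    match (pem_label(pem), password) {
        (Some("RSA PRIVATE KEY"), _) => Ok(KeyRoute::Pkcs1Path),
        // A password supplied with an unencrypted PKCS#8 key is ignored.
        (Some("PRIVATE KEY"), _) => Ok(KeyRoute::Pkcs8Value),
        (Some("ENCRYPTED PRIVATE KEY"), Some(_)) => Ok(KeyRoute::Pkcs8ValueWithPassword),
        (Some("ENCRYPTED PRIVATE KEY"), None) => {
            Err("encrypted PKCS#8 key requires jwt_private_key_pkcs8_password".into())
        }
        (Some(other), _) => Err(format!("unsupported PEM label: {}", other)),
        (None, _) => Err("no PEM BEGIN line found".into()),
    }
}

/// Value for ALTER USER ... SET RSA_PUBLIC_KEY: base64 body only, no header/footer, no newlines.
fn public_key_body(pem: &str) -> String {
    pem.lines().map(str::trim).filter(|l| !l.is_empty() && !l.starts_with("-----")).collect()
}

fn main() {
    // Constructed, truncated PEMs: only the labels are inspected.
    let pkcs1 = "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n";
    let enc = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF\n-----END ENCRYPTED PRIVATE KEY-----\n";
    println!("{:?}", route_private_key(pkcs1, None));
    println!("{:?}", route_private_key(enc, None));
    println!("{}", public_key_body("-----BEGIN PUBLIC KEY-----\nMIIB\nIjAN\n-----END PUBLIC KEY-----\n"));
}
```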