
Commit 78de760

committed
feat: Identity Center authentication support with new plugins
1 parent 858abad commit 78de760

13 files changed

+661
-19
lines changed

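--- a/README.rst
+++ b/README.rst
@@ -306,6 +306,14 @@ Connection Parameters
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
 | iam_disable_cache | bool | This option specifies whether the IAM credentials are cached. By default the IAM credentials are cached. This improves performance when requests to the API gateway are throttled. | FALSE | No |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
+| idc_client_display_name | str | The client display name to be used in user consent in IdC browser auth. This is an optional value. The default value is "Amazon Redshift Python connector". | None | No |
++-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
+| idc_region | str | The AWS region where IdC instance is located. It is required for the IdC browser auth plugin. | None | No |
++-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
+| idc_response_timeout | int | The timeout value in seconds for the IdC browser auth plugin. This is an optional value. | 120 | No |
++-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
+| identity_namespace | str | The identity namespace to be used for the IdC browser auth plugin and IdP token auth plugin. It is an optional value if there is only one IdC instance existing or if default identity namespace is set on the cluster - else it is required. | None | No |
++-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
 | idp_response_timeout | int | The timeout for retrieving SAML assertion from IdP | 120 | No |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
 | idp_tenant | str | The IdP tenant | None | No |
@@ -354,8 +362,14 @@ Connection Parameters
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
 | sslmode | str | The security of the connection to Amazon Redshift. verify-ca and verify-full are supported. | verify_ca | No |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
+| start_url | str | The directory or start url for the AWS IdC access portal. It is required for the IdC browser auth plugin. | None | No |
++-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
 | timeout | int | The number of seconds before the connection to the server will timeout. | None | No |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
+| token | str | The access token required for the IdP token auth plugin. | None | No |
++-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
+| token_type | str | The token type required for the IdP token auth plugin. | ACCESS_TOKEN | No |
++-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
 | user | str | The username to use for authentication | None | No |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------+
 | web_identity_token | str | The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application must get this token by authenticating the user who is using your application with a web identity provider. This parameter is used by JwtCredentialsProvider. For this provider, this is a mandatory parameter. | None | No |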

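--- a/redshift_connector/__init__.py
+++ b/redshift_connector/__init__.py
@@ -56,6 +56,14 @@
 logging.getLogger(__name__).addHandler(logging.NullHandler())
 _logger: logging.Logger = logging.getLogger(__name__)
 
+IDC_PLUGINS_LIST = ("redshift_connector.plugin.BrowserIdcAuthPlugin", "BrowserIdcAuthPlugin",
+                    "redshift_connector.plugin.IdpTokenAuthPlugin", "IdpTokenAuthPlugin")
+IDC_OR_NATIVE_IDP_PLUGINS_LIST = (
+    "redshift_connector.plugin.BrowserAzureOAuth2CredentialsProvider", "BrowserAzureOAuth2CredentialsProvider",
+    "redshift_connector.plugin.BasicJwtCredentialsProvider", "BasicJwtCredentialsProvider",
+    "redshift_connector.plugin.BrowserIdcAuthPlugin", "BrowserIdcAuthPlugin",
+    "redshift_connector.plugin.IdpTokenAuthPlugin", "IdpTokenAuthPlugin")
+
 # Copyright (c) 2007-2009, Mathieu Fenniak
 # Copyright (c) The Contributors
 # All rights reserved.
@@ -143,6 +151,13 @@ def connect(
     serverless_acct_id: typing.Optional[str] = None,
     serverless_work_group: typing.Optional[str] = None,
     group_federation: typing.Optional[bool] = None,
+    start_url: typing.Optional[str] = None,
+    idc_region: typing.Optional[str] = None,
+    idc_response_timeout: typing.Optional[int] = None,
+    identity_namespace: typing.Optional[str] = None,
+    idc_client_display_name: typing.Optional[str] = None,
+    token: typing.Optional[str] = None,
+    token_type: typing.Optional[str] = None,
 ) -> Connection:
     """
     Establishes a :class:`Connection` to an Amazon Redshift cluster. This function validates user input, optionally authenticates using an identity provider plugin, then constructs a :class:`Connection` object.
@@ -246,6 +261,20 @@ def connect(
         The name of work group for serverless end point. Default value None.
     group_federation: Optional[bool]
         Use the IDP Groups in the Redshift. Default value False.
+    start_url: Optional[str]
+        The directory or start url for the AWS IdC access portal. Default value is None.
+    idc_region: Optional[str]
+        The AWS region where IdC instance is located. Default value is None.
+    idc_response_timeout: Optional[int]
+        The timeout value in seconds for the IdC browser auth. Default value is `120`.
+    identity_namespace: Optional[str]
+        The identity namespace to be used with IdC auth plugin. Default value is None.
+    idc_client_display_name: Optional[str]
+        The client display name to be used in user consent in IdC browser auth. Default value is `Amazon Redshift Python connector`.
+    token: Optional[str]
+        The access token to be used with IdC basic credentials provider plugin. Default value is None.
+    token_type: Optional[str]
+        The token type to be used for authentication using IdP token auth plugin. Default value is None.
     Returns
     -------
     A Connection object associated with the specified Amazon Redshift cluster: :class:`Connection`
@@ -273,6 +302,10 @@ def connect(
     info.put("host", host)
     info.put("iam", iam)
     info.put("iam_disable_cache", iam_disable_cache)
+    info.put("idc_client_display_name", idc_client_display_name)
+    info.put("idc_region", idc_region)
+    info.put("idc_response_timeout", idc_response_timeout)
+    info.put("identity_namespace", identity_namespace)
     info.put("idp_host", idp_host)
     info.put("idp_response_timeout", idp_response_timeout)
     info.put("idp_tenant", idp_tenant)
@@ -298,11 +331,14 @@ def connect(
     info.put("serverless_work_group", serverless_work_group)
     info.put("session_token", session_token)
     info.put("source_address", source_address)
+    info.put("start_url", start_url)
     info.put("ssl", ssl)
     info.put("ssl_insecure", ssl_insecure)
     info.put("sslmode", sslmode)
     info.put("tcp_keepalive", tcp_keepalive)
     info.put("timeout", timeout)
+    info.put("token", token)
+    info.put("token_type", token_type)
     info.put("unix_sock", unix_sock)
     info.put("user_name", user)
     info.put("web_identity_token", web_identity_token)
@@ -313,8 +349,15 @@ def connect(
     _logger.debug(mask_secure_info_in_props(info).__str__())
     _logger.debug(make_divider_block())
 
-    if (info.ssl is False) and (info.iam is True):
-        raise InterfaceError("Invalid connection property setting. SSL must be enabled when using IAM")
+    _logger.debug("plugin = {} and iam={}".format(info.credentials_provider, info.iam))
+    if (info.credentials_provider in IDC_PLUGINS_LIST) and (info.iam is True):
+        raise InterfaceError("You can not use this authentication plugin with IAM enabled.")
+
+    if info.ssl is False:
+        if info.iam is True:
+            raise InterfaceError("Invalid connection property setting. SSL must be enabled when using IAM")
+        if info.credentials_provider in IDC_OR_NATIVE_IDP_PLUGINS_LIST:
+            raise InterfaceError("Authentication must use an SSL connection.")
 
     if (info.iam is False) and (info.ssl_insecure is False):
         raise InterfaceError("Invalid connection property setting. IAM must be enabled when using ssl_insecure")
@@ -362,6 +405,9 @@ def connect(
             provider_name=info.provider_name,
             web_identity_token=info.web_identity_token,
             numeric_to_float=info.numeric_to_float,
+            identity_namespace=info.identity_namespace,
+            token_type=info.token_type,
+            idc_client_display_name=info.idc_client_display_name,
         )
 
 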
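Review bot: The new `token` property is a bearer access token and is stored with `info.put("token", token)` just before the existing `_logger.debug(mask_secure_info_in_props(info).__str__())` at the top of the validation hunk; unless `mask_secure_info_in_props` (defined outside this file section) was extended to redact the `token` key in one of the other changed files, the token will be written to debug logs in clear. Worth confirming, and if it is not masked, adding `token` to the masked keys with a comment such as `# token is a bearer credential; redact before any logging`. The two tuples added at the top restate the IdC plugin names, so `IDC_OR_NATIVE_IDP_PLUGINS_LIST = (...) + IDC_PLUGINS_LIST` would keep them from drifting apart. The new docstring entries also disagree with the README in this same commit: the README lists `token` under the IdP token auth plugin with `token_type` defaulting to `ACCESS_TOKEN`, while the docstring says "IdC basic credentials provider plugin" and default None. `connect` begins and ends outside these hunks.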