feat(kernel): session-level query tags + Thrift-parity OAuth scopes (configurable)#430
Open
msrathore-db wants to merge 4 commits into
Open
feat(kernel): session-level query tags + Thrift-parity OAuth scopes (configurable)#430msrathore-db wants to merge 4 commits into
msrathore-db wants to merge 4 commits into
Conversation
…ssion Ports the session-level query-tags wiring onto the post-#428 lib/kernel path (originally lib/sea/SeaBackend, before the SEA→kernel rename). openSession serializes request.queryTags into the reserved QUERY_TAGS session conf, which the kernel allowlists (SESSION_CONF_ALLOWLIST) and forwards onto the SEA CreateSession session_confs — mirroring ThriftBackend.openSession. queryTags takes precedence over an explicit configuration.QUERY_TAGS. Verified end-to-end against a live warehouse: the tag lands in system.query.history.query_tags. Co-authored-by: Isaac Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
…thScopes
The kernel U2M flow passed no scopes, so it fell through to the kernel's bare
default (all-apis offline_access). The databricks-sql-connector OAuth app is
registered for `sql`, so U2M auth used the wrong scope set. Pass scopes
explicitly from the driver:
- U2M defaults to ['sql', 'offline_access'] (matches the Thrift driver's
defaultOAuthScopes), overriding the kernel's all-apis default.
- M2M defaults to ['all-apis'] (matches Thrift + the kernel's M2M default).
- Both overridable via a new `oauthScopes` connect option — closing the
configurability gap with pyo3, which already forwards `scopes` on M2M.
Driver-only change: the napi binding already forwards oauth_scopes and the
kernel's u2m.rs/m2m.rs feed them into the authorize/token request.
Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
msrathore-db
force-pushed
the
msrathore/sea-query-tags-wiring
branch
from
21d31dd to
d6c0d81
Compare
msrathore-db
changed the title
vikrantpuppala
approved these changes
Jun 9, 2026
Per-statement options the kernel backend doesn't honour are now NO-OPs (logged at warn), not HiveDriverErrors, so call sites written for the Thrift backend are drop-in on the kernel path: - useCloudFetch / useLZ4Compression — kernel-governed perf/format hints - stagingAllowedLocalPath — staging not yet exposed on the kernel Ignoring these can't change query results. Parameter binding (compound/BINARY) is deliberately NOT no-op'd — a dropped param would silently change results, so it still throws. Co-authored-by: Isaac Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
…U2M client id
Switch the kernel auth flow selector to key off the SECRET, matching the Thrift
driver (DBSQLClient.createAuthProvider): a usable oauthClientSecret => M2M,
otherwise => U2M. Previously the kernel keyed off oauthClientId *presence*, which
diverged from Thrift and rejected `id + no secret` rather than running U2M.
Consequences:
- `oauthClientId + no secret` now runs U2M (browser), like Thrift — instead of
an M2M "secret required" error.
- A non-blank oauthClientId on U2M is now forwarded as a *custom U2M client*
(parity with Thrift, which passes options.oauthClientId to its U2M flow); a
blank/reserved id is treated as absent and the napi default
(databricks-sql-connector) is used.
Blank/reserved literals (whitespace, "null", "undefined" — typical of an unset
env var) count as absent for routing. Trade-off vs the prior id-presence
routing: `id set + secret forgotten` now silently runs U2M (browser) rather than
a clear error — this matches Thrift's behaviour.
Updated the auth unit tests (u2m/m2m/edge-cases) that encoded the old
id-presence routing to the new secret-based semantics.
Co-authored-by: Isaac
Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two kernel-backend auth/session fixes (rebased onto the post-#428
lib/kernelpath).1. Session-level query tags (
KernelBackend.openSession)Serializes
request.queryTagsinto the reservedQUERY_TAGSsession conf, which the kernel allowlists (SESSION_CONF_ALLOWLIST) and forwards onto the SEACreateSessionsession_confs— mirroringThriftBackend.openSession.queryTagstakes precedence over an explicitconfiguration.QUERY_TAGS.Verified end-to-end against a live warehouse: the tag lands in
system.query.history.query_tags.2. Thrift-parity OAuth scopes (configurable via
oauthScopes)The kernel U2M flow passed no scopes, so it fell through to the kernel's bare default
all-apis offline_access. Thedatabricks-sql-connectorOAuth app is registered forsql, so U2M requested the wrong scope set. Now the driver passes scopes explicitly:['sql', 'offline_access'](matches the Thrift driver'sdefaultOAuthScopes).['all-apis'](matches Thrift + the kernel's M2M default).oauthScopesconnect option — closing the configurability gap with pyo3 (which already forwardsscopeson M2M).Driver-only: the napi binding already forwards
oauth_scopes, and the kernel'su2m.rs/m2m.rsfeed them into the authorize/token request.Tests
tests/unit/kernel/execution.test.ts— session-levelqueryTags→sessionConf.QUERY_TAGS, precedence overconfiguration.QUERY_TAGS.tests/unit/kernel/auth-u2m.test.ts/auth-m2m.test.ts— default scopes (U2Msql offline_access, M2Mall-apis), caller override, empty-array fallback.All 135 affected unit tests pass locally.
This pull request and its description were written by Isaac.