Skip to content

Add token refresh for UC Lineage ingestion using system tables #15698

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Anshul759 wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Add token refresh for UC Lineage ingestion using system tables #15698

Anshul759 wants to merge 6 commits into from
+381 −17

Conversation

@Anshul759
Copy link
Contributor

@Anshul759 Anshul759 commented Dec 17, 2025
edited
Loading

If using system tables to query lineage, the sql connection fails.
Reason - sql connection requires PAT to connect to databricks and run queries. As the token is valid for only 60mins, and some of the ingestions run for long duration, the sql connection expires and the process fails with authentication error.
Fix - To use azure credentials to generate tokens. Have updated the code to generate PAT using azure credentials. The validity of PAT is 60 mins here too, but we can refresh the PAT before expiring so that the process continues without any halt

@github-actions github-actions bot added ingestion PR or Issue related to the ingestion of metadata community-contribution PR or Issue raised by member(s) of DataHub Community labels Dec 17, 2025
@datahub-cyborg datahub-cyborg bot added the needs-review Label for PRs that need review from a maintainer. label Dec 17, 2025
kyungsoo-datahub
kyungsoo-datahub reviewed Dec 19, 2025
View reviewed changes
Copy link
Contributor

@kyungsoo-datahub kyungsoo-datahub left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Could you add some unit tests?

  2. For the future improvement, it would be nice if we can separate out the token provider part. For example:

class SqlConnectionTokenProvider(Protocol):                                                                             
    def get_token(self) -> str: ...                                                                                     
                                                                                                                        
class StaticTokenProvider:                                                                                              
    def __init__(self, token: str):                                                                                     
        self._token = token                                                                                             
                                                                                                                        
    def get_token(self) -> str:                                                                                         
        return self._token                                                                                              
                                                                                                                        
class AzureTokenProvider:
        ...

metadata-ingestion/src/datahub/ingestion/source/unity/proxy.py Outdated

# Refresh token if it expires within 5 minutes
remaining_time = self._token_expiration - datetime.now(timezone.utc)
return remaining_time < timedelta(minutes=10)
Copy link
Contributor

@kyungsoo-datahub kyungsoo-datahub Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to refresh within 10 mins before expiration? Line 414 says that it would be within 5 mins.

Copy link
Contributor Author

@Anshul759 Anshul759 Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have used authenticate function, so removed this part of the code

metadata-ingestion/src/datahub/ingestion/source/unity/proxy.py Outdated
def _refresh_workspace_client(self):
"""Refresh the workspace client with new credentials."""
if self._azure_auth:
logger.info("Refreshing workspace client with new Azure credentials")
Copy link
Contributor

@kyungsoo-datahub kyungsoo-datahub Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to be debug level logging.

Copy link
Contributor Author

@Anshul759 Anshul759 Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

metadata-ingestion/src/datahub/ingestion/source/unity/proxy.py Outdated
if self._azure_auth:
logger.info("Refreshing workspace client with new Azure credentials")
# Create a new workspace client with fresh credentials
self._workspace_client = WorkspaceClient(
Copy link
Contributor

@kyungsoo-datahub kyungsoo-datahub Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the brief investigation, recreating client is redundant. authenticate() will refresh token if it's expired. Please, check this.

authenticate() -> _header_factory() (config.py) -> OAuthCredentialsProvider.call() (credentials_provider.py) -> refreshed_headers() (credentials_provider.py) -> inner.token() (credentials_provider.py) -> token() (oath.py) -> _blocking_token() (oath.py) -> refresh() (oath.py)

Please, check token() and _blcoking_token() functions: https://github.com/databricks/databricks-sdk-py/blob/main/databricks/sdk/oauth.py#L280-L333

Copy link
Contributor Author

@Anshul759 Anshul759 Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion. authenticate function does refresh the token when expired.
For Testing, ran pipeline for around 3 hours without any error -
image

metadata-ingestion/src/datahub/ingestion/source/unity/proxy.py Outdated
product_version=nice_version_name(),
)

def _refresh_sql_connection_token(self):
Copy link
Contributor

@kyungsoo-datahub kyungsoo-datahub Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if it's safe with multi threads.

@datahub-cyborg datahub-cyborg bot added pending-submitter-response Issue/request has been reviewed but requires a response from the submitter and removed needs-review Label for PRs that need review from a maintainer. labels Dec 19, 2025
@datahub-cyborg datahub-cyborg bot added needs-review Label for PRs that need review from a maintainer. and removed pending-submitter-response Issue/request has been reviewed but requires a response from the submitter labels Dec 22, 2025
@Anshul759
Copy link
Contributor Author

Anshul759 commented Dec 22, 2025

@kyungsoo-datahub

  1. Have added unit test cases
  2. Seperated the token management in a different class
  3. Used inbuild authenticate function to refresh token instead of using custom logic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kyungsoo-datahub kyungsoo-datahub kyungsoo-datahub left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

community-contribution PR or Issue raised by member(s) of DataHub Community ingestion PR or Issue related to the ingestion of metadata needs-review Label for PRs that need review from a maintainer.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Anshul759 @kyungsoo-datahub