Restrict total connection lifetime to prevent using invalidated credentials #3895

@jdeus

At this point in time, this library does not offer any mechanism to control the total connection duration.
This is problematic as, when using a rotating token, such as in the case of a Workload Identity in Azure, the token is invalidated when the token rotates. As a result, after 24h, the session is invalidated and the connection fails (with an invalid username/password error).

There should be:

  • A configurable option to control the total connection lifetime. All connections exceeding this timeout should be closed
  • Connections should be re-opened when being close to reaching this timeout. A pool should not distribute connections that are too close to this timeout, and this delta should be configurable.

Note that:

  • This issue is separate from the use of the StreamingCredentialProvider - connections should still be opened with a valid token
  • The timeout options that exist are only valid for setting a delta limit on the response after a query. They do not control the total lifetime of the connection

As a workaround, we implemented a custom Connection Pool with a thread closing connections reaching a defined total lifetime (set to the remaining lifetime of the token last obtained from Azure). The use of both a StreamingCredentialProvider and a custom cache token ensures all connections are always opened with a valid token, and old ones are closed.
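
The two requested behaviours (a total connection lifetime, plus a configurable margin inside which the pool stops handing a connection out) can be sketched as follows. This is an added example, not the poster's workaround and not the library's code; `LifetimeBoundedPool`, `max_lifetime`, `margin` and `factory` are hypothetical names, and `factory` is assumed to be any callable that returns an object with a `close()` method and authenticates with the current token.

```python
import threading
import time
from collections import deque


class LifetimeBoundedPool:
    """Hands out only connections younger than max_lifetime - margin (hypothetical API)."""

    def __init__(self, factory, max_lifetime, margin, clock=time.monotonic):
        if not 0 <= margin < max_lifetime:
            raise ValueError("margin must satisfy 0 <= margin < max_lifetime")
        self._factory, self._clock = factory, clock  # monotonic: immune to wall-clock jumps
        self._cutoff = max_lifetime - margin         # age at which a connection is retired
        self._idle = deque()                         # (connection, created_at), oldest first
        self._born = {}                              # id(checked-out connection) -> created_at
        self._lock = threading.Lock()

    def _fresh(self, created_at):
        return self._clock() - created_at < self._cutoff

    def acquire(self):
        with self._lock:
            while self._idle:
                conn, created_at = self._idle.popleft()
                if self._fresh(created_at):
                    self._born[id(conn)] = created_at
                    return conn
                conn.close()                         # too close to the deadline: retire it
            conn = self._factory()                   # assumed to log in with a valid token
            self._born[id(conn)] = self._clock()
            return conn

    def release(self, conn):
        with self._lock:
            created_at = self._born.pop(id(conn))
            if self._fresh(created_at):
                self._idle.append((conn, created_at))
            else:
                conn.close()                         # aged out while checked out

    def reap(self):
        """Close expired idle connections; meant to be called from a periodic thread."""
        with self._lock:
            expired = [e for e in self._idle if not self._fresh(e[1])]
            self._idle = deque(e for e in self._idle if self._fresh(e[1]))
        for conn, _ in expired:
            conn.close()
        return len(expired)
```

Setting `max_lifetime` to the remaining validity of the token used at connect time, as the workaround above describes, keeps every pooled connection inside the window in which its credentials are still accepted.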
