Add Support for OAuth in athena-synapse Connector #2904
Conversation
AbdulR3hman
force-pushed
the
feature/synapse-oauth
branch
from
5ad608b to
939e606
Compare
|
|
||
| return credentialMap; | ||
| } | ||
| catch (Exception e) { |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
It appears that your code handles a broad swath of exceptions in the catch block, potentially trapping dissimilar issues or problems that should not be dealt with at this point in the program.
There was a problem hiding this comment.
Updated to handle specific exceptions with appropriate FederationSourceErrorCode values.
| } | ||
| return null; | ||
| } | ||
| catch (Exception e) { |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
It appears that your code handles a broad swath of exceptions in the catch block, potentially trapping dissimilar issues or problems that should not be dealt with at this point in the program.
There was a problem hiding this comment.
Updated to handle specific exceptions with appropriate FederationSourceErrorCode values.
| !oauthConfig.get(TENANT_ID).isEmpty(); | ||
| } | ||
|
|
||
| private String fetchAccessToken(Map<String, String> oauthConfig) throws Exception |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Methods are throwing general exception, instead try and throw specific exception for proper and easy error handling.
There was a problem hiding this comment.
Replaced generic Exception with specific exceptions (IOException, InterruptedException) to improve error handling and clarity.
| return fetchAndStoreNewToken(oauthConfig); | ||
| } | ||
|
|
||
| private String fetchAndStoreNewToken(Map<String, String> oauthConfig) throws Exception |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Methods are throwing general exception, instead try and throw specific exception for proper and easy error handling.
There was a problem hiding this comment.
Replaced generic Exception with specific exceptions (IOException, InterruptedException) to improve error handling and clarity.
| private static final String FETCHED_AT = "fetched_at"; | ||
| private static final String EXPIRES_IN = "expires_in"; | ||
|
|
||
| private static final String CLIENT_ID = "client_id"; |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential hardcoded credential detected. This code may contain sensitive data such as passwords or API keys embedded directly in the source. Hardcoded credentials can be extracted and misused, leading to unauthorized access to systems or data breaches. To remediate this, store secrets in environment variables or use a secrets management tool like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. Avoid committing credentials to version control. For best practices, refer to - https://cwe.mitre.org/data/definitions/798.html
There was a problem hiding this comment.
These are just constant field names used as keys to access the configuration, not actual credentials. The actual sensitive data is stored securely in AWS Secrets Manager.
| private static final String TENANT_ID = "tenant_id"; | ||
|
|
||
| private static final String USER = "user"; | ||
| private static final String PASSWORD = "password"; |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential hardcoded credential detected. This code may contain sensitive data such as passwords or API keys embedded directly in the source. Hardcoded credentials can be extracted and misused, leading to unauthorized access to systems or data breaches. To remediate this, store secrets in environment variables or use a secrets management tool like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. Avoid committing credentials to version control. For best practices, refer to - https://cwe.mitre.org/data/definitions/798.html
There was a problem hiding this comment.
These are just constant field names used as keys to access the configuration, not actual credentials. The actual sensitive data is stored securely in AWS Secrets Manager.
| private static final String EXPIRES_IN = "expires_in"; | ||
|
|
||
| private static final String CLIENT_ID = "client_id"; | ||
| private static final String CLIENT_SECRET = "client_secret"; |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential hardcoded credential detected. This code may contain sensitive data such as passwords or API keys embedded directly in the source. Hardcoded credentials can be extracted and misused, leading to unauthorized access to systems or data breaches. To remediate this, store secrets in environment variables or use a secrets management tool like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. Avoid committing credentials to version control. For best practices, refer to - https://cwe.mitre.org/data/definitions/798.html
There was a problem hiding this comment.
These are just constant field names used as keys to access the configuration, not actual credentials. The actual sensitive data is stored securely in AWS Secrets Manager.
|
|
||
| public class SynapseCredentialsProvider implements CredentialsProvider | ||
| { | ||
| private static final String ACCESS_TOKEN = "access_token"; |
There was a problem hiding this comment.
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
Potential hardcoded credential detected. This code may contain sensitive data such as passwords or API keys embedded directly in the source. Hardcoded credentials can be extracted and misused, leading to unauthorized access to systems or data breaches. To remediate this, store secrets in environment variables or use a secrets management tool like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. Avoid committing credentials to version control. For best practices, refer to - https://cwe.mitre.org/data/definitions/798.html
There was a problem hiding this comment.
These are just constant field names used as keys to access the configuration, not actual credentials. The actual sensitive data is stored securely in AWS Secrets Manager.
Jithendar12
force-pushed
the
feature/synapse-oauth
branch
from
939e606 to
caa8e0b
Compare
| .timeout(Duration.ofSeconds(30)) | ||
| .build(); | ||
|
|
||
| HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString()); |
There was a problem hiding this comment.
If using VPC with synapse connector, is it possible token is failed to retrieve?
There was a problem hiding this comment.
Hi @ejeffrli,
We’ve tested the connector within a VPC as well, and it is successfully able to retrieve the token and fetch the data.
There was a problem hiding this comment.
Can this class use the OAuth class here? I can review above first if that is the case.
|
This PR will change a lot after #2932 is merged, adding this comment as a reminder to myself and other reviewers |
|
Hi, #2932 has been merged. Can you please update this PR? |
Trianz-Akshay
force-pushed
the
feature/synapse-oauth
branch
from
64d1fff to
b4d823f
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #2904 +/- ##
============================================
+ Coverage 63.67% 64.53% +0.85%
- Complexity 4344 4595 +251
============================================
Files 621 633 +12
Lines 23286 24067 +781
Branches 2859 2984 +125
============================================
+ Hits 14827 15531 +704
- Misses 7070 7107 +37
- Partials 1389 1429 +40 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Trianz-Akshay
force-pushed
the
feature/synapse-oauth
branch
from
b4d823f to
8809549
Compare
Jithendar12
force-pushed
the
feature/synapse-oauth
branch
from
8809549 to
60fe5e6
Compare
| // Constants for basic authentication fields | ||
| private static final String USER = "user"; | ||
| private static final String PASSWORD = "password"; | ||
| private static final String USERNAME = "username"; |
There was a problem hiding this comment.
these have been moved to a common constant file
There was a problem hiding this comment.
Hi @burhan94, yes, we have already moved to common CredentialsConstants file. Thank you!
| try { | ||
| final String derivedJdbcString; | ||
| if (null != credentialsProvider) { | ||
| final Properties connectionProps = new Properties(); |
There was a problem hiding this comment.
Is there a reason why we still need the SynapseJdbcConnectionFactory? Can we not use the GenericConnectionFactory like we do in the other connectors now?
There was a problem hiding this comment.
Hi @burhan94, thank you for your review. Yes, SynapseJdbcConnectionFactory is still required.
Reason: It provides Azure Active Directory Service Principal authentication that GenericJdbcConnectionFactory cannot handle.
| "password=" + credentialsProvider.getCredentialMap().get(CredentialsConstants.PASSWORD) | ||
| ); | ||
| // Check if this is OAuth credentials | ||
| if (credentialsProvider.getCredential() instanceof OAuthAccessTokenCredentials) { |
There was a problem hiding this comment.
hmm, the whole point of the abstraction we did was so that we don't need to put a specific credential provider type here...
There was a problem hiding this comment.
Hi @burhan94, yes, code has been updated, please review it. Thank you!
|
|
||
| String connectionString = databaseConnectionConfig.getJdbcConnectionString(); | ||
|
|
||
| if (connectionString.contains("authentication=ActiveDirectoryServicePrincipal")) { |
There was a problem hiding this comment.
I'm wondering if we should add a new method in the CredentialProvider interface that transforms the secret as well.
eg:
credentialProvider.transformSecretString(connectionString);
This way, we can keep the connectionFactories very generic.
There was a problem hiding this comment.
Hi @burhan94 ,
Yes, we can move secret replacement into the CredentialsProvider interface. We’ve made this change; please review. The SynapseJdbcConnectionFactory class is no longer required, as we can use the GenericJdbcConnectionFactory class, so we’ve deleted it. We can apply the same approach to other connectors as well, but that can be handled as a separate task since it will require testing all connectors once this PR is merged. Thank you!
Jithendar12
force-pushed
the
feature/synapse-oauth
branch
from
be1c0c2 to
513685f
Compare
| /** | ||
| * Azure Active Directory Service Principal credentials provider for Synapse. | ||
| */ | ||
| public class SynapseAADCredentialsProvider extends DefaultCredentialsProvider |
There was a problem hiding this comment.
Is this class being used anywhere? I was not able to find any reference.
There was a problem hiding this comment.
Hi @burhan94, thank you for pointing that out. We were curious how our tests passed without any reference to this class for ActiveDirectoryServicePrincipal authentication, so we investigated further. According to Microsoft’s official documentation, starting with driver version 9.4, it is no longer necessary to set principal ID and principal secret using AADSecurePrincipalId and AADSecurePrincipalSecret; they can instead be set using the username and password.
Our Dependabot has already upgraded the driver to version 12.10. As a result, we’ve reverted the previous commit, deleted the SynapseJdbcConnectionFactory class, and switched to using GenericJdbcConnectionFactory. Thank you!
- build(deps): bump io.confluent:kafka-avro-serializer from 8.0.0 to 8.0.2 (#3055) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.35.0 to 2.35.5 (#3057) - build(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (#3061) - Remove timestamp case from SnowflakeQueryStringBuilder (#2997) - build(deps): bump io.substrait.version from 0.65.0 to 0.66.0 (#3051) - build(deps): bump com.google.cloud:google-cloud-storage from 2.58.0 to 2.58.1 (#3059) - build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 (#3063) - build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (#3062) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (#3058) - build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (#3060) - build(deps): bump net.sf.jt400:jt400 from 21.0.5 to 21.0.6 (#3053) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.50 to 20.00.00.51 (#3054) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.3 to 9.1.5 (#3056) - build(deps): bump org.bouncycastle:bcpkix-jdk18on from 1.81 to 1.82 (#3050) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.6 to 5.2.0 (#3052) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.114.1 to 1.115.0 (#3048) - build(deps): bump aws-sdk-v2.version from 2.34.5 to 2.35.0 (#3039) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.1.1 to 4.2 (#3037) - build(deps): bump aws-sdk.version from 1.12.791 to 1.12.792 (#3035) - build(deps): bump net.java.dev.jna:jna-platform from 5.17.0 to 5.18.1 (#3038) - build(deps-dev): bump log4j2Version from 2.25.1 to 2.25.2 (#3029) - build(deps): bump io.substrait.version from 0.52.0 to 0.65.0 (#3021) - build(deps): bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (#3019) - build(deps): bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0 (#3020) - build(deps): bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (#3034) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib from 2.2.10 to 2.2.20 (#3027) - build(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (#3033) - build(deps): bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 (#3022) - build(deps): bump org.bouncycastle:bcutil-jdk18on from 1.81 to 1.82 (#3024) - build(deps): bump org.sonatype.central:central-publishing-maven-plugin from 0.8.0 to 0.9.0 (#3026) - build(deps): bump org.codehaus.mojo:license-maven-plugin from 2.6.0 to 2.7.0 (#3023) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.33.8 to 2.35.0 (#3040) - Add Support for OAuth in athena-saphana Connector (#2894) - build(deps): bump aws-actions/configure-aws-credentials from 4 to 5 (#2975) - build(deps): bump actions/setup-node from 4 to 5 (#2976) - [Neptune] Add doc details on how multi-valued properties are handled. (#2995) - build(deps): bump org.jetbrains.kotlin:kotlin-reflect from 2.2.10 to 2.2.20 (#3028) - build(deps): bump software.amazon.glue:schema-registry-serde from 1.1.24 to 1.1.25 (#3030) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib-jdk8 from 2.2.10 to 2.2.20 (#3031) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.49 to 20.00.00.50 (#3032) - build(deps): bump aws-sdk-v2.version from 2.34.3 to 2.34.5 (#3017) - Add Support for OAuth in athena-sqlserver Connector (#3006) - Add Support for OAuth in athena-synapse Connector (#2904) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.113.0 to 1.114.1 (#2979) - build(deps): bump org.apache.calcite.version from 1.39.0 to 1.40.0 (#2980) - build(deps): bump aws-sdk.version from 1.12.788 to 1.12.791 (#2981) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.4 to 5.1.5 (#2983) - build(deps): bump com.clickhouse:clickhouse-jdbc from 0.9.1 to 0.9.2 (#2985) - build(deps): bump net.snowflake:snowflake-jdbc from 3.26.0 to 3.26.1 (#2987) - build(deps): bump org.yaml:snakeyaml from 2.4 to 2.5 (#2988) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.0.9 to 4.1 (#2998) - build(deps): bump aws-sdk-v2.version from 2.32.29 to 2.33.9 (#2999) - build(deps): bump org.apache.kafka:kafka-clients from 4.0.0 to 4.1.0 (#3000) - build(deps): bump surefire.failsafe.version from 3.5.3 to 3.5.4 (#3001) - build(deps): bump com.microsoft.azure:msal4j from 1.22.0 to 1.23.1 (#3002) - build(deps): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 (#3003) - build(deps): bump com.google.cloud:google-cloud-storage from 2.55.0 to 2.57.0 (#3004) - build(deps): bump com.sap.cloud.db.jdbc:ngdbc from 2.25.12 to 2.26.6 (#3012) - build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (#3011) - Fixing error messages to not leak sensitive info (#3008) - Include linked accounts option when querying metric_samples table. (#2922)
- Update runner and slug - Update GitHub Actions workflows to build with Java 11 and 17 - Remove hard-coded Glue list-jobs --max-results 100 to find all Glue jobs (awslabs#3127) - Added unit tests in athena-synapse Connector (awslabs#2963) - Updating EncryptionKeyFactory to add overirde AWS request configuration in KMS calls made generate encryption key (awslabs#3103) - Fix epoch date conversion correctness issue when machine time zone is not in UTC (awslabs#3108) - Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0 (awslabs#3100) - Revise Athena Federated Queries instructions in README (awslabs#3069) - fix snowflake QPT return empty result (awslabs#3106) - add view into oracle paginated query (awslabs#3107) - build(deps): bump com.google.protobuf:protobuf-bom from 4.32.1 to 4.33.0 (awslabs#3071) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.7 to 4.9.8 (awslabs#3076) - build(deps): bump org.apache.avro:avro from 1.12.0 to 1.12.1 (awslabs#3075) - Handle ResourceNotFoundException from Dynamodb as AthenaConnectorExce… (awslabs#3098) - Added unit tests for bigquery (awslabs#2950) - Update PostgreSQL engine version to 15.10 (awslabs#3099) - Add unit tests for athena-oracle. (awslabs#2836) - Adding support to use custom SecretManagerClient for Google Big Query (awslabs#2846) - Added unit tests for athena-cloudera-impala Connector (awslabs#2880) - added unit tests for athena-vertica. (awslabs#2783) - added unit tests for athena-redshift. (awslabs#2733) - Always include partition column when get-table-layout (awslabs#3045) - fix cloudwatch glue connection cfn template (awslabs#3013) - Added unit tests for JDBC module (awslabs#2732) - Added pagination for Db2 connector (awslabs#2772) - [Fix] Include default truststore path when passing JAVA_TOOL_OPTIONS for Java 17 image (awslabs#3007) - build(deps): bump com.google.guava:guava from 33.4.0-jre to 33.4.8-jre (awslabs#2728) - Handle KMS and DDB NotFoundExceptions by throwing AthenaConnectorException (awslabs#3064) - build(deps): bump aws-sdk-v2.version from 2.35.1 to 2.35.5 (awslabs#3047) - build(deps): bump io.confluent:kafka-avro-serializer from 8.0.0 to 8.0.2 (awslabs#3055) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.35.0 to 2.35.5 (awslabs#3057) - build(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (awslabs#3061) - Remove timestamp case from SnowflakeQueryStringBuilder (awslabs#2997) - build(deps): bump io.substrait.version from 0.65.0 to 0.66.0 (awslabs#3051) - build(deps): bump com.google.cloud:google-cloud-storage from 2.58.0 to 2.58.1 (awslabs#3059) - build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 (awslabs#3063) - build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (awslabs#3062) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (awslabs#3058) - build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (awslabs#3060) - build(deps): bump net.sf.jt400:jt400 from 21.0.5 to 21.0.6 (awslabs#3053) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.50 to 20.00.00.51 (awslabs#3054) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.3 to 9.1.5 (awslabs#3056) - build(deps): bump org.bouncycastle:bcpkix-jdk18on from 1.81 to 1.82 (awslabs#3050) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.6 to 5.2.0 (awslabs#3052) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.114.1 to 1.115.0 (awslabs#3048) - build(deps): bump aws-sdk-v2.version from 2.34.5 to 2.35.0 (awslabs#3039) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.1.1 to 4.2 (awslabs#3037) - build(deps): bump aws-sdk.version from 1.12.791 to 1.12.792 (awslabs#3035) - build(deps): bump net.java.dev.jna:jna-platform from 5.17.0 to 5.18.1 (awslabs#3038) - build(deps-dev): bump log4j2Version from 2.25.1 to 2.25.2 (awslabs#3029) - build(deps): bump io.substrait.version from 0.52.0 to 0.65.0 (awslabs#3021) - build(deps): bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (awslabs#3019) - build(deps): bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0 (awslabs#3020) - build(deps): bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (awslabs#3034) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib from 2.2.10 to 2.2.20 (awslabs#3027) - build(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (awslabs#3033) - build(deps): bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 (awslabs#3022) - build(deps): bump org.bouncycastle:bcutil-jdk18on from 1.81 to 1.82 (awslabs#3024) - build(deps): bump org.sonatype.central:central-publishing-maven-plugin from 0.8.0 to 0.9.0 (awslabs#3026) - build(deps): bump org.codehaus.mojo:license-maven-plugin from 2.6.0 to 2.7.0 (awslabs#3023) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.33.8 to 2.35.0 (awslabs#3040) - Add Support for OAuth in athena-saphana Connector (awslabs#2894) - build(deps): bump aws-actions/configure-aws-credentials from 4 to 5 (awslabs#2975) - build(deps): bump actions/setup-node from 4 to 5 (awslabs#2976) - [Neptune] Add doc details on how multi-valued properties are handled. (awslabs#2995) - build(deps): bump org.jetbrains.kotlin:kotlin-reflect from 2.2.10 to 2.2.20 (awslabs#3028) - build(deps): bump software.amazon.glue:schema-registry-serde from 1.1.24 to 1.1.25 (awslabs#3030) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib-jdk8 from 2.2.10 to 2.2.20 (awslabs#3031) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.49 to 20.00.00.50 (awslabs#3032) - build(deps): bump aws-sdk-v2.version from 2.34.3 to 2.34.5 (awslabs#3017) - Add Support for OAuth in athena-sqlserver Connector (awslabs#3006) - Add Support for OAuth in athena-synapse Connector (awslabs#2904) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.113.0 to 1.114.1 (awslabs#2979) - build(deps): bump org.apache.calcite.version from 1.39.0 to 1.40.0 (awslabs#2980) - build(deps): bump aws-sdk.version from 1.12.788 to 1.12.791 (awslabs#2981) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.4 to 5.1.5 (awslabs#2983) - build(deps): bump com.clickhouse:clickhouse-jdbc from 0.9.1 to 0.9.2 (awslabs#2985) - build(deps): bump net.snowflake:snowflake-jdbc from 3.26.0 to 3.26.1 (awslabs#2987) - build(deps): bump org.yaml:snakeyaml from 2.4 to 2.5 (awslabs#2988) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.0.9 to 4.1 (awslabs#2998) - build(deps): bump aws-sdk-v2.version from 2.32.29 to 2.33.9 (awslabs#2999) - build(deps): bump org.apache.kafka:kafka-clients from 4.0.0 to 4.1.0 (awslabs#3000) - build(deps): bump surefire.failsafe.version from 3.5.3 to 3.5.4 (awslabs#3001) - build(deps): bump com.microsoft.azure:msal4j from 1.22.0 to 1.23.1 (awslabs#3002) - build(deps): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 (awslabs#3003) - build(deps): bump com.google.cloud:google-cloud-storage from 2.55.0 to 2.57.0 (awslabs#3004) - build(deps): bump com.sap.cloud.db.jdbc:ngdbc from 2.25.12 to 2.26.6 (awslabs#3012) - build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (awslabs#3011) - Fixing error messages to not leak sensitive info (awslabs#3008) - Include linked accounts option when querying metric_samples table. (awslabs#2922) - Updating Zookeeper to latest version 3.9.4 (awslabs#3005) - build(deps): bump com.google.protobuf:protobuf-bom from 4.29.3 to 4.32.0 (awslabs#2991) - Add serverless datalakegen2 support (awslabs#2973) - Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector (awslabs#2932) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.32.29 to 2.33.4 (awslabs#2992) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.2 to 9.1.3 (awslabs#2993) - build(deps): bump io.lettuce:lettuce-core from 6.8.0.RELEASE to 6.8.1.RELEASE (awslabs#2994) - Hbase namespace issue (awslabs#2996)
- wait for release branch and checkout - wait for release branch and checkout - Update runner and slug - Update GitHub Actions workflows to build with Java 11 and 17 - Remove hard-coded Glue list-jobs --max-results 100 to find all Glue jobs (awslabs#3127) - Added unit tests in athena-synapse Connector (awslabs#2963) - Updating EncryptionKeyFactory to add overirde AWS request configuration in KMS calls made generate encryption key (awslabs#3103) - Fix epoch date conversion correctness issue when machine time zone is not in UTC (awslabs#3108) - Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0 (awslabs#3100) - Revise Athena Federated Queries instructions in README (awslabs#3069) - fix snowflake QPT return empty result (awslabs#3106) - add view into oracle paginated query (awslabs#3107) - build(deps): bump com.google.protobuf:protobuf-bom from 4.32.1 to 4.33.0 (awslabs#3071) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.7 to 4.9.8 (awslabs#3076) - build(deps): bump org.apache.avro:avro from 1.12.0 to 1.12.1 (awslabs#3075) - Handle ResourceNotFoundException from Dynamodb as AthenaConnectorExce… (awslabs#3098) - Added unit tests for bigquery (awslabs#2950) - Update PostgreSQL engine version to 15.10 (awslabs#3099) - Add unit tests for athena-oracle. (awslabs#2836) - Adding support to use custom SecretManagerClient for Google Big Query (awslabs#2846) - Added unit tests for athena-cloudera-impala Connector (awslabs#2880) - added unit tests for athena-vertica. (awslabs#2783) - added unit tests for athena-redshift. (awslabs#2733) - Always include partition column when get-table-layout (awslabs#3045) - fix cloudwatch glue connection cfn template (awslabs#3013) - Added unit tests for JDBC module (awslabs#2732) - Added pagination for Db2 connector (awslabs#2772) - [Fix] Include default truststore path when passing JAVA_TOOL_OPTIONS for Java 17 image (awslabs#3007) - build(deps): bump com.google.guava:guava from 33.4.0-jre to 33.4.8-jre (awslabs#2728) - Handle KMS and DDB NotFoundExceptions by throwing AthenaConnectorException (awslabs#3064) - build(deps): bump aws-sdk-v2.version from 2.35.1 to 2.35.5 (awslabs#3047) - build(deps): bump io.confluent:kafka-avro-serializer from 8.0.0 to 8.0.2 (awslabs#3055) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.35.0 to 2.35.5 (awslabs#3057) - build(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (awslabs#3061) - Remove timestamp case from SnowflakeQueryStringBuilder (awslabs#2997) - build(deps): bump io.substrait.version from 0.65.0 to 0.66.0 (awslabs#3051) - build(deps): bump com.google.cloud:google-cloud-storage from 2.58.0 to 2.58.1 (awslabs#3059) - build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 (awslabs#3063) - build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (awslabs#3062) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (awslabs#3058) - build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (awslabs#3060) - build(deps): bump net.sf.jt400:jt400 from 21.0.5 to 21.0.6 (awslabs#3053) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.50 to 20.00.00.51 (awslabs#3054) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.3 to 9.1.5 (awslabs#3056) - build(deps): bump org.bouncycastle:bcpkix-jdk18on from 1.81 to 1.82 (awslabs#3050) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.6 to 5.2.0 (awslabs#3052) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.114.1 to 1.115.0 (awslabs#3048) - build(deps): bump aws-sdk-v2.version from 2.34.5 to 2.35.0 (awslabs#3039) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.1.1 to 4.2 (awslabs#3037) - build(deps): bump aws-sdk.version from 1.12.791 to 1.12.792 (awslabs#3035) - build(deps): bump net.java.dev.jna:jna-platform from 5.17.0 to 5.18.1 (awslabs#3038) - build(deps-dev): bump log4j2Version from 2.25.1 to 2.25.2 (awslabs#3029) - build(deps): bump io.substrait.version from 0.52.0 to 0.65.0 (awslabs#3021) - build(deps): bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (awslabs#3019) - build(deps): bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0 (awslabs#3020) - build(deps): bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (awslabs#3034) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib from 2.2.10 to 2.2.20 (awslabs#3027) - build(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (awslabs#3033) - build(deps): bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 (awslabs#3022) - build(deps): bump org.bouncycastle:bcutil-jdk18on from 1.81 to 1.82 (awslabs#3024) - build(deps): bump org.sonatype.central:central-publishing-maven-plugin from 0.8.0 to 0.9.0 (awslabs#3026) - build(deps): bump org.codehaus.mojo:license-maven-plugin from 2.6.0 to 2.7.0 (awslabs#3023) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.33.8 to 2.35.0 (awslabs#3040) - Add Support for OAuth in athena-saphana Connector (awslabs#2894) - build(deps): bump aws-actions/configure-aws-credentials from 4 to 5 (awslabs#2975) - build(deps): bump actions/setup-node from 4 to 5 (awslabs#2976) - [Neptune] Add doc details on how multi-valued properties are handled. (awslabs#2995) - build(deps): bump org.jetbrains.kotlin:kotlin-reflect from 2.2.10 to 2.2.20 (awslabs#3028) - build(deps): bump software.amazon.glue:schema-registry-serde from 1.1.24 to 1.1.25 (awslabs#3030) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib-jdk8 from 2.2.10 to 2.2.20 (awslabs#3031) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.49 to 20.00.00.50 (awslabs#3032) - build(deps): bump aws-sdk-v2.version from 2.34.3 to 2.34.5 (awslabs#3017) - Add Support for OAuth in athena-sqlserver Connector (awslabs#3006) - Add Support for OAuth in athena-synapse Connector (awslabs#2904) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.113.0 to 1.114.1 (awslabs#2979) - build(deps): bump org.apache.calcite.version from 1.39.0 to 1.40.0 (awslabs#2980) - build(deps): bump aws-sdk.version from 1.12.788 to 1.12.791 (awslabs#2981) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.4 to 5.1.5 (awslabs#2983) - build(deps): bump com.clickhouse:clickhouse-jdbc from 0.9.1 to 0.9.2 (awslabs#2985) - build(deps): bump net.snowflake:snowflake-jdbc from 3.26.0 to 3.26.1 (awslabs#2987) - build(deps): bump org.yaml:snakeyaml from 2.4 to 2.5 (awslabs#2988) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.0.9 to 4.1 (awslabs#2998) - build(deps): bump aws-sdk-v2.version from 2.32.29 to 2.33.9 (awslabs#2999) - build(deps): bump org.apache.kafka:kafka-clients from 4.0.0 to 4.1.0 (awslabs#3000) - build(deps): bump surefire.failsafe.version from 3.5.3 to 3.5.4 (awslabs#3001) - build(deps): bump com.microsoft.azure:msal4j from 1.22.0 to 1.23.1 (awslabs#3002) - build(deps): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 (awslabs#3003) - build(deps): bump com.google.cloud:google-cloud-storage from 2.55.0 to 2.57.0 (awslabs#3004) - build(deps): bump com.sap.cloud.db.jdbc:ngdbc from 2.25.12 to 2.26.6 (awslabs#3012) - build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (awslabs#3011) - Fixing error messages to not leak sensitive info (awslabs#3008) - Include linked accounts option when querying metric_samples table. (awslabs#2922) - Updating Zookeeper to latest version 3.9.4 (awslabs#3005) - build(deps): bump com.google.protobuf:protobuf-bom from 4.29.3 to 4.32.0 (awslabs#2991) - Add serverless datalakegen2 support (awslabs#2973) - Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector (awslabs#2932) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.32.29 to 2.33.4 (awslabs#2992) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.2 to 9.1.3 (awslabs#2993) - build(deps): bump io.lettuce:lettuce-core from 6.8.0.RELEASE to 6.8.1.RELEASE (awslabs#2994) - Hbase namespace issue (awslabs#2996)
- Update release workflow for Java version builds - Enhance cut_release workflow for Java 11 and 17 - wait for release branch and checkout - wait for release branch and checkout - Update runner and slug - Update GitHub Actions workflows to build with Java 11 and 17 - Remove hard-coded Glue list-jobs --max-results 100 to find all Glue jobs (awslabs#3127) - Added unit tests in athena-synapse Connector (awslabs#2963) - Updating EncryptionKeyFactory to add overirde AWS request configuration in KMS calls made generate encryption key (awslabs#3103) - Fix epoch date conversion correctness issue when machine time zone is not in UTC (awslabs#3108) - Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0 (awslabs#3100) - Revise Athena Federated Queries instructions in README (awslabs#3069) - fix snowflake QPT return empty result (awslabs#3106) - add view into oracle paginated query (awslabs#3107) - build(deps): bump com.google.protobuf:protobuf-bom from 4.32.1 to 4.33.0 (awslabs#3071) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.7 to 4.9.8 (awslabs#3076) - build(deps): bump org.apache.avro:avro from 1.12.0 to 1.12.1 (awslabs#3075) - Handle ResourceNotFoundException from Dynamodb as AthenaConnectorExce… (awslabs#3098) - Added unit tests for bigquery (awslabs#2950) - Update PostgreSQL engine version to 15.10 (awslabs#3099) - Add unit tests for athena-oracle. (awslabs#2836) - Adding support to use custom SecretManagerClient for Google Big Query (awslabs#2846) - Added unit tests for athena-cloudera-impala Connector (awslabs#2880) - added unit tests for athena-vertica. (awslabs#2783) - added unit tests for athena-redshift. (awslabs#2733) - Always include partition column when get-table-layout (awslabs#3045) - fix cloudwatch glue connection cfn template (awslabs#3013) - Added unit tests for JDBC module (awslabs#2732) - Added pagination for Db2 connector (awslabs#2772) - [Fix] Include default truststore path when passing JAVA_TOOL_OPTIONS for Java 17 image (awslabs#3007) - build(deps): bump com.google.guava:guava from 33.4.0-jre to 33.4.8-jre (awslabs#2728) - Handle KMS and DDB NotFoundExceptions by throwing AthenaConnectorException (awslabs#3064) - build(deps): bump aws-sdk-v2.version from 2.35.1 to 2.35.5 (awslabs#3047) - build(deps): bump io.confluent:kafka-avro-serializer from 8.0.0 to 8.0.2 (awslabs#3055) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.35.0 to 2.35.5 (awslabs#3057) - build(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (awslabs#3061) - Remove timestamp case from SnowflakeQueryStringBuilder (awslabs#2997) - build(deps): bump io.substrait.version from 0.65.0 to 0.66.0 (awslabs#3051) - build(deps): bump com.google.cloud:google-cloud-storage from 2.58.0 to 2.58.1 (awslabs#3059) - build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 (awslabs#3063) - build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (awslabs#3062) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (awslabs#3058) - build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (awslabs#3060) - build(deps): bump net.sf.jt400:jt400 from 21.0.5 to 21.0.6 (awslabs#3053) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.50 to 20.00.00.51 (awslabs#3054) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.3 to 9.1.5 (awslabs#3056) - build(deps): bump org.bouncycastle:bcpkix-jdk18on from 1.81 to 1.82 (awslabs#3050) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.6 to 5.2.0 (awslabs#3052) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.114.1 to 1.115.0 (awslabs#3048) - build(deps): bump aws-sdk-v2.version from 2.34.5 to 2.35.0 (awslabs#3039) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.1.1 to 4.2 (awslabs#3037) - build(deps): bump aws-sdk.version from 1.12.791 to 1.12.792 (awslabs#3035) - build(deps): bump net.java.dev.jna:jna-platform from 5.17.0 to 5.18.1 (awslabs#3038) - build(deps-dev): bump log4j2Version from 2.25.1 to 2.25.2 (awslabs#3029) - build(deps): bump io.substrait.version from 0.52.0 to 0.65.0 (awslabs#3021) - build(deps): bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (awslabs#3019) - build(deps): bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0 (awslabs#3020) - build(deps): bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (awslabs#3034) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib from 2.2.10 to 2.2.20 (awslabs#3027) - build(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (awslabs#3033) - build(deps): bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 (awslabs#3022) - build(deps): bump org.bouncycastle:bcutil-jdk18on from 1.81 to 1.82 (awslabs#3024) - build(deps): bump org.sonatype.central:central-publishing-maven-plugin from 0.8.0 to 0.9.0 (awslabs#3026) - build(deps): bump org.codehaus.mojo:license-maven-plugin from 2.6.0 to 2.7.0 (awslabs#3023) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.33.8 to 2.35.0 (awslabs#3040) - Add Support for OAuth in athena-saphana Connector (awslabs#2894) - build(deps): bump aws-actions/configure-aws-credentials from 4 to 5 (awslabs#2975) - build(deps): bump actions/setup-node from 4 to 5 (awslabs#2976) - [Neptune] Add doc details on how multi-valued properties are handled. (awslabs#2995) - build(deps): bump org.jetbrains.kotlin:kotlin-reflect from 2.2.10 to 2.2.20 (awslabs#3028) - build(deps): bump software.amazon.glue:schema-registry-serde from 1.1.24 to 1.1.25 (awslabs#3030) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib-jdk8 from 2.2.10 to 2.2.20 (awslabs#3031) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.49 to 20.00.00.50 (awslabs#3032) - build(deps): bump aws-sdk-v2.version from 2.34.3 to 2.34.5 (awslabs#3017) - Add Support for OAuth in athena-sqlserver Connector (awslabs#3006) - Add Support for OAuth in athena-synapse Connector (awslabs#2904) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.113.0 to 1.114.1 (awslabs#2979) - build(deps): bump org.apache.calcite.version from 1.39.0 to 1.40.0 (awslabs#2980) - build(deps): bump aws-sdk.version from 1.12.788 to 1.12.791 (awslabs#2981) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.4 to 5.1.5 (awslabs#2983) - build(deps): bump com.clickhouse:clickhouse-jdbc from 0.9.1 to 0.9.2 (awslabs#2985) - build(deps): bump net.snowflake:snowflake-jdbc from 3.26.0 to 3.26.1 (awslabs#2987) - build(deps): bump org.yaml:snakeyaml from 2.4 to 2.5 (awslabs#2988) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.0.9 to 4.1 (awslabs#2998) - build(deps): bump aws-sdk-v2.version from 2.32.29 to 2.33.9 (awslabs#2999) - build(deps): bump org.apache.kafka:kafka-clients from 4.0.0 to 4.1.0 (awslabs#3000) - build(deps): bump surefire.failsafe.version from 3.5.3 to 3.5.4 (awslabs#3001) - build(deps): bump com.microsoft.azure:msal4j from 1.22.0 to 1.23.1 (awslabs#3002) - build(deps): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 (awslabs#3003) - build(deps): bump com.google.cloud:google-cloud-storage from 2.55.0 to 2.57.0 (awslabs#3004) - build(deps): bump com.sap.cloud.db.jdbc:ngdbc from 2.25.12 to 2.26.6 (awslabs#3012) - build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (awslabs#3011) - Fixing error messages to not leak sensitive info (awslabs#3008) - Include linked accounts option when querying metric_samples table. (awslabs#2922) - Updating Zookeeper to latest version 3.9.4 (awslabs#3005) - build(deps): bump com.google.protobuf:protobuf-bom from 4.29.3 to 4.32.0 (awslabs#2991) - Add serverless datalakegen2 support (awslabs#2973) - Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector (awslabs#2932) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.32.29 to 2.33.4 (awslabs#2992) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.2 to 9.1.3 (awslabs#2993) - build(deps): bump io.lettuce:lettuce-core from 6.8.0.RELEASE to 6.8.1.RELEASE (awslabs#2994) - Hbase namespace issue (awslabs#2996)
7 participants
Issue #, if available:
Description of changes:
This PR introduces support for OAuth-based authentication in the Synapse connector using Microsoft Entra ID with the client_credentials grant type. The connector obtains Bearer tokens directly from Entra ID and manages them securely via AWS Secrets Manager.
Users must store the following credentials in AWS Secrets Manager:
{
"client_id": "<your-entra-id-app-client-id>",
"client_secret": "<your-entra-id-app-client-secret>",
"tenant_id": "<your-entra-id-app-tenant-id>"
}
The connector uses these credentials to fetch a new access token from Microsoft Entra ID's token endpoint. After fetching, it updates the secret with access_token, fetched_at and expires_in. Token refresh is handled automatically when the token is close to expiry, using these stored values. Please find attached reference and test documents.
OAuth Integration in synapse.docx
synapse-oauth-testing.odt
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.