Skip to content

Feature/957 more auth mechanisms #1453

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ghjklw wants to merge 7 commits into
base: main
Choose a base branch
from
+488 −120
Open

Feature/957 more auth mechanisms #1453

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
ab24a41
Merge pull request #1 from ghjklw/claude/pull-from-main-CALzv
ghjklw May 10, 2026
a31eec8
test: document all legacy auth dispatch and validation behaviors
claude May 12, 2026
e57d441
refactor: simplify auth dispatch and fix SDK delegation gaps
claude May 12, 2026
daff8f9
test: update changed cases and add new-behavior coverage
claude May 12, 2026
eda9a78
feat: forward oauth_scopes to SDK Config; remove oauth_redirect_url
claude May 12, 2026
b5cf6b6
Deprecate implicit client_secret heuristic; update README auth priori…
claude May 12, 2026
4170c87
Merge branch 'main' into feature/957-more-auth-mechanisms
ghjklw May 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,82 @@ your_profile_name:
token: [dapiXXXXXXXXXXXXXXXXXXXXXXX]
```

### Authentication

The adapter supports all [Databricks unified authentication](https://docs.databricks.com/dev-tools/auth/unified-auth.html) methods. For a full setup walkthrough, see the **[Connect to Databricks](https://docs.getdbt.com/docs/core/connect-data-platform/databricks-setup)** guide on docs.getdbt.com.

The method is selected automatically based on which fields are present in your profile. Priority order (first match wins):

| Method | Required profile fields |
|---|---|
| Personal Access Token (PAT) | `token` |
| Azure service principal | `azure_client_id` + `azure_client_secret` |
| Any explicit SDK auth type | `auth_type` (see values below) |
| OAuth user-to-machine (browser) | `client_id` only (no `client_secret`), or _(none of the above — opens browser)_ |
| OAuth M2M / legacy Azure SP | `client_secret` without `auth_type` _(deprecated — set `auth_type` explicitly)_ |

#### `auth_type` values

Set `auth_type` in your profile to delegate entirely to the Databricks SDK for that auth method:

| `auth_type` value | Description |
|---|---|
| `oauth` | U2M browser login (legacy dbt alias for `external-browser`) |
| `oauth-m2m` | Service principal via OAuth M2M; requires `client_id` + `client_secret` |
| `azure-cli` | Azure CLI (`az login`) |
| `azure-msi` | Azure Managed Service Identity |
| `databricks-cli` | Databricks CLI credential chain |
| `google-credentials` | Google service account |
| `metadata-service` | Databricks metadata service |

#### Auth-specific profile fields

```nofmt
# OAuth M2M / service principal
client_id: ...
client_secret: ...

# Azure service principal (explicit)
azure_client_id: ...
azure_client_secret: ...

# Azure common options
azure_tenant_id: ...
azure_environment: ... # e.g. usgovernment
azure_workspace_resource_id: ...

# Azure MSI (user-assigned identity)
auth_type: azure-msi
azure_client_id: ... # omit for system-assigned

# Databricks CLI
auth_type: databricks-cli
databricks_cli_profile: ... # optional: named profile in ~/.databrickscfg

# Google
auth_type: google-credentials
google_credentials: ... # path to service account JSON
google_service_account: ...

# Metadata service / OIDC
metadata_service_url: ...
oidc_token_env: ...
oidc_token_filepath: ...

# Escape hatch: any extra Databricks SDK Config kwarg not listed above
databricks_sdk_parameters:
some_sdk_field: value
```

New auth methods added to the Databricks Python SDK are available automatically via `auth_type` + `databricks_sdk_parameters` without requiring an adapter update.

> **Deprecated:** Omitting `auth_type` when using `client_secret` triggers a legacy heuristic that guesses between `oauth-m2m` and `azure-client-secret` based on the secret format. This produces a deprecation warning at runtime. Migrate by setting `auth_type` explicitly:
> ```yaml
> auth_type: oauth-m2m # for Databricks OAuth M2M service principals
> # or
> auth_type: azure-client-secret # for Azure AD service principals
> ```

### Documentation

For comprehensive documentation on Databricks-specific features, configurations, and capabilities:
Expand Down
3 changes: 1 addition & 2 deletions dbt/adapters/databricks/api_client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@
from dbt.adapters.databricks import utils
from dbt.adapters.databricks.__version__ import version
from dbt.adapters.databricks.credentials import (
DatabricksCredentialManager,
DatabricksCredentials,
)
from dbt.adapters.databricks.logging import logger
Expand Down Expand Up @@ -945,7 +944,7 @@ def __init__(
use_user_folder: bool = False,
polling_interval: int = DEFAULT_POLLING_INTERVAL,
):
workspace_client = DatabricksCredentialManager.create_from(credentials).api_client
workspace_client = credentials.authenticate().api_client
self.libraries = LibraryApi(workspace_client)
self.clusters = ClusterApi(workspace_client, self.libraries)
self.command_contexts = CommandContextApi(workspace_client, self.clusters, self.libraries)
Expand Down
Loading