Added support for a new browser authentication plugin called BrowserI…
…dcAuthPlugin to facilitate single-sign-on integration with AWS IAM Identity Center.
Brooke-white committed Jul 31, 2024
1 parent 26fc02d commit 18c2d7a
Showing 14 changed files with 780 additions and 5 deletions.
6 changes: 6 additions & 0 deletions README.rst
Expand Up @@ -333,12 +333,18 @@ Connection Parameters
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| iam_disable_cache | bool | This option specifies whether the IAM credentials are cached. By default the IAM credentials are cached. This improves performance when requests to the API gateway are throttled. | FALSE | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| idc_client_display_name | str | The client display name to be used in user consent in IdC browser auth. This is an optional value. The default value is "Amazon Redshift Python connector". | None | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| idc_region | str | The AWS region where AWS identity center instance is located. It is required for the IdC browser auth plugin. | None | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| identity_namespace | str | The identity namespace to be used for the IdC browser auth plugin and IdP token auth plugin. It is an optional value if there is only one IdC instance existing or if default identity namespace is set on the cluster - else it is required. | None | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| idp_response_timeout | int | The timeout for retrieving SAML assertion from IdP | 120 | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| idp_tenant | str | The IdP tenant | None | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| issuer_url | str | The issuer url for the AWS IdC access portal. It is required for the IdC browser auth plugin. | None | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| listen_port | int | The listen port IdP will send the SAML assertion to | 7890 | No |
+-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
| login_to_rp | str | Only for AdfsCredentialsProvider. Used to specify the loginToRp when performing IdpInitiatedSignOn as apart of form based authentication. | urn:amazon:webservices | No |
17 changes: 17 additions & 0 deletions redshift_connector/__init__.py
Expand Up @@ -57,6 +57,8 @@
_logger: logging.Logger = logging.getLogger(__name__)

IDC_PLUGINS_LIST = (
"redshift_connector.plugin.BrowserIdcAuthPlugin",
"BrowserIdcAuthPlugin",
"redshift_connector.plugin.IdpTokenAuthPlugin",
"IdpTokenAuthPlugin",
)
Expand All @@ -65,6 +67,8 @@
"BrowserAzureOAuth2CredentialsProvider",
"redshift_connector.plugin.BasicJwtCredentialsProvider",
"BasicJwtCredentialsProvider",
"redshift_connector.plugin.BrowserIdcAuthPlugin",
"BrowserIdcAuthPlugin",
"redshift_connector.plugin.IdpTokenAuthPlugin",
"IdpTokenAuthPlugin",
)
Expand Down Expand Up @@ -158,6 +162,9 @@ def connect(
serverless_work_group: typing.Optional[str] = None,
group_federation: typing.Optional[bool] = None,
identity_namespace: typing.Optional[str] = None,
idc_client_display_name: typing.Optional[str] = None,
idc_region: typing.Optional[str] = None,
issuer_url: typing.Optional[str] = None,
token: typing.Optional[str] = None,
token_type: typing.Optional[str] = None,
) -> Connection:
Expand Down Expand Up @@ -265,6 +272,12 @@ def connect(
Use the IDP Groups in the Redshift. Default value False.
identity_namespace: Optional[str]
The identity namespace to be used with IdC auth plugin. Default value is None.
idc_client_display_name: Optional[str]
The client display name to be used in user consent in IdC browser auth. Default value is `Amazon Redshift Python connector`.
idc_region: Optional[str]
The AWS region where IdC instance is located. Default value is None.
issuer_url: Optional[str]
The issuer url for the AWS IdC access portal. Default value is None.
token: Optional[str]
The access token to be used with IdC basic credentials provider plugin. Default value is None.
token_type: Optional[str]
Expand Down Expand Up @@ -296,10 +309,13 @@ def connect(
info.put("host", host)
info.put("iam", iam)
info.put("iam_disable_cache", iam_disable_cache)
info.put("idc_client_display_name", idc_client_display_name)
info.put("idc_region", idc_region)
info.put("identity_namespace", identity_namespace)
info.put("idp_host", idp_host)
info.put("idp_response_timeout", idp_response_timeout)
info.put("idp_tenant", idp_tenant)
info.put("issuer_url", issuer_url)
info.put("is_serverless", is_serverless)
info.put("listen_port", listen_port)
info.put("login_url", login_url)
Expand Down Expand Up @@ -398,6 +414,7 @@ def connect(
numeric_to_float=info.numeric_to_float,
identity_namespace=info.identity_namespace,
token_type=info.token_type,
idc_client_display_name=info.idc_client_display_name,
)


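Review bot: The connect() docstring added for idc_client_display_name states that the default is `Amazon Redshift Python connector`, while the signature's default is None, so the two disagree about what a caller sees; the fallback presumably happens in the plugin, which is not in view. Rewording the docstring to `The client display name to be used in user consent in IdC browser auth. Default value is None, in which case "Amazon Redshift Python connector" is used.` keeps it accurate without relying on where the fallback lives. The later hunk forwards only idc_client_display_name to Connection while idc_region and issuer_url are stored on info alone; if those are read from the property object by the plugin that is fine, but nothing in these hunks validates issuer_url, and a defensive scheme check such as `if issuer_url is not None and not issuer_url.startswith("https://"): raise InterfaceError("issuer_url must use https")` before it is put on info would be cheap insurance if the plugin hands it to a browser or an OIDC client. connect() begins and ends outside these hunks.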
16 changes: 14 additions & 2 deletions redshift_connector/core.py
Expand Up @@ -433,6 +433,7 @@ def __init__(
numeric_to_float: bool = False,
identity_namespace: typing.Optional[str] = None,
token_type: typing.Optional[str] = None,
idc_client_display_name: typing.Optional[str] = None,
):
"""
Creates a :class:`Connection` to an Amazon Redshift cluster. For more information on establishing a connection to an Amazon Redshift cluster using `federated API access <https://aws.amazon.com/blogs/big-data/federated-api-access-to-amazon-redshift-using-an-amazon-redshift-connector-for-python/>`_ see our examples page.
Expand Down Expand Up @@ -481,6 +482,8 @@ def __init__(
The identity namespace to be used with IdC auth plugin. Default value is None.
token_type: Optional[str]
The token type to be used for authentication using IdP Token auth plugin
idc_client_display_name: Optional[str]
The client display name to be used for user consent in IdC browser auth plugin.
"""
self.merge_socket_read = True

Expand Down Expand Up @@ -561,7 +564,10 @@ def get_calling_module() -> str:
redshift_native_auth = True
init_params["idp_type"] = "AzureAD"

if credentials_provider.split(".")[-1] in ("IdpTokenAuthPlugin",):
if credentials_provider.split(".")[-1] in (
"IdpTokenAuthPlugin",
"BrowserIdcAuthPlugin",
):
redshift_native_auth = True
self.set_idc_plugins_params(
init_params, credentials_provider, identity_namespace, token_type
Expand Down Expand Up @@ -2617,12 +2623,18 @@ def set_idc_plugins_params(
credentials_provider: typing.Optional[str] = None,
identity_namespace: typing.Optional[str] = None,
token_type: typing.Optional[str] = None,
idc_client_display_name: typing.Optional[str] = None,
) -> None:
plugin_name = typing.cast(str, credentials_provider).split(".")[-1]
init_params["idp_type"] = "AwsIdc"

if identity_namespace:
init_params["identity_namespace"] = identity_namespace

if token_type:
if plugin_name == "BrowserIdcAuthPlugin":
init_params["token_type"] = "ACCESS_TOKEN"
elif token_type:
init_params["token_type"] = token_type

if idc_client_display_name:
init_params["idc_client_display_name"] = idc_client_display_name
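Review bot: set_idc_plugins_params gains an idc_client_display_name parameter, but the call site in the earlier hunk (`self.set_idc_plugins_params(init_params, credentials_provider, identity_namespace, token_type`) shows only the four original arguments and the call continues past the hunk, so unless the continuation adds the new argument the display name is never copied into init_params for the plugin. If that is the case the call should become `self.set_idc_plugins_params(init_params, credentials_provider, identity_namespace, token_type, idc_client_display_name)`. For BrowserIdcAuthPlugin a caller-supplied token_type is silently replaced by "ACCESS_TOKEN"; a debug log line when the two differ would make that override visible during troubleshooting. The plugin-name tuple `("IdpTokenAuthPlugin", "BrowserIdcAuthPlugin")` also duplicates the entries of IDC_PLUGINS_LIST in `__init__.py`, so deriving it from that constant would avoid the two lists drifting apart. The enclosing __init__ of Connection starts and ends outside these hunks.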
1 change: 1 addition & 0 deletions redshift_connector/plugin/__init__.py
Expand Up @@ -4,6 +4,7 @@
from .browser_azure_oauth2_credentials_provider import (
BrowserAzureOAuth2CredentialsProvider,
)
from .browser_idc_auth_plugin import BrowserIdcAuthPlugin
from .browser_saml_credentials_provider import BrowserSamlCredentialsProvider
from .common_credentials_provider import CommonCredentialsProvider
from .idp_credentials_provider import IdpCredentialsProvider