Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow no-passphrase private keys #1805

Closed
4 tasks
kmbenitez opened this issue Oct 4, 2019 · 2 comments · Fixed by #2164
Closed
4 tasks

Allow no-passphrase private keys #1805

kmbenitez opened this issue Oct 4, 2019 · 2 comments · Fixed by #2164
Labels
enhancement New feature or request snowflake

Comments

@kmbenitez
Copy link

Describe the bug

The Snowflake connector (at least) requires a passphrase in the profile file to open a private key connection.

Steps To Reproduce

Create a dbt target like the following:

    qa:
      type: snowflake
      account: my_account
      user: my_user
      role: ANALYST

      # Keypair config
      private_key_path: "path/to/my/no/passphrase/key"
      private_key_passphrase: None

      database: DB
      warehouse: WH
      schema: PUBLIC
      threads: 1
      client_session_keep_alive: False

Attempt to run against said DBT target. DBT will fail because no passphrase is provided. If, instead, a passphrase is provided, the connection will fail because the key is not encrypted.

Expected behavior

Perhaps a warning in output that unencrypted keys are not the norm, requiring additional setting of override field in profile. If that's set, go ahead with the unencrypted key.

System information

Which database are you using dbt with?

  • postgres
  • redshift
  • bigquery
  • [ x] snowflake
  • other (specify: ____________)

The output of dbt --version:

0.14.2

The operating system you're using:
OSX
The output of python --version:
Python 3.7.3
@kmbenitez kmbenitez added bug Something isn't working triage labels Oct 4, 2019
@kmbenitez
Copy link
Author

I know how to just make it work within the Snowflake connection, but don't know how to do more involved things like requiring a flag in the project or profile file.

@drewbanin drewbanin removed the triage label Oct 5, 2019
@drewbanin
Copy link
Contributor

Thanks for the suggestion @kmbenitez! The operative code for private key Snowflake connections is around here:
https://github.com/fishtown-analytics/dbt/blob/31e085b7df015eac92faee4912fa481d1085c4b9/plugins/snowflake/dbt/adapters/snowflake/connections.py#L53-L65

If you have an unencrypted .pem file, would we skip the serialization.load_pem_private_key step and instead just supply raw bytes from the .pem file to p_key.private_bytes()?

If that's the case, I think we can remove the guard or self.private_key_passphrase is None and instead do something like:

if  self.private_key_passphrase is None:
  logger.warn("The specified private key is not encrypted; this is not recommended")
  p_key = ... code to get raw bytes from the file....
else:
  p_key = serialization.load_pem_private_key( ... )

I don't think we'd need extra flags in the project or profile file in this case.

@drewbanin drewbanin added snowflake enhancement New feature or request and removed bug Something isn't working labels Oct 5, 2019
carlineng pushed a commit to carlineng/dbt that referenced this issue Jan 25, 2020
Allow for password-less private key (dbt-labs#1805)
c672cb4 
Simple change to allow private keys without passwords. The cryptography
package supports this behavior simply by passing `None` as the value for
the `password` parameter:

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.load_pem_private_key
@mhmcdonald mhmcdonald mentioned this issue Feb 27, 2020
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request snowflake
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

removing the requirement to have a passphrase on a Snowflake key mhmcdonald/dbt
2 participants
@drewbanin @kmbenitez