The snowflake connector requires a passphrase.

How to reproduce the bug

  1. Configure new database connection with the URI snowflake://{user}:{password}@{account}.{region}/{database}
  2. Add security extra:
{
    "auth_method": "keypair",
    "auth_params": {
        "privatekey_path":"/certs/my_cert.p8"
    }
}
  1. Click Finish
  2. See error

Expected results

The connection should work successfully.

Actual results

Error An error occurred while creating databases: 'privatekey_pass' appears.

Environment

(please complete the following information):

  • Firefox 109.0.1 (64-bit)
  • superset version: Superset 0.0.0-dev (
  • python version: Python 3.8.16
  • any feature flags active:
FROM apache/superset:latest

USER root

RUN pip install snowflake-sqlalchemy

USER superset

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • [✅] I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • [✅] I have reproduced the issue with at least the latest released version of superset.
  • [✅] I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Here are other possible configurations and their errors:

{
    "auth_method": "keypair",
    "auth_params": {
        "privatekey_path":"/certs/my_cert.p8",
        "privatekey_pass": ""
    }
}

Error: An error occurred while creating databases: Password was given but private key is not encrypted.

{
    "auth_method": "keypair",
    "auth_params": {
        "privatekey_path":"/certs/my_cert.p8",
        "privatekey_pass": null
    }
}

Error: ERROR: 'NoneType' object has no attribute 'encode'

Solution(s)

Add logic to accept private key as is if no passphrase is provided.

Comment From: tonofll

Hi @betodealmeida , is there any update on this or a workaround to use a private key without password?

Issue is on line 373, since if password doesn't exists (null), it can't be encoded.

https://github.com/apache/superset/blob/ed14f36c558459c6dd231dcbcdf6fe52ca15998e/superset/db_engine_specs/snowflake.py#L371-L375

However serialization.load_pem_private_key accepts password null values (Optional[bytes])

https://github.com/pyca/cryptography/blob/75b002ae7fb1f263fdd4983d0c23493878e127fe/src/cryptography/hazmat/primitives/serialization/base.py#L16

def load_pem_private_key(
    data: bytes, password: typing.Optional[bytes], backend=None
) -> _PRIVATE_KEY_TYPES:
    backend = _get_backend(backend)
    return backend.load_pem_private_key(data, password)

Comment From: mvdbosch

Any update on this issue?

Comment From: rusackas

Tempted to close this as stale... and I swear this has been reported elsewhere, but giving a ping to @villebro as well, who might have run into this situation.

Comment From: emattson

I hit this same issue this morning

Comment From: rusackas

Can anyone validate if this is still an issue we're concerned with, and if it's in 4.1.1/5.0.0?

Comment From: junyoneyama

Can anyone validate if this is still an issue we're concerned with, and if it's in 4.1.1/5.0.0?

I met the same issue in 4.1.1.

Base Docker image: apache/superset:4.1.1 Additional dependency: snowflake-sqlalchemy==1.7.3

Comment From: stanislav-dombrovskiy-dp

I used this doc

snowflake://<Username>@<Account>/<Database>?role=<Role>&warehouse=<Warehouse>

{
     "auth_method": "keypair",
     "auth_params": {
         "privatekey_body": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n...\n-----END ENCRYPTED PRIVATE KEY-----",
         "privatekey_pass":"my_password"
    }
 }

And I get this error: An error occurred while creating databases: Password was given but private key is not encrypted.

Comment From: JohnDietrich-Pepper

Yep same issue which is a problem since Snowflake is moving to MFA or requiring key pair

Comment From: JDietrich-Pepper

@rusackas @villebro Looking for updates because we are getting close if we want to redevelop in a different platform before the MFA cutover.