Skip to content

feat: add kernel integration test lane + use_kernel auth support#1576

Merged
sd-db merged 10 commits into
mainfrom
sd-db/kernel-integration-test
Jul 8, 2026
Merged

feat: add kernel integration test lane + use_kernel auth support#1576
sd-db merged 10 commits into
mainfrom
sd-db/kernel-integration-test

Conversation

@sd-db

@sd-db sd-db commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Description

Adds a weekly integration-test lane that exercises the dbt-databricks functional suite through the databricks-sql-connector Rust kernel backend (use_kernel=True, connector 4.3.0), plus the adapter change required for connections to authenticate on that path.

Why an adapter change is needed

The kernel routes over the SEA (Statement Execution API) HTTP transport and owns the OAuth token lifecycle itself, so its auth bridge rejects the connector credentials_provider that dbt passes on the default Thrift path. Without a change, every connection under use_kernel=True fails at open. SqlUtils.prepare_connection_arguments now, when use_kernel is set, forwards the raw credential the bridge understands instead:

dbt auth Kernel handling
PAT (token) forward access_token
Databricks OAuth M2M (client_id/client_secret) forward oauth_client_id/oauth_client_secret + the credential manager's resolved oauth_scopes
OAuth U2M (auth_type: oauth) translate to kernel auth_type=databricks-oauth, forwarding the credential manager's resolved oauth_client_id + oauth_scopes (dbt's defaults, not the kernel's)
Native Azure SP (azure_client_id/azure_client_secret) raise a clear DbtConfigError — the kernel has no Azure-AD flow, so fail loud rather than misroute

The default (Thrift) path is unchanged.

Workflow

.github/workflows/integration-kernel.yml mirrors the SPOG scheduled smoke but runs a single job: it installs the optional databricks-sql-connector[kernel] extra and runs the databricks_uc_sql_endpoint profile with DBT_DATABRICKS_USE_KERNEL=1. Scheduled Saturday 09:17 UTC, clear of the daily nightly and Sunday SPOG slots that share the peco warehouse.

SEA is warehouse-only (the connector rejects an all-purpose-cluster http_path), so only the SQL-warehouse profile runs, and the handful of tests that pin a model to a cluster path/compute are marked @pytest.mark.skip_kernel (a new marker enforced by an autouse fixture, gated on DBT_DATABRICKS_USE_KERNEL).

Verification

  • New unit tests in tests/unit/test_handle.py pin each auth shape's forwarded kwargs (PAT, M2M with/without dose prefix, oauth_scopes, U2M with/without explicit client_id, native-Azure guard).
  • Auth routing independently validated against the real kernel wheel via dummy connections: PAT / M2M / U2M reach the network (bridge accepts); native Azure SP guards before connect.
  • Live end-to-end on a SQL warehouse: use_kernel=True opens a KernelDatabricksClient and a basic table materialization passes (6/6); serverless Python models pass (their SQL connection stays on the warehouse).
  • Full unit suite green (1250 passed); skip_kernel-marked tests skip under the flag and run normally without it.

@sd-db sd-db force-pushed the sd-db/kernel-integration-test branch from 87bdea7 to ddc574e Compare July 6, 2026 13:06
@sd-db sd-db changed the title Add kernel integration test lane + use_kernel auth support feat: add kernel integration test lane + use_kernel auth support Jul 6, 2026
@sd-db sd-db marked this pull request as ready for review July 6, 2026 13:10
@sd-db sd-db requested a review from jprakash-db as a code owner July 6, 2026 13:10
@sd-db sd-db force-pushed the sd-db/kernel-integration-test branch from ddc574e to ef3c482 Compare July 6, 2026 13:12
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Coverage report

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)
Lines missing
  dbt/adapters/databricks
  handle.py
Project Total  

This report was generated by python-coverage-comment-action

Comment thread dbt/adapters/databricks/handle.py Outdated
"(azure_client_id/azure_client_secret). Use a personal access token "
"or Databricks OAuth (client_id/client_secret) instead, or drop "
"use_kernel to use the default backend."
)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we let this error be raised at the kernel level?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

umm maybe that's not possible

sd-db added 2 commits July 7, 2026 10:45
Adds a weekly SQL-warehouse integration workflow that runs the functional
suite through the databricks-sql-connector Rust kernel backend
(use_kernel=True), and the adapter change needed for connections to
authenticate on that path.

The kernel routes over SEA and owns the OAuth token lifecycle itself, so
its auth bridge rejects the connector credentials_provider dbt passes on
the Thrift path. prepare_connection_arguments now forwards the raw
credential the bridge understands (PAT, Databricks OAuth M2M, or OAuth
U2M) when use_kernel is set, and raises a clear error for native Azure
service-principal auth (which the kernel cannot serve) rather than
misrouting it. SEA is warehouse-only, so the workflow runs only the
databricks_uc_sql_endpoint profile and tests that pin a model to a
cluster are marked @pytest.mark.skip_kernel.
@sd-db sd-db force-pushed the sd-db/kernel-integration-test branch from 23e2dcb to ffa6ae3 Compare July 7, 2026 05:16
The kernel's oauth-m2m flow owns the full token lifecycle including refresh
(re-mints via workspace OIDC), so forwarding raw client_id/client_secret keeps
long-running connections authenticated. Reverts to raw-cred forwarding as the
primary path for PAT and Databricks OAuth (M2M/U2M).

Azure service principals have no kernel-native flow, so they remain a fallback:
dbt resolves the Azure exchange and forwards the resulting bearer token to the
kernel's PAT path, with a warning that this token does not auto-refresh. Routing
uses dbt's resolved config.auth_type, since an Azure SP may arrive either via
azure_client_id/secret or (legacily) the client_id/client_secret fields.

Fixes the CI invalid_client failure (peco is an Azure SP) without giving up
token refresh for the common PAT/Databricks-OAuth cases.
Split _add_kernel_auth_arguments into three clear identification paths per
review — PAT, U2M, and M2M — and reject/route the Azure SP up front:

- Native Azure SP (azure_client_id/secret) routes to the bearer fallback
  before the M2M resolution, since it has no kernel-native flow.
- U2M is identified simply as auth_type == "oauth" with no client secret.
- M2M forwards raw creds when the resolved config.auth_type is oauth-m2m
  (kernel owns refresh); a legacy Azure SP passed via client_id/client_secret
  resolves to azure-client-secret and takes the bearer fallback.

Extract the bearer-fallback into a helper. Terser docstring and CHANGELOG.
sd-db added 2 commits July 7, 2026 16:40
…t setup

Per review, the production kernel path should support only what the kernel
natively does: PAT, Databricks OAuth M2M (raw creds so the kernel owns refresh),
and OAuth U2M. Any other auth — notably an Azure service principal, which the
kernel has no flow for — is rejected with a DbtConfigError directing the user to
the default backend. Removes the in-adapter Azure->bearer-token conversion that
was only needed to run CI on a peco Azure SP.

That conversion now lives in test setup (tests/profiles.py): when
DBT_DATABRICKS_USE_KERNEL=1 and the credential is an SP, resolve it to a
workspace token and hand the kernel a PAT. Marked temporary — the resolved token
does not auto-refresh, and it goes away once the kernel gains native Azure
support.

Also restores test concurrency to -n 10 to match the other integration lanes.
…ken TTL

The kernel evicts SEA sessions under sustained -n 10 load, so late in-test
verification queries intermittently fail with "Cannot execute_command without
an open session". Drop the kernel lane to -n 4 to keep the concurrent session
count low.

At -n 4 the 3-shard run took ~60min/shard — right at the ~1h lifetime of the
Azure token the tests use — so split into 5 shards (~35min each) to keep every
job well clear of that boundary. Both are kernel-lane workarounds documented in
the workflow; the other lanes stay at -n 10 / 3 shards.
The temp trigger was added to validate the workflow on PR #1576; CI is green
across all shards (run 28882012926), so revert to the intended
workflow_dispatch + weekly schedule triggers.
Forward kernel OAuth fields from the credential manager so default client IDs and scopes match the normal auth path while avoiding SDK auth initialization on short-circuit flows.
@sd-db sd-db merged commit 55543ea into main Jul 8, 2026
16 of 17 checks passed
@sd-db sd-db deleted the sd-db/kernel-integration-test branch July 8, 2026 13:52
sd-db added a commit that referenced this pull request Jul 9, 2026
## Summary

Release prep for **dbt-databricks 1.12.2**. Touches only the two release
files:

- `CHANGELOG.md` — set the `1.12.2` heading date to `Jul 9, 2026` and
finalize the section (conformance cleanup + newly-added entries; see
below).
- `dbt/adapters/databricks/__version__.py` — bump `1.12.1` → `1.12.2`.

## CHANGELOG changes in this PR

- **Add `#1508`** (Under the Hood): record/replay instrumentation for
`add_query`, `get_relation_config`, `is_uniform`, `has_dbr_capability`,
`is_cluster` (test-only, no runtime impact).
- **Consolidate the coverage-run test work** into a single
Under-the-Hood entry spanning the release's ~38 test/CI PRs, replacing
the several partial test lines that were scattered across the section.
The `#1576` kernel integration-test workflow line is kept separate (tied
to the kernel feature).
- **Conformance pass** per `AGENTS.md`: fix bare PR links
(`[1440]`/`[1467]`/`[1539]` → `[#…]`), normalize `partially solves` →
`partially resolves` and `closes` → `resolves` on the touched entries.

## Test plan

- [x] `hatch run code-quality` — ruff / ruff format / mypy pass.
(`uv-lock --check` is a known local-config false-negative; this PR does
not touch `pyproject.toml` / `uv.lock`.)
- [x] `hatch run unit` — 1258 passed, 6 skipped, 0 failures.
- [x] `hatch run pre-commit run --files CHANGELOG.md
dbt/adapters/databricks/__version__.py` — pass.
- [x] CI (code quality, unit 3.10–3.13, build) to run on this PR.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants