airflow icon indicating copy to clipboard operation
airflow copied to clipboard
verified publisher icon apache

Added JWT authentication to the TableauHook

Open dominikhei opened this issue 6 months ago • 7 comments

I added JWT Authentication to the TableauHook. If password and login are set, it is preferred over JWT Authentication. There are two options for using a token: Passing it as a string to the connection extras or using a path to a location on disk to a file. If both are set, the file will be used. closes: https://github.com/apache/airflow/issues/51453

dominikhei avatar Jun 15 '25 11:06 dominikhei

You probably need to run breeze static-checks --type update-providers-dependencies --all-files

eladkal avatar Jun 15 '25 12:06 eladkal

@eladkal The problem is between apache-airflow-providers-amazon[aiobotocore] and apache-airflow-providers-tableau:

  • botocore requires urllib3 versions between 1.25.4 and 1.27 for Python < 3.10
  • tableauserverclient>=0.27 (which we need for the JWT authentication) requires urllib3>=2.0.6

It seems like this issue is not a problem with Python>=3.10 only with < 3.10

dominikhei avatar Jun 15 '25 13:06 dominikhei

I think we can set the provider to be Python 3.10+ only. Python 3.9 is EOL very soon and anyway we don't introduce that many changes to the tableau provider. cc @potiuk WDYT?

eladkal avatar Jun 15 '25 14:06 eladkal

dependency issues seem to be resolved with python3.10 when testing locally. However breeze static-checks --type update-providers-dependencies --all-files always uses a python3.9 ci-image, no matter what I try to change.

dominikhei avatar Jun 16 '25 21:06 dominikhei

Can you push the changes? Lets see Probably need to set min Python version for the provider, not sure if we allow this per provider. Lets see what the CI says. We can also limit usage of the new feature for Python 3.10+ if needed without changing the min Python vesrion.

eladkal avatar Jun 16 '25 22:06 eladkal

@dominikhei try to run: breeze ci-image build --upgrade-to-newer-dependencies

eladkal avatar Jun 17 '25 12:06 eladkal

@dominikhei try to run: breeze ci-image build --upgrade-to-newer-dependencies

Already tried it, still tries to run the checks with the 3.9 ci-image. maybe its hardcoded somewhere because I can not find a way to use the 3.10 image, even though I have configured breeze to use it.

dominikhei avatar Jun 17 '25 14:06 dominikhei

@dominikhei try to run: breeze ci-image build --upgrade-to-newer-dependencies

Already tried it, still tries to run the checks with the 3.9 ci-image. maybe its hardcoded somewhere because I can not find a way to use the 3.10 image, even though I have configured breeze to use it.

We have a case of excluded Python 3.9 from a provider. apply similar logic as shown here:

https://github.com/apache/airflow/blob/a4a51a02db2994e4ea94b83887739dc79a4d11d9/providers/cloudant/pyproject.toml#L52-L63

eladkal avatar Jun 19 '25 17:06 eladkal

Apart from the failing doc checks, which i'll adjust, the CI still runs with 3.9 leading to tableauserverclient now not being included as a dependency (tableauserverclient>=0.27;python_version>=\"3.10\"). Locally the breeze static-checks --type update-providers-dependencies --all-files worked.

dominikhei avatar Jun 19 '25 19:06 dominikhei

Looks like we need also to make changes in global_constants.py add tableau to all Python 3.9 entries in remove-providers:

https://github.com/apache/airflow/blob/96c48a59e8233f5cd0ad729830190a633db8b996/dev/breeze/src/airflow_breeze/global_constants.py#L725-L744

might also need change in test-providers.yaml but not 100% sure, lets apply the above fix first and see if we need to change here too https://github.com/apache/airflow/blob/3198aad1bfd7cbf8b3de56c482dc9d96e00d3a69/.github/workflows/test-providers.yml#L129-L132

We just need to read the errors to get direction of what is the issue and then look up for cloudant key word in the code base to see what special treatment it gets. The issue of excluding Python version in a specific provider is not common thus we don't have 1 line fix for this yet.

eladkal avatar Jun 20 '25 11:06 eladkal

Might be helpful for later once we made it work, to also adjust the Contributors Guide with a section on this.

dominikhei avatar Jun 20 '25 12:06 dominikhei 

airflow-core/tests/unit/always/test_providers_manager.py:256: in test_hook_values
    raise AssertionError("There are warnings generated during hook imports. Please fix them")
E   AssertionError: There are warnings generated during hook imports. Please fix them

failure is because we are missing similar:

https://github.com/apache/airflow/blob/a4a51a02db2994e4ea94b83887739dc79a4d11d9/providers/cloudant/provider.yaml#L57-L62

eladkal avatar Jun 20 '25 12:06 eladkal

Might be helpful for later once we made it work, to also adjust the Contributors Guide with a section on this.

You will be the best person for the job. Ideally, if we can find automations I think it's better. we already have the excluded-python-versions per provider so I think it would be better to try to automate the tests to account for this

eladkal avatar Jun 20 '25 12:06 eladkal

OK looks like all cutrent failures are docs/examples and tableau tests

eladkal avatar Jun 20 '25 13:06 eladkal

OK looks like all cutrent failures are docs/examples and tableau tests

Seems like airflow/providers/tableau/docs/tableau.rstwas not previously tracked and I added it by accident

The failing tests are still linked to the python version:

_ ERROR collecting providers/tableau/tests/unit/tableau/sensors/test_tableau.py _
ModuleNotFoundError: No module named 'tableauserverclient'

dominikhei avatar Jun 20 '25 13:06 dominikhei

can you fix the other tests? Sometimes handling the other errors solves the doc problems

eladkal avatar Jun 20 '25 13:06 eladkal

Almost :) We need to skip tests on Python 3.9 runners - this needs to be done on all Tableau test files

https://github.com/apache/airflow/blob/4d5846f58fe0de9b43358c0be75dd72e968dacc4/providers/cloudant/tests/unit/cloudant/hooks/test_cloudant.py#L30-L37

eladkal avatar Jun 20 '25 16:06 eladkal

@eladkal the only failing static check is ts-compile-lint-ui due to some code quality violations in the frontend code. I just checked and the code responsible for one of the errors was last touched on 22.04.2025.

Do you know why this is failing now?

dominikhei avatar Jun 22 '25 04:06 dominikhei

@eladkal the only failing static check is ts-compile-lint-ui due to some code quality violations in the frontend code. I just checked and the code responsible for one of the errors was last touched on 22.04.2025.

Do you know why this is failing now?

we reverted dependaboat bumps, please rebase it should work now?

gopidesupavan avatar Jun 22 '25 09:06 gopidesupavan

I started [DISCUSS] Dropping Python 3.9 support lets see if we can get it passed soon thus making this PR easier

eladkal avatar Jun 22 '25 09:06 eladkal

I started [DISCUSS] Dropping Python 3.9 support lets see if we can get it passed soon thus making this PR easier

Should we just wait until we upgrade to 3.10, as the feedback was positive or add it for 3.9 with the workarounds? (Would need to rebase due to https://github.com/apache/airflow/pull/51930)

dominikhei avatar Jun 22 '25 15:06 dominikhei

https://github.com/apache/airflow/pull/52072 is merged. You can now proceed without the trouble of Python 3.9

eladkal avatar Jun 27 '25 13:06 eladkal

Nice!

eladkal avatar Jul 03 '25 18:07 eladkal

Thank you for implementing JWT authentication. This opens the door to migrating from PAT to Connected Apps.

I noticed the current implementation assumes the Tableau connection already contains a valid JWT token. Is there a reason you opted for this approach over generating the JWT within the Tableau hook? As far as I'm aware, it isn't possible to generate a long-lived JWT, so users would need to regenerate the JWT quite frequently (every couple of minutes).

armandduijn avatar Nov 21 '25 10:11 armandduijn