snowflake-connector-python icon indicating copy to clipboard operation
snowflake-connector-python copied to clipboard
verified publisher icon snowflakedb

SNOW-996175: Support for RFC1123 compliant Snowflake tenancy FQDN

Open Seethaar opened this issue 2 years ago • 5 comments

What is the current behavior?

The FQDN to access Snowflake public endpoint seem to derived from the Snowflake account name and when the account name contains underscores _, that gets carried forward to the FQDN. This violates RFC1123 apparently. While Snowflake support says, _ is interchangeable with -, this is being not supported by Snowflake connector. Hence we are forced to stay with the non-compliant URLs which are incompatible with the Next Generation Firewalls, which invalidates such URLs, which opens security gaps.

What is the desired behavior?

Snowflake connector should accomodate FQDNs with - some how.

How would this improve snowflake-connector-python?

Having an RFC compliance improves Customer Experience.

References and other background

https://www.digicert.com/kb/ssl-support/underscores-not-allowed-in-fqdns.htm

What is your Snowflake account identifier, if any?

quantium_dg_cip_dev, quantium_dg_cip_prd

Seethaar avatar Dec 21 '23 20:12 Seethaar

hi and thank you for raising this issue, taking a look (also the support case your colleague raised)

sfc-gh-dszmolka avatar Jan 10 '24 11:01 sfc-gh-dszmolka

as mentioned in the support case: could not reproduce the issue with snowflake-connector-python==3.6.0

import snowflake.connector
import logging
import os
 
for logger_name in ['snowflake','botocore']:
  logger = logging.getLogger(logger_name)
  logger.setLevel(logging.DEBUG)
  ch = logging.FileHandler('python_connector.log')
  ch.setLevel(logging.DEBUG)
  ch.setFormatter(logging.Formatter('%(asctime)s - %(threadName)s %(filename)s:%(lineno)d - %(funcName)s() - %(levelname)s - %(message)s'))
  logger.addHandler(ch)
 
for myaccount in ['d_sz_m_o_l_k_a', 'd-sz-m-o-l-k-a']:
    print(f'Trying account notation {myaccount}')
    con = snowflake.connector.connect(
        user='admin',
        account='myorgname-' + myaccount,
        password='password'
    )
 
    print(con.cursor().execute("select current_user()").fetchall())
    con.close()

results in

# python test.py 
Trying account notation d_sz_m_o_l_k_a
[('ADMIN',)]
Trying account notation d-sz-m-o-l-k-a
[('ADMIN',)]

can you please try it with this version of the driver and see if it reproduces for you? if it does, would it be please possible to provide a runnable piece of code which when run, leads to the issue you're seeing; hyphens - not supported in the Connector?

sfc-gh-dszmolka avatar Jan 16 '24 10:01 sfc-gh-dszmolka

closing this issue as there's no activity for a while now - if this is still an issue, do let us know please and we can reopen if it needs further investigation

sfc-gh-dszmolka avatar Feb 05 '24 12:02 sfc-gh-dszmolka

Hey @sfc-gh-dszmolka, it's Florian from dbt Labs :)

We are seeing issues popping up on that with dbt-snowflake and Python 3.11.

Users and customers with _ in their Snowflake account name encounter an error due to a change in Python 3.11 SSL. Apparently it no longer supports URLs with underscores.

If indeed _ and - are interchangeable for your account names, it would be lovely if the connector would just replace them outright?

Fleid avatar May 31 '24 15:05 Fleid

thanks for the feedback! reopening the issue for the driver team to consider this enhancement request for future plans

sfc-gh-dszmolka avatar Jun 01 '24 15:06 sfc-gh-dszmolka