feat(oauth): adding necessary changes to support bigquery oauth

[fisjac]

SUMMARY

Adding needed changes to support future implementation of OAuth2 functionality for BigQuery.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[fisjac]

BigQuery raises an error when running create_engine() necessitating another needs_oauth2(ex) check for the proper oauth2 exceptions to trigger the Oauth dance. Most DB's allow for an engine to be created without valid creds, and instead raises the exception on engine.connect()

[fisjac]

Database is required to create the BigQuery Client when using OAuth2

[fisjac]

aligning other specs to have database, and adding missing docstring

[fisjac]

adding database param

[fisjac]

Again, here BigQuery needs the Database object to build the client. Checks if the function signature has database as a param, then passes it.

[fisjac]

BigQuery takes project_id as a param in its OAuth2 parameters

[betodealmeida]

I think ideally we'd want to store the project id in the URI, to make it compatible with non-oauth2 use cases. And then later when you need you can grab it from database.sqlalchemy_uri.database.

[codecov]

Codecov Report

Attention: Patch coverage is 82.05128% with 7 lines in your changes missing coverage. Please review.

Project coverage is 70.86%. Comparing base (76d897e) to head (55b4d1b).
Report is 905 commits behind head on master.

Files with missing lines	Patch %	Lines
...aseModal/DatabaseConnectionForm/EncryptedField.tsx	0.00%	2 Missing ⚠️
superset/db_engine_specs/bigquery.py	50.00%	2 Missing ⚠️
...eModal/DatabaseConnectionForm/CommonParameters.tsx	50.00%	1 Missing ⚠️
superset/commands/database/test_connection.py	66.66%	1 Missing ⚠️
superset/db_engine_specs/base.py	75.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #30674       +/-   ##
===========================================
+ Coverage   60.48%   70.86%   +10.37%     
===========================================
  Files        1931     1988       +57     
  Lines       76236    80300     +4064     
  Branches     8568     9151      +583     
===========================================
+ Hits        46114    56904    +10790     
+ Misses      28017    21177     -6840     
- Partials     2105     2219      +114     

Flag	Coverage Δ
hive	48.89% <58.82%> (-0.27%)	⬇️
javascript	58.62% <40.00%> (+0.91%)	⬆️
mysql	76.81% <85.29%> (?)
postgres	76.90% <85.29%> (?)
presto	53.38% <58.82%> (-0.42%)	⬇️
python	83.93% <88.23%> (+20.45%)	⬆️
sqlite	76.36% <85.29%> (?)
unit	60.87% <82.35%> (+3.24%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[betodealmeida]

Looks good, but wondering if we need to modify _get_client here to take a database object.

[geido]

Let's localize the label

[geido]

Do we have sufficient test coverage for this case?

[betodealmeida]

Looks good, but I left a few comments on the handling of project_id. Happy to hop on a meeting to discuss it in more detail.

[betodealmeida]

Since this is BigQuery specific, it's better to not add it here, otherwise the interface loses its purpose. Ideally we want to keep only the common information that every oauth2 client has.

Can we have this in a separate attribute instead?

[fisjac]

The main reason I wanted to place this here is that, due to the flow for BigQuery, users will either add service creds, which contains the project_id, or they will add OAuth creds, which also contains the project_id. I agree in theory we should have a separate field, but that possibly gets even messier when you can have a project_id that can differ from the one used in the service creds.

[betodealmeida]

@fisjac but the OAuth2ClientInfo component is designed as a generic component to be used by all databases that support OAuth2, and should contain only the information that is specific to OAuth2.

if this were a small project it could be OK, but what's inevitably going to happen is that people are going to start adding more non-OAuth2 related fields here, and more if (db.engine === Engines.Foo) snippets, and the dynamic form builder is going to get even more messier than it already is.

Also, from a UX perspective, it's confusing to ask for a BigQuery project name in a panel called "OAuth2 client information".

Can't you just add a field for the project name to the BigQuery dynamic form? It would still be relevant regardless of if we're using OAuth2 of not, and would actually work as a nice sanity check in case someone adds the wrong credentials — we could check that the name in the project is equal to the provided project name.

[betodealmeida]

I think ideally we'd want to store the project id in the URI, to make it compatible with non-oauth2 use cases. And then later when you need you can grab it from database.sqlalchemy_uri.database.

[betodealmeida]

This looks great, but I have to push back on adding project name/ID to the OAuth2 client information. Can we try adding a field for it?

[betodealmeida]

@fisjac but the OAuth2ClientInfo component is designed as a generic component to be used by all databases that support OAuth2, and should contain only the information that is specific to OAuth2.

if this were a small project it could be OK, but what's inevitably going to happen is that people are going to start adding more non-OAuth2 related fields here, and more if (db.engine === Engines.Foo) snippets, and the dynamic form builder is going to get even more messier than it already is.

Also, from a UX perspective, it's confusing to ask for a BigQuery project name in a panel called "OAuth2 client information".

Can't you just add a field for the project name to the BigQuery dynamic form? It would still be relevant regardless of if we're using OAuth2 of not, and would actually work as a nice sanity check in case someone adds the wrong credentials — we could check that the name in the project is equal to the provided project name.

[betodealmeida]

Nice!

Does this work even though the method is a GET? I remember you mentioning that it was not the case?

[fisjac]

the transaction decorator works. It's necessary here because it's a GET request. in POST and PUT requests flask-appbuilder automatically runs a session.commit which is why they are not needed for the other standard endpoints. It's rare that we are persisting changes to the DB on a GET request, but necessary in this case.

[betodealmeida]

If EncryptedDict and EncryptedString are not used, why are you importing them?

Suggested change

	from superset.databases.types import ( # pylint:disable=unused-import
	EncryptedDict, # noqa: F401
	EncryptedField,
	EncryptedString, # noqa: F401
	)
	from superset.databases.types import EncryptedField

[fisjac]

They are being imported by other db engine specs that point to databases.schemas . Rather than change all of the references in every spec with encrypted extra, I thought it would be cleaner to still point to the Schemas, which is where they really should be located were it not for app_context issues.

[betodealmeida]

Nice! This is much more robust than my insert(0, ...) suggestion.

[betodealmeida]

Awesome!

[betodealmeida]

Looks great!