SNOW-1689931: Snowflake JDBC Driver does not allow using the SPCS /snowflake/session/token due to its permissions being globally read-write. #1902
Labels: bug; status-fixed_awaiting_release (The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector.); status-triage_done (Initial triage done, will be further handled by the driver team.)
In the latest version of the JDBC driver, users are unable to utilize a Snowpark Container Services OAuth token file because it has more than user read/write permissions.
I am one of our Principal Solutions Architects in Snowflake PS and I am building a container for one of my RSA customers. In my SPCS container I am leveraging the following connections.toml.template:
During the container startup, I am rendering this using
This works fine as intended until my application tries to connect using the jdbc:snowflake:auto URL that leverages my connections.toml file. The Java Spring application provides these messages:
This is occurring because these are the permissions on the /snowflake/session/token file in a Snowpark container:

The JDBC code checks whether the OAuth token file has a 0600 chmod. The following code calls the verifyFilePermissionSecure() method at lines 111-121 of SFConnectionConfigParser.java:
https://github.com/snowflakedb/snowflake-jdbc/blob/master/src/main/java/net/snowflake/client/config/SFConnectionConfigParser.java

All Snowflake drivers should ignore the token permissions if the token file is /snowflake/session/token. The driver at the lines above should skip calling verifyFilePermissionSecure() when the token is /snowflake/session/token.

Additionally, in my opinion, it would be ideal if the jdbc:snowflake:auto URL would automatically use the token and the SNOWFLAKE_ACCOUNT, SNOWFLAKE_HOST, SNOWFLAKE_DATABASE, and SNOWFLAKE_SCHEMA environment variables provided by SPCS whenever the values are not provided in a connections.toml. That would make the use of SPCS OAuth trivial in many packaged Java applications, and users would not need to use envsubst to populate the connections.toml file at runtime as I currently do.

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!
What version of JDBC driver are you using?
3.19.0
What operating system and processor architecture are you using?
Snowpark Container running an Ubuntu-based container image
FROM --platform=linux/amd64 eclipse-temurin:8-jre
What version of Java are you using?
Java 1.8
What did you do?
See above. I can provide the exact container if you Slack me internally.
See above. The JDBC driver should have allowed opening the connection using the SPCS token file.
I believe the logs above should be sufficient but I can if necessary try to get the DEBUG
AWS_CAS2 (Snowflake Professional Services)
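The permission check the report describes (reject a token file unless it is owner read/write only) and the proposed exception for the platform-managed SPCS token path can be illustrated in a few lines of Java. The following is an added example written for this page; it is not the snowflake-jdbc driver's verifyFilePermissionSecure() implementation, and the class and method names (TokenFileCheck, isTokenFileAcceptable) are hypothetical. It assumes a POSIX filesystem (Files.getPosixFilePermissions throws UnsupportedOperationException on Windows) and that /snowflake/session/token only exists inside an SPCS container.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

public class TokenFileCheck {
    // Token file that SPCS mounts into every container. Its mode is controlled by
    // the platform, not by the application, so the 0600 check is skipped for it.
    static final Path SPCS_TOKEN_PATH = Paths.get("/snowflake/session/token");

    // The only bits a user-supplied token file is allowed to carry (0600; 0400 is a subset).
    static final Set<PosixFilePermission> OWNER_ONLY =
        EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /**
     * Returns true if the driver may read the token from this file:
     * either it is the platform-managed SPCS token, or it is a regular file
     * whose permissions grant nothing to group or others.
     */
    static boolean isTokenFileAcceptable(Path tokenFile) throws IOException {
        Path normalized = tokenFile.toAbsolutePath().normalize();
        if (!Files.isRegularFile(normalized)) {
            return false;
        }
        if (normalized.equals(SPCS_TOKEN_PATH)) {
            // Platform-managed file: accept regardless of mode bits.
            return true;
        }
        // Any bit outside owner read/write (group/other access, execute, etc.) fails the check.
        Set<PosixFilePermission> extra = EnumSet.noneOf(PosixFilePermission.class);
        extra.addAll(Files.getPosixFilePermissions(normalized));
        extra.removeAll(OWNER_ONLY);
        return extra.isEmpty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary file whose mode is changed between checks.
        Path tmp = Files.createTempFile("token", ".txt");
        try {
            Files.setPosixFilePermissions(tmp, EnumSet.of(
                PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.GROUP_READ, PosixFilePermission.OTHERS_READ));
            System.out.println("mode 0644 accepted: " + isTokenFileAcceptable(tmp));

            Files.setPosixFilePermissions(tmp, OWNER_ONLY);
            System.out.println("mode 0600 accepted: " + isTokenFileAcceptable(tmp));

            // Outside an SPCS container this path does not exist and the check returns false;
            // inside one it is accepted without inspecting its mode bits.
            System.out.println("SPCS token path accepted: " + isTokenFileAcceptable(SPCS_TOKEN_PATH));
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

Comparing the normalized absolute path against the fixed SPCS location keeps the exception narrow: a symlink or relative path that merely resolves near that directory still goes through the ordinary owner-only check.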