-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert cert default, add require_certificate_validation Behavior Flag #447
Revert cert default, add require_certificate_validation Behavior Flag #447
Conversation
Thank you for your pull request! We could not find a changelog entry for this change. For details on how to document a change, see the contributing guide. |
8ca4377
to
b63c640
Compare
This reverts commit 2aa6317.
8bf749a
to
ab506cd
Compare
dbt/adapters/trino/connections.py
Outdated
@@ -464,6 +470,11 @@ def open(cls, connection): | |||
return connection | |||
|
|||
credentials = connection.credentials | |||
verify = ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know that this captures the logic that I was picturing. In my mind, it looks like this:
- if the user has set
cert
, take that setting - if the behavior flag evaluates to true (in this case because the user set it to True since the default is False), then take whatever
cert
is (not the flag itself) - if the behavior flag evaluates to false (could be the user did not set, or specifically set it to false) then set
cert=False
(the legacy default)
I think this also means the default setting above for cert
should remain True
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, logic is as follows:
-
If
cert
is explicitly set toTrue
,False
, or a string containing a certificate path, that value is used, and the behavior flag is not taken into consideration.As I understand it, behavior flag is intended to control default behavior when cert is not set.
-
If
cert
is not set and the behavior flag is not set, the flag defaults toFalse
. In this case,False
is passed to Trino Python Clientverify
parameter, meaning SSL verification is disabled. This aligns with the default behavior before the 1.8.3 release. -
If cert is not set but the behavior flag is set to
True
,True
is passed to the TPC, enabling SSL verification. This is the behavior I would expect when using a flag namedrequire_certificate_validation
.
Falling back to thecert
value when the flag is explicitly set toTrue
feels counterintuitive to me.
Does this logic make sense? Or do you think it needs to be adjusted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I understand it, behavior flag is intended to control default behavior when cert is not set.
Ah, I think this is where we differ. And it's more confusing since we're effectively using a boolean to set another boolean. The behavior flag indicates whether we are using the new behavior. The new behavior just so happens to line up with the behavior flag itself. So technically we should have (pseudocode):
if behavior_flag is False:
default(cert) = None
elif behavior_flag is True:
default(cert) = True
But since None
and False
are both "false-y" and we only check the bool of the value after checking whether the user supplied it, you're right that this could be represented as:
bool(default(cert)) == bool(behavior_flag)
Personally, I would still jump through the hoop to make it clear that the behavior flag and the cert
default setting are not the same thing; perhaps I'm being pedantic. Either way, the current logic should work. Since this is yours to maintain, I'm good with it if you are.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can see it now, thanks! I’ve updated it so that the behavior flag now controls the default cert
value. I also added a new test test_cert_default_value
which checks the value that cert is set to for a specific behavior flag.
ab506cd
to
6f12e46
Compare
Hi @damian3031 hope you're well. With regards to scenarios where the behavior flag is not set and default is False, we're throwing a lot of warnings:
Is there any way to implement a fix to silence these warnings? There are hundreds of them in each dbt Cloud job run and are rendering our console logs practically useless for the users. |
We have the same request as @Tonayya , these warnings are filling up our logs and make it impossible to read through the run metrics. |
Hi @nguyenann13 this is being addressed in this PR. 😸 |
@Tonayya @nguyenann13 We added the ability to silence |
cert
default toFalse
.require_certificate_validation
, which defaults toFalse
for now.cert
isn't explicitly specified andrequire_certificate_validation
flag is set toFalse
(or left at the default):require_certificate_validation
toTrue
is equivalent to settingcert
toTrue
(ifcert
isn't specified explicitly).