In general, Databricks recommends using OAuth instead of Personal Access Tokens (PATs) for authentication with Databricks to improve security. We are now extending this recommendation to Databricks Git credentials and encourage the use of OAuth over Git providers' PATs when authenticating with your Git providers.
Today, we're excited to announce the General Availability of OAuth Git credential support for Service Principals with GitHub and Azure DevOps, improving Git connection security for automated workloads.
Databricks Git integration initially supported only PATs for authentication. Users created personal access tokens with their Git provider and stored the tokens in Databricks. This approach is no longer recommended for several reasons, including:
- (Long lifetimes) PATs offer longer access durations (weeks/months) than short-lived tokens (hours/days). Although administrators can enforce shorter PAT lifespans, this creates operational challenges, as users must frequently update their Databricks Git credentials to avoid workflow failures upon expiration.
- (Insecure storage and transfer) Users often copy PATs manually, which can leave traces in clipboards and documents.
- (Broad scopes) Some PATs, such as GitHub Classic PATs, apply to every repo the user can access. This behaviour can easily lead to unintended privilege escalation and allow for lateral movement.
- (Missing service principal support) Some Git providers, such as Azure DevOps, don't support generating PATs for service principals.
Our most popular Git providers discourage the use of PATs: GitHub and Azure DevOps don't recommend using PATs for long-lasting integrations. Bitbucket recommends that Bitbucket Cloud integration and app developers use OAuth for user authentication instead of access tokens.
Databricks has supported OAuth 2.0-based user authentication with GitHub and Azure DevOps for several years, but this support was previously limited to interactive user sessions.
Now that Service Principal support is generally available, our recommendation is to use OAuth instead of PATs when integrating with these Git providers for both interactive and automated workflows. What are the benefits? Take our GitHub App integration as an example:
- OAuth tokens are automatically refreshed by default. Users no longer encounter errors when a PAT expires.
- OAuth offers enhanced administrative control, especially over which integrated repos can be viewed and accessed.
- OAuth allows you to configure access to specific GitHub repos.
- Access tokens have a short lifespan (in this case, 8 hours), which reduces the risk of credential exposure.
Some customers have requested SSH authentication and GPG commit signing. However, we chose to invest in OAuth support instead, as SSH and GPG would require users to upload private keys to Databricks, much like storing a PAT, leading to the same drawbacks: long-lived credentials and manual rotation. Moreover, if an improperly scoped SSH key were compromised, it could grant an attacker direct SSH access to the Git server host, significantly increasing the risk of exploitation.
Getting Began
For GitHub, you can configure the Service Principal GitHub App connection on the Service Principal's settings page, following a process similar to a user's configuration. For Azure DevOps, we now support OAuth connections for service principals using federated credentials based on OpenID Connect (OIDC). OIDC is an authentication protocol built on top of OAuth 2.0 that provides login and profile information about the authenticated party. OIDC enables secure and user-friendly login experiences by allowing users to authenticate once with a trusted identity provider (IdP, in this case Microsoft Entra ID) and be remembered without needing to re-enter credentials. For a service principal there is no interactive login at all: the federated credential pins the issuer, subject and audience of the OIDC token it will accept, so no long-lived secret ever has to be stored in Databricks. This new feature replaces the earlier scripting-based approach described in this blog, significantly simplifying and shortening this critical user journey from hours to just a few minutes.
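The following is an added example, not Databricks or Microsoft code, that models the trust check a federated identity credential performs on an incoming OIDC token: the token's issuer, subject and audience must match the pinned values and the token must be within its lifetime, otherwise no access token is issued. The issuer URL and subject id are placeholders, and the tokens are HS256-signed with an embedded demo key so the script runs offline; a real issuer signs with RS256 and the relying party verifies against the issuer's published JWKS. It shows why the subject should be pinned to exactly one service principal: a token for a different principal from the same trusted issuer is still rejected.

```python
"""Model of the issuer/subject/audience check behind an OIDC federated credential."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed trust configuration. A federated identity credential pins three
# values: the token issuer, the subject, and the audience. The issuer URL and
# subject id are placeholders for this example, not real Databricks values.
FEDERATED_CREDENTIAL = {
    "issuer": "https://example-workspace.cloud.databricks.com/oidc",
    "subject": "8a6f2c4e-0000-4000-8000-000000000001",
    "audiences": ["api://AzureADTokenExchange"],
}

# Demo-only HMAC key so the example runs offline. Real issuer tokens are
# RS256-signed and verified against the issuer's JWKS, not a shared secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (HS256) carrying the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the HS256 signature in constant time and return the payload."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def federation_accepts(payload: dict, fic: dict, now: int) -> Tuple[bool, str]:
    """Apply the issuer, subject, audience and lifetime checks a federated credential enforces."""
    if payload.get("iss") != fic["issuer"]:
        return False, "issuer mismatch"
    if payload.get("sub") != fic["subject"]:
        return False, "subject mismatch"
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in fic["audiences"] for a in auds):
        return False, "audience mismatch"
    if payload.get("nbf", 0) > now:
        return False, "token not yet valid"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    return True, "accepted"


def evaluate(token: str, fic: dict = FEDERATED_CREDENTIAL,
             now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify the signature first, then run the trust checks; any failure is a rejection."""
    now = int(time.time()) if now is None else now
    try:
        payload = verify_token(token)
    except ValueError as exc:
        return False, str(exc)
    return federation_accepts(payload, fic, now)


def demo(now: int = 1_700_000_000) -> dict:
    """Evaluate a valid assertion and four constructed failure cases at a fixed clock."""
    base = {
        "iss": FEDERATED_CREDENTIAL["issuer"],
        "sub": FEDERATED_CREDENTIAL["subject"],
        "aud": "api://AzureADTokenExchange",
        "iat": now,
        "exp": now + 3600,  # short-lived assertion; nothing long-lived is stored
    }
    cases = {
        "valid": base,
        "other_principal": {**base, "sub": "8a6f2c4e-0000-4000-8000-000000000002"},
        "wrong_audience": {**base, "aud": "https://graph.microsoft.com"},
        "expired": {**base, "exp": now - 1},
    }
    results = {name: evaluate(mint_token(c), now=now) for name, c in cases.items()}
    # Same claims, signed by a key the relying party does not trust.
    results["tampered"] = evaluate(mint_token(base, key=b"attacker-key"), now=now)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

Note that the subject check is what keeps one trust relationship from being usable by every workload the same issuer vouches for; a federated credential configured with a wildcard or shared subject would reintroduce the broad-scope problem this post describes for Classic PATs.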