Normally, Databricks recommends utilizing OAuth as a substitute of Private Entry Tokens (PATs) for authentication with Databricks to reinforce safety. We at the moment are extending this advice to Databricks Git credentials and encourage using OAuth over Git suppliers’ PATs when authenticating along with your Git suppliers.
Right now, we’re excited to announce the Normal Availability of OAuth Git credential help for Service Principals with GitHub and Azure DevOps, bettering Git connection safety for automated workloads.
Databricks Git integration initially supported solely PATs for authentication. Customers created private entry tokens with their Git supplier and saved the tokens in Databricks. This strategy is not beneficial for a couple of causes, together with:
- [Long lifetimes] PATs provide longer entry durations (weeks/months) than short-lived tokens (hours/days). Though directors can implement shorter PAT lifespans, this creates operational challenges as customers should continuously replace their Databricks Git credentials to keep away from workflow failures upon expiration.
- [Insecure storage and transfer] Customers typically manually copy PATs, which may go away traces in clipboards and paperwork.
- [Wide scopes] Some PATs, comparable to GitHub Traditional PATs, apply to each repo the person can entry. This behaviour can simply result in unintended privilege escalation and permit for lateral motion.
- [Missing service principal support] Some Git suppliers, comparable to Azure DevOps, don’t help producing PATs for service principals.
Our hottest Git suppliers discourage using PATs: GitHub and Azure DevOps don’t advocate utilizing PAT for long-lasting integrations. Bitbucket recommends Bitbucket Cloud integration or app builders use OAuth for person authentication as a substitute of entry tokens.
Databricks has supported OAuth 2.0-based person authentication with GitHub and Azure DevOps for a number of years, however this help was beforehand restricted to interactive person periods.
Now that Service Principal help is mostly obtainable, our advice is to make use of OAuth as a substitute of PATs when integrating with these Git suppliers for each interactive and automatic workflows. What are the advantages? Take our GitHub App integration for instance:
- OAuth tokens are routinely refreshed by default. Customers not encounter errors when their PAT token expires.
- OAuth provides enhanced administrative management, particularly concerning the viewing and entry of built-in repos.
- OAuth permits you to configure entry to particular GitHub repos.
- Entry tokens have a brief lifespan (on this case, 8 hours), which reduces the chance of credential publicity.
Some prospects have requested SSH authentication and GPG commit signing. Nonetheless, we selected to put money into OAuth help as a substitute, as SSH and GPG would require customers to add non-public keys to Databricks, much like storing a PAT, resulting in the identical drawbacks: long-lived credentials and handbook rotation. Furthermore, if an improperly scoped SSH key have been compromised, it may grant an attacker direct entry to the Git server host, considerably growing the chance of exploitation.
Getting Began
For GitHub, you’ll be able to configure the Service Principal GitHub App connection on the Service Principal’s settings web page, following the same course of as a person’s configuration. For Azure DevOps, we now help OAuth connections for service principals utilizing federated credentials based mostly on OpenID Join (OIDC). OIDC is an authentication protocol constructed on prime of OAuth 2.0 that gives login and profile details about the logged-in person. OIDC permits safe and user-friendly login experiences by permitting customers to authenticate as soon as with a trusted identification supplier (IdP, on this case, Microsoft EntraID) and be remembered with no need to re-enter credentials. This new function replaces the sooner scripting-based strategy described on this weblog, considerably simplifying and shortening this important person journey from hours to only a few minutes.