SNOW-1493353: Connector does not work inside of Snowpark Containers #978
Comments
Sorry, that stack trace only happens once I finally cancel the request (hence the TaskCanceledException). If I don't manually intervene then it'll keep trying to connect for a very long time (10+min as of last count). I've noticed though that whenever I cancel the stack trace is the same and we are always in the OAuthAuthenticator.Authenticate() call so I suspect the issue is there.

hi - thanks for raising this. right now checking if there's any difference when same app is run from the container outside of SPCS and inside it. thank you for bearing with me while troubleshooting!

looks to be working for me. Steps I followed:
```csharp
using System;
using System.Data;
using System.Data.Common;
using System.IO;
using Snowflake.Data.Core;
using Snowflake.Data.Client;

class App
{
    // Path where SPCS mounts the session OAuth token inside the container
    const string TOKENPATH = "/snowflake/session/token";

    static string getConnectionString()
    {
        string? account = Environment.GetEnvironmentVariable("SNOWFLAKE_ACCOUNT");
        string? database = Environment.GetEnvironmentVariable("SNOWFLAKE_DATABASE");
        string? schema = Environment.GetEnvironmentVariable("SNOWFLAKE_SCHEMA");
        string? host = Environment.GetEnvironmentVariable("SNOWFLAKE_HOST");
        Console.WriteLine("Variables auto-populated from environment. account: " + account + ", host: " + host + ", database: " + database + ", schema: " + schema + ".");
        if (File.Exists(TOKENPATH)) {
            // automatically set by env
            string token = File.ReadAllText(TOKENPATH);
            // Debug output: this writes the session token to the container log
            Console.WriteLine("/snowflake/session/token mounted, reading token: " + token);
            Console.WriteLine("Attempting authenticating with this oauth token");
            // insecuremode=true disables the driver's certificate revocation (CRL) check
            return $"account={account};authenticator=oauth;token={token};db={database};schema={schema};host={host};insecuremode=true";
        } else {
            // basic auth, variables must be set by user
            Console.WriteLine("Uhh, we dont seem to have a OAuth token from the environment here! Attempting authenticating with user/pass.");
            string? user = Environment.GetEnvironmentVariable("SNOWFLAKE_USER");
            string? password = Environment.GetEnvironmentVariable("SNOWFLAKE_PASSWORD");
            return $"account={account};user={user};password={password};db={database};schema={schema};host={host};insecuremode=true";
        }
    }

    static int Main()
    {
        try
        {
            using (IDbConnection conn = new SnowflakeDbConnection())
            {
                conn.ConnectionString = getConnectionString();
                conn.Open();
                using (IDbCommand cmd = conn.CreateCommand())
                {
                    cmd.CommandText = "SELECT current_user() AS user";
                    IDataReader reader = cmd.ExecuteReader();
                    while (reader.Read())
                    {
                        Console.WriteLine(reader.GetString(0));
                    }
                    Console.WriteLine("SUCCESS");
                }
                conn.Close();
                return 0;
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
        }
        return 1;
    }
}
```
c. modified the csproj to include driver version 3.1.0 instead of default 2.1.4
```sql
DROP SERVICE IF EXISTS dotnet_in_spcs_test;
EXECUTE JOB SERVICE
  IN COMPUTE POOL tutorial_compute_pool
  NAME='dotnet_in_spcs_test'
  FROM SPECIFICATION $$
spec:
  containers:
  - name: main
    image: /net978/public/imagerepo/sf-example-connect-dotnet:3.1.0
$$ --did not populate containers.[0].env with SNOWFLAKE_USER and SNOWFLAKE_PASSWORD as it is not required for oauth
;
```
Works. Can you please check and see if it works for you too and what might be the differences in the working and non-working setup? First I would recommend adding

The issue seems to be insecuremode=true. When that is added to the connection string things work fine, otherwise the error continues. Do you have an idea as to why that would happen?

okay, this is good news, now you should be unblocked. thank you for testing.

yes it was the CRL
.NET driver is different from all the other Snowflake drivers in terms of how it validates the certificates it encounters while setting up the TLS channel. Still using CRL, while all the others are using OCSP.
edited for posterity to include error pattern too to help future readers.
Per Microsoft documentation for certificate status flags:
so CRL is unavailable, thus fails verification, and this is very likely the issue. So did the following to make it work:
the connection is now successful even with
Makes sorta-kinda sense, since as we document, external network access (== access to the CRL servers) is forbidden by default unless explicitly allowed by EAI attached to Service. Same issue happens even outside of SPCS if your network policies / firewall block access to the above CRL endpoints. I don't think this is a driver issue or bug per se; just a matter of configuration. For the future, we do have plans to implement the other kind of certificate validation (OCSP) in the .NET driver too, making it on par with the other drivers.
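
A way to confirm from inside the container that revocation data is unreachable, without switching the check off. This is an added example, not code from the thread or from the Snowflake driver: it uses .NET's own `SslStream` with online revocation checking and reports the `X509ChainStatusFlags` seen during the handshake. The class name `RevocationProbe` and port 443 are assumptions; `SNOWFLAKE_HOST` is the variable the repro above reads.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

class RevocationProbe
{
    // Flags .NET reports when revocation data could not be retrieved.
    const X509ChainStatusFlags Unreachable =
        X509ChainStatusFlags.RevocationStatusUnknown |
        X509ChainStatusFlags.OfflineRevocation;

    // Handshakes with host:port with online revocation checking enabled and
    // returns the combined chain status flags seen during validation.
    static X509ChainStatusFlags Probe(string host, int port)
    {
        var seen = X509ChainStatusFlags.NoError;
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,
            CertificateRevocationCheckMode = X509RevocationMode.Online,
            // Always accept: this is a diagnostic handshake, no data is sent.
            RemoteCertificateValidationCallback = (_, _, chain, _) =>
            {
                foreach (X509ChainStatus s in chain?.ChainStatus ?? Array.Empty<X509ChainStatus>())
                {
                    Console.WriteLine($"{s.Status}: {s.StatusInformation.Trim()}");
                    seen |= s.Status;
                }
                return true;
            }
        };
        using var tcp = new TcpClient(host, port);
        using var tls = new SslStream(tcp.GetStream());
        tls.AuthenticateAsClient(options);
        return seen;
    }

    static int Main()
    {
        // SNOWFLAKE_HOST is the variable read by the repro; port 443 is an assumption.
        string host = Environment.GetEnvironmentVariable("SNOWFLAKE_HOST")
            ?? throw new InvalidOperationException("SNOWFLAKE_HOST is not set");
        bool blocked = (Probe(host, 443) & Unreachable) != 0;
        Console.WriteLine(blocked
            ? "Revocation data unreachable: check egress to the CRL endpoints."
            : "Revocation check completed.");
        return blocked ? 2 : 0;
    }
}
```

Run once with the service as deployed and once with the EAI attached; exit code 2 in the first run and 0 in the second points at blocked egress rather than at the certificate itself.
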
Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!
What version of .NET driver are you using?
3.1.0
What operating system and processor architecture are you using?
Ubuntu
What version of .NET framework are you using?
net8
What did you do?
The snowflake data connector does not work inside a dotnet container running in SPCS. We are unable to connect to snowflake from the container. Using analogous code from Python works perfectly fine.
Here is a quick repo:
We hang on the Open() call. The stack trace is:
Let me re-iterate that the same code, using the identical connection string works fine in a Python container constructed in SPCS in an identical way.