Add a config for instance wide oauth parameters

[ChristopheDuong]

What

Closes #5637
Closes #5638

How

Describe the solution

• Introduce new airbyte configs in the ConfigSchema enum: SourceOAuthParameter & DestinationOAuthParameter to be persisted in the ConfigRepository
• These configs are retrieved by the Scheduler through the DefaultSyncJobFactory that reconstructs all the configuration data necessary for a sync. When OAuth parameters are necessary for certain connectors, they are injected into the connector configurations before being scheduled/submitted to workers.
• Additionally, this PR also cleans up web backend endpoints that are now unused (source & destination recreate)

Recommended reading order

1. airbyte-scheduler/persistence/src/main/java/io/airbyte/scheduler/persistence/job_factory/DefaultSyncJobFactory.java
2. airbyte-scheduler/persistence/src/main/java/io/airbyte/scheduler/persistence/job_factory/OAuthConfigSupplier.java
3. the rest

Pre-merge Checklist

Expand the relevant checklist and delete the others.

New Connector

Community member or Airbyter

• Community member? Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • docs/SUMMARY.md
  • docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
  • docs/integrations/README.md
  • airbyte-integrations/builds.md
• PR name follows PR naming conventions
• Connector added to connector index like described here

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• Credentials added to Github CI. Instructions.
• /test connector=connectors/<name> command is passing.
• New Connector version released on Dockerhub by running the /publish command described here

Updating a connector

Community member or Airbyter

• Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • Changelog updated in docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
• PR name follows PR naming conventions
• Connector version bumped like described here

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• Credentials added to Github CI. Instructions.
• /test connector=connectors/<name> command is passing.
• New Connector version released on Dockerhub by running the /publish command described here

Connector Generator

• Issue acceptance criteria met
• PR name follows PR naming conventions
• If adding a new generator, add it to the list of scaffold modules being tested
• The generator test modules (all connectors with -scaffold in their name) have been updated with the latest scaffold by running ./gradlew :airbyte-integrations:connector-templates:generator:testScaffoldTemplates then checking in your changes
• Documentation which references the generator is updated as needed.

[ChristopheDuong]

If the OAuth parameter was already part of the connector config, should we still inject and overwrite it with the one from the instance-wide values?

or should there be a special behavior here? (adding only if does not exists yet)

[sherifnada]

hmm. Good question. I think if any of the parameters is present in the config we shouldn't add it. It may end up being integration specific. For now I think the right way to handle it is don't set anything if any of the oauth config keys are present in the config

[jrhizor]

Will similar injection to what is happening in DefaultSyncJobFactory be added to check/discover in this PR or a separate one?

[sherifnada]

same question as jared about discover/check

Also, I think having seen the impl here I think it's better if we maintain the invariant that configs are always fully formed but instead of having the full secrets they would have coordinates to the secrets in a secret store.

Also, we should either disable custom DBT transformations on cloud or just not support oauth for destinations until we do

[sherifnada]

what's this param for? could you add a description field? if this is just a surrogate key maybe id is a better name?

[ChristopheDuong]

Yes, it's the primary key for the OAuth parameter object.

I don't think we have any objects that define id as their primary key column though?

• SourceConnection is sourceId
• DestinationConnection is destinationId
• StandardSync is connectionId

That's why I named it that way

[sherifnada]

sgtm let's stick with the convention 👍🏼

[sherifnada]

hmm. Good question. I think if any of the parameters is present in the config we shouldn't add it. It may end up being integration specific. For now I think the right way to handle it is don't set anything if any of the oauth config keys are present in the config

[sherifnada]

this is dangerous because the secrets could leak into custom dbt images. We should not pass this.

[ChristopheDuong]

We're thinking about reworking how to pass the config files to custom dbt transformation containers.

So the destination_config.json (used by destination connectors) should not be forwarded to the custom dbt image (only a translated profiles.yml should, thus this file should therefore omit OAuth params)

#5091

[ChristopheDuong]

See https://github.com/airbytehq/airbyte/pull/5761/files#r702960794

[ChristopheDuong]

Normalization image is used by custom operations to translate a destination_config.json into a profiles.yml file.

We could make sure to remove the config file once we're done translating it

[sherifnada]

I think I'm not totally clear on why this is needed since it's running a trusted image? or is this re-used for custom operations?

[ChristopheDuong]

I think I'm not totally clear on why this is needed since it's running a trusted image? or is this re-used for custom operations?

Yes,the normalization image is trusted to generate dbt's profiles.yml (from a destination_config.json file).
The resulting profiles.yml file is then transferred to run custom DBT operations in the user's specified docker image (so the latter one never needs to read/parse a destination_config.json)

[sherifnada]

SGTM - could you add a source code comment explaining why that file containing sensitive credentials is a bad thing and therefore it should be removed?

[sherifnada]

I think this LGTM but would like @jrhizor 's input on whether to put the oauth secrets in the jobs DB directly vs. reading them at the moment we're about to run a connector

[sherifnada]

sgtm let's stick with the convention 👍🏼

[sherifnada]

I think I'm not totally clear on why this is needed since it's running a trusted image? or is this re-used for custom operations?

[sherifnada]

@jrhizor is this the right place to be injecting the oauth secrets i.e: enqueue them directly in the jobs DB?

[jrhizor]

It's probably fine for now but it will change in the near future. This is what I'm working on eliminating this week, still working out the details of what it will look like.

Most likely we will push the combined version to config sent to Temporal.

[sherifnada]

what do you think is the best way to prevent this from leaking into DBT images? I created this PR but should we also add something in the worker? ignore if it's not answered by the other question i asked about reusing normalization entrypoint

[jrhizor]

The combining for get spec / check / discover can't happen in the JobCreator since the jobs are created directly in the DefaultSynchronousSchedulerClient. We're removing these misleading and unused functions in #5896

[ChristopheDuong]

Oh ok, so I am reverting back to injecting OAuth parameters in the DefaultSyncJobFactory as well as handling it in DefaultSynchronousSchedulerClient for check/discover. (probably not needed for get spec)

[jrhizor]

It's probably fine for now but it will change in the near future. This is what I'm working on eliminating this week, still working out the details of what it will look like.

Most likely we will push the combined version to config sent to Temporal.

[jrhizor]

We're going to need to overwrite these calls to use the secrets persistence @airbyte-jenny

[jrhizor]

When are we inserting that the secrets mask is necessary to be overwritten?

[ChristopheDuong]

I'm proposing to persist in the connector's configuration with injected and masked OAuth parameters in this PR: #5865

This would be done by web backend endpoints of the API when creating a connector.

The motivation is to have a full connector configuration saved by the UI, so JSON/spec validation can verify that the connector's configuration (optionally in combination with injected OAuth params) is valid.

[sherifnada]

SGTM - could you add a source code comment explaining why that file containing sensitive credentials is a bad thing and therefore it should be removed?