Add auth_protocol support to SambaHook for Kerberos authentication #29590#64643
Add auth_protocol support to SambaHook for Kerberos authentication #29590#64643haseebmalik18 wants to merge 10 commits into
Conversation
ddc0ba7 to
39ab77c
Compare
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds configurable auth_protocol support to SambaHook to enable Kerberos / NTLM / negotiate auth selection and fixes prior behavior where Kerberos-configured connections were ignored.
Changes:
- Introduces
auth_protocolhandling inSambaHook, including validation and an optional Kerberos dependency check. - Adds unit tests covering Kerberos (including legacy
extra={"auth": "kerberos"}), NTLM, invalid protocol handling, and missing dependency behavior. - Exposes
auth_protocolin the Airflow connection UI and adds akerberosextra dependency group for the provider.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| providers/samba/src/airflow/providers/samba/hooks/samba.py | Implements auth_protocol parsing/validation, Kerberos dependency guard, passes protocol through to smbclient, and adds UI widget. |
| providers/samba/tests/unit/samba/hooks/test_samba.py | Expands tests to cover new auth protocol behaviors and error cases. |
| providers/samba/pyproject.toml | Adds kerberos optional dependency group intended to support Kerberos auth. |
3fe70e0 to
43d0ca3
Compare
|
Sorry - we missed that there is an open question to us - > and the triage process closed it. Can you re-open and ping me again if you are still not completely put-off by that @haseebmalik18 ? |
|
Quickest fix: git fetch upstream main && git rebase upstream/main
rm uv.lock && uv lock
git add uv.lock && git rebase --continue
git push --force-with-leaseAutomated nudge — ignore if you're not ready to rebase. This comment is updated in place on future |
25269bb to
fd2ea1f
Compare
|
@potiuk ready for review, failing tests unrelated to PR |
potiuk
left a comment
There was a problem hiding this comment.
The code itself looks good and is ready on the merits: auth_protocol is
validated with a ValueError, the kerberos path guards its optional deps with
AirflowOptionalProviderFeatureException, and both error paths are covered by
tests — so the "unit tests are enough" point from my earlier pass is satisfied.
The only thing blocking is CI, and it's not your change: the failing
LowestDeps job errors on AttributeError: module 'spnego' has no attribute 'ContextProxy' while collecting providers/microsoft/winrm tests — i.e. the
microsoft/winrm provider's transitive pyspnego lower bound is too low, unrelated
to adding Samba auth_protocol. Please rebase onto latest main and re-run; if it
still fails, it needs a separate bump to the winrm pyspnego floor rather than
anything here. Once CI is green this is good to approve.
This review was drafted by an AI-assisted tool and confirmed by an Airflow
maintainer. The findings below are observations, not blockers; an Airflow
maintainer — a real person — will take the next look at the PR. If you think a
finding is mis-applied, please reply on the PR and a maintainer will weigh in.More on how Airflow handles maintainer review:
contributing-docs/05_pull_requests.rst.
|
Heads-up: the failing Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting |
| default="posix", | ||
| ) | ||
| ), | ||
| "auth_protocol": SelectField( |
There was a problem hiding this comment.
You'll need to add the auth_protocol field in the provider.yaml file as well under the conn-fields section.
There was a problem hiding this comment.
I'll try to implement a static check for this so it's automatically reported
There was a problem hiding this comment.
So it's better to wait until the static check is merged.
Add
auth_protocolparameter to SambaHook to support Kerberos, NTLM, and negotiate authentication. Previously the hook always used username/password auth, ignoring the{"auth": "kerberos"}connection extra, which caused SpnegoError failures for Kerberos-configured connections.closes: #29590