feat(credentials): DISTR-370 add objectstore:// branch in resolve_credential_file (v2) for **Non-sensitive files** #1639
Draft
Lalit3716-atlan wants to merge 3 commits into
…ential files (v2)
Customers configuring SDR already wire up a DEPLOYMENT Dapr object store
binding to receive extracted metadata. Reuse that same binding to fetch
sensitive credential files (keytab, krb5.conf, certs) that are too large
for secret-manager base64 storage.
resolve_credential_file now dispatches three input formats:
1. JSON {key,fileKey} -> Atlan upload object store (existing UI)
2. objectstore://<key> -> customer's DEPLOYMENT binding (NEW)
3. raw base64 string -> decode and write (existing SDR flow)
Object-store path delegates to ObjectStore.download_file() which uses
the Dapr binding-invoke RPC. Path validation rejects empty keys,
absolute paths, and ../ traversal segments.
Backward compatible — existing customers on the JSON or base64 paths
see no change in behavior. Cherry-picked from v3 PR
feat/DISTR-370-objectstore-credential-file (commit 0b2d8d8) onto
release/v2 to support v2-based connector apps (atlan-hive-app etc).
✅ Snyk checks have passed. No issues have been found so far.
📜 Docstring Coverage Report: RESULT: PASSED (minimum: 30.0%, actual: 80.2%)
📦 Trivy Vulnerability Scan Results
Report Summary: Could not generate summary table (data length mismatch: 9 vs 8).
Scan Result Details: requirements.txt (Vulnerabilities), uv.lock (Vulnerabilities)
📦 Trivy Secret Scan Results
Report Summary: Could not generate summary table (data length mismatch: 9 vs 8).
Scan Result Details: requirements.txt, uv.lock
☂️ Python Coverage
Overall Coverage
New Files: No new covered files... Modified Files: No covered modified files...
🛠 Full Test Coverage Report: https://k.atlan.dev/coverage/application-sdk/pr/1639
… files (v2)
Same docstring rewrite as #1638 — reframe the three input branches around what they're meant to carry, not just the format of the value:
• Atlan upload (JSON ref) -> any file pushed through the UI
• objectstore:// prefix -> NON-SECRET companion files bundled with the credential (krb5.conf, public CA certs, kerberos realm config). Customers with secret-manager size caps may also use it as a fallback for sensitive files with bucket-level IAM as the envelope.
• raw base64 -> TRUE SECRETS resolved via the customer's secret manager + Dapr at activity time.
No behaviour change — docstring + module comment + inline comment only.
…n files only (v2)
Same intent fix as the v3 PR (#1638) — strip the soft-fallback paragraph that condoned using objectstore:// for sensitive files when the customer's secret manager has size limits, and replace it with an explicit 'NOT intended for true secrets' callout. True secrets belong in the secret store regardless of provider quirks.
Summary
v2-rebased counterpart to #1638. Same dispatch logic, ported onto v2 module paths so atlan-hive-app (still on v2) can use it without a v3 migration.
A credential payload in Atlan can carry both true secrets (passwords, keytabs, private keys) and non-secret companion files (krb5.conf, public CA certificates, kerberos realm configuration) that the connector also needs at runtime. This PR adds a third dispatch path in resolve_credential_file so customers can deliver those non-secret companion files through the object store binding they already configured during SDR setup, instead of forcing them through the secret manager.
Reference formats: {key,fileKey,...} (existing), objectstore://<key> (new)
Why two PRs?
atlan-hive-app's main is still on v2 (uses the application_sdk.application module path). v3 renamed this to application_sdk.app — so a v3-based SDK pin causes ModuleNotFoundError in v2-based apps. We need this on release/v2 to unblock the hive-app PR. The v2 implementation uses application_sdk.services.objectstore.ObjectStore.download_file (Dapr binding-invoke) instead of v3's obstore streaming, but the customer-facing behavior is identical.
Why a third branch?
Some customers' secret managers have small per-value caps (e.g. 1 KB on certain on-prem AWS Secrets Manager configurations). A Kerberos krb5.conf is non-secret — it's just config — but it routinely exceeds those caps. Today such customers can't onboard SDR Hive at all because they have no path to deliver that file.
Reusing the binding the customer already wired up for SDR object store gives us a same-environment delivery path with no new credentials and no new infrastructure. Customers facing the same secret-manager cap on their actual sensitive files (e.g. larger keytabs) can also point this branch at those files, falling back on bucket-level IAM as the security envelope.
Related PRs (DISTR-370 stack)
- credentialFileInput widget
Test plan
- TestResolveResolveCredentialFile placeholder removed; see below
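The three-way dispatch and the key validation the PR describes (JSON upload reference, `objectstore://<key>`, raw base64; reject empty keys, absolute paths and `../` segments), written out as an added, self-contained example. This is illustrative code, not application_sdk's own implementation: the Atlan upload store and the Dapr `ObjectStore.download_file` call are replaced by injected callables (`fetch_atlan_upload`, `fetch_objectstore`) so it runs offline, and the function, class and file names are hypothetical.

```python
"""Hypothetical re-implementation of the credential-file dispatch in the PR.

Not application_sdk's code: the object-store branch is an injected callable
standing in for ObjectStore.download_file() over the DEPLOYMENT Dapr binding.
"""
import base64
import binascii
import json
import os
import posixpath
from typing import Callable

OBJECTSTORE_PREFIX = "objectstore://"


class CredentialFileError(ValueError):
    """Raised for malformed or unsafe credential-file references."""


def validate_objectstore_key(key: str) -> str:
    """Apply the PR's checks: key must be non-empty, relative, free of '..' segments."""
    if not key or not key.strip():
        raise CredentialFileError("objectstore key is empty")
    normalised = key.replace("\\", "/")
    # Absolute POSIX paths and Windows drive roots (C:/...) are rejected.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        raise CredentialFileError(f"absolute path not allowed: {key!r}")
    if any(segment == ".." for segment in normalised.split("/")):
        raise CredentialFileError(f"traversal segment not allowed: {key!r}")
    return normalised


def is_safe_objectstore_key(key: str) -> bool:
    """Boolean wrapper around validate_objectstore_key for callers that only need a verdict."""
    try:
        validate_objectstore_key(key)
        return True
    except CredentialFileError:
        return False


def classify_reference(value: str) -> str:
    """Name the branch a raw credential value selects (pure, no I/O)."""
    text = value.strip()
    if text.startswith("{"):
        return "atlan_upload"      # JSON {key, fileKey} -> Atlan upload store
    if text.startswith(OBJECTSTORE_PREFIX):
        return "objectstore"       # customer's DEPLOYMENT binding
    return "base64"                # raw base64 body -> decode and write


def resolve_credential_file(
    value: str,
    dest_dir: str,
    *,
    fetch_atlan_upload: Callable[[str, str], bytes],
    fetch_objectstore: Callable[[str], bytes],
    default_name: str = "credential_file",
) -> str:
    """Materialise a credential-file reference under dest_dir and return its path."""
    branch = classify_reference(value)
    filename = default_name

    if branch == "atlan_upload":
        ref = json.loads(value)
        if "key" not in ref or "fileKey" not in ref:
            raise CredentialFileError("JSON reference needs 'key' and 'fileKey'")
        content = fetch_atlan_upload(ref["key"], ref["fileKey"])
        filename = posixpath.basename(ref["fileKey"]) or default_name
    elif branch == "objectstore":
        key = validate_objectstore_key(value.strip()[len(OBJECTSTORE_PREFIX):])
        content = fetch_objectstore(key)
        filename = posixpath.basename(key) or default_name
    else:
        try:
            content = base64.b64decode(value.strip(), validate=True)
        except binascii.Error as exc:
            raise CredentialFileError(
                "value is neither a JSON reference, an objectstore:// key, nor valid base64"
            ) from exc

    # Defence in depth: whatever the basename turned out to be, the file written
    # must resolve to a direct child of dest_dir.
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, filename))
    if os.path.dirname(target) != dest_root:
        raise CredentialFileError(f"refusing to write outside {dest_root}")
    os.makedirs(dest_root, exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(content)
    return target
```

The second, path-based check after the branch dispatch is deliberate: the prefix validation protects the object-store key, but the Atlan upload branch takes its filename from `fileKey`, so the write location is confirmed once more against the destination directory regardless of which branch produced it.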