✨ Feat: passtrough entra token from grafana

Author: mullerpeter

.config/Dockerfile

@@ -1,5 +1,5 @@
 ARG grafana_version=latest
-ARG grafana_image=grafana-enterprise
+ARG grafana_image=grafana
 
 FROM grafana/${grafana_image}:${grafana_version}
 
@@ -18,6 +18,7 @@ ENV GF_AUTH_ANONYMOUS_ENABLED "true"
 ENV GF_AUTH_BASIC_ENABLED "false"
 # Set development mode so plugins can be loaded without the need to sign
 ENV GF_DEFAULT_APP_MODE "development"
+ENV GF_AZURE_FORWARD_SETTINGS_TO_PLUGINS "mullerpeter-databricks-datasource"
 
 
 LABEL maintainer="Grafana Labs <hello@grafana.com>"

go.mod

@@ -6,7 +6,6 @@ toolchain go1.24.2
 
 require (
 	github.com/databricks/databricks-sql-go v1.7.0
-	github.com/grafana/grafana-azure-sdk-go v1.13.1
 	github.com/grafana/grafana-plugin-sdk-go v0.277.0
 	golang.org/x/oauth2 v0.29.0
 )

go.sum

@@ -94,7 +94,6 @@ github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e h1:JKmoR8x90Iww1
 github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/grafana/grafana-azure-sdk-go v1.13.1/go.mod h1:SAlwLdEuox4vw8ZaeQwnepYXnhznnQQdstJbcw8LH68=
 github.com/grafana/grafana-plugin-sdk-go v0.277.0 h1:VDU2F4Y5NeRS//ejctdZtsAshrGaEdbtW33FsK0EQss=
 github.com/grafana/grafana-plugin-sdk-go v0.277.0/go.mod h1:mAUWg68w5+1f5TLDqagIr8sWr1RT9h7ufJl5NMcWJAU=
 github.com/grafana/otel-profiling-go v0.5.1 h1:stVPKAFZSa7eGiqbYuG25VcqYksR6iWvF3YH66t4qL8=
@@ -189,8 +188,7 @@ github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX
 github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
 github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
-github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -343,7 +341,6 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

package.json

@@ -1,7 +1,7 @@
 {
   "name": "mullerpeter-databricks-datasource",
   "private": true,
-  "version": "1.3.5",
+  "version": "1.3.6-rc.0",
   "description": "Databricks SQL Connector",
   "scripts": {
     "build": "webpack -c ./.config/webpack/webpack.config.ts --env production",

pkg/integrations/azure_ad.go

@@ -9,7 +9,6 @@ import (
 	dbsql "github.com/databricks/databricks-sql-go"
 	"github.com/databricks/databricks-sql-go/auth"
 	"github.com/databricks/databricks-sql-go/auth/oauth/m2m"
-	"github.com/grafana/grafana-azure-sdk-go/azsettings"
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana-plugin-sdk-go/backend/instancemgmt"
 	"github.com/grafana/grafana-plugin-sdk-go/backend/log"
@@ -70,7 +69,6 @@ type ConnectionSettings struct {
 	MaxRetryDuration time.Duration
 	Timeout          time.Duration
 	MaxRows          int
-	idToken          string
 }
 
 // NewSampleDatasource creates a new datasource instance.
@@ -93,7 +91,7 @@ func NewSampleDatasource(ctx context.Context, settings backend.DataSourceInstanc
 		port = portInt
 	}
 
-	if datasourceSettings.AuthenticationMethod == "m2m" || datasourceSettings.AuthenticationMethod == "oauth2_client_credentials" || datasourceSettings.AuthenticationMethod == "azure_ad_forward" {
+	if datasourceSettings.AuthenticationMethod == "m2m" || datasourceSettings.AuthenticationMethod == "oauth2_client_credentials" {
 		var authenticator auth.Authenticator
 
 		if datasourceSettings.AuthenticationMethod == "oauth2_client_credentials" {
@@ -114,15 +112,6 @@ func NewSampleDatasource(ctx context.Context, settings backend.DataSourceInstanc
 				datasourceSettings.Hostname,
 				[]string{},
 			)
-		} else if datasourceSettings.AuthenticationMethod == "azure_ad_forward" {
-			azureSettings, err := azsettings.ReadSettings(ctx)
-			if err != nil {
-				log.DefaultLogger.Info("Failed to get Azure Setting", "err", err)
-				return nil, err
-			}
-			authenticator = integrations.NewAzureADCredentials(
-				azureSettings,
-			)
 		} else {
 			log.DefaultLogger.Info("Authentication Method Parse Error", "err", nil)
 			return nil, fmt.Errorf("authentication Method Parse Error")
@@ -142,12 +131,20 @@ func NewSampleDatasource(ctx context.Context, settings backend.DataSourceInstanc
 			return nil, err
 		} else {
 			log.DefaultLogger.Info("Init Databricks SQL DB")
+			databricksDB := sql.OpenDB(connector)
+
+			if err := databricksDB.Ping(); err != nil {
+				log.DefaultLogger.Info("Ping Error (Could not ping Databricks)", "err", err)
+				return nil, err
+			}
 
+			SetDatasourceSettings(databricksDB, connectionSettings)
 			log.DefaultLogger.Info("Store Databricks SQL DB Connection")
 			return &Datasource{
 				connector:          connector,
-				databricksDB:       nil,
+				databricksDB:       databricksDB,
 				connectionSettings: connectionSettings,
+				datasourceSettings: *datasourceSettings,
 			}, nil
 		}
 	} else if datasourceSettings.AuthenticationMethod == "dsn" || datasourceSettings.AuthenticationMethod == "" {
@@ -179,8 +176,17 @@ func NewSampleDatasource(ctx context.Context, settings backend.DataSourceInstanc
 			connector:          connector,
 			databricksDB:       databricksDB,
 			connectionSettings: connectionSettings,
+			datasourceSettings: *datasourceSettings,
 		}, nil
 
+	} else if datasourceSettings.AuthenticationMethod == "azure_entra_pass_thru" {
+
+		return &Datasource{
+			connector:          nil,
+			databricksDB:       nil,
+			connectionSettings: connectionSettings,
+			datasourceSettings: *datasourceSettings,
+		}, nil
 	}
 
 	return nil, fmt.Errorf("Invalid Connection Method")
@@ -302,6 +308,8 @@ type Datasource struct {
 	connector          driver.Connector
 	databricksDB       *sql.DB
 	connectionSettings ConnectionSettings
+	datasourceSettings DatasourceSettings
+	token              string
 }
 
 func (d *Datasource) CallResource(ctx context.Context, req *backend.CallResourceRequest, sender backend.CallResourceResponseSender) error {
@@ -322,6 +330,15 @@ func (d *Datasource) Dispose() {
 func (d *Datasource) QueryData(ctx context.Context, req *backend.QueryDataRequest) (*backend.QueryDataResponse, error) {
 	log.DefaultLogger.Info("QueryData called", "request", req)
 
+	if d.datasourceSettings.AuthenticationMethod == "azure_entra_pass_thru" {
+		token := req.GetHTTPHeader(backend.OAuthIdentityTokenHeaderName)
+		err := d.CheckAzureEntraPassThru(token)
+		if err != nil {
+			log.DefaultLogger.Error("Azure Entra Connection Failed", "err", err)
+			return nil, err
+		}
+	}
+
 	// create response struct
 	response := backend.NewQueryDataResponse()
 
@@ -446,28 +463,74 @@ func (d *Datasource) query(ctx context.Context, pCtx backend.PluginContext, quer
 	return response
 }
 
+func (d *Datasource) CheckAzureEntraPassThru(token string) error {
+	if token == "" {
+		log.DefaultLogger.Info("Token is empty")
+		return fmt.Errorf("no Azure Entra Token provided")
+	}
+	if d.databricksDB != nil && token == d.token {
+		return nil
+	}
+	if token != d.token {
+		log.DefaultLogger.Info("Token is different")
+		d.token = strings.TrimPrefix(token, "Bearer ")
+	}
+	port := 443
+	if d.datasourceSettings.Port != "" {
+		portInt, err := strconv.Atoi(d.datasourceSettings.Port)
+		if err != nil {
+			log.DefaultLogger.Info("Port Parse Error", "err", err)
+			return err
+		}
+		port = portInt
+	}
+
+	connector, err := dbsql.NewConnector(
+		dbsql.WithAccessToken(d.token),
+		dbsql.WithServerHostname(d.datasourceSettings.Hostname),
+		dbsql.WithHTTPPath(d.datasourceSettings.Path),
+		dbsql.WithPort(port),
+		dbsql.WithTimeout(d.connectionSettings.Timeout),
+		dbsql.WithMaxRows(d.connectionSettings.MaxRows),
+		dbsql.WithRetries(d.connectionSettings.Retries, d.connectionSettings.RetryBackoff, d.connectionSettings.MaxRetryDuration),
+	)
+	if err != nil {
+		log.DefaultLogger.Info("Connector Error", "err", err)
+		return err
+	} else {
+		log.DefaultLogger.Info("Init Databricks SQL DB")
+		databricksDB := sql.OpenDB(connector)
+
+		if err := databricksDB.Ping(); err != nil {
+			log.DefaultLogger.Info("Ping Error (Could not ping Databricks)", "err", err)
+			return err
+		}
+
+		SetDatasourceSettings(databricksDB, d.connectionSettings)
+		log.DefaultLogger.Info("Store Databricks SQL DB Connection")
+		d.connector = connector
+		d.databricksDB = databricksDB
+	}
+	return nil
+}
+
 // CheckHealth handles health checks sent from Grafana to the plugin.
 // The main use case for these health checks is the test button on the
 // datasource configuration page which allows users to verify that
 // a datasource is working as expected.
 func (d *Datasource) CheckHealth(ctx context.Context, req *backend.CheckHealthRequest) (*backend.CheckHealthResult, error) {
-	log.DefaultLogger.Info("CheckHealth called", "request", req)
+	if d.datasourceSettings.AuthenticationMethod == "azure_entra_pass_thru" {
 
-	token := strings.Fields(req.GetHTTPHeader(backend.OAuthIdentityTokenHeaderName))
-	idToken := req.GetHTTPHeader(backend.OAuthIdentityIDTokenHeaderName)
-	log.DefaultLogger.Info("Token", "token", token)
-	log.DefaultLogger.Info("ID Token", "idToken", idToken)
-
-	ctx = context.WithValue(ctx, backend.OAuthIdentityTokenHeaderName, token)
-	ctx = context.WithValue(ctx, backend.OAuthIdentityIDTokenHeaderName, idToken)
-
-	if d.databricksDB == nil {
-		err := d.RefreshDBConnection()
+		token := req.GetHTTPHeader(backend.OAuthIdentityTokenHeaderName)
+		err := d.CheckAzureEntraPassThru(token)
 		if err != nil {
-			log.DefaultLogger.Info("RefreshDBConnection Error", "err", err)
-			return nil, err
+			return &backend.CheckHealthResult{
+				Status:  backend.HealthStatusError,
+				Message: fmt.Sprintf("Azure Entra Connection Failed: %s", err),
+			}, nil
 		}
 	}
+	log.DefaultLogger.Info("CheckHealth called", "request", req)
 
 	rows, err := d.QueryContext(ctx, "SELECT 1")
 

pkg/plugin/plugin.go

@@ -35,7 +35,7 @@ export class ConfigEditor extends PureComponent<Props, State> {
             ...jsonData,
             [key]: value
         }
-        if (key == 'authenticationMethod') {
+        if (key == 'authenticationMethod' && value == 'azure_entra_pass_thru') {
             jsonData = {
                 ...jsonData,
                 oauthPassThru: true,
@@ -127,8 +127,8 @@ export class ConfigEditor extends PureComponent<Props, State> {
                                     label: 'OAuth2 Client Credentials',
                                 },
                                 {
-                                    value: 'azure_ad_forward',
-                                    label: 'Forward Azure AD Auth',
+                                    value: 'azure_entra_pass_thru',
+                                    label: 'Pass Thru Azure Entra Auth',
                                 },
                             ]}
                             value={jsonData.authenticationMethod || 'dsn'}
@@ -178,7 +178,7 @@ export class ConfigEditor extends PureComponent<Props, State> {
                                 />
                             </InlineField>
                         </>
-                    ) : (
+                    ) : jsonData.authenticationMethod != 'azure_entra_pass_thru' && (
                         <InlineField label="Access Token" labelWidth={30} tooltip="Databricks Personal Access Token">
                             <SecretInput
                                 isConfigured={(secureJsonFields && secureJsonFields.token) as boolean}