support oidc connection

Author: douenergy

wren-ui/src/apollo/client/graphql/__types__.ts

@@ -1246,6 +1246,12 @@ export enum RedshiftConnectionType {
   redshift_iam = 'redshift_iam'
 }
 
+export enum ATHENA_AUTH_METHOD {
+  classic = 'classic',
+  oidc = 'oidc',
+}
+
+
 export type Relation = {
   __typename?: 'Relation';
   fromColumnId: Scalars['Int'];

wren-ui/src/apollo/server/adaptors/ibisAdaptor.ts

@@ -69,8 +69,15 @@ export interface IbisSnowflakeConnectionInfo {
 }
 
 export interface IbisAthenaConnectionInfo {
-  aws_access_key_id: string;
-  aws_secret_access_key: string;
+  // AWS access key auth (optional if using OIDC)
+  aws_access_key_id?: string;
+  aws_secret_access_key?: string;
+
+  // OIDC auth (optional if using access keys)
+  web_identity_token?: string;
+  role_arn?: string;
+  role_session_name?: string;
+
   region_name: string;
   s3_staging_dir: string;
   schema_name: string;

wren-ui/src/components/pages/setup/dataSources/AthenaProperties.tsx

@@ -1,14 +1,136 @@
-import { Form, Input } from 'antd';
+import { useEffect, useRef } from 'react';
+import { Form, Input, Radio } from 'antd';
 import { FORM_MODE } from '@/utils/enum';
 import { ERROR_TEXTS } from '@/utils/error';
 
+export enum ATHENA_AUTH_METHOD {
+  classic = 'classic',
+  oidc = 'oidc',
+}
+
 interface Props {
   mode?: FORM_MODE;
 }
 
+function AthenaClassicFields() {
+  return (
+    <>
+      <Form.Item
+        label="AWS access key ID"
+        name="awsAccessKey"
+        required
+        rules={[
+          {
+            required: true,
+            message: ERROR_TEXTS.CONNECTION.AWS_ACCESS_KEY.REQUIRED,
+          },
+        ]}
+      >
+        <Input />
+      </Form.Item>
+
+      <Form.Item
+        label="AWS secret access key"
+        name="awsSecretKey"
+        required
+        rules={[
+          {
+            required: true,
+            message: ERROR_TEXTS.CONNECTION.AWS_SECRET_KEY.REQUIRED,
+          },
+        ]}
+      >
+        <Input.Password />
+      </Form.Item>
+    </>
+  );
+}
+
+function AthenaOIDCFields(props: { isEditMode: boolean }) {
+  const { isEditMode } = props;
+
+  return (
+    <>
+      <Form.Item
+        label="Web identity token"
+        name="webIdentityToken"
+        required
+        rules={[
+          {
+            required: true,
+            message: ERROR_TEXTS.CONNECTION.WEB_IDENTITY_TOKEN.REQUIRED,
+          },
+        ]}
+      >
+        <Input.TextArea
+          rows={3}
+          placeholder="Paste Google OIDC token here"
+        />
+      </Form.Item>
+
+      <Form.Item
+        label="AWS role ARN"
+        name="roleArn"
+        required
+        rules={[
+          {
+            required: true,
+            message: ERROR_TEXTS.CONNECTION.AWS_ROLE_ARN.REQUIRED,
+          },
+        ]}
+      >
+        <Input
+          placeholder="arn:aws:iam::<account-id>:role/<role-name>"
+          disabled={isEditMode}
+        />
+      </Form.Item>
+
+      <Form.Item
+        label="Role session name"
+        name="roleSessionName"
+        extra="Optional session name used in STS AssumeRoleWithWebIdentity"
+      >
+        <Input placeholder="Optional session name" />
+      </Form.Item>
+    </>
+  );
+}
+
 export default function AthenaProperties(props: Props) {
   const { mode } = props;
   const isEditMode = mode === FORM_MODE.EDIT;
+
+  const form = Form.useFormInstance();
+
+  const initialTypeRef = useRef<ATHENA_AUTH_METHOD | null>(null);
+
+  const authType = Form.useWatch(
+    'athenaAuthType',
+    form,
+  ) as ATHENA_AUTH_METHOD;
+
+  // Set default auth type when creating
+  useEffect(() => {
+    if (!isEditMode) {
+      form.setFieldsValue({
+        athenaAuthType: ATHENA_AUTH_METHOD.classic,
+      });
+    }
+  }, [isEditMode, form]);
+
+  // Preserve initial type on edit mode
+  useEffect(() => {
+    if (isEditMode && authType && initialTypeRef.current === null) {
+      initialTypeRef.current = authType;
+    }
+  }, [isEditMode, authType]);
+
+  const getIsEditModeForComponent = (component: ATHENA_AUTH_METHOD) => {
+    if (!isEditMode) return false;
+    const initial = initialTypeRef.current || authType;
+    return initial === component;
+  };
+
   return (
     <>
       <Form.Item
@@ -24,10 +146,12 @@ export default function AthenaProperties(props: Props) {
       >
         <Input />
       </Form.Item>
+
+      {/* Common fields */}
       <Form.Item
         label="Database (schema)"
         name="schema"
-        extra="The Athena database (also called schema) that contains the tables you want to query."
+        extra="The Athena database (schema) that contains your tables."
         required
         rules={[
           {
@@ -38,6 +162,7 @@ export default function AthenaProperties(props: Props) {
       >
         <Input disabled={isEditMode} />
       </Form.Item>
+
       <Form.Item
         label="S3 staging directory"
         name="s3StagingDir"
@@ -46,8 +171,8 @@ export default function AthenaProperties(props: Props) {
           <>
             The S3 path where Athena stores query results and metadata.
             <br />
-            You can find this in the Athena console under{' '}
-            <b>Settings {'>'} Query result location</b>.
+            Find this in Athena console under{' '}
+            <b>Settings → Query result location</b>.
           </>
         }
         rules={[
@@ -59,6 +184,7 @@ export default function AthenaProperties(props: Props) {
       >
         <Input placeholder="s3://bucket/path" />
       </Form.Item>
+
       <Form.Item
         label="AWS region"
         name="awsRegion"
@@ -72,32 +198,29 @@ export default function AthenaProperties(props: Props) {
       >
         <Input placeholder="us-east-1" disabled={isEditMode} />
       </Form.Item>
-      <Form.Item
-        label="AWS access key ID"
-        name="awsAccessKey"
-        required
-        rules={[
-          {
-            required: true,
-            message: ERROR_TEXTS.CONNECTION.AWS_ACCESS_KEY.REQUIRED,
-          },
-        ]}
-      >
-        <Input />
-      </Form.Item>
-      <Form.Item
-        label="AWS secret access key"
-        name="awsSecretKey"
-        required
-        rules={[
-          {
-            required: true,
-            message: ERROR_TEXTS.CONNECTION.AWS_SECRET_KEY.REQUIRED,
-          },
-        ]}
-      >
-        <Input.Password />
+      
+      {/* Authentication method switch */}
+      <Form.Item label="Authentication method" name="athenaAuthType">
+        <Radio.Group buttonStyle="solid">
+          <Radio.Button value={ATHENA_AUTH_METHOD.classic}>
+            AWS credentials
+          </Radio.Button>
+          <Radio.Button value={ATHENA_AUTH_METHOD.oidc}>
+            OIDC (web identity)
+          </Radio.Button>
+        </Radio.Group>
       </Form.Item>
+
+      {/* Conditional auth fields */}
+      {authType === ATHENA_AUTH_METHOD.classic && <AthenaClassicFields />}
+
+      {authType === ATHENA_AUTH_METHOD.oidc && (
+        <AthenaOIDCFields
+          isEditMode={getIsEditModeForComponent(
+            ATHENA_AUTH_METHOD.oidc,
+          )}
+        />
+      )}
     </>
   );
 }

wren-ui/src/utils/error/dictionary.ts

@@ -64,6 +64,12 @@ export const ERROR_TEXTS = {
     AWS_SECRET_KEY: {
       REQUIRED: 'Please input AWS secret access key.',
     },
+    AWS_ROLE_ARN: {
+      REQUIRED: 'Please input AWS role ARN.',
+    },
+    WEB_IDENTITY_TOKEN: {
+      REQUIRED: 'Please input web identity token.',
+    },
     CLUSTER_IDENTIFIER: {
       REQUIRED: 'Please input cluster identifier.',
     },