Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions .github/workflows/release-lakebase.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
name: Release @databricks/lakebase

on:
workflow_dispatch:
inputs:
dry-run:
description: "Dry run (no actual release)"
required: false
type: boolean
default: false
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keeping the workflow dispatch as it won't be triggered automatically anyway for now 👍 Later we'll add on main push trigger


jobs:
release:
runs-on:
group: databricks-protected-runner-group
labels: linux-ubuntu-latest

environment: release

permissions:
contents: write
id-token: write

steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Git
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Setup pnpm
uses: pnpm/action-setup@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
registry-url: "https://registry.npmjs.org"
cache: "pnpm"

- name: Update npm
run: npm install -g npm@latest

- name: Install dependencies
run: pnpm install --frozen-lockfile

- name: Release
working-directory: packages/lakebase
run: |
if [ "${{ inputs.dry-run }}" == "true" ]; then
pnpm release:dry
else
pnpm release:ci
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
33 changes: 33 additions & 0 deletions CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,39 @@ The AnalyticsPlugin provides SQL query execution:
- Built-in caching with configurable TTL
- Databricks SQL Warehouse connector for execution

### Lakebase Autoscaling Connector

**Location:** `packages/appkit/src/connectors/lakebase/`

AppKit provides `createLakebasePool()` - a factory function that returns a standard `pg.Pool` configured with automatic OAuth token refresh for Databricks Lakebase (OLTP) databases.

**Key Features:**
- Returns standard `pg.Pool` (compatible with all ORMs)
- Automatic OAuth token refresh (1-hour tokens, 2-minute buffer)
- Token caching to minimize API calls
- Battle-tested pattern (same as AWS RDS IAM authentication)

**Quick Example:**
```typescript
import { createLakebasePool } from '@databricks/appkit';

// Reads from PGHOST, PGDATABASE, LAKEBASE_ENDPOINT env vars
const pool = createLakebasePool();

// Standard pg.Pool API
const result = await pool.query('SELECT * FROM users');
```

**ORM Integration:**
Works with Drizzle, Prisma, TypeORM - see [Lakebase Integration Docs](docs/docs/integrations/lakebase.md) for examples.

**Architecture:**
- Connector files: `packages/appkit/src/connectors/lakebase/`
- `pool.ts` - Pool factory with OAuth token refresh
- `types.ts` - TypeScript interfaces (`LakebasePoolConfig`)
- `utils.ts` - Helper functions (`generateDatabaseCredential`)
- `auth-types.ts` - Lakebase v2 API types

### Frontend-Backend Interaction

```
Expand Down
13 changes: 13 additions & 0 deletions docs/docs/api/appkit/Enumeration.RequestedClaimsPermissionSet.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Enumeration: RequestedClaimsPermissionSet

Permission set for Unity Catalog table access

## Enumeration Members

### READ\_ONLY

```ts
READ_ONLY: "READ_ONLY";
```

Read-only access to specified UC tables
20 changes: 20 additions & 0 deletions docs/docs/api/appkit/Function.createLakebasePool.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Function: createLakebasePool()

```ts
function createLakebasePool(config?: Partial<LakebasePoolConfig>): Pool;
```

Create a Lakebase pool with appkit's logger integration.
Telemetry automatically uses appkit's OpenTelemetry configuration via global registry.

## Parameters

| Parameter | Type | Description |
| ------ | ------ | ------ |
| `config?` | `Partial`\<[`LakebasePoolConfig`](Interface.LakebasePoolConfig.md)\> | Lakebase pool configuration |

## Returns

`Pool`

PostgreSQL pool with appkit integration
55 changes: 55 additions & 0 deletions docs/docs/api/appkit/Function.generateDatabaseCredential.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# Function: generateDatabaseCredential()

```ts
function generateDatabaseCredential(workspaceClient: WorkspaceClient, request: GenerateDatabaseCredentialRequest): Promise<DatabaseCredential>;
```

Generate OAuth credentials for Postgres database connection using the proper Postgres API.

This generates a time-limited OAuth token (expires after 1 hour) that can be used
as a password when connecting to Lakebase Postgres databases.

## Parameters

| Parameter | Type | Description |
| ------ | ------ | ------ |
| `workspaceClient` | `WorkspaceClient` | Databricks workspace client for authentication |
| `request` | [`GenerateDatabaseCredentialRequest`](Interface.GenerateDatabaseCredentialRequest.md) | Request parameters including endpoint path and optional UC claims |

## Returns

`Promise`\<[`DatabaseCredential`](Interface.DatabaseCredential.md)\>

Database credentials with OAuth token and expiration time

## See

https://docs.databricks.com/aws/en/oltp/projects/authentication

## Examples

```typescript
// Format: projects/{project-id}/branches/{branch-id}/endpoints/{endpoint-id}
// Note: Use actual IDs from Databricks (project-id is a UUID)
const credential = await generateDatabaseCredential(workspaceClient, {
endpoint: "projects/6bef4151-4b5d-4147-b4d0-c2f4fd5b40db/branches/br-sparkling-tree-y17uj7fn/endpoints/ep-restless-pine-y1ldaht0"
});

// Use credential.token as password
const conn = await pg.connect({
host: "ep-abc123.database.us-east-1.databricks.com",
user: "user@example.com",
password: credential.token
});
```

```typescript
// Format: projects/{project-id}/branches/{branch-id}/endpoints/{endpoint-id}
const credential = await generateDatabaseCredential(workspaceClient, {
endpoint: "projects/6bef4151-4b5d-4147-b4d0-c2f4fd5b40db/branches/br-sparkling-tree-y17uj7fn/endpoints/ep-restless-pine-y1ldaht0",
claims: [{
permission_set: RequestedClaimsPermissionSet.READ_ONLY,
resources: [{ table_name: "catalog.schema.users" }]
}]
});
```
84 changes: 84 additions & 0 deletions docs/docs/api/appkit/Function.getLakebaseOrmConfig.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# Function: getLakebaseOrmConfig()

```ts
function getLakebaseOrmConfig(config?: Partial<LakebasePoolConfig>): {
password: string | () => string | () => Promise<string> | undefined;
ssl: | boolean
| {
rejectUnauthorized: boolean | undefined;
};
username: string | undefined;
};
```

Get Lakebase connection configuration for ORMs that don't accept pg.Pool directly.

Designed for ORMs like TypeORM and Sequelize that need connection parameters
rather than a pre-configured pool instance.

Returns connection config with field names compatible with common ORMs:
- `username` instead of `user`
- Simplified SSL config
- Password callback support for OAuth token refresh

## Parameters

| Parameter | Type | Description |
| ------ | ------ | ------ |
| `config?` | `Partial`\<[`LakebasePoolConfig`](Interface.LakebasePoolConfig.md)\> | Optional configuration (reads from environment if not provided) |

## Returns

```ts
{
password: string | () => string | () => Promise<string> | undefined;
ssl: | boolean
| {
rejectUnauthorized: boolean | undefined;
};
username: string | undefined;
}
```

ORM-compatible connection configuration

### password

```ts
password: string | () => string | () => Promise<string> | undefined;
```

### ssl

```ts
ssl:
| boolean
| {
rejectUnauthorized: boolean | undefined;
};
```

### username

```ts
username: string | undefined = user;
```

## Example

```typescript
// TypeORM
const dataSource = new DataSource({
type: 'postgres',
...getLakebaseOrmConfig(),
entities: [User],
synchronize: true,
});

// Sequelize
const sequelize = new Sequelize({
dialect: 'postgres',
...getLakebaseOrmConfig(),
logging: false,
});
```
31 changes: 31 additions & 0 deletions docs/docs/api/appkit/Function.getLakebasePgConfig.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# Function: getLakebasePgConfig()

```ts
function getLakebasePgConfig(
config?: Partial<LakebasePoolConfig>,
telemetry?: DriverTelemetry,
logger?: Logger): PoolConfig;
```

Get Lakebase connection configuration for PostgreSQL clients.

Returns pg.PoolConfig with OAuth token authentication configured.
Best used with pg.Pool directly or ORMs that accept pg.Pool instances (like Drizzle).

For ORMs that need connection parameters (TypeORM, Sequelize), use getLakebaseOrmConfig() instead.

Used internally by createLakebasePool().

## Parameters

| Parameter | Type | Description |
| ------ | ------ | ------ |
| `config?` | `Partial`\<[`LakebasePoolConfig`](Interface.LakebasePoolConfig.md)\> | Optional configuration (reads from environment if not provided) |
| `telemetry?` | `DriverTelemetry` | Optional pre-initialized telemetry (created internally if not provided) |
| `logger?` | `Logger` | Optional logger (silent if not provided) |

## Returns

`PoolConfig`

PostgreSQL pool configuration with OAuth token refresh
17 changes: 17 additions & 0 deletions docs/docs/api/appkit/Function.getWorkspaceClient.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# Function: getWorkspaceClient()

```ts
function getWorkspaceClient(config: Partial<LakebasePoolConfig>): Promise<WorkspaceClient>;
```

Get workspace client from config or SDK default auth chain

## Parameters

| Parameter | Type |
| ------ | ------ |
| `config` | `Partial`\<[`LakebasePoolConfig`](Interface.LakebasePoolConfig.md)\> |

## Returns

`Promise`\<`WorkspaceClient`\>
30 changes: 30 additions & 0 deletions docs/docs/api/appkit/Interface.DatabaseCredential.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# Interface: DatabaseCredential

Database credentials with OAuth token for Postgres connection

## Properties

### expire\_time

```ts
expire_time: string;
```

Token expiration time in UTC (ISO 8601 format)
Tokens expire after 1 hour from generation

#### Example

```ts
"2026-02-06T17:07:00Z"
```

***

### token

```ts
token: string;
```

OAuth token to use as the password when connecting to Postgres
Loading