Using secret tokens in Python transformations
When creating a UDF code using Datacoral’s Batchcompute feature and using secret tokens (such as API keys) that you'd prefer to not have bundled in the code, we recommend saving these secret tokens in AWS Secrets Manager. These can then be fetched during the runtime of the code (during Batchcompute MV execution).
There are three steps, as seen below.
Step 1: Add secret to Secrets Manager
First, add the secret token to AWS Secrets Manager using the AWS CLI:
Step 2: Write Python code to fetch secret from Secrets Manager
Next, write the Python code inside your UDF to fetch the secret token from Secrets Manager:
Step 3: Update permissions for AWS Batch to read from Secrets Manager
Finally, update the BatchRole in your Datacoral installation. As we discuss in our security architecture document, we assume privileges based on the Principle of Least Privilege. This means that for the successful execution of the AWS Secrets Manager code in AWS Batch, we will need to provide the correct permissions to the role that is assumed by AWS Batch. This means that we will have to update the CloudFormation stack that created the Batch Role.
Go to the CloudFormation AWS console, and search for stacks that contain the string "BatchRole". When you find the appropriate stack, click on "Update".
Now, click on "Update Nested Stack".
Click on "Edit template in Designer" and then click on "View in Designer" to open up the CoundFormation designer.
Now, find the
BatchJobRole resource in the CF Template, and add the following object to the list of existing Policy Statements:
Using a Dummy Table to Send Triggers to Batchcompute MVs
Typically, Datacoral MVs get triggered when something upstream to them finishes successfully. For Batchcompute MVs, however, one might want to run them on a schedule (say, every 5 minutes), where this is nothing upstream to them. In this case, we recommend setting up a non-datacoral connector with a dummy loadunit that is configured for the desired schedule. The table representing the dummy loadunit does need to exist in the input warehouse, however (the table can be empty though).
This means that on the schedule specified, the nondatacoral connector will emit a
SUCCESS event, which will trigger the downstream Batchcompute MV, and voila, we now have a Batchcompute MV running on our desired schedule.
Here are the steps to accomplishing this:
Step 1: Create dummy table in input warehouse (say, Redshift)
We would need to run the following SQL commands to create the appropriate tables in Redshift.
This would create an empty table with a solitary column in a new schema called
Step 2: Setup a nondatacoral slice
Follow the instructions here to setup a non-datacoral connector. If you want the dummy loadunit (and therefore the downstream Batchcompute MV) to run every 5 minutes, you can use the the following input params when creating the connector from the CLI:
This will setup the non-datacoral connector appropriately.
Step 3: Use the dummy table in the input query to the Batchcompute MV
When creating a Batchcompute MV, you need to specify an inout query that reads data from the input warehouse. This is used by us to infer upstream dependencies. In the example above, you can now use a query such as the following:
This will ensure that the Batchcompute MV runs every five minutes.
You can always add more loadunits (and correspondingly, more dummy tables in the warehouse) to specify triggers at other schedules. For example, adding a new dummy loadunit that sends a trigger every 10 minutes involves running the SQLs as in Step 1, followed by updating the connector with the following deploy parameters:
Installing Java inside the UDF
This section describes how to have Java available inside the Docker container when the User Defined Function gets created. This is needed when communicating with a database over JDBC (using the JayDeBeApi library), for example. The version of Java installed is OpenJDK 8. This can be done by adding one additional option when calling the
udf-create CLI command. This is the
--base-image option, which has to be set to
datacoral/python-base-java, as can be seen in the example below:
All Python dependencies that are specified in
requirements.txt will be installed as usual.
Reach out to us at firstname.lastname@example.org if you have any questions!