@yuhao-su yuhao-su commented Oct 21, 2025

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

This PR adds support for key-pair authentication (using RSA private keys) for the Snowflake sink connector, in addition to the existing password-based authentication.

Context: https://docs.snowflake.com/en/user-guide/security-mfa-rollout

Summary

  • Added three authentication methods for Snowflake sinks:
    • password (default): Standard username/password authentication
    • key_pair_file: Uses a private key file path for authentication
    • key_pair_object: Uses PEM-formatted private key content for authentication

How it works

Java connector changes:

  • Created a new SnowflakeJDBCSinkConfig class that extends JDBCSinkConfig with Snowflake-specific authentication fields
  • Implemented a handleSnowflakeAuth() method to process the different authentication methods
  • Added support for parsing encrypted and unencrypted PEM-formatted private keys using the BouncyCastle library
  • The key_pair_object method converts PEM content to a Java PrivateKey object that the Snowflake JDBC driver can use

Rust connector changes:

  • Updated sink configuration to pass authentication parameters to the Java connector via JNI
  • Added new configuration options: auth.method, private_key_file, private_key_file_pwd, and private_key_pem

Configuration options:

```sql
-- Password authentication (default)
CREATE SINK snowflake_sink FROM mv_name WITH (
  connector = 'snowflake',
  type = 'upsert',
  jdbc.url = 'jdbc:snowflake://account.snowflakecomputing.com/',
  username = 'user',
  password = 'pass',
  ...
);

-- Key-pair authentication with file
CREATE SINK snowflake_sink FROM mv_name WITH (
  connector = 'snowflake',
  type = 'upsert',
  jdbc.url = 'jdbc:snowflake://account.snowflakecomputing.com/',
  username = 'user',
  auth.method = 'key_pair_file',
  private_key_file = '/path/to/key.pem',
  private_key_file_pwd = 'optional_passphrase',
  ...
);

-- Key-pair authentication with PEM content (recommended for secret management)
CREATE SINK snowflake_sink FROM mv_name WITH (
  connector = 'snowflake',
  type = 'upsert',
  jdbc.url = 'jdbc:snowflake://account.snowflakecomputing.com/',
  username = 'user',
  auth.method = 'key_pair_object',
  private_key_pem = '-----BEGIN PRIVATE KEY-----...',
  ...
);
```

Checklist

  • I have written necessary rustdoc comments.
  • I have added necessary unit tests and integration tests.
  • I have added test labels as necessary.
  • I have added fuzzing tests or opened an issue to track them.
  • My PR contains breaking changes.
  • My PR changes performance-critical code, so I will run (micro) benchmarks and present the results.
  • I have checked the Release Timeline and Currently Supported Versions to determine which release branches I need to cherry-pick this PR into.

Documentation

  • My PR needs documentation updates.

Release note

The Snowflake sink connector now supports key-pair authentication using RSA private keys, providing a more secure alternative to password-based authentication. Users can specify private keys either via file paths or by providing PEM-formatted key content directly, making it easier to integrate with secret management systems.

To use key-pair authentication, set auth.method to either key_pair_file or key_pair_object and provide the necessary private key configuration.

🤖 Generated with Claude Code

@github-actions github-actions bot added the type/feature Type: New feature. label Oct 21, 2025
@yuhao-su yuhao-su added the user-facing-changes Contains changes that are visible to users label Oct 21, 2025
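
A fail-closed validation of the auth options listed in the PR description, as an added example (it is not code from this PR or from RisingWave's snowflake.rs). The function names, error strings, returned property keys and the PEM shape check are assumptions of the example.

```rust
use std::collections::BTreeMap;

// Shape check only (constructed rule): matching BEGIN/END lines whose label
// ends in "PRIVATE KEY". Real parsing is left to the Java connector.
fn is_private_key_pem(pem: &str) -> bool {
    let mut lines = pem.trim().lines().map(str::trim);
    let label = lines.next().and_then(|l| l.strip_prefix("-----BEGIN ")?.strip_suffix("-----"));
    match (label, lines.last()) {
        (Some(l), Some(end)) => l.ends_with("PRIVATE KEY") && end == format!("-----END {l}-----"),
        _ => false,
    }
}

// Hypothetical validator for the WITH options shown in the PR description.
// Returns the auth properties to forward; the map keys are this example's choice.
pub fn build_auth_props(opts: &BTreeMap<&str, &str>) -> Result<BTreeMap<String, String>, String> {
    let get = |k: &str| opts.get(k).copied().filter(|v| !v.trim().is_empty());
    let user = get("username").ok_or("username is required")?;
    let method = get("auth.method").unwrap_or("password"); // documented default
    // First entry is required for the method, the rest are optional.
    let allowed: &[&str] = match method {
        "password" => &["password"],
        "key_pair_file" => &["private_key_file", "private_key_file_pwd"],
        "key_pair_object" => &["private_key_pem"],
        other => return Err(format!("unknown auth.method '{other}'")),
    };
    // Fail closed on stray credentials instead of silently ignoring them.
    for k in ["password", "private_key_file", "private_key_file_pwd", "private_key_pem"] {
        if get(k).is_some() && !allowed.contains(&k) {
            return Err(format!("option '{k}' is not valid with auth.method '{method}'"));
        }
    }
    let secret = get(allowed[0])
        .ok_or_else(|| format!("auth.method '{method}' requires '{}'", allowed[0]))?;
    if method == "key_pair_object" && !is_private_key_pem(secret) {
        return Err("private_key_pem is not a PEM private key".into()); // never echo the value
    }
    let mut props = BTreeMap::from([("user".to_string(), user.to_string())]);
    props.extend(allowed.iter().filter_map(|&k| get(k).map(|v| (k.to_string(), v.to_string()))));
    Ok(props)
}

fn main() {
    // Constructed input: key-pair method with a leftover password option (rejected).
    let opts = BTreeMap::from([
        ("username", "user"), ("auth.method", "key_pair_file"),
        ("private_key_file", "/path/to/key.pem"), ("password", "pass"),
    ]);
    println!("{:?}", build_auth_props(&opts));
}
```

Rejecting a leftover password when a key-pair method is selected keeps a sink from carrying two live credentials, and the error strings name the option but never its value.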
@github-actions github-actions bot left a comment

license-eye has checked 6003 files.

| Valid | Invalid | Ignored | Fixed |
| --- | --- | --- | --- |
| 2534 | 1 | 3468 | 0 |

Click to see the invalid file list
  • java/connector-node/risingwave-jdbc-runner/src/test/java/com/risingwave/runner/JDBCSqlRunnerTest.java

Use this command to fix any missing license headers
```bash
docker run -it --rm -v "$(pwd)":/github/workspace apache/skywalking-eyes header fix
```

…isingwave/runner/JDBCSqlRunnerTest.java

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Copilot AI left a comment

Pull Request Overview

This PR adds key-pair authentication support for the Snowflake sink connector, providing a more secure alternative to password-based authentication. Users can authenticate using RSA private keys via either file paths or direct PEM content.

Key changes:

  • Added three authentication methods: password (default), key_pair_file, and key_pair_object
  • Implemented PEM parsing and private key conversion in Java using BouncyCastle
  • Extended JDBC connection handling to pass authentication properties through JNI

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| with_options_sink.yaml | Added new auth configuration fields for Snowflake sink |
| snowflake.rs | Implemented auth method validation and JDBC property building logic |
| jdbc_jni_client.rs | Extended JNI client to pass driver properties alongside JDBC URL |
| SnowflakeJDBCSinkConfig.java | New Snowflake-specific config class with key-pair auth support |
| JdbcUtils.java | Refactored connection creation to support specialized auth methods |
| JDBCSinkFactory.java | Added factory logic to instantiate SnowflakeJDBCSinkConfig |
| JDBCSinkConfig.java | Added overridable getConnection() method |
| JDBCSink.java | Migrated to use config.getConnection() pattern |
| BatchAppendOnlyJDBCSink.java | Migrated to use config.getConnection() pattern |
| pom.xml (sink-jdbc) | Added BouncyCastle dependencies for cryptography |
| test-private-key.pem | Test fixture for private key validation |
| JDBCSqlRunnerTest.java | Unit test for PEM loading functionality |
| JDBCSqlRunner.java | Updated to handle authentication properties via JNI |
| pom.xml (jdbc-runner) | Added test dependencies and sink-jdbc reference |

hzxa21 commented Oct 21, 2025

QQ: do we support using file secret to pass the private key to snowflake jdbc?

@yuhao-su

> QQ: do we support using file secret to pass the private key to snowflake jdbc?

yes and tested manually
