Adding resource principal and instance principal auth methods for OCI Database MCP server#323
Adding resource principal and instance principal auth methods for OCI Database MCP server#323shyam2511 wants to merge 1 commit into
Conversation
|
Automated review result: needs security/manual review. Reason:
Manual review should verify:
No automated approval or merge was performed. |
|
A few review items to address:
Key things are adding the timeouts and expanding test coverage for the new auth paths. The PR should also be updated to include the two new dependencies. This is also a good opportunity to add a CHANGELOG.md for oci-database-mcp-server, doesn't look like there is one yet. |
dustin-sale
left a comment
There was a problem hiding this comment.
Items have been addressed from my prior comment. PR approved.
Database MCP server
Description
This change adds multiple authentication methods to the OCI Database MCP server:
--auth-method instance_principal)--auth-method resource_principal) using the RPST flowIt adds CLI arguments for auth selection and resource-principal values, branches OCI client initialization by auth method, and documents local and SSH-remote configuration patterns.
Resource-principal token and RPST exchange HTTP calls now use explicit connect/read timeouts to prevent startup from hanging indefinitely.
Version is bumped from
1.0.7to1.1.0.Motivation and context
Previously, the server relied on security-token config-file authentication. This limited OCI-native deployments where instance principal or resource principal authentication is preferable for automated workloads.
This update supports those deployment patterns while retaining token authentication as the default.
Dependencies required for this change
cryptography— required for RPST request signing and session-key generation.requests— required for resource-principal token retrieval and RPST exchange HTTP calls.Validation
make test project=oci-database-mcp-serverpasses: 160 tests, 92.94% coverage.make lintpasses.Fixes #
Type of change