Fixes #27443: add OCI Autonomous Database support for Oracle connector #27508

Open
hassaansaleem28 wants to merge 8 commits into open-metadata:main from hassaansaleem28:issue-27443-oci-autonomous

@hassaansaleem28 hassaansaleem28 commented Apr 18, 2026

Describe your changes:

Fixes #27443

I worked on OCI Autonomous Oracle connector support because the existing Oracle flow required manual host-level wallet and TNS setup, which prevented a complete UI-driven configuration experience.

Why migration scripts are not needed:

This change updates connector configuration schema and ingestion runtime behavior only.
It does not introduce database table/entity schema changes in OpenMetadata persistence layers.

Type of change:

  • New feature

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes #27443: add OCI Autonomous Database support for Oracle connector
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.
  • The issue properly describes why the new feature is needed, what's the goal, and how we are building it. Any discussion
    or decision-making process is reflected in the issue.
  • I have updated the documentation.
  • I have added tests around the new logic.

Summary by Gitar

  • Oracle connector reliability:
    • Implemented automatic cleanup of the temporary wallet directory if a connection attempt fails when using inline walletContent.
  • New tests:
    • Added unit test case in test_source_connection.py to verify that temporary wallet directories are correctly removed upon connection failure.

This will update automatically on new commits.

…ctor

Signed-off-by: Muhammad Hassaan Saleem <iamhassaans@gmail.com>
@github-actions
Contributor

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

Comment thread ingestion/src/metadata/ingestion/source/database/oracle/connection.py Outdated
Comment thread ingestion/src/metadata/ingestion/source/database/oracle/connection.py Outdated
Signed-off-by: Muhammad Hassaan Saleem <iamhassaans@gmail.com>

@hassaansaleem28 hassaansaleem28 marked this pull request as ready for review April 18, 2026 08:19
@hassaansaleem28 hassaansaleem28 requested review from a team as code owners April 18, 2026 08:19
Copilot AI review requested due to automatic review settings April 18, 2026 08:19

Copilot AI left a comment

Pull request overview

Adds Oracle Autonomous Database (OCI) support to the Oracle connector to enable a wallet-based, UI-driven configuration path (no host-level TNS/WALLET provisioning required), spanning UI docs, connector schema, ingestion runtime, and unit tests.

Changes:

  • Extend Oracle connection JSON schema with an OracleAutonomousConnection option (tnsAlias + walletPath/walletContent + optional walletPassword).
  • Update Oracle ingestion connection logic to accept wallet-based Autonomous config, including safe zip extraction and temp-dir lifecycle handling.
  • Add unit tests for Autonomous URL building, connection-argument setup, walletContent extraction reuse, and Zip Slip rejection.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| openmetadata-ui/src/main/resources/ui/public/locales/en-US/Database/Oracle.md | Documents the new Autonomous connection mode and wallet fields. |
| openmetadata-spec/src/main/resources/json/schema/entity/services/connections/database/oracleConnection.json | Adds OracleAutonomousConnection to the connector config schema and updates the connection type description. |
| ingestion/src/metadata/ingestion/source/database/oracle/connection.py | Implements wallet-based Autonomous connection handling (args wiring + wallet extraction + reuse/cleanup). |
| ingestion/tests/unit/test_source_connection.py | Adds unit tests covering Autonomous URL/args behavior and wallet zip safety checks. |

Comment thread ingestion/src/metadata/ingestion/source/database/oracle/connection.py Outdated
Comment thread ingestion/src/metadata/ingestion/source/database/oracle/connection.py Outdated
…tion.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 18, 2026 08:26
…tion.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Comment thread ingestion/src/metadata/ingestion/source/database/oracle/connection.py Outdated
…tion.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 01:30

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Signed-off-by: hassaansaleem28 <iamhassaans@gmail.com>
Copilot AI review requested due to automatic review settings April 19, 2026 01:48
@hassaansaleem28 hassaansaleem28 force-pushed the issue-27443-oci-autonomous branch from 80d9611 to d426b5d Compare April 19, 2026 01:48

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

ingestion/src/metadata/ingestion/source/database/oracle/connection.py:238

  • When walletContent is used, _configure_autonomous_connection_arguments() extracts the wallet into a temp directory before calling create_generic_db_connection(). If engine creation raises (e.g., invalid credentials / DSN), the extracted wallet directory is left on disk until GC finalization, potentially leaking sensitive wallet material and piling up temp dirs. Consider wrapping engine creation in a try/except/finally and calling _cleanup_wallet_temp_dir() on failure (only for walletContent-based autonomous connections).
        return create_generic_db_connection(
            connection=self.service_connection,
            get_connection_url_fn=self.get_connection_url,
            get_connection_args_fn=get_connection_args_common,
        )

@gitar-bot
gitar-bot bot commented Apr 19, 2026

Code Review ✅ Approved 4 resolved / 4 findings

Adds OCI Autonomous Database support for the Oracle connector, resolving vulnerabilities related to zip-slip traversal, unreliable cleanup, and missing field parameters.

✅ 4 resolved
Security: Zip extraction vulnerable to zip-slip path traversal

📄 ingestion/src/metadata/ingestion/source/database/oracle/connection.py:109-118
The _extract_wallet_content method calls zip_ref.extractall(self._wallet_temp_dir) without validating that extracted file paths stay within the target directory. A malicious base64-encoded wallet zip could contain entries like ../../etc/crontab that write outside the temp directory (zip-slip attack). Since walletContent is user-supplied input from the UI, this is a realistic attack vector.

Additionally, there is no size limit on the decoded content, so a zip bomb could exhaust disk space.

Edge Case: Temp directory cleanup relies on __del__, which is unreliable

📄 ingestion/src/metadata/ingestion/source/database/oracle/connection.py:79-80 📄 ingestion/src/metadata/ingestion/source/database/oracle/connection.py:106-118
__del__ is not guaranteed to be called promptly (or at all) by CPython's garbage collector, especially in the presence of reference cycles or interpreter shutdown. If _get_client raises an exception after the wallet is extracted, the temp directory may linger on disk indefinitely.

Since BaseConnection doesn't use a context-manager pattern, consider adding explicit cleanup in exception paths or using atexit.register as a safety net.

Bug: Repeated _get_client calls duplicate wallet connection args

📄 ingestion/src/metadata/ingestion/source/database/oracle/connection.py:159
_configure_autonomous_connection_arguments is called at the start of every _get_client() invocation. If _get_client is called more than once (e.g., on reconnect), and walletContent is provided, a new temp directory is created each time while the old one is cleaned up—but the connectionArguments are mutated on service_connection every time. This is likely harmless but wasteful; more importantly, if walletPath (not walletContent) is used, the arguments are appended redundantly on each call.

Bug: list_all_entities for Table missing fields=["columns"]

📄 ingestion/src/metadata/ingestion/source/database/trino/lineage.py:181-188 📄 ingestion/src/metadata/ingestion/source/database/trino/lineage.py:121-128
The new _get_case_insensitive_cross_database_table method (line 181) calls self.metadata.list_all_entities(entity=Table, params={...}) without specifying fields=["columns"]. The OpenMetadata API does not return columns by default, so table.columns will be None/empty.

This means check_same_table (lines 121-124) will always hit the not table1.columns and not table2.columns early return and match purely by table name, making the column comparison logic dead code. While schema-scoped name matching reduces false positives, the column validation was clearly intended as an extra safety check and won't function without requesting the columns field.

Was this helpful? React with 👍 / 👎 | Gitar
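
The safeguards the Zip Slip and cleanup findings above call for (path containment, size bounds, removal of the temp directory on failure), as an added example that is not the PR's `_extract_wallet_content`. The function name, the `parent` parameter and the three limits are assumptions.

```python
import base64
import binascii
import io
import os
import shutil
import tempfile
import zipfile

# Assumed limits, not values from the PR.
MAX_ZIP_BYTES = 1024 * 1024
MAX_UNPACKED_BYTES = 5 * 1024 * 1024
MAX_ENTRIES = 32


def extract_wallet(wallet_b64, parent=None):
    """Unpack a base64 wallet zip into a fresh private directory and return its path."""
    # Bound the input before decoding; base64 expands data by 4/3.
    if len(wallet_b64) > MAX_ZIP_BYTES * 4 // 3 + 4:
        raise ValueError("wallet content too large")
    try:
        raw = base64.b64decode(wallet_b64, validate=True)
        archive = zipfile.ZipFile(io.BytesIO(raw))
    except (binascii.Error, zipfile.BadZipFile) as exc:
        raise ValueError("wallet content is not a base64-encoded zip") from exc

    # mkdtemp creates the directory with mode 0700.
    dest = os.path.realpath(tempfile.mkdtemp(prefix="wallet_", dir=parent))
    try:
        members = archive.infolist()
        if len(members) > MAX_ENTRIES:
            raise ValueError("too many entries in wallet zip")
        if sum(m.file_size for m in members) > MAX_UNPACKED_BYTES:
            raise ValueError("wallet zip unpacks to too much data")
        for member in members:
            target = os.path.realpath(os.path.join(dest, member.filename))
            # Zip Slip check: the resolved path must stay inside dest.
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"unsafe wallet entry: {member.filename!r}")
            if member.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Read at most the declared size, which was bounded above.
            with archive.open(member) as src, open(target, "wb") as out:
                out.write(src.read(member.file_size))
        return dest
    except Exception:
        # Remove partially extracted wallet material before propagating.
        shutil.rmtree(dest, ignore_errors=True)
        raise
```
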

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Comment on lines +67 to 109
"OracleAutonomousConnection": {
"title": "Oracle Autonomous Connection",
"type": "object",
"properties": {
"tnsAlias": {
"title": "TNS Alias",
"description": "Service alias defined in the wallet tnsnames.ora file, such as myadb_high.",
"type": "string"
},
"walletPath": {
"title": "Wallet Path",
"description": "Path to the extracted Oracle wallet directory on the ingestion host.",
"type": "string"
},
"walletContent": {
"title": "Wallet Content",
"description": "Base64-encoded Oracle wallet zip content. If provided, OpenMetadata extracts it at runtime.",
"type": "string",
"format": "password"
},
"walletPassword": {
"title": "Wallet Password",
"description": "Wallet password for Oracle Autonomous mTLS connections, if required.",
"type": "string",
"format": "password"
}
},
"required": [
"tnsAlias"
],
"anyOf": [
{
"required": [
"walletPath"
]
},
{
"required": [
"walletContent"
]
}
]
}
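
Review bot: The anyOf at the end of OracleAutonomousConnection accepts a configuration that sets both walletPath and walletContent, and nothing in the schema says which one takes effect. If the two are meant to be exclusive, use oneOf; otherwise state the precedence in the field descriptions. walletContent is also an unbounded string: adding a maxLength would let the schema reject oversized base64 payloads before the runtime decodes and extracts them.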

Copilot AI Apr 19, 2026

The JSON schema adds OracleAutonomousConnection, but the UI-generated TypeScript types don’t appear to have been regenerated (e.g., openmetadata-ui/src/main/resources/ui/src/generated/entity/services/connections/database/oracleConnection.ts currently has no OracleAutonomousConnection). Please re-run the schema→TS generation (openmetadata-ui/.../json2ts.sh or generate_ts.sh for this schema) and commit the updated generated types so the UI/client typings stay in sync with the spec change.

@ulixius9
Member

@hassaansaleem28 did you test this with a real Oracle instance? Can you paste a screenshot of ingestion?

@hassaansaleem28
Contributor Author

Hi @ulixius9
see:
image
Screenshot from 2026-04-20 14-53-58

@hassaansaleem28
Contributor Author

hi @ulixius9, here is the full screen recording of testing:
Screencast from 2026-04-20 20-20-59.webm

LET ME KNOW IF ANY CHANGES ARE REQUIRED

@hassaansaleem28
Contributor Author

Hello @ulixius9 @PubChimps could you please add that safe to test label?

Development

Successfully merging this pull request may close these issues.

OCI Autonomous Database Support

3 participants