Make --profile take precedence over auth environment variables#5702
Draft
radakam wants to merge 5 commits into
Draft
Make --profile take precedence over auth environment variables#5702radakam wants to merge 5 commits into
radakam wants to merge 5 commits into
Conversation
When --profile is set explicitly, host and auth credentials from the profile now win over DATABRICKS_HOST/DATABRICKS_TOKEN and other auth env vars. Previously the SDK's env-first loader order silently shadowed the selected profile (#5096).
Collaborator
Integration test reportCommit: a673c11
23 interesting tests: 13 SKIP, 7 KNOWN, 2 FAIL, 1 flaky
Top 5 slowest tests (at least 2 minutes):
|
Extend the --profile precedence fix (#5096): - ResolveNonAuthFromEnv now also skips auth_type and discovery_url, which are tagged auth:"-" in the SDK and so are invisible to HasAuthAttribute, letting DATABRICKS_AUTH_TYPE/DATABRICKS_DISCOVERY_URL shadow the profile. It also records the env source so `auth describe` and debug output match the SDK loader. - Workspace.Client uses ResolveNonAuthFromEnv when a profile is set (from --profile or workspace.profile) so env auth vars no longer shadow the profile for bundle commands. - Use the reserved .test TLD for new test fixture hosts so the SDK's well-known host metadata resolver fast-fails instead of stalling on a live network lookup.
A host-only profile combined with DATABRICKS_TOKEN previously failed because the profile loader chain stopped at the config file. Append config.ConfigAttributes after the profile so the environment can fill auth fields the profile does not provide, while the profile still wins for any field it sets (#5096).
- Centralize the explicit-profile loader chain in databrickscfg.ProfileAuthLoaders and extract applyProfileAuthPrecedence so all call sites share one rule. - Skip host, routing IDs (workspace_id/account_id) and SDK-internal auth-steering env attrs; guard the classification with a test that fails on SDK drift. - Apply profile precedence to `databricks api --profile`. - Let env gap-fill auth fields a host-only profile leaves empty. - Add bundle host+profile coverage and acceptance tests; clarify rationale comments.
radakam
force-pushed
the
cli-5096-fix-profile-not-respected
branch
from
fe17837 to
ae05b0e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
With an explicit profile (
--profileor a bundle'sworkspace.profile), auth env vars (DATABRICKS_HOST,DATABRICKS_TOKEN, ...) silently shadowed it: the SDK reads env before the config file and never overwrites a set field.Changes
Fixes #5096
When a profile is selected explicitly, use a shared loader chain (
databrickscfg.ProfileAuthLoaders) so the profile wins for host and auth, while env still gap-fills only the auth fields the profile leaves empty (e.g. host-only profile +DATABRICKS_TOKEN). Wired intoMustWorkspaceClient,MustAccountClient,Workspace.Client, anddatabricks api.Explicit design choices:
DATABRICKS_CONFIG_PROFILEkeeps the SDK's env-first precedence (reordering two env signals is the SDK's domain).NormalizeDatabricksConfigFromEnv, so a host-less profile + SPOG-styleDATABRICKS_HOST(?o=/?a=) no longer extractsworkspace_id/account_idfrom the query. The profile's host is authoritative instead.Tests
--profile/workspace.profilewins over auth env;DATABRICKS_CONFIG_PROFILEstays env-first; host-only profile fills its token from env; conflicting-method error; SDK-bump guard for newly added internal env attributes.