Skip to content

Add host disambiguation and positional profile support to auth token#4574

Merged
simonfaltum merged 3 commits intomainfrom
simonfaltum/host-ambiguity-auth-token
Feb 23, 2026
Merged

Add host disambiguation and positional profile support to auth token#4574
simonfaltum merged 3 commits intomainfrom
simonfaltum/host-ambiguity-auth-token

Conversation

@simonfaltum
Copy link
Member

@simonfaltum simonfaltum commented Feb 23, 2026
edited
Loading

Why

Profile-based cache keys landed on main (PR #4562). Now auth token --profile X uses the profile name as the token cache key. However, when using --host H or a positional host arg, there's no profile resolution — the command goes straight to host-based cache lookup. If two profiles share the same host, whoever logged in last wins. There's also no way to pass a profile name as a positional arg (databricks auth token myprofile gets treated as a host and fails).

Changes

  • Positional profile name detection: databricks auth token myprofile resolves positional args as profile names first, falling through to host treatment only if no profile matches. This works for dotted profile names like default.dev too.
  • Host ambiguity detection: databricks auth token --host H with multiple matching profiles errors with a suggestion (or prompts interactively)
  • Profile matching predicates: WithHost() and WithHostAndAccountID() in the profile package, using the SDK's canonical host normalization
  • Account/unified hosts are matched by host + account ID (not host alone) to avoid false ambiguity when profiles share a host but differ by account
  • Host is canonicalized before HostType() classification so scheme-less hosts (e.g. accounts.cloud.databricks.com) are correctly identified as account hosts

New test cases

  1. Positional arg resolved as profile name: args: []string{"workspace-a"}, no profileName. Expects success — token returned via profile-based cache key.
  2. Positional arg with dot treated as host when no profile matches: args: []string{"workspace-a.cloud.databricks.com"}. No profile matches, falls through to host path.
  3. Dotted profile name resolved as profile not host: args: []string{"default.dev"}. Profile lookup matches first, no host heuristic needed.
  4. Positional arg not a profile, falls through to host: args: []string{"nonexistent"}, no profileName. Falls through to host treatment, gets cache miss error (backward compat).
  5. Scheme-less account host ambiguity detected correctly: Host: "accounts.cloud.databricks.com" (no scheme), AccountID: "same-account". Verifies canonicalization before HostType() classification.
  6. Workspace host ambiguity — multiple profiles, non-interactive: Use cmdio.MockDiscard(ctx). Host: "https://shared.cloud.databricks.com". Expected error contains "dup1 and dup2 match" and "Use --profile" and config file path.
  7. Account host — same host, different account IDs → no ambiguity: Host: "https://accounts.cloud.databricks.com", AccountID: "active". Both expired and active share the host but have different account IDs → only one matches → no ambiguity. Validates the over-triggering fix.
  8. Account host — same host AND same account ID → ambiguity: Use cmdio.MockDiscard(ctx). Host: "https://accounts.cloud.databricks.com", AccountID: "same-account". Both acct-dup1 and acct-dup2 match → ambiguity error.
  9. Profile flag + positional non-host arg still errors: profileName: "active", args: []string{"workspace-a"}. Expected error: "providing both a profile and host is not supported".

Verification

  1. go test ./cmd/auth/ -run TestToken_loadToken -v — all 16 test cases pass
  2. go test ./libs/databrickscfg/profile/ -v — WithHost predicate tests pass
  3. go test ./acceptance -run TestAccept/cmd/auth/token -v — acceptance test still passes (existing error message preserved)
  4. make checks — whitespace and formatting pass

🤖 Generated with Claude Code

@eng-dev-ecosystem-bot
Copy link
Collaborator

eng-dev-ecosystem-bot commented Feb 23, 2026
edited
Loading

Commit: 287e1b2

Run: 22308391421

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 1 7 268 763 7:02
🟨​ aws windows 7 1 7 270 761 5:38
💚​ aws-ucws linux 8 7 364 679 6:14
💚​ aws-ucws windows 8 7 366 677 4:59
🔄​ azure linux 2 9 271 761 5:35
🔄​ azure windows 2 9 273 759 5:43
💚​ azure-ucws linux 2 9 369 675 8:35
💚​ azure-ucws windows 2 9 371 673 5:57
💚​ gcp linux 2 9 267 764 5:56
💚​ gcp windows 2 9 269 762 6:25
15 interesting tests: 7 KNOWN, 7 SKIP, 1 flaky
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 🔄​f 🔄​f 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestAccept/ssh/connection 💚​R 💚​R 💚​R 💚​R 🔄​f 🔄​f 💚​R 💚​R 💚​R 💚​R
Top 20 slowest tests (at least 2 minutes):
duration env testname
3:50 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:41 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:37 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:22 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:20 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:20 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:16 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:57 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:53 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:51 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:47 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:46 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:43 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:42 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:42 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:38 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:31 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:08 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:06 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:04 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

@simonfaltum simonfaltum force-pushed the simonfaltum/host-ambiguity-auth-token branch from d64fd28 to 7dd4e48 Compare February 23, 2026 11:49
@simonfaltum simonfaltum force-pushed the simonfaltum/host-ambiguity-auth-token branch from 7dd4e48 to 391666c Compare February 23, 2026 11:50
@simonfaltum simonfaltum marked this pull request as ready for review February 23, 2026 12:14
andrewnester
andrewnester reviewed Feb 23, 2026
View reviewed changes
Copy link
Contributor

@andrewnester andrewnester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might worth to add an acceptance test here as well, see for example

https://github.com/databricks/cli/tree/main/acceptance/cmd/auth/token

andrewnester
andrewnester reviewed Feb 23, 2026
View reviewed changes
@simonfaltum @claude
Add host disambiguation and positional profile support to auth token
12bd47f 
When using `auth token --host H` with multiple profiles sharing the same
host, the command now detects the ambiguity and either prompts
interactively or errors with a helpful message suggesting --profile.
Additionally, `databricks auth token myprofile` now detects non-URL
positional args as profile names instead of failing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@simonfaltum simonfaltum force-pushed the simonfaltum/host-ambiguity-auth-token branch from 391666c to 12bd47f Compare February 23, 2026 12:31
tanmay-db
tanmay-db reviewed Feb 23, 2026
View reviewed changes
@simonfaltum @claude
Panic on empty configPath instead of silent fallback
285218d 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
shreyas-goenka
shreyas-goenka approved these changes Feb 23, 2026
View reviewed changes
@simonfaltum simonfaltum added this pull request to the merge queue Feb 23, 2026
Merged via the queue into main with commit ad00e25 Feb 23, 2026
18 checks passed
@simonfaltum simonfaltum deleted the simonfaltum/host-ambiguity-auth-token branch February 23, 2026 14:26
deco-sdk-tagging bot added a commit that referenced this pull request Feb 26, 2026
@deco-sdk-tagging
[Release] Release v0.290.0
79d8237 
## Release v0.290.0

### CLI
* Add `completion install`, `uninstall`, and `status` subcommands ([#4581](#4581))
* Wire profile name through CLI ToOAuthArgument for profile-based cache keys ([#4562](#4562))
* Add host disambiguation and positional profile support to auth token ([#4574](#4574))
* Update error messages to suggest 'databricks auth login' ([#4587](#4587))
* Resolve --host to matching profile for token cache lookup ([#4591](#4591))
* Improve auth token UX: profile selection and better empty-state handling ([#4584(#4584)

### Bundles
* Added support for git_source and git_repository for Apps ([#4538](#4538))

### Dependency updates
* Upgrade TF provider to 1.109.0 ([#4561](#4561))
* Upgrade Go SDK to v0.110.0 ([#4552](#4552))

### API Changes
* Bump databricks-sdk-go from v0.111.0 to v0.112.0.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewnester andrewnester andrewnester left review comments

@shreyas-goenka shreyas-goenka shreyas-goenka approved these changes

@tanmay-db tanmay-db tanmay-db approved these changes

@anton-107 anton-107 Awaiting requested review from anton-107 anton-107 is a code owner

@denik denik Awaiting requested review from denik denik is a code owner

@pietern pietern Awaiting requested review from pietern pietern is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@simonfaltum @eng-dev-ecosystem-bot @andrewnester @shreyas-goenka @tanmay-db