Fix auth profiles misclassifying SPOG hosts as workspace configs #4929
Open
mihaimitrea-db wants to merge 3 commits into main from
SPOG hosts (e.g. db-deco-test.gcp.databricks.com) don't match the accounts.* URL prefix, so ConfigType() classifies them as WorkspaceConfig. This causes `auth profiles` to validate with CurrentUser.Me instead of Workspaces.List, which fails for account-scoped SPOG profiles. Use the resolved DiscoveryURL from .well-known/databricks-config to detect SPOG hosts with account-scoped OIDC, matching the routing logic in auth.AuthArguments.ToOAuthArgument(). Also add a fallback for legacy profiles with Experimental_IsUnifiedHost where .well-known is unreachable.
Waiting for approval
Based on git history, these people are best suited to review:
Eligible reviewers: @andrewnester, @anton-107, @denik, @shreyas-goenka
Suggestions based on git history. See OWNERS for ownership rules.
Summary
- `ConfigType()` classifies hosts by URL prefix (`accounts.*` → account, everything else → workspace). SPOG hosts don't match the `accounts.*` prefix, so they were misclassified as `WorkspaceConfig` and validated with `CurrentUser.Me`, which fails on account-scoped SPOG hosts.
- `DiscoveryURL` from `/.well-known/databricks-config` to detect SPOG hosts with account-scoped OIDC (contains `/oidc/accounts/`), matching the routing logic in `auth.AuthArguments.ToOAuthArgument()` and the approach from Fix auth logout failing to clear token for workspace profiles with account ID #4853.
- `experimental_is_unified_host` where `.well-known` is unreachable.

Why not just check `account_id`?
Since #4809, `runHostDiscovery` populates `account_id` on every workspace profile from the `.well-known` endpoint. A regular workspace profile now routinely carries `account_id`. The only reliable discriminator is the `oidc_endpoint` shape from `.well-known`, resolved at runtime (as established in #4853).

Test plan
- `TestProfileLoadSPOGConfigType` — table-driven with mock HTTP servers covering SPOG account, SPOG workspace, SPOG with `workspace_id=none`, and classic workspace with discovery-populated `account_id`.
- `TestProfileLoadUnifiedHostFallback` — `experimental_is_unified_host` profile with unreachable `.well-known` falls back to account validation.
- `TestProfileLoadClassicAccountHost` — classic account-scoped OIDC host.
- `cmd/auth/profiles/spog-account` — end-to-end: SPOG profile with `workspace_id=none` shows `valid:true`.
- `go test ./cmd/auth` and `go test ./acceptance -run TestAccept/cmd/auth/profiles` pass.
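
The classification rule described above, sketched as an added example (not the PR's code or the CLI's own types). `Profile`, `discoveryDoc` and `Classify` are hypothetical names, the hosts and discovery documents are constructed, and treating an unparsable document like an unreachable endpoint is an assumption; `workspace_id` handling is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Profile is a hypothetical stand-in for a saved auth profile.
type Profile struct {
	Host          string
	AccountID     string // also set on workspace profiles; deliberately not consulted
	LegacyUnified bool   // experimental_is_unified_host
}

// discoveryDoc holds the /.well-known/databricks-config fields the PR names.
type discoveryDoc struct {
	AccountID    string `json:"account_id"`
	OIDCEndpoint string `json:"oidc_endpoint"`
}

// Classify returns "account" or "workspace"; fetchErr is non-nil when discovery failed.
func Classify(p Profile, wellKnown []byte, fetchErr error) string {
	if strings.HasPrefix(strings.TrimPrefix(p.Host, "https://"), "accounts.") {
		return "account" // classic URL-prefix rule
	}
	var doc discoveryDoc
	if fetchErr != nil || json.Unmarshal(wellKnown, &doc) != nil {
		// Discovery unavailable: only the legacy flag can mark the host account-scoped.
		if p.LegacyUnified {
			return "account"
		}
		return "workspace"
	}
	// account_id alone proves nothing; the OIDC endpoint shape decides.
	if strings.Contains(doc.OIDCEndpoint, "/oidc/accounts/") {
		return "account"
	}
	return "workspace"
}

func main() {
	// Constructed sample documents; hosts and IDs are placeholders.
	spog := []byte(`{"account_id":"acct-123","oidc_endpoint":"https://spog.example.test/oidc/accounts/acct-123"}`)
	ws := []byte(`{"account_id":"acct-123","oidc_endpoint":"https://ws.example.test/oidc"}`)
	fmt.Println(Classify(Profile{Host: "https://spog.example.test", AccountID: "acct-123"}, spog, nil))
	fmt.Println(Classify(Profile{Host: "https://ws.example.test", AccountID: "acct-123"}, ws, nil))
	fmt.Println(Classify(Profile{Host: "https://spog.example.test", LegacyUnified: true}, nil, fmt.Errorf("unreachable")))
}
```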