auth: stop writing workspace_id = none on --skip-workspace#5338
Merged
Conversation
When `databricks auth login --skip-workspace` ran on a host with no discoverable workspace, the in-memory WorkspaceIDNone sentinel was persisted to .databrickscfg as the literal string `workspace_id = none`. The sentinel was only needed in-memory to gate the workspace prompt; it never had a reason to land on disk. SaveToProfile already omits empty fields, so just leaving WorkspaceID empty produces a clean account-only profile, and MatchAccountProfiles still recognizes existing legacy profiles that have `workspace_id = none` for backwards compat. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Collaborator
|
Commit: 34a62d2 |
simonfaltum
added a commit
that referenced
this pull request
May 27, 2026
PR #5338 stops writing workspace_id = none on --skip-workspace. After it lands, new account-only profiles have no workspace_id key at all, so the "= none" check here misses them. Broaden the detection to fire when cfg.Profile is set, cfg.AccountID is non-empty, and cfg.WorkspaceID is either empty or the legacy "none" sentinel. Reword the error to talk about "no workspace_id set" instead of the literal sentinel. The cfg.Profile guard keeps env-var-only configs targeting a unified host out of the rejection path (their workspace APIs are served from the account host and auth resolves end-to-end). Co-authored-by: Isaac
5 tasks
… profile Without writing the "none" sentinel anymore, an account-only profile loads back with WorkspaceID == "" — the same shape as a fresh login that still needs a workspace pick. The next `databricks auth login --profile foo` would prompt again on every run. Extract shouldPromptWorkspace and treat "existing profile is account-only" (account_id set, workspace_id empty or the legacy "none" sentinel) as honoring the user's prior skip choice. Covers both shapes so legacy profiles keep working alongside new ones. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
GPT review caught that `shouldPromptWorkspace` honored an existing account-only profile without checking the account ID matched. Reusing a profile name against a different account would suppress the workspace prompt on the new account too. Tighten the check to require `existingProfile.AccountID == authArguments.AccountID`. Co-authored-by: Isaac
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
simonfaltum
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
databricks auth login --skip-workspacewrites a literalworkspace_id = noneinto.databrickscfgwhen no workspace can be discovered. That string is a CLI-internal sentinel.Changes
--skip-workspace(and "Skip" picked in the interactive workspace prompt) set the in-memoryWorkspaceIDNonesentinel, which was then saved to disk asworkspace_id = none.WorkspaceIDempty.SaveToProfilealready omits empty fields, so account-only profiles land with noworkspace_idkey at all.MatchAccountProfilesalready treats absent andnoneidentically, so legacy profiles that still haveworkspace_id = nonekeep working.auth.WorkspaceIDNonestays defined for backwards-compatible parsing.Re-login regression fix: without the sentinel, an account-only profile loads back with
WorkspaceID == "", which has the same shape as a fresh login that still needs a workspace pick. Without further changes,databricks auth login --profile foo(no--skip-workspace) would prompt again on every run. ExtractshouldPromptWorkspaceand treat "existing profile is already account-only" as honoring the user's prior skip choice. Covers both the new (absentworkspace_id) and legacy (workspace_id = none) shapes.Test plan
go test ./cmd/auth/...(existing tests, includingTestSetHostAndAccountId_WorkspaceIDNoneSentinelInherited)TestShouldPromptWorkspacetable-driven test exercises re-login into legacy and new-shape account-only profiles, a workspace profile,--skip-workspace, and the no-account-id / known-workspace-id short-circuits.go test ./acceptance -run TestAccept/cmd/auth/profiles/spog-account(legacyworkspace_id = noneprofile still parses as account)./task checks./task lint-q