Infer Azure tenant ID if not set #910
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 tasks
tanmay-db
approved these changes
May 8, 2024
|
|
||
| // Run a command and return the output. | ||
| func runCommand(ctx context.Context, cmd string, args []string) ([]byte, error) { | ||
| logger.Debugf(ctx, "Running command: %s %v", cmd, strings.Join(args, " ")) |
There was a problem hiding this comment.
Might be good to allow passing debug level defaulting to DEBUG.
logMessage := fmt.Sprintf("Running command: %s %v", cmd, strings.Join(args, " "))
// logLevel is enum for log levels, default to debug if not provided.
switch logLevel {
case LogLevelDebug:
logger.Debugf(ctx, logMessage)
case LogLevelInfo:
logger.Infof(ctx, logMessage)
case LogLevelWarn:
logger.Warnf(ctx, logMessage)
case LogLevelError:
logger.Errorf(ctx, logMessage)
default:
logger.Infof(ctx, "Unspecified log level for: %s", logMessage)
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
In order to use Azure U2M or M2M authentication with the Databricks SDK, users must request a token from the correct Entra ID instance, specifically, the same tenant as the one that the underlying workspace or account belongs to. Otherwise, Databricks will reject a user's requests. However, with Azure CLI auth, it is possible that a user is logged into multiple tenants at the same time. Currently, the SDK uses the subscription ID from the configured Azure Resource ID for the workspace when issuing the
az account get-access-tokencommand. However, when users don't specify the resource ID, the SDK simply fetches a token for the active subscription for the user. If the active subscription is in a different tenant than the workspace, users will see an error such as:This PR modifies Azure CLI and Azure SP credential providers to attempt to load the tenant ID of the workspace if not provided before authenticating. Currently, there are no unauthenticated endpoints that the tenant ID can be directly fetched from. However, the tenant ID is indirectly exposed via the redirect URL used when logging into a workspace. In this PR, we fetch the tenant ID from this endpoint and configure it if not already set.
Here, we lazily fetch the tenant ID only in the auth methods that need it. This prevents us from making any unnecessary requests if these Azure credential providers are not needed.
Tests
make testpassingmake fmtapplied