PR Comments

Author: hectorcast-db

NEXT_CHANGELOG.md

@@ -3,8 +3,12 @@
 ## Release v0.61.0
 
 ### New Features and Improvements
-* Introduce support for Databricks Workload Identity Federation in GitHub workflows ([1177](https://github.com/databricks/databricks-sdk-go/pull/1177))
+* Introduce support for Databricks Workload Identity Federation in GitHub workflows ([1177](https://github.com/databricks/databricks-sdk-go/pull/1177)).
   See README.md for instructions.
+  [Breaking] Users running their worklows in GitHub Actions, which use Cloud native authentication and also have a `DATABRICKS_CLIENT_ID` and `DATABRICKS_HOST` 
+  environment variables set may see their authentication start failing due to the order in which the SDK tries different authentication methods.
+  In such case, the `DATABRICKS_AUTH_TYPE` environment variable must be set to match the previously used authentication method.
+  
 
 ### Bug Fixes
 

README.md

@@ -174,20 +174,17 @@ Depending on the Databricks authentication method, the SDK uses the following in
 
 ### Databricks native authentication
 
-By default, the Databricks SDK for Go initially tries Databricks token authentication (`AuthType: "pat"` in `*databricks.Config`). If the SDK is unsuccessful, it then tries Databricks basic (username/password) authentication (`AuthType: "basic"` in `*databricks.Config`). If unsucesful, it then tries Workload Identity Federation (WIF) based authentication(`AuthType: "databricks-wif"` in `*databricks.Config`). Currently, only GitHub provided JWT Tokens is supported.
+By default, the Databricks SDK for Go initially tries Databricks token authentication (`AuthType: "pat"` in `*databricks.Config`). If the SDK is unsuccessful, it then tries Workload Identity Federation (WIF) based authentication(`AuthType: "databricks-wif"` in `*databricks.Config`). Currently, only GitHub provided JWT Tokens is supported.
 
 - For Databricks token authentication, you must provide `Host` and `Token`; or their environment variable or `.databrickscfg` file field equivalents.
-- For Databricks basic authentication, you must provide `Host`, `Username`, and `Password` _(for AWS workspace-level operations)_; or `Host`, `AccountID`, `Username`, and `Password` _(for AWS, Azure, or GCP account-level operations)_; or their environment variable or `.databrickscfg` file field equivalents.
-- For Databricks wif authentication, you must provide `Host`, `ClientID` and `TokenAudience`; or their environment variable or `.databrickscfg` file field equivalents.
+- For Databricks wif authentication, you must provide `Host`, `ClientID` and `TokenAudience` _(optional)_; or their environment variable or `.databrickscfg` file field equivalents.
 
 | `*databricks.Config` argument | Description                                                                                                                                                                                                                                                              | Environment variable / `.databrickscfg` file field |
 | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- |
 | `Host`                        | _(String)_ The Databricks host URL for either the Databricks workspace endpoint or the Databricks accounts endpoint.                                                                                                                                                     | `DATABRICKS_HOST` / `host`                         |
 | `AccountID`                   | _(String)_ The Databricks account ID for the Databricks accounts endpoint. Only has effect when `Host` is either `https://accounts.cloud.databricks.com/` _(AWS)_, `https://accounts.azuredatabricks.net/` _(Azure)_, or `https://accounts.gcp.databricks.com/` _(GCP)_. | `DATABRICKS_ACCOUNT_ID` / `account_id`             |
 | `Token`                       | _(String)_ The Databricks personal access token (PAT) _(AWS, Azure, and GCP)_ or Azure Active Directory (Azure AD) token _(Azure)_.                                                                                                                                      | `DATABRICKS_TOKEN` / `token`                       |
-| `Username`                    | _(String)_ The Databricks username part of basic authentication. Only possible when `Host` is `*.cloud.databricks.com` _(AWS)_.                                                                                                                                          | `DATABRICKS_USERNAME` / `username`                 |
-| `Password`                    | _(String)_ The Databricks password part of basic authentication. Only possible when `Host` is `*.cloud.databricks.com` _(AWS)_.                                                                                                                                          | `DATABRICKS_PASSWORD` / `password`                 |
-| `TokenAudience`               | _(String)_ The Audience for the JWT Token.                                                                                                                                                                                                                               | `TOKEN_AUDIENCE` / `token_audience`                |
+| `TokenAudience`               | _(String)_ When using Workload Identity Federation, the audience to specify when fetching an ID token from the ID token supplier.                                                                                                                               | `TOKEN_AUDIENCE` / `token_audience`                |
 
 For example, to use Databricks token authentication:
 

config/auth_databricks_wif.go

@@ -11,11 +11,16 @@ import (
 	"golang.org/x/oauth2/clientcredentials"
 )
 
+// DatabricksWIFCredentials uses a Token Supplier to get a JWT Token and exchanges
+// it for a Databricks Token.
+//
+// Supported suppliers:
+// - GitHub OIDC
 type DatabricksWIFCredentials struct{}
 
 // Configure implements CredentialsStrategy.
 func (d DatabricksWIFCredentials) Configure(ctx context.Context, cfg *Config) (credentials.CredentialsProvider, error) {
-	if cfg.Host == "" || cfg.ClientID == "" || cfg.TokenAudience == "" {
+	if cfg.Host == "" || cfg.ClientID == "" {
 		return nil, nil
 	}
 
@@ -38,12 +43,12 @@ func (d DatabricksWIFCredentials) Configure(ctx context.Context, cfg *Config) (c
 	}
 
 	ts := &databricksWIFTokenSource{
-		ctx:               ctx,
-		jwtTokenSupplicer: &supplier,
-		audience:          cfg.TokenAudience,
-		clientId:          cfg.ClientID,
-		cfg:               cfg,
-		tokenEndpoint:     endpoints.TokenEndpoint,
+		ctx:             ctx,
+		idTokenSupplier: &supplier,
+		audience:        cfg.TokenAudience,
+		clientId:        cfg.ClientID,
+		cfg:             cfg,
+		tokenEndpoint:   endpoints.TokenEndpoint,
 	}
 
 	visitor := refreshableVisitor(ts)
@@ -56,16 +61,16 @@ func (d DatabricksWIFCredentials) Name() string {
 }
 
 type databricksWIFTokenSource struct {
-	ctx               context.Context
-	jwtTokenSupplicer *GithubOIDCTokenSupplier
-	tokenEndpoint     string
-	audience          string
-	clientId          string
-	cfg               *Config
+	ctx             context.Context
+	idTokenSupplier *GithubOIDCTokenSupplier
+	tokenEndpoint   string
+	audience        string
+	clientId        string
+	cfg             *Config
 }
 
 func (d *databricksWIFTokenSource) Token() (*oauth2.Token, error) {
-	token, err := d.jwtTokenSupplicer.GetOIDCToken(d.ctx, d.audience)
+	token, err := d.idTokenSupplier.GetOIDCToken(d.ctx, d.audience)
 	if err != nil {
 		return nil, err
 	}
@@ -87,7 +92,7 @@ func (d *databricksWIFTokenSource) Token() (*oauth2.Token, error) {
 		},
 	}
 
-	logger.Debugf(d.ctx, "Getting tokken for client %s", d.clientId)
+	logger.Debugf(d.ctx, "Getting token for client %s", d.clientId)
 
 	return tsConfig.Token(d.ctx)
 }

config/auth_databricks_wif_test.go

@@ -25,16 +25,6 @@ func TestDatabricksGithubWIFCredentials(t *testing.T) {
 			},
 			wantErrPrefix: errPrefix("databricks-wif auth: not configured"),
 		},
-		{
-			desc: "missing token audience",
-			cfg: &Config{
-				Host:                       "http://host.com/test",
-				ClientID:                   "client-id",
-				ActionsIDTokenRequestURL:   "http://endpoint.com/test?version=1",
-				ActionsIDTokenRequestToken: "token-1337",
-			},
-			wantErrPrefix: errPrefix("databricks-wif auth: not configured"),
-		},
 		{
 			desc: "missing host",
 			cfg: &Config{
@@ -257,6 +247,41 @@ func TestDatabricksGithubWIFCredentials(t *testing.T) {
 				"Authorization": "access-token test-auth-token",
 			},
 		},
+		{
+			desc: "default token audience",
+			cfg: &Config{
+				ClientID:                   "client-id",
+				AccountID:                  "ac123",
+				Host:                       "https://accounts.databricks.com",
+				ActionsIDTokenRequestURL:   "http://endpoint.com/test?version=1",
+				ActionsIDTokenRequestToken: "token-1337",
+				HTTPTransport: fixtures.MappingTransport{
+					"GET /test?version=1": {
+						Status: http.StatusOK,
+						ExpectedHeaders: map[string]string{
+							"Authorization": "Bearer token-1337",
+							"Accept":        "application/json",
+						},
+						Response: `{"value": "id-token-42"}`,
+					},
+					"POST /oidc/accounts/ac123/v1/token": {
+						Status: http.StatusOK,
+						ExpectedHeaders: map[string]string{
+							"Content-Type": "application/x-www-form-urlencoded",
+						},
+						Response: map[string]string{
+							"token_type":    "access-token",
+							"access_token":  "test-auth-token",
+							"refresh_token": "refresh",
+							"expires_on":    "0",
+						},
+					},
+				},
+			},
+			wantHeaders: map[string]string{
+				"Authorization": "access-token test-auth-token",
+			},
+		},
 	}
 
 	for _, tc := range testCases {

config/config.go

@@ -133,7 +133,7 @@ type Config struct {
 	// Environment override to return when resolving the current environment.
 	DatabricksEnvironment *environment.DatabricksEnvironment
 
-	// OIDC and WIF audience for the token
+	// When using Workload Identity Federation, the audience to specify when fetching an ID token from the ID token supplier.
 	TokenAudience string `name:"audience" auth:"-"`
 
 	Loaders []Loader

config/oidc_github.go

@@ -3,7 +3,6 @@ package config
 import (
 	"context"
 	"fmt"
-	"time"
 
 	"github.com/databricks/databricks-sdk-go/httpclient"
 	"github.com/databricks/databricks-sdk-go/logger"
@@ -27,17 +26,17 @@ func (g *GithubOIDCTokenSupplier) GetOIDCToken(ctx context.Context, audience str
 	resp := struct { // anonymous struct to parse the response
 		Value string `json:"value"`
 	}{}
-	err := g.cfg.refreshClient.Do(ctx, "GET", fmt.Sprintf("%s&audience=%s", g.cfg.ActionsIDTokenRequestURL, audience),
+	requestUrl := g.cfg.ActionsIDTokenRequestURL
+	if audience != "" {
+		requestUrl = fmt.Sprintf("%s&audience=%s", requestUrl, audience)
+	}
+	err := g.cfg.refreshClient.Do(ctx, "GET", requestUrl,
 		httpclient.WithRequestHeader("Authorization", fmt.Sprintf("Bearer %s", g.cfg.ActionsIDTokenRequestToken)),
 		httpclient.WithResponseUnmarshal(&resp),
 	)
 	if err != nil {
 		return "", fmt.Errorf("failed to request ID token from %s: %w", g.cfg.ActionsIDTokenRequestURL, err)
 	}
 
-	// GitHub issued time is not allways in sync, and can give tokens which are not yet valid.
-	// TODO: Remove this after Databricks API is updated to handle such cases.
-	time.Sleep(2 * time.Second)
-
 	return resp.Value, nil
 }

internal/auth_test.go

@@ -12,6 +12,8 @@ import (
 )
 
 func TestUcAccWifAuth(t *testing.T) {
+	// This test cannot be run locally. It can only be run from GitHub Workflows.
+	_ = GetEnvOrSkipTest(t, "ACTIONS_ID_TOKEN_REQUEST_URL")
 	ctx, a := ucacctTest(t)
 
 	// Create SP with access to the workspace
@@ -74,6 +76,8 @@ func TestUcAccWifAuth(t *testing.T) {
 }
 
 func TestUcAccWifAuthWorkspace(t *testing.T) {
+	// This test cannot be run locally. It can only be run from GitHub Workflows.
+	_ = GetEnvOrSkipTest(t, "ACTIONS_ID_TOKEN_REQUEST_URL")
 	ctx, a := ucacctTest(t)
 
 	workspaceIdEnvVar := GetEnvOrSkipTest(t, "TEST_WORKSPACE_ID")