diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md index 30a64c54100..6e6119c4c34 100644 --- a/NEXT_CHANGELOG.md +++ b/NEXT_CHANGELOG.md @@ -6,6 +6,8 @@ ### CLI +* An explicitly selected profile (`--profile` or a bundle's `workspace.profile`) now takes precedence over auth environment variables (`DATABRICKS_HOST`, `DATABRICKS_TOKEN`, etc.) instead of being silently shadowed by them; env vars still fill auth fields the profile leaves empty ([#5096](https://github.com/databricks/cli/issues/5096)). + ### Bundles ### Dependency updates diff --git a/acceptance/cmd/api/default-profile-vs-env/out.test.toml b/acceptance/cmd/api/default-profile-vs-env/out.test.toml new file mode 100644 index 00000000000..f784a183258 --- /dev/null +++ b/acceptance/cmd/api/default-profile-vs-env/out.test.toml @@ -0,0 +1,3 @@ +Local = true +Cloud = false +EnvMatrix.DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"] diff --git a/acceptance/cmd/api/default-profile-vs-env/output.txt b/acceptance/cmd/api/default-profile-vs-env/output.txt new file mode 100644 index 00000000000..9839d897b5c --- /dev/null +++ b/acceptance/cmd/api/default-profile-vs-env/output.txt @@ -0,0 +1,22 @@ + +=== api without --profile uses env auth, ignoring default_profile (#5616) + +>>> [CLI] api get /api/2.0/clusters/list +{} + +>>> print_requests.py --get //api/2.0/clusters/list +{ + "headers": { + "Authorization": [ + "Bearer [DATABRICKS_TOKEN]" + ], + "User-Agent": [ + "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/[OS] cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat" + ], + "X-Databricks-Workspace-Id": [ + "[NUMID]" + ] + }, + "method": "GET", + "path": "/api/2.0/clusters/list" +} diff --git a/acceptance/cmd/api/default-profile-vs-env/script b/acceptance/cmd/api/default-profile-vs-env/script new file mode 100644 index 00000000000..4ec3bc29997 --- /dev/null +++ b/acceptance/cmd/api/default-profile-vs-env/script @@ -0,0 +1,19 @@ +sethome "./home" + +# A default profile with conflicting (basic) auth on a different host. The env +# below still points a PAT at the test server. Without the #5616 guard, the +# default profile would be pinned and merged with the env PAT, failing with +# "more than one authorization method configured". +cat > "./home/.databrickscfg" <>> [CLI] api get /api/2.0/clusters/list --profile my-workspace +{} + +>>> print_requests.py --get //api/2.0/clusters/list +{ + "headers": { + "Authorization": [ + "Bearer [DATABRICKS_TOKEN]" + ], + "User-Agent": [ + "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/[OS] cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat" + ], + "X-Databricks-Workspace-Id": [ + "[NUMID]" + ] + }, + "method": "GET", + "path": "/api/2.0/clusters/list" +} + +=== api host-only --profile fills the token from the environment (#5096) + +>>> [CLI] api get /api/2.0/clusters/list --profile host-only +{} + +>>> print_requests.py --get //api/2.0/clusters/list +{ + "headers": { + "Authorization": [ + "Bearer [DATABRICKS_TOKEN]" + ], + "User-Agent": [ + "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/[OS] cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat" + ], + "X-Databricks-Workspace-Id": [ + "[NUMID]" + ] + }, + "method": "GET", + "path": "/api/2.0/clusters/list" +} diff --git a/acceptance/cmd/api/profile-overrides-env/script b/acceptance/cmd/api/profile-overrides-env/script new file mode 100644 index 00000000000..a1ec0315dce --- /dev/null +++ b/acceptance/cmd/api/profile-overrides-env/script @@ -0,0 +1,29 @@ +sethome "./home" + +# One profile with full credentials, one host-only; both point at the test +# server while the auth env vars below point elsewhere. +cat > "./home/.databrickscfg" <>> [CLI] auth describe --profile my-workspace +Host: [DATABRICKS_URL] +User: [USERNAME] +Authenticated with: pat +----- +Current configuration: + ✓ host: [DATABRICKS_URL] (from [TEST_TMP_DIR]/home/.databrickscfg config file) + ✓ workspace_id: [NUMID] + ✓ token: ******** (from [TEST_TMP_DIR]/home/.databrickscfg config file) + ✓ profile: my-workspace (from --profile flag) + ✓ databricks_cli_path: [CLI] + ✓ auth_type: pat + ✓ rate_limit: [NUMID] (from DATABRICKS_RATE_LIMIT environment variable) + ✓ cloud: AWS + ✓ discovery_url: [DATABRICKS_URL]/oidc/.well-known/oauth-authorization-server + +=== Describe with a host-only --profile fills the token from the environment (#5096) + +>>> [CLI] auth describe --profile host-only +Host: [DATABRICKS_URL] +User: [USERNAME] +Authenticated with: pat +----- +Current configuration: + ✓ host: [DATABRICKS_URL] (from [TEST_TMP_DIR]/home/.databrickscfg config file) + ✓ workspace_id: [NUMID] + ✓ token: ******** (from DATABRICKS_TOKEN environment variable) + ✓ profile: host-only (from --profile flag) + ✓ databricks_cli_path: [CLI] + ✓ auth_type: pat + ✓ rate_limit: [NUMID] (from DATABRICKS_RATE_LIMIT environment variable) + ✓ cloud: AWS + ✓ discovery_url: [DATABRICKS_URL]/oidc/.well-known/oauth-authorization-server diff --git a/acceptance/cmd/auth/describe/profile-overrides-env/script b/acceptance/cmd/auth/describe/profile-overrides-env/script new file mode 100644 index 00000000000..b3846922c8f --- /dev/null +++ b/acceptance/cmd/auth/describe/profile-overrides-env/script @@ -0,0 +1,26 @@ +sethome "./home" + +# A profile carries full credentials; a second profile carries only a host. +cat > "./home/.databrickscfg" <