Skip to content

Commit 72b1acb

Browse files
committed
Trim verbose comments to keep only necessary rationale
1 parent ae05b0e commit 72b1acb

5 files changed

Lines changed: 36 additions & 74 deletions

File tree

bundle/config/workspace.go

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -178,10 +178,9 @@ func (w *Workspace) Client(ctx context.Context) (*databricks.WorkspaceClient, er
178178

179179
switch {
180180
case w.Profile != "":
181-
// An explicit profile (--profile or workspace.profile) takes precedence
182-
// over auth env vars; see databrickscfg.ProfileAuthLoaders (#5096). The
183-
// ValidateConfigAndProfileHost check below still enforces that the bundle
184-
// host matches the profile host.
181+
// An explicit profile wins over auth env vars; see
182+
// databrickscfg.ProfileAuthLoaders (#5096). ValidateConfigAndProfileHost
183+
// below still checks the bundle host matches the profile host.
185184
cfg.Loaders = databrickscfg.ProfileAuthLoaders
186185
case w.Host != "":
187186
// If only the host is configured, we try and unambiguously match it to

cmd/api/api.go

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -98,10 +98,9 @@ func makeCommand(method string) *cobra.Command {
9898
}
9999

100100
if hasProfileFlag {
101-
// An explicit --profile takes precedence over auth env vars; see
102-
// databrickscfg.ProfileAuthLoaders (#5096). NormalizeDatabricksConfigFromEnv
103-
// is skipped too: the host comes from the profile, not DATABRICKS_HOST,
104-
// so promoting its ?o=/?a= query params would be wrong.
101+
// An explicit --profile wins over auth env vars; see
102+
// databrickscfg.ProfileAuthLoaders (#5096). Skip env host
103+
// normalization too, since the host comes from the profile.
105104
cfg.Loaders = databrickscfg.ProfileAuthLoaders
106105
} else {
107106
auth.NormalizeDatabricksConfigFromEnv(cmd.Context(), cfg)

cmd/root/auth.go

Lines changed: 4 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -110,17 +110,10 @@ func profileFlagValue(cmd *cobra.Command) (string, bool) {
110110
return value, value != ""
111111
}
112112

113-
// applyProfileAuthPrecedence makes an explicitly selected --profile take
114-
// precedence over auth environment variables instead of being shadowed by them.
115-
//
116-
// With a profile flag we install databrickscfg.ProfileAuthLoaders (the single
117-
// source of truth for this precedence rule; see its doc and #5096) and skip
118-
// NormalizeDatabricksConfigFromEnv: the host comes from the profile, not
119-
// DATABRICKS_HOST, so promoting that env host's ?o=/?a= query params would be
120-
// wrong. Trade-off: a host-less profile combined with a SPOG-style
121-
// DATABRICKS_HOST (?o=123) no longer extracts the workspace_id from the query.
122-
//
123-
// Without a profile flag we keep the SDK's env-first behavior.
113+
// applyProfileAuthPrecedence makes an explicitly selected --profile win over
114+
// auth env vars via databrickscfg.ProfileAuthLoaders (#5096). It also skips
115+
// NormalizeDatabricksConfigFromEnv, since the host comes from the profile rather
116+
// than DATABRICKS_HOST. Without a profile flag, env-first behavior is kept.
124117
func applyProfileAuthPrecedence(ctx context.Context, cfg *config.Config, hasProfileFlag bool) {
125118
if hasProfileFlag {
126119
cfg.Loaders = databrickscfg.ProfileAuthLoaders

libs/databrickscfg/loader.go

Lines changed: 20 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -14,31 +14,20 @@ import (
1414

1515
var ResolveProfileFromHost = profileFromHostLoader{}
1616

17-
// ResolveNonAuthFromEnv reads config from environment variables, except for the
18-
// host and any auth credential. It runs before the config file loader when a
19-
// profile is explicitly selected, so the profile wins over auth env vars: the
20-
// SDK's default chain reads env before the config file and never overwrites a
21-
// set field, which would otherwise let env vars shadow the profile (#5096).
17+
// ResolveNonAuthFromEnv reads non-auth, non-host config from environment
18+
// variables. See ProfileAuthLoaders for how it fits into the chain.
2219
var ResolveNonAuthFromEnv = nonAuthEnvLoader{}
2320

24-
// ProfileAuthLoaders is the loader chain to use when a profile is explicitly
25-
// selected (--profile or a bundle's workspace.profile), and the single source
26-
// of truth for that precedence rule. The profile must win for host, routing and
27-
// auth over the matching env vars (DATABRICKS_HOST, DATABRICKS_TOKEN, ...),
28-
// which the SDK's default env-first chain would otherwise let shadow it (#5096).
21+
// ProfileAuthLoaders is the loader chain for an explicitly selected profile
22+
// (--profile or a bundle's workspace.profile). Unlike the SDK's default
23+
// env-first chain, the profile wins over auth env vars (#5096):
2924
//
30-
// This only governs an explicitly selected profile. One picked up from
31-
// DATABRICKS_CONFIG_PROFILE keeps env-first precedence: reordering two
32-
// environment signals (DATABRICKS_CONFIG_PROFILE vs DATABRICKS_HOST) is the
33-
// SDK's domain; we only override when the profile is named out-of-band.
34-
//
35-
// Order:
36-
// 1. ResolveNonAuthFromEnv: non-auth, non-routing env attrs (e.g. cluster_id),
37-
// keeping env-wins precedence for those.
25+
// 1. ResolveNonAuthFromEnv: non-auth env attrs (e.g. cluster_id), env-wins.
3826
// 2. ConfigFile: the selected profile (host, routing, auth).
39-
// 3. ConfigAttributes: gap-fills only fields the profile left empty (e.g. a
40-
// host-only profile + DATABRICKS_TOKEN, a common CI pattern); it never
41-
// overwrites a profile value, so the profile still wins.
27+
// 3. ConfigAttributes: gap-fills only fields the profile left empty.
28+
//
29+
// A profile from DATABRICKS_CONFIG_PROFILE keeps env-first precedence; only an
30+
// out-of-band profile name triggers this chain.
4231
var ProfileAuthLoaders = []config.Loader{
4332
ResolveNonAuthFromEnv,
4433
config.ConfigFile,
@@ -91,25 +80,13 @@ func findMatchingProfile(configFile *config.File, matcher func(*ini.Section) boo
9180
return matching[0], nil
9281
}
9382

94-
// nonAuthEnvSkipAttrs lists SDK config attributes nonAuthEnvLoader must not read
95-
// from the environment, beyond those caught by HasAuthAttribute. They identify
96-
// the target workspace/account (host, routing IDs) or steer the auth method but
97-
// are tagged auth:"-" (collapsed to Internal), so HasAuthAttribute misses them;
98-
// leaving them to env would let an env var shadow the selected profile (#5096).
99-
// Skipping only changes precedence: the trailing ConfigAttributes loader still
100-
// gap-fills any the profile leaves empty.
101-
//
102-
// - host: no `auth` tag at all.
103-
// - workspace_id / account_id: routing identifiers; an env var must not route
104-
// the profile's credentials elsewhere.
105-
// - auth_type: forces a specific auth method.
106-
// - discovery_url: redirects OIDC discovery.
107-
// - audience: selects the OIDC/workload-identity token audience.
108-
// - cloud: steers cloud-specific auth (Azure/GCP/AWS).
109-
//
110-
// Non-auth attrs tagged auth:"-" (oauth_callback_port, debug_headers, ...) are
111-
// intentionally not skipped; TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs
112-
// guards that every auth-steering internal attribute stays classified.
83+
// nonAuthEnvSkipAttrs lists attributes nonAuthEnvLoader must not read from the
84+
// environment, beyond those HasAuthAttribute catches. They set the target
85+
// host/account (host, workspace_id, account_id) or steer the auth method
86+
// (auth_type, discovery_url, audience, cloud); the latter are tagged auth:"-",
87+
// so HasAuthAttribute misses them. Reading them from env would let an env var
88+
// shadow the selected profile (#5096). TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs
89+
// guards this classification against SDK drift.
11390
var nonAuthEnvSkipAttrs = map[string]bool{
11491
"host": true,
11592
"workspace_id": true,
@@ -128,12 +105,11 @@ func (nonAuthEnvLoader) Name() string {
128105

129106
func (nonAuthEnvLoader) Configure(cfg *config.Config) error {
130107
for _, attr := range config.ConfigAttributes {
131-
// Leave the host and authentication settings for the config file
132-
// (i.e. the selected profile) to provide.
108+
// Host and auth come from the profile (config file), not env.
133109
if nonAuthEnvSkipAttrs[attr.Name] || attr.HasAuthAttribute() {
134110
continue
135111
}
136-
// Match the SDK loader semantics: don't overwrite a value previously set.
112+
// Don't overwrite an already-set value (SDK loader semantics).
137113
if !attr.IsZero(cfg) {
138114
continue
139115
}
@@ -144,8 +120,7 @@ func (nonAuthEnvLoader) Configure(cfg *config.Config) error {
144120
if err := attr.SetS(cfg, v); err != nil {
145121
return err
146122
}
147-
// Record the source so `databricks auth describe` and debug output
148-
// attribute the value to the environment, matching the SDK loader.
123+
// Record the source so `auth describe` attributes the value to env.
149124
cfg.SetAttrSource(&attr, config.Source{Type: config.SourceEnv, Name: envName})
150125
}
151126
return nil

libs/databrickscfg/loader_test.go

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -66,11 +66,9 @@ func TestResolveNonAuthFromEnvSkipsHostAndAuth(t *testing.T) {
6666
}
6767

6868
func TestProfileAuthLoadersConflictingEnvAuthMethodErrors(t *testing.T) {
69-
// The profile provides a complete PAT, while the env provides a different
70-
// complete method (OAuth M2M). The gap-fill loads the empty client_id/secret
71-
// from env, so the resolved config carries two auth methods and the SDK
72-
// rejects it: the profile wins for the fields it sets, but a conflicting
73-
// complete method in env still errors rather than being dropped (#5096).
69+
// Profile has a PAT; env gap-fills a different complete method (OAuth M2M).
70+
// The config then carries two auth methods, which the SDK rejects rather
71+
// than silently dropping the env one (#5096).
7472
t.Setenv("DATABRICKS_CLIENT_ID", "env-client-id")
7573
t.Setenv("DATABRICKS_CLIENT_SECRET", "env-client-secret")
7674

@@ -84,11 +82,9 @@ func TestProfileAuthLoadersConflictingEnvAuthMethodErrors(t *testing.T) {
8482
require.ErrorContains(t, err, "more than one authorization method configured")
8583
}
8684

87-
// TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs guards against an SDK bump
88-
// silently re-introducing #5096. Every Internal (auth:"-") env-backed attribute
89-
// that HasAuthAttribute misses must be either skipped (auth-steering) or listed
90-
// below as a reviewed env-first attribute; a new SDK attribute fails this test
91-
// until a human classifies it.
85+
// TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs fails when an SDK bump adds an
86+
// Internal (auth:"-") env-backed attribute that is neither skipped nor listed as
87+
// a reviewed env-first attribute, forcing a human to classify it (#5096).
9288
func TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs(t *testing.T) {
9389
knownEnvFirstInternal := map[string]bool{
9490
"oauth_callback_port": true,

0 commit comments

Comments
 (0)