Skip to content

Commit e16df4f

Browse files
committed
Trim verbose comments to keep only necessary rationale
1 parent e1ce25c commit e16df4f

7 files changed

Lines changed: 38 additions & 83 deletions

File tree

bundle/config/workspace.go

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -184,10 +184,8 @@ func (w *Workspace) Client(ctx context.Context) (*databricks.WorkspaceClient, er
184184

185185
switch {
186186
case w.Profile != "":
187-
// An explicit profile (--profile or workspace.profile) takes precedence
188-
// over auth env vars; see databrickscfg.ProfileAuthLoaders (#5096). The
189-
// ValidateConfigAndProfileHost check below still enforces that the bundle
190-
// host matches the profile host.
187+
// An explicit profile wins over auth env vars (#5096).
188+
// ValidateConfigAndProfileHost below still checks host agreement.
191189
cfg.Loaders = databrickscfg.ProfileAuthLoaders
192190
case w.Host != "":
193191
// If only the host is configured, we try and unambiguously match it to

bundle/config/workspace_test.go

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -156,8 +156,7 @@ func TestWorkspaceClientNormalizesHostBeforeProfileResolution(t *testing.T) {
156156
}
157157

158158
func TestWorkspaceClientProfileOverridesAuthEnv(t *testing.T) {
159-
// An explicit profile (--profile or workspace.profile) must win over auth
160-
// env vars, mirroring MustWorkspaceClient (#5096).
159+
// An explicit profile must win over auth env vars (#5096).
161160
setupWorkspaceTest(t)
162161

163162
err := databrickscfg.SaveToProfile(t.Context(), &config.Config{
@@ -202,9 +201,8 @@ func TestWorkspaceClientProfileFillsAuthFromEnv(t *testing.T) {
202201
}
203202

204203
func TestWorkspaceClientHostAndProfileOverridesAuthEnv(t *testing.T) {
205-
// A bundle that pins both workspace.host and workspace.profile: the profile
206-
// still wins for auth over the env vars, the bundle host is honored, and
207-
// ValidateConfigAndProfileHost passes because they agree (#5096).
204+
// Bundle pins both workspace.host and workspace.profile: the profile wins
205+
// for auth and the host check passes because they agree (#5096).
208206
setupWorkspaceTest(t)
209207

210208
err := databrickscfg.SaveToProfile(t.Context(), &config.Config{

cmd/api/api.go

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -98,10 +98,8 @@ func makeCommand(method string) *cobra.Command {
9898
}
9999

100100
if hasProfileFlag {
101-
// An explicit --profile takes precedence over auth env vars; see
102-
// databrickscfg.ProfileAuthLoaders (#5096). NormalizeDatabricksConfigFromEnv
103-
// is skipped too: the host comes from the profile, not DATABRICKS_HOST,
104-
// so promoting its ?o=/?a= query params would be wrong.
101+
// An explicit --profile wins over auth env vars (#5096); the host
102+
// comes from the profile, so skip env host normalization.
105103
cfg.Loaders = databrickscfg.ProfileAuthLoaders
106104
} else {
107105
auth.NormalizeDatabricksConfigFromEnv(cmd.Context(), cfg)

cmd/root/auth.go

Lines changed: 3 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -110,17 +110,9 @@ func profileFlagValue(cmd *cobra.Command) (string, bool) {
110110
return value, value != ""
111111
}
112112

113-
// applyProfileAuthPrecedence makes an explicitly selected --profile take
114-
// precedence over auth environment variables instead of being shadowed by them.
115-
//
116-
// With a profile flag we install databrickscfg.ProfileAuthLoaders (the single
117-
// source of truth for this precedence rule; see its doc and #5096) and skip
118-
// NormalizeDatabricksConfigFromEnv: the host comes from the profile, not
119-
// DATABRICKS_HOST, so promoting that env host's ?o=/?a= query params would be
120-
// wrong. Trade-off: a host-less profile combined with a SPOG-style
121-
// DATABRICKS_HOST (?o=123) no longer extracts the workspace_id from the query.
122-
//
123-
// Without a profile flag we keep the SDK's env-first behavior.
113+
// applyProfileAuthPrecedence makes an explicit --profile win over auth env vars
114+
// via ProfileAuthLoaders (#5096), skipping env host normalization since the host
115+
// comes from the profile. Without a profile flag, env-first behavior is kept.
124116
func applyProfileAuthPrecedence(ctx context.Context, cfg *config.Config, hasProfileFlag bool) {
125117
if hasProfileFlag {
126118
cfg.Loaders = databrickscfg.ProfileAuthLoaders

cmd/root/auth_test.go

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -454,8 +454,7 @@ token = tst-token
454454
require.NoError(t, err)
455455

456456
t.Setenv("DATABRICKS_CONFIG_FILE", configFile)
457-
// direnv-style auth env vars pointing at a different workspace. Before #5096
458-
// these shadowed the profile selected with --profile.
457+
// Auth env vars for a different workspace; before #5096 these shadowed --profile.
459458
t.Setenv("DATABRICKS_HOST", "https://dev.cloud.databricks.test")
460459
t.Setenv("DATABRICKS_TOKEN", "dev-token")
461460

@@ -522,8 +521,8 @@ token = tst-token
522521
require.NoError(t, err)
523522

524523
t.Setenv("DATABRICKS_CONFIG_FILE", configFile)
525-
// Selected via DATABRICKS_CONFIG_PROFILE, not --profile: this keeps the SDK's
526-
// env-first precedence, so the auth env vars below must still win (#5096).
524+
// Selected via DATABRICKS_CONFIG_PROFILE, not --profile, so env-first
525+
// precedence is kept and the auth env vars below still win (#5096).
527526
t.Setenv("DATABRICKS_CONFIG_PROFILE", "tst-svc")
528527
t.Setenv("DATABRICKS_HOST", "https://dev.cloud.databricks.test")
529528
t.Setenv("DATABRICKS_TOKEN", "dev-token")

libs/databrickscfg/loader.go

Lines changed: 19 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -14,31 +14,20 @@ import (
1414

1515
var ResolveProfileFromHost = profileFromHostLoader{}
1616

17-
// ResolveNonAuthFromEnv reads config from environment variables, except for the
18-
// host and any auth credential. It runs before the config file loader when a
19-
// profile is explicitly selected, so the profile wins over auth env vars: the
20-
// SDK's default chain reads env before the config file and never overwrites a
21-
// set field, which would otherwise let env vars shadow the profile (#5096).
17+
// ResolveNonAuthFromEnv reads non-auth, non-host config from environment
18+
// variables. See ProfileAuthLoaders for how it fits into the chain.
2219
var ResolveNonAuthFromEnv = nonAuthEnvLoader{}
2320

24-
// ProfileAuthLoaders is the loader chain to use when a profile is explicitly
25-
// selected (--profile or a bundle's workspace.profile), and the single source
26-
// of truth for that precedence rule. The profile must win for host, routing and
27-
// auth over the matching env vars (DATABRICKS_HOST, DATABRICKS_TOKEN, ...),
28-
// which the SDK's default env-first chain would otherwise let shadow it (#5096).
21+
// ProfileAuthLoaders is the loader chain for an explicitly selected profile
22+
// (--profile or a bundle's workspace.profile). Unlike the SDK's default
23+
// env-first chain, the profile wins over auth env vars (#5096):
2924
//
30-
// This only governs an explicitly selected profile. One picked up from
31-
// DATABRICKS_CONFIG_PROFILE keeps env-first precedence: reordering two
32-
// environment signals (DATABRICKS_CONFIG_PROFILE vs DATABRICKS_HOST) is the
33-
// SDK's domain; we only override when the profile is named out-of-band.
34-
//
35-
// Order:
36-
// 1. ResolveNonAuthFromEnv: non-auth, non-routing env attrs (e.g. cluster_id),
37-
// keeping env-wins precedence for those.
25+
// 1. ResolveNonAuthFromEnv: non-auth env attrs (e.g. cluster_id), env-wins.
3826
// 2. ConfigFile: the selected profile (host, routing, auth).
39-
// 3. ConfigAttributes: gap-fills only fields the profile left empty (e.g. a
40-
// host-only profile + DATABRICKS_TOKEN, a common CI pattern); it never
41-
// overwrites a profile value, so the profile still wins.
27+
// 3. ConfigAttributes: gap-fills only fields the profile left empty.
28+
//
29+
// A profile from DATABRICKS_CONFIG_PROFILE keeps env-first precedence; only an
30+
// out-of-band profile name triggers this chain.
4231
var ProfileAuthLoaders = []config.Loader{
4332
ResolveNonAuthFromEnv,
4433
config.ConfigFile,
@@ -91,25 +80,12 @@ func findMatchingProfile(configFile *config.File, matcher func(*ini.Section) boo
9180
return matching[0], nil
9281
}
9382

94-
// nonAuthEnvSkipAttrs lists SDK config attributes nonAuthEnvLoader must not read
95-
// from the environment, beyond those caught by HasAuthAttribute. They identify
96-
// the target workspace/account (host, routing IDs) or steer the auth method but
97-
// are tagged auth:"-" (collapsed to Internal), so HasAuthAttribute misses them;
98-
// leaving them to env would let an env var shadow the selected profile (#5096).
99-
// Skipping only changes precedence: the trailing ConfigAttributes loader still
100-
// gap-fills any the profile leaves empty.
101-
//
102-
// - host: no `auth` tag at all.
103-
// - workspace_id / account_id: routing identifiers; an env var must not route
104-
// the profile's credentials elsewhere.
105-
// - auth_type: forces a specific auth method.
106-
// - discovery_url: redirects OIDC discovery.
107-
// - audience: selects the OIDC/workload-identity token audience.
108-
// - cloud: steers cloud-specific auth (Azure/GCP/AWS).
109-
//
110-
// Non-auth attrs tagged auth:"-" (oauth_callback_port, debug_headers, ...) are
111-
// intentionally not skipped; TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs
112-
// guards that every auth-steering internal attribute stays classified.
83+
// nonAuthEnvSkipAttrs lists env attributes nonAuthEnvLoader must skip on top of
84+
// those HasAuthAttribute catches: host/routing (host, workspace_id, account_id)
85+
// and auth-steering fields tagged auth:"-" (auth_type, discovery_url, audience,
86+
// cloud), which HasAuthAttribute misses. Reading these from env would shadow the
87+
// selected profile (#5096). TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs
88+
// guards against SDK drift.
11389
var nonAuthEnvSkipAttrs = map[string]bool{
11490
"host": true,
11591
"workspace_id": true,
@@ -128,12 +104,11 @@ func (nonAuthEnvLoader) Name() string {
128104

129105
func (nonAuthEnvLoader) Configure(cfg *config.Config) error {
130106
for _, attr := range config.ConfigAttributes {
131-
// Leave the host and authentication settings for the config file
132-
// (i.e. the selected profile) to provide.
107+
// Host and auth come from the profile (config file), not env.
133108
if nonAuthEnvSkipAttrs[attr.Name] || attr.HasAuthAttribute() {
134109
continue
135110
}
136-
// Match the SDK loader semantics: don't overwrite a value previously set.
111+
// Don't overwrite an already-set value (SDK loader semantics).
137112
if !attr.IsZero(cfg) {
138113
continue
139114
}
@@ -144,8 +119,7 @@ func (nonAuthEnvLoader) Configure(cfg *config.Config) error {
144119
if err := attr.SetS(cfg, v); err != nil {
145120
return err
146121
}
147-
// Record the source so `databricks auth describe` and debug output
148-
// attribute the value to the environment, matching the SDK loader.
122+
// Record the source so `auth describe` attributes the value to env.
149123
cfg.SetAttrSource(&attr, config.Source{Type: config.SourceEnv, Name: envName})
150124
}
151125
return nil

libs/databrickscfg/loader_test.go

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -66,11 +66,9 @@ func TestResolveNonAuthFromEnvSkipsHostAndAuth(t *testing.T) {
6666
}
6767

6868
func TestProfileAuthLoadersConflictingEnvAuthMethodErrors(t *testing.T) {
69-
// The profile provides a complete PAT, while the env provides a different
70-
// complete method (OAuth M2M). The gap-fill loads the empty client_id/secret
71-
// from env, so the resolved config carries two auth methods and the SDK
72-
// rejects it: the profile wins for the fields it sets, but a conflicting
73-
// complete method in env still errors rather than being dropped (#5096).
69+
// Profile has a PAT; env gap-fills a different complete method (OAuth M2M).
70+
// The config then carries two auth methods, which the SDK rejects rather
71+
// than silently dropping the env one (#5096).
7472
t.Setenv("DATABRICKS_CLIENT_ID", "env-client-id")
7573
t.Setenv("DATABRICKS_CLIENT_SECRET", "env-client-secret")
7674

@@ -84,11 +82,9 @@ func TestProfileAuthLoadersConflictingEnvAuthMethodErrors(t *testing.T) {
8482
require.ErrorContains(t, err, "more than one authorization method configured")
8583
}
8684

87-
// TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs guards against an SDK bump
88-
// silently re-introducing #5096. Every Internal (auth:"-") env-backed attribute
89-
// that HasAuthAttribute misses must be either skipped (auth-steering) or listed
90-
// below as a reviewed env-first attribute; a new SDK attribute fails this test
91-
// until a human classifies it.
85+
// TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs fails when an SDK bump adds an
86+
// Internal (auth:"-") env-backed attribute that is neither skipped nor listed as
87+
// a reviewed env-first attribute, forcing a human to classify it (#5096).
9288
func TestNonAuthEnvSkipAttrsCoverSDKInternalEnvAttrs(t *testing.T) {
9389
knownEnvFirstInternal := map[string]bool{
9490
"oauth_callback_port": true,

0 commit comments

Comments
 (0)