
[ISSUE] Error: cannot create group: unexpected error handling request: invalid character 'h' looking for beginning of value #1022

Open
mike-decaro opened this issue Aug 21, 2024 · 4 comments

mike-decaro commented Aug 21, 2024

Description
Attempting to create a workspace group through Terraform; the intent of the group is to manage workspace permissions for any service principal associated with the account.

Provider access key being used is that of an account-level admin.

Apply works successfully without the databricks_group resource below.

Reproduction

Provider:

provider "databricks" {
  host  = data.aws_ssm_parameter.databricks_workspace_url.value
  token = data.aws_ssm_parameter.databricks_workspace_token.value
}

Resource:

resource "databricks_group" "service_principals" {
  display_name = "Service Principals - ${local.workspace_name}"
}

Expected behavior
Group is created in workspace

Is it a regression?
No

Debug Logs
Request log:

│ POST /api/2.0/preview/scim/v2/Groups
│ > * Host: 
│ > * Accept: application/json
│ > * Authorization: REDACTED
│ > * Content-Type: application/scim+json; charset=utf-8
│ > * Traceparent: 00-03f3a8b365c15c5f7ba5441774ecae42-5471b186fc92ad05-01
│ > * User-Agent: databricks-tf-provider/1.50.0 databricks-sdk-go/0.44.0 go/1.22.6 os/darwin terraform/1.2.2 resource/group auth/pat
│ > {
│ >   "displayName": "Service Principals - playground",
│ >   "entitlements": [
│ >     {}
│ >   ],
│ >   "schemas": [
│ >     "urn:ietf:params:scim:schemas:core:2.0:Group"
│ >   ]
│ > }
│ < HTTP/2.0 403 Forbidden
│ < * Content-Type: application/json
│ < * Date: Wed, 21 Aug 2024 00:31:39 GMT
│ < * Server: databricks
│ < * Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
│ < * Vary: Accept-Encoding
│ < * X-Content-Type-Options: nosniff
│ < * X-Databricks-Org-Id: 1936515022650552
│ < * X-Databricks-Reason-Phrase: https://dbc-2afba066-fe0a.cloud.databricks.com/api/2.0/preview/scim/v2/Groups is only accessible by admins.
│ < https://dbc-2afba066-fe0a.cloud.databricks.com/api/2.0/preview/scim/v2/Groups is only accessible by admins.
│ 
│   with databricks_group.service_principals,
│   on groups.tf line 13, in resource "databricks_group" "service_principals":
│   13: resource "databricks_group" "service_principals" {
│ 

Other Information

  • Terraform version 1.2.2
  • Databricks provider 1.5.0

Additional context

Group is being created after change from basic auth to OAuth so that account level service principal's token can be used to apply workspace infrastructure.

@mike-decaro

It looks like this resulted from an account-level issue we had. A service principal created in the account was not correctly propagated to all of our workspaces; in the ones that it did, we were able to assign admin permissions to the service principal and the terraform was successfully applied. In the others, the error remains.

The message buried in the error that "Groups is only accessible by admins." is correct here, because the service principal is not admin (as it is not found at all in the workspace), but I do feel it is a bit hidden in the response, and a message that "service principal could not be found in workspace XXXX" would have been more clear.
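As an added example (not code from the issue, the provider or the SDK): a small Python helper that shows why the provider surfaces "invalid character 'h' looking for beginning of value" for the 403 in the debug log, and a preflight check over a SCIM Me document so a pipeline can tell "not an admin in this workspace" apart from a generic failure. The HttpResponse type, the constructed 403, and the assumption that the SCIM Me document lists memberships as groups[].display are mine, not taken from the provider.

```python
import json
from dataclasses import dataclass, field


@dataclass
class HttpResponse:  # minimal stand-in for the SDK's HTTP response (assumption)
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed copy of the 403 from the debug log: Content-Type claims JSON, but the
# body is plain text, so the first byte is the 'h' of "https://" (a placeholder host).
REASON = "https://<workspace-host>/api/2.0/preview/scim/v2/Groups is only accessible by admins."
FORBIDDEN_403 = HttpResponse(
    status=403,
    headers={"Content-Type": "application/json", "X-Databricks-Reason-Phrase": REASON},
    body=REASON + "\n",
)


def explain_api_error(resp: HttpResponse) -> dict:
    """Decode a failed Databricks API response without losing the real reason.

    The body is tried as JSON first; that is the step that yields Go's
    "invalid character 'h' looking for beginning of value" when the body is
    really plain text. On decode failure the X-Databricks-Reason-Phrase header
    (or the raw body) is reported instead of the parser error.
    """
    try:
        parsed = json.loads(resp.body)
        message = parsed.get("message", resp.body.strip()) if isinstance(parsed, dict) else resp.body.strip()
        body_was_json = True
    except json.JSONDecodeError:
        message = resp.headers.get("X-Databricks-Reason-Phrase", resp.body.strip())
        body_was_json = False
    result = {"status": resp.status, "body_was_json": body_was_json, "message": message}
    if resp.status == 403 and "only accessible by admins" in message:
        # Per the issue: the caller is not a workspace admin, here because the
        # account-level service principal was never propagated into the workspace.
        result["likely_cause"] = "caller is not a workspace admin (is the principal present in this workspace at all?)"
    return result


def is_workspace_admin(me: dict) -> bool:
    """Preflight on a SCIM Me document (GET /api/2.0/preview/scim/v2/Me).

    Assumes group memberships appear as groups[].display; "admins" is the
    workspace admin group named in the issue.
    """
    return any(g.get("display") == "admins" for g in me.get("groups", []))
```

Run the Me check with the same token Terraform will use before the apply; a False result explains the 403 before the provider has a chance to mis-decode it.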

@dhawal25

Hi @mike-decaro, even I am facing this issue with the databricks_entitlement resource in TF. The SP used has admin-level access for the said DBX workspace. Anything specific I need to check?

@mike-decaro

@dhawal25 here are the things I have added for the SP:

Account

  • Service Principal > Roles > Account Admin
  • Service Principal > Permissions > Service Principal: Manager & Service Principal: User

Workspace

  • workspace settings > Identity and Access > Groups > admins
    • I imagine you've done this already, but worth mentioning just as "stuff I have done"
  • I also made a specific "Service Principals - " group that contains only this SP, and has Workspace Access and SQL Access entitlements. It feels like I don't need this, but things are too fragile right now for me to want to remove things.
  • Make sure that the permissions from the account are federated down to the workspace too, so in the workspace you see Service Principal: Manager & Service Principal: User on the SP's permission page for the account principal.

Caveat: I ran into this at the same time I was converting to use OAuth instead of basic auth. In order to get the token updated in its storage for the workspace to use (our account and workspace Terraform are split into multiple backends), I had to hand-assign the SP's permissions in the workspace to apply the account Terraform, or the client ID & secret being used by the account had no permissions to apply the workspace. It felt very circular, but that may well be just how our setup took. It was a previous issue we faced prior to this "group requires admin" one though, so I'm hoping you don't have to deal with this.

@dhawal25

Hey @mike-decaro, thanks for the details. Granting admin rights to the SP as mentioned worked. Thank you again.
