Handle HTTP 403 responses nicer #821
Comments
|
Just to add color here: I'm a TF newbie creating my first ever TF script, and of course I've not gone through a proper tutorial :) I managed to get a script working that created a workspace from the account (AWS). I then got stuck when trying to create a PAT token. I used the TF_LOG=DEBUG to uncover that the workspace provider was being authenticated using a token from my databrickscfg file. This file had been created many months ago and included a token for a completely separate workspace. I would have expected the databricks provider to be authenticated using the username and password that I had supplied in the .tf script. The DEBUG setting was useful so that I could discover where the credentials were being pulled from. Since this is my first time using TF, it was confusing to understand the flow. |
|
@pohlposition yes, this issue is to shorter time-to-working workspace in cases like yours. |
|
This one is very similar to #836 |
|
|
|
Reopening this issue. Scope of this work would include refactoring authorizer to return two values: label ("serge@me.com through ~/.databrickscfg", "079945-3545-... through Azure CLI", ...) and request visitor. Perhaps we can even try to force auth as provider conf. |
|
Not to forget, but special handling of empty host on data resources should be added: ignoring Databricks CLI auth, as this will finally force all users to explicitly add "depends_on" block to data resources, even for environment-configured providers. |
Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` Fixes #821
Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` Fixes #821
* Added support for `databricks_permissions` for `databricks_mlflow_experiment` and `databricks_mlflow_model` ([#1013](#1013)). * Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` ([#821](#821)). * Improved documentation with regards to public subnets in AWS quick start ([#1005](#1005)). * Added `databricks_mount` code genration for [exporter](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/guides/experimental-exporter) tooling ([#1006](#1006)). * Increase dependency check frequency ([#1007](#1007)). * Added experimental resources.
Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` Fixes databricks#821
* Added support for `databricks_permissions` for `databricks_mlflow_experiment` and `databricks_mlflow_model` ([databricks#1013](databricks#1013)). * Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` ([databricks#821](databricks#821)). * Improved documentation with regards to public subnets in AWS quick start ([databricks#1005](databricks#1005)). * Added `databricks_mount` code genration for [exporter](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/guides/experimental-exporter) tooling ([databricks#1006](databricks#1006)). * Increase dependency check frequency ([databricks#1007](databricks#1007)). * Added experimental resources.
Debugging authentication with 20 different parameters is frequently frustrating, especially for TF first-time users.
Enrich every HTTP 403 error with niceError wrapper. As well as adding what authorizer was used for specific request, as people frequently forget about
~/.databrickscfghaving configured profiles.cc @pohlposition
The text was updated successfully, but these errors were encountered: