Handle HTTP 403 responses nicer #821
Comments
Just to add color here: I'm a TF newbie creating my first ever TF script, and of course I've not gone through a proper tutorial :) I managed to get a script working that created a workspace from the account (AWS). I then got stuck when trying to create a PAT token. I used the TF_LOG=DEBUG to uncover that the workspace provider was being authenticated using a token from my databrickscfg file. This file had been created many months ago and included a token for a completely separate workspace. I would have expected the databricks provider to be authenticated using the username and password that I had supplied in the .tf script. The DEBUG setting was useful so that I could discover where the credentials were being pulled from. Since this is my first time using TF, it was confusing to understand the flow.
@pohlposition yes, this issue is to shorten time-to-working workspace in cases like yours.
This one is very similar to #836
Reopening this issue. Scope of this work would include refactoring authorizer to return two values: label ("serge@me.com through ~/.databrickscfg", "079945-3545-... through Azure CLI", ...) and request visitor. Perhaps we can even try to force auth as provider conf. |
Not to forget, but special handling of empty host on data resources should be added: ignoring Databricks CLI auth, as this will finally force all users to explicitly add "depends_on" block to data resources, even for environment-configured providers. |
Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing.
Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.*
All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***`.
Fixes #821
* Added support for `databricks_permissions` for `databricks_mlflow_experiment` and `databricks_mlflow_model` ([#1013](#1013)).
* Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` ([#821](#821)).
* Improved documentation with regards to public subnets in AWS quick start ([#1005](#1005)).
* Added `databricks_mount` code generation for [exporter](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/guides/experimental-exporter) tooling ([#1006](#1006)).
* Increase dependency check frequency ([#1007](#1007)).
* Added experimental resources.
Debugging authentication with 20 different parameters is frequently frustrating, especially for TF first-time users.
Enrich every HTTP 403 error with niceError wrapper. As well as adding what authorizer was used for specific request, as people frequently forget about `~/.databrickscfg` having configured profiles.
cc @pohlposition
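
An added example, not the provider's own code: one way to produce the `Using XXX auth` suffix on HTTP 403 errors with `token`, `password` and `azure_client_secret` masked, as the commit message describes. The `attr` type and the `describeAuth` and `enrich403` functions are hypothetical names, and the configuration values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// attr is one resolved provider setting (hypothetical type; a slice keeps the output order stable).
type attr struct{ Name, Value string }

// sensitive holds the parameters the commit message says are redacted.
var sensitive = map[string]bool{"token": true, "password": true, "azure_client_secret": true}

// describeAuth renders "Using <authType> auth: k=v, ..." with secrets masked
// and unset attributes skipped.
func describeAuth(authType string, attrs []attr) string {
	parts := make([]string, 0, len(attrs))
	for _, a := range attrs {
		if a.Value == "" {
			continue
		}
		v := a.Value
		if sensitive[a.Name] {
			v = "***REDACTED***"
		}
		parts = append(parts, a.Name+"="+v)
	}
	return fmt.Sprintf("Using %s auth: %s", authType, strings.Join(parts, ", "))
}

// enrich403 appends the auth description to HTTP 403 errors only; other
// errors pass through unchanged. %w keeps the original error unwrappable.
func enrich403(status int, err error, authType string, attrs []attr) error {
	if err == nil || status != http.StatusForbidden {
		return err
	}
	return fmt.Errorf("%w. %s", err, describeAuth(authType, attrs))
}

func main() {
	// Constructed sample configuration; the token value is not a real credential.
	cfg := []attr{{"host", "https://XXX.cloud.databricks.com/"}, {"token", "dapi-constructed-sample"}, {"password", ""}, {"profile", "demo"}}
	base := errors.New("cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins")
	fmt.Println(enrich403(http.StatusForbidden, base, "databricks-cli", cfg))
}
```

Masking happens where the message is built, so the raw secret never reaches the error string that Terraform prints or logs.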