Make GCP SA token refresh non-blocking with warning on failure#716
Closed
hectorcast-db wants to merge 7 commits intomainfrom
Closed
Make GCP SA token refresh non-blocking with warning on failure#716hectorcast-db wants to merge 7 commits intomainfrom
hectorcast-db wants to merge 7 commits intomainfrom
Conversation
Port of Go SDK #1512. Adds a `cloud` field (String, `@JsonProperty("cloud")`)
to the HostMetadata class, with getter and updated constructor. Includes
deserialization and constructor tests.
Co-authored-by: Isaac
Port of Go SDK #1517. Previously getWorkspaceClient() mutated the AccountClient's own config when setting workspaceId for unified hosts, causing stale state on subsequent calls. Now clones the config instead. Co-authored-by: Isaac
Port of Go SDK #1518. Verifies that getWorkspaceClient() on a unified (SPOG) host clones the config rather than mutating the AccountClient's config, so multiple calls produce independent WorkspaceClients. Co-authored-by: Isaac
Port of Go SDK #1542. Calls resolveHostMetadata() during config resolve() to populate accountId, workspaceId, and discoveryUrl from the host's well-known endpoint. Failures are logged at debug level and do not block initialization. Also fixes clone() to skip static fields (needed for the new Logger field). Co-authored-by: Isaac
Port of Go SDK #1543. When resolveHostMetadata() runs on an account host and tokenAudience is not already set, automatically sets it to the accountId. This enables OIDC token exchange to work correctly for account-level operations without explicit TOKEN_AUDIENCE config. Co-authored-by: Isaac
Port of Go SDK #1547. Removes HostType.UNIFIED and all runtime checks of experimentalIsUnifiedHost. Host type is now determined solely from URL pattern (accounts.* = ACCOUNTS, else WORKSPACE). Host metadata resolution from /.well-known/databricks-config (added in PR 4) handles populating accountId, workspaceId, and discoveryUrl automatically. Key changes: - getHostType(): no longer returns UNIFIED - isAccountClient(): no longer throws for unified hosts - getClientType(): simplified, no UNIFIED case - fetchDefaultOidcEndpoints(): removed unified OIDC branch - DatabricksCliCredentialsProvider: removed --experimental-is-unified-host - AccountClient.getWorkspaceClient(): uses DNS zone matching (like Go SDK) to decide whether to reuse host or build deployment URL Co-authored-by: Isaac
Port of Go SDK #1544. The GCP SA access token (X-Databricks-GCP-SA-Access-Token) refresh is now non-blocking in both GoogleIdCredentialsProvider and GoogleCredentialsCredentialsProvider. On failure, a warning is logged and the header is skipped instead of throwing an exception. The token is also now always attempted regardless of client type (not just for ACCOUNT clients). Co-authored-by: Isaac
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
|
Please ensure that the NEXT_CHANGELOG.md file is updated with any relevant changes. |
|
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🥞 Stacked PR
Use this link to review incremental changes.
Summary
Port of Go SDK #1544. The GCP SA access token
(X-Databricks-GCP-SA-Access-Token) refresh is now non-blocking in both
GoogleIdCredentialsProvider and GoogleCredentialsCredentialsProvider.
On failure, a warning is logged and the header is skipped instead of
throwing an exception. The token is also now always attempted regardless
of client type (not just for ACCOUNT clients).
Co-authored-by: Isaac
Why
What changed
Interface changes
Behavioral changes
Internal changes
How is this tested?