databricks / cli

Databricks CLI

Authenticating with azure clientID and secret does not work for databricks account api #721

Closed BramWeterings closed 1 year ago

BramWeterings commented 1 year ago

I'm trying to create a metastore with the Databricks CLI on my Azure environment. Command: databricks metastores create Dataplatform abfss://<container>@<storageaccount>.dfs.core.windows.net/unitycatalogs/

Works fine from my local terminal where I log in using az login.

I try to run it inside a container instance where I log in using a clientID and secret (https://learn.microsoft.com/en-us/azure/databricks/dev-tools/cli/databricks-cli-ref#--azure-service-principal-authentication).

This works well for all workspace-related stuff, but creating a metastore on the account level does not work. Trace export of the command:

```
time=2023-08-31T08:51:48.865Z level=TRACE source="config.go 193}" msg="Loading config via environment" sdk=true
time=2023-08-31T08:51:48.865Z level=TRACE source="config.go 193}" msg="Loading config via config-file" sdk=true
time=2023-08-31T08:51:48.865Z level=DEBUG source="config_file.go 96}" msg="Loading profile profile from /root/.databrickscfg" sdk=true
time=2023-08-31T08:51:48.865Z level=TRACE source="auth_default.go 52}" msg="Attempting to configure auth: pat" sdk=true
time=2023-08-31T08:51:48.866Z level=TRACE source="auth_default.go 52}" msg="Attempting to configure auth: basic" sdk=true
time=2023-08-31T08:51:48.866Z level=TRACE source="auth_default.go 52}" msg="Attempting to configure auth: oauth-m2m" sdk=true
time=2023-08-31T08:51:48.866Z level=TRACE source="auth_default.go 52}" msg="Attempting to configure auth: databricks-cli" sdk=true
time=2023-08-31T08:51:48.866Z level=TRACE source="auth_default.go 52}" msg="Attempting to configure auth: metadata-service" sdk=true
time=2023-08-31T08:51:48.866Z level=TRACE source="auth_default.go 52}" msg="Attempting to configure auth: azure-msi" sdk=true
time=2023-08-31T08:51:48.866Z level=TRACE source="auth_default.go 52}" msg="Attempting to configure auth: azure-client-secret" sdk=true
time=2023-08-31T08:51:48.866Z level=INFO source="auth_azure_client_secret.go 53}" msg="Generating AAD token for Service Principal (fab09e2c-f5bd-44a5-8f4e-cfc9f667babe)" sdk=true
time=2023-08-31T08:51:49.696Z level=DEBUG source="client.go 264}" msg="GET /api/2.0/preview/scim/v2/Me\n< HTTP/2.0 200 OK\n[non-JSON document of 727 bytes]. <!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"/><meta name=\"viewport\" content=\"width... (631 more bytes)" sdk=true
Error: invalid character '<' looking for beginning of value
time=2023-08-31T08:51:49.698Z level=ERROR source="root.go 110}" msg="failed execution" exit_code=1 error="invalid character '<' looking for beginning of value"
```

It seems the parsing of the return of the token request is not correct.

pietern commented 1 year ago

Thanks for reporting.

Which command are you executing specifically? Are you positive that the SP has access to the account console?

pietern commented 1 year ago

Please also include the CLI version you're using.

BramWeterings commented 1 year ago

Command is:

databricks metastores create Dataplatform abfss://catalog@<storageaccount>.dfs.core.windows.net/unitycatalogs/

SP has the admin role on account level

version=0.203.3

pietern commented 1 year ago

Only the databricks account commands work with the account console.

The command you list is a workspace level command. If you're using a .databrickscfg profile without an account ID, but with the account host, then it won't work. You can try either pointing it at a workspace, or using the databricks account command to do the same.

BramWeterings commented 1 year ago

Ah, I have both the accountID and host (accounts.azuredatabricks.net) in the .databrickscfg. I see databricks account metastores create only accepts JSON for the configuration. I can't seem to find the structure of the JSON that is required for this request.

pietern commented 1 year ago

The API reference can be found at https://docs.databricks.com/api/account/accountmetastores/create

I'll double-check if we return an error earlier when an account profile is used for a workspace command. If we don't, we should, to avoid the misunderstanding.

BramWeterings commented 1 year ago

Request now returns "invalid Databricks Account configuration" but that's probably something on my end.

The initial error that got me confused was just error="invalid character '<' looking for beginning of value" when using the workspace command on an account profile.

pietern commented 1 year ago

If you see invalid Databricks Account configuration it means you're trying to use a workspace configuration (i.e. a workspace host, or the account ID is not set) when trying to call account level APIs.

The linked PR adds support to return a similar error if the reverse happens; when an account configuration is used when trying to call workspace level APIs.

Given this is otherwise resolved, I'll close this issue.
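
The mismatch discussed in this thread, as an added example that is not part of the thread and not the CLI's own code: a pre-flight check that rejects a profile used at the wrong level, next to the JSON decode that produced the original confusing error. The `Profile` type, the function names, the `accounts.` host-prefix rule and the wording of the second error are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Profile holds the two .databrickscfg fields discussed in the thread.
type Profile struct {
	Host      string
	AccountID string
}

// isAccountHost is an assumption of this example: an account console is
// recognised by an "accounts." host prefix (accounts.azuredatabricks.net).
func isAccountHost(host string) bool {
	h := strings.TrimPrefix(strings.ToLower(host), "https://")
	return strings.HasPrefix(h, "accounts.")
}

// Preflight rejects a profile/command mismatch before any request is sent.
func Preflight(p Profile, accountCommand bool) error {
	acct := isAccountHost(p.Host)
	switch {
	case accountCommand && (!acct || p.AccountID == ""):
		return errors.New("invalid Databricks Account configuration")
	case !accountCommand && acct:
		// Hypothetical wording; the thread only says a similar error was added.
		return errors.New("account-level profile used for a workspace command")
	}
	return nil
}

// DecodeMe shows the failure without the check: the account console answers
// a workspace API path with an HTML page and the JSON decoder rejects it.
func DecodeMe(body []byte) error {
	var me map[string]interface{}
	return json.Unmarshal(body, &me)
}

func main() {
	// Constructed profile; the account ID is a placeholder.
	acct := Profile{Host: "https://accounts.azuredatabricks.net", AccountID: "<account-id>"}
	fmt.Println(Preflight(acct, false))
	fmt.Println(DecodeMe([]byte(`<!doctype html><html lang="en">`)))
}
```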