The 0.32.0 release included some changes (#741) that refactored error handling. There's a regression in the handling for PermissionDenied that results in an AttributeError being raised because the code tries to set message on PermissionDenied, but that attribute isn't present.
Reproduction
On an account where you don't have permission to create a group, raising PermissionDenied fails:
Python 3.10.15 (main, Sep 7 2024, 00:20:06) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import logging
>>> logging.basicConfig(level=logging.DEBUG)
>>> from databricks.sdk import AccountClient, version
>>> version.__version__
'0.32.1'
>>> acc = AccountClient()
DEBUG:databricks.sdk:Loaded from environment
DEBUG:databricks.sdk:Attempting to configure auth: pat
DEBUG:databricks.sdk:Attempting to configure auth: basic
DEBUG:databricks.sdk:Attempting to configure auth: metadata-service
DEBUG:databricks.sdk:Attempting to configure auth: oauth-m2m
DEBUG:databricks.sdk:Attempting to configure auth: azure-client-secret
DEBUG:databricks.sdk:Attempting to configure auth: github-oidc-azure
DEBUG:databricks.sdk:Attempting to configure auth: azure-cli
DEBUG:databricks.sdk:Loading tenant ID from https://**REDACTED**/aad/auth
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): **REDACTED**:443
DEBUG:urllib3.connectionpool:https://**REDACTED**:443 "GET /aad/auth HTTP/11" 302 0
DEBUG:databricks.sdk:Loaded tenant ID: common
INFO:databricks.sdk:Using Azure CLI authentication with AAD tokens
>>> acc.groups.create(display_name='test-group-1234')
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): **REDACTED**:443
DEBUG:urllib3.connectionpool:https://**REDACTED**:443 "POST /api/2.0/accounts/**REDACTED**/scim/v2/Groups HTTP/11" 403 146
DEBUG:databricks.sdk:POST /api/2.0/accounts/**REDACTED**/scim/v2/Groups
> {
> "displayName": "test-group-1234"
> }
< 403 Forbidden
< {
< "error_code": "403",
< "message": "Source IP address: **REDACTED** is blocked by Databricks IP ACL for account: **REDACTED**"
< }
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/service/iam.py", line 1502, in create
res = self._api.do('POST',
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/core.py", line 155, in do
response = retryable(self._perform)(method,
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/retries.py", line 54, in wrapper
raise err
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/retries.py", line 33, in wrapper
return func(*args, **kwargs)
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/core.py", line 270, in _perform
error.message = self._cfg.wrap_debug_info(error.message)
AttributeError: 'PermissionDenied' object has no attribute 'message'
Expected behavior
The PermissionDenied error should be raised correctly:
Python 3.10.15 (main, Sep 7 2024, 00:20:06) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import logging
>>> logging.basicConfig(level=logging.DEBUG)
>>> from databricks.sdk import AccountClient, version
>>> version.__version__
'0.31.1'
>>> acc.groups.create(display_name='test-group-1234')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
NameError: name 'acc' is not defined
>>> acc = AccountClient()
DEBUG:databricks.sdk:Loaded from environment
DEBUG:databricks.sdk:Attempting to configure auth: pat
DEBUG:databricks.sdk:Attempting to configure auth: basic
DEBUG:databricks.sdk:Attempting to configure auth: metadata-service
DEBUG:databricks.sdk:Attempting to configure auth: oauth-m2m
DEBUG:databricks.sdk:Attempting to configure auth: azure-client-secret
DEBUG:databricks.sdk:Attempting to configure auth: github-oidc-azure
DEBUG:databricks.sdk:Attempting to configure auth: azure-cli
DEBUG:databricks.sdk:Loading tenant ID from https://**REDACTED**/aad/auth
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): **REDACTED**:443
DEBUG:urllib3.connectionpool:https://**REDACTED**:443 "GET /aad/auth HTTP/11" 302 0
DEBUG:databricks.sdk:Loaded tenant ID: common
INFO:databricks.sdk:Using Azure CLI authentication with AAD tokens
>>> acc.groups.create(display_name='test-group-1234')
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): **REDACTED**:443
DEBUG:urllib3.connectionpool:https://**REDACTED**:443 "POST /api/2.0/accounts/**REDACTED**/scim/v2/Groups HTTP/11" 403 146
DEBUG:databricks.sdk:POST /api/2.0/accounts/**REDACTED**/scim/v2/Groups
> {
> "displayName": "test-group-1234"
> }
< 403 Forbidden
< {
< "error_code": "403",
< "message": "Source IP address: **REDACTED** is blocked by Databricks IP ACL for account: **REDACTED**"
< }
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/service/iam.py", line 1502, in create
res = self._api.do('POST',
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/core.py", line 157, in do
response = retryable(self._perform)(method,
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/retries.py", line 54, in wrapper
raise err
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/retries.py", line 33, in wrapper
return func(*args, **kwargs)
File ".../.venv/lib/python3.10/site-packages/databricks/sdk/core.py", line 271, in _perform
raise self._make_nicer_error(response=response, **payload) from None
databricks.sdk.errors.platform.PermissionDenied: Source IP address: **REDACTED** is blocked by Databricks IP ACL for account: **REDACTED**. Config: host=https://**REDACTED**, account_id=**REDACTED**, azure_tenant_id=common, auth_type=azure-cli. Env: DATABRICKS_HOST, DATABRICKS_ACCOUNT_ID
Is it a regression?
This is a regression introduced in 0.32.0 against 0.31.1. (It is not fixed in 0.32.1.)
Description
The 0.32.0 release included some changes (#741) that refactored error handling. There's a regression in the handling for
PermissionDenied
that results in anAttributeError
being raised because the code tries to setmessage
onPermissionDenied
, but that attribute isn't present.Reproduction
On an account where you don't have permission to create a group, raising
PermissionDenied
fails:Expected behavior
The
PermissionDenied
error should be raised correctly:Is it a regression?
This is a regression introduced in 0.32.0 against 0.31.1. (It is not fixed in 0.32.1.)
Debug Logs
Logs are included in the examples above.
Other Information
Additional context
We (UCX) discovered this when users reported difficulty understanding the cause of a (permissions-related) error: https://github.com/databrickslabs/ucx/issues/2542