Deprecate auth env + ensure the cmd uses resolved auth context#4904
Closed
simonfaltum wants to merge 12 commits intomainfrom
Closed
Deprecate auth env + ensure the cmd uses resolved auth context#4904simonfaltum wants to merge 12 commits intomainfrom
simonfaltum wants to merge 12 commits intomainfrom
Conversation
Use root.MustAnyClient and auth.Env instead of custom profile/host
resolution logic. auth env now returns the environment variables for the
exact identity the CLI is authenticated as, including bundle context and
all standard auth resolution paths.
Also adds --output text support for KEY=VALUE lines with proper shell
quoting.
Breaking changes:
- Removed command-specific --host and --profile flags (use inherited flags)
- JSON output is a flat map instead of wrapped in {"env": ...}
- Only the primary env var per attribute is emitted (via auth.Env)
Co-authored-by: Isaac
simonfaltum
requested review from
andrewnester,
anton-107,
denik,
pietern and
shreyas-goenka
as code owners
4 tasks
simonfaltum
removed request for
andrewnester,
anton-107,
denik,
pietern and
shreyas-goenka
Approval status: pending
|
Applies go-code-structure.md principles to the auth env command: - Extracts formatting into a pure writeEnvOutput(w, envVars, textMode) function so the business logic does not depend on *cobra.Command. - Replaces the end-to-end Cobra-based test with direct bytes.Buffer tests of writeEnvOutput. No more env var mocking or parent command setup just to verify output formatting. - Fixes the quoteEnvValue doc comment typo (plain ASCII single quotes). - Adds a trailing newline to JSON output so the terminal prompt does not land on the closing brace. - Adds a NEXT_CHANGELOG entry calling out the breaking flag/JSON-shape changes from the parent refactor. Co-authored-by: Isaac
gofmt 1.19+ reformats godoc comments and treats the literal POSIX escape sequence (three adjacent single quotes) as smart-quote candidates, mangling the comment and failing CI. Co-authored-by: Isaac
Keep it invokable (with --help) but out of `databricks auth` and `databricks auth --help` listings. Co-authored-by: Isaac
Reverts the flat-map change to preserve the pre-refactor JSON shape for downstream scripts that may consume `databricks auth env`. Co-authored-by: Isaac
Prints a deprecation warning to stderr when the command is invoked, notes the deprecation in the Long help, and updates the changelog entry. The command remains hidden from the auth command listing. Co-authored-by: Isaac
Re-run to work around transient zipball fetch failure for astral-sh/ruff-action. Co-authored-by: Isaac
simonfaltum
changed the title
Member
Author
|
Closing in favor of #5049, which is a much smaller, deprecation-only change (9 lines added across 2 files) without the refactor and new output modes that muddied this PR. |
bernardo-rodriguez
pushed a commit
to bernardo-rodriguez/b-cli
that referenced
this pull request
Apr 21, 2026
## Why `auth env` has never really fit the rest of the CLI. It has its own custom auth resolution (local `--host`/`--profile` flags, manual ini scanning) instead of going through the standard auth chain, and it overlaps with what callers can get from the SDK directly. Rather than invest more in maintaining it, we want to signal that it's on its way out so users stop depending on it. ## Changes Deprecate the command: - `Hidden: true` — no longer shows up under `databricks auth --help` (still invokable, `--help` still works). - Prints `Warning: 'databricks auth env' is deprecated and will be removed in a future release.` to stderr on every invocation. - Long help and `Short` mention the deprecation. Behavior is otherwise unchanged. JSON output shape, flags, and resolution logic all stay identical so anything currently scripting against the command keeps working until the removal PR. Replaces databricks#4904, which mixed this deprecation with a larger refactor. ## Test plan - [x] `make checks` clean - [x] `go test ./cmd/auth/...` passes - [x] `databricks auth env --help` still works and shows the "Deprecated" note - [x] `databricks auth env` no longer appears under `databricks auth --help` - [x] Running the command prints the warning to stderr and the JSON env output to stdout unchanged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
auth envhad its own custom auth resolution logic (local--host/--profileflags, manual profile-to-host matching via ini file scanning). It didn't go through the standard CLI auth chain, so it couldn't resolve auth from bundle context, default profiles, or environment variables. It was effectively a standalone tool that only worked with explicit profile or host arguments.The command should return the environment variables needed to authenticate as the exact same identity the CLI is currently authenticated as.
Changes
Refactored to use the CLI's standard auth resolution (
root.MustAnyClient+cmdctx.ConfigUsed), same pattern asauth describe. Usesauth.Env(cfg)fromlibs/auth/env.goto generate env vars. This means it now works with bundle context, env var auth, default profiles, and all other standard auth paths.Before:
databricks auth env --host https://my-workspace.cloud.databricks.comwith custom profile matching.Now:
databricks auth envreturns the env vars for whatever identity the CLI resolved through its normal auth chain.Also adds
--output textsupport for KEY=VALUE lines with proper shell quoting, and hides the command fromdatabricks auth --helplistings (still invokable,--helpstill works).JSON shape is preserved (
{"env": {...}}) to avoid breaking downstream scripts.Breaking changes:
--hostand--profileflags (the inherited flags from the parentauthand root commands cover this)auth.Env, consistent withbundle run)Structure:
writeEnvOutput(w, envVars, textMode)function; the CobraRunEis a thin adapter. Follows the decoupling patterns fromgo-code-structure.md(principles 1 and 5).Removed ~120 lines of dead code:
canonicalHost,resolveSection,loadFromDatabricksCfg,collectEnvVars,ErrNoMatchingProfiles.Test plan
writeEnvOutputdirectly, no Cobra setup required)NEXT_CHANGELOG.mdentry addedcmd/authtests pass;make checksand fullgolangci-lintclean--profile e2-dogfood: JSON shape matches priorv0.296.0behavior, all expected env vars present (DATABRICKS_HOST,DATABRICKS_ACCOUNT_ID,DATABRICKS_CONFIG_PROFILE,DATABRICKS_WORKSPACE_ID, etc.), text mode emits sorted shell-quotedKEY=VALUElinesenvno longer appears underdatabricks auth --help, butdatabricks auth env --helpstill works