You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
test(e2e): authenticate e2e via OAuth M2M so staging tests match DATABRICKS_USER
The e2e suite connected via a PAT (DATABRICKS_TOKEN). The Personal Staging
Location tests PUT/GET/REMOVE against stage://tmp/<DATABRICKS_USER>/..., where
DATABRICKS_USER is the PECO service principal (TEST_PECO_SP_ID). A personal
stage is identity-scoped by design (there is even a test asserting you cannot
touch another user's stage), so the connecting identity MUST equal
DATABRICKS_USER. When DATABRICKS_TOKEN authenticates as a different identity,
those tests fail with `PERMISSION_DENIED: <user> does not have access to
Personal Stage`.
Switch the e2e connection to OAuth M2M as the service principal via
credentials_provider (conftest.auth_connect_kwargs), so the connecting identity
IS the SP == DATABRICKS_USER. Falls back to the PAT when SP OAuth creds aren't
set, so local PAT runs are unaffected. Wires DATABRICKS_CLIENT_ID /
DATABRICKS_CLIENT_SECRET (TEST_PECO_SP_ID / TEST_PECO_SP_OAUTH_SECRET, already
in azure-prod) into code-coverage.yml.
Verified locally against the PECO workspace: all 9 staging_ingestion e2e tests
pass via the real M2M path (including fails_to_modify_another_staging_user,
which validates the identity scoping). Kernel e2e files are unchanged (they run
in kernel-e2e.yml, ignored by code-coverage.yml).
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
0 commit comments