experimental/ssh: validate dedicated access mode on direct ssh connect#5767
Open
TanishqMaheshwari wants to merge 1 commit into
Open
Conversation
`ssh connect --cluster` could be run without going through `ssh setup`,
which is where the cluster's access mode was validated. A user pointing
the command directly at a non-dedicated cluster got no early error and
the connection only failed later at runtime.
Move the access-mode check into the client package as the exported
ValidateClusterAccess and call it on the direct, non-proxy
`connect --cluster` path. Proxy mode is skipped (its ProxyCommand was
generated by `setup`, which already validated the cluster) as is
serverless (no cluster to inspect). `setup` now reuses the same function.
The error message now reports the access mode using the Databricks UI
label ("Dedicated"/"Standard"/"No isolation") instead of the raw API
enum (SINGLE_USER/USER_ISOLATION), so it matches what the user selected
when creating the cluster.
Co-authored-by: Isaac
Contributor
Waiting for approvalBased on git history, these people are best suited to review:
Eligible reviewers: Suggestions based on git history. See OWNERS for ownership rules. |
Contributor
|
An authorized user can trigger integration tests manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
databricks ssh connect --cluster <id>could be run without going throughdatabricks ssh setup, which is where the cluster's access mode was validated. A user pointing the command directly at a non-dedicated cluster got no early error — the connection only failed later at runtime with an opaque message.This change validates the cluster's access mode on the direct
connect --clusterpath as well:DataSecurityMode == SINGLE_USER) moves into theclientpackage as the exportedValidateClusterAccess.setupnow reuses it instead of its own private copy, so there is a single source of truth.Run()calls it only on the direct, non-proxyconnect --clusterpath:ProxyCommandwas generated bysetup, which already validated the cluster, so re-checking would add aClusters.Geton every (re)connection.SINGLE_USER/USER_ISOLATION), so it matches what the user selected when creating the cluster. Legacy/auto/unknown modes fall back to the raw value.Example
Before:
After:
Tests
validateClusterAccessunit tests intoclient_internal_test.go(now testing the exported function) and updated assertions for the new wording.TestAccessModeUILabelcovering the enum → UI-label mapping, including the raw-value fallback for legacy modes.This pull request and its description were written by Isaac.