Add "ssh" and "ssh setup" commands (#3470)

## Changes

This is the first PR that introduces the ssh-tunnel functionality into
the CLI

See README for an overview of the SSH tunnel feature and its usage. 

This PR only adds `ssh setup` command, `connect` and `server` are here:
- #3471
- #3475

The whole `ssh` command group is hidden (not available in `--help`
output, and in this PR it's not even added to the root cmd), and the
usage text has private preview disclaimer. Hidden flag will be removed
when we move to public preview phase (no timeline yet).

`setup` command updates local ssh config (`~/.ssh/config`). The config
entry relies on `ProxyCommand` option calling `databricks ssh connect`,
which is implemented in a follow up PR.


## Why
We've agreed to move the implementation form the separate repo to the
main databricks CLI

## Tests
Manually and unit tests.

---------

Co-authored-by: Pieter Noordhuis <[email protected]>

Author: ilia-db

cmd/ssh/README.md

@@ -0,0 +1,122 @@
+## SSH Tunnel for Databricks
+
+The SSH tunnel lets customers connect any IDE to Databricks compute to run and debug all code - including non-Spark/ML - with environment parity, and simple setup.
+
+## Compute Requirements
+- Dedicated (single user) access mode if you want to use Remote Development tools in IDEs
+- Dedicated or standard access mode for terminal SSH connections
+
+## Usage
+A. With local ssh config setup:
+```shell
+databricks ssh setup --name=hello --cluster=id # one time only
+ssh hello # use system SSH client to create a session
+```
+B. Spawn an ssh session directly:
+```shell
+databricks ssh connect --cluster=id
+```
+
+## Development
+```shell
+make build snapshot-release
+./cli ssh connect --cluster=<id> --releases-dir=./dist --debug # or modify ssh config accordingly
+```
+
+## Design
+
+High level:
+```mermaid
+---
+config:
+  theme: redux
+  layout: dagre
+---
+flowchart TD
+ n1(["Client A"])
+ subgraph s1["Control Plane"]
+        n3["Jobs API"]
+        n2["Driver Proxy API"]
+        n11["Workspace API"]
+  end
+ subgraph s3["Spark User A or root"]
+        n4["SSH Server A"]
+  end
+ subgraph s4["Spark User B or root"]
+        n6["SSH Server B"]
+  end
+ subgraph s2["Cluster"]
+        s3
+        s4
+        n12["Workspace Filesystem"]
+  end
+    n1 -. "1 - start an ssh server job" .-> n3
+    n3 -. "2 - start ssh server" .-> n4
+    n4 <-. "3 - save the ssh server port number" .-> n12
+    n1 <-. "4 - get ssh server port number" .-> n11
+    n1 <-. "6 - websocket connection" .-> n2
+    n2 <-. "7 - websocket connection" .-> n4
+    n6 <-.-> n12
+    style s2 stroke:#757575
+    style s1 stroke:#757575
+    style s4 stroke-dasharray: 5 5
+    style n6 stroke-dasharray: 5 5
+```
+
+Connection flow:
+```mermaid
+---
+config:
+  theme: base
+---
+sequenceDiagram
+  autonumber
+  participant P1 as databricks ssh connect
+  participant P2 as ssh client
+  participant P3 as databricks ssh connect --proxy
+  participant P4 as wsfs
+  participant P6 as databricks ssh server
+  participant P7 as sshd
+  Note over P1,P6: Try to get a port and a remote user name of an existing server<br/> ($v is databricks CLI version, $cluster is supplied by the user)
+  activate P1
+  P1 ->> P4: GET ~/.ssh/$v/$cluster/metadata.json
+  P4 -->> P1: {port: xxxx} or error
+  P1 ->> P6: GET /driver-proxy-api/$cluster/$port/metadata
+  P6 -->> P1: {user: spark-xxxx} or {user: root} or error
+  Note over P1,P6: Start the new server in the case of an error
+  opt
+    P1 -->> P1: generate<br/>key pair
+    P1 -->> P4: PUT ~/.ssh/$v/bin/databricks, unless it's already there
+    P1 ->> P4: PUT ~/.ssh/$v/$cluster/start-server-with-pub-key.ipynb
+    P1 ->> P6: jobs/runs/submit start-server-with-pub-key.ipynb $cluster
+    activate P6
+    P6 ->> P6: start self-kill-timeout<br/>generate server key pair<br/>create custom sshd config<br/>listen for /ssh and /metadata on a free port
+    P6 ->> P4: PUT ~/.ssh/$v/$cluster/metadata.json<br/>{port: xxxx}
+    loop unil successful or timed out
+      P1 -> P6: Get port and remote user name of the server (sequence 1 - 4 above)
+    end
+  end
+  Note over P1,P7: We know the port and the user, spawn "ssh"
+  P1 ->> P2: ssh -l $user -i $key<br/> -o ProxyCommand="databricks ssh connect --proxy $cluster $user $port"
+  activate P2
+  P2 ->> P3: exec ProxyCommand
+  activate P3
+  P3 ->> P6: wss:/dirver-proxy-api/$cluster/$port/ssh
+  P6 ->> P6: stop self-kill-timeout
+  P6 ->> P7: /usr/sbin/sshd -i -f config
+  activate P7
+  P2 -> P7: pubkey auth
+  loop until the connection is closed<br/>by ssh client, sshd, or driver-proxy
+    P2 -> P7: stdin and stdout
+    P1 -> P2: stdin, stdout, and stderr
+    deactivate P7
+    deactivate P3
+    deactivate P2
+    deactivate P1
+  end
+  break when the last ws connection drops
+    P6 ->> P6: start self-kill-timeout
+    P6 ->> P4: DELETE  ~/.ssh/$v/$cluster/metadata.json
+    deactivate P6
+  end
+```

cmd/ssh/setup.go

@@ -0,0 +1,51 @@
+package ssh
+
+import (
+	"time"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/ssh"
+	"github.com/spf13/cobra"
+)
+
+func newSetupCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "setup",
+		Short: "Setup SSH configuration for Databricks compute",
+		Long: `Setup SSH configuration for Databricks compute.
+
+This command configures SSH to connect to Databricks compute by adding
+an SSH host configuration to your SSH config file.
+
+` + disclaimer,
+	}
+
+	var hostName string
+	var clusterID string
+	var sshConfigPath string
+	var shutdownDelay time.Duration
+
+	cmd.Flags().StringVar(&hostName, "name", "", "Host name to use in SSH config")
+	cmd.MarkFlagRequired("name")
+	cmd.Flags().StringVar(&clusterID, "cluster", "", "Databricks cluster ID")
+	cmd.MarkFlagRequired("cluster")
+	cmd.Flags().StringVar(&sshConfigPath, "ssh-config", "", "Path to SSH config file (default ~/.ssh/config)")
+	cmd.Flags().DurationVar(&shutdownDelay, "shutdown-delay", 10*time.Minute, "SSH server will terminate after this delay if there are no active connections")
+
+	cmd.PreRunE = root.MustWorkspaceClient
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+		client := cmdctx.WorkspaceClient(ctx)
+		opts := ssh.SetupOptions{
+			HostName:      hostName,
+			ClusterID:     clusterID,
+			SSHConfigPath: sshConfigPath,
+			ShutdownDelay: shutdownDelay,
+			Profile:       client.Config.Profile,
+		}
+		return ssh.Setup(ctx, client, opts)
+	}
+
+	return cmd
+}

cmd/ssh/ssh.go

@@ -0,0 +1,33 @@
+package ssh
+
+import (
+	"github.com/spf13/cobra"
+)
+
+const disclaimer = `WARNING! This is an experimental feature:
+- The product is in preview and not intended to be used in production;
+- The product may change or may never be released;
+- While we will not charge separately for this product right now, we may charge for it in the future. You will still incur charges for DBUs;
+- There's no formal support or SLAs for the preview - so please reach out to your account or other contact with any questions or feedback;`
+
+func New() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:    "ssh",
+		Short:  "Connect to Databricks compute with ssh",
+		Hidden: true,
+		Long: `Connect to Databricks compute with ssh.
+
+SSH commands let you setup and establish ssh connections to Databricks compute.
+
+Common workflows:
+  databricks ssh connect --cluster=<cluster-id> --profile=<profile-name>  # connect to a cluster without any setup
+  databricks ssh setup --name=my-compute --cluster=<cluster-id>           # update local ssh config
+  ssh my-compute                                                          # connect to the compute using ssh client
+
+` + disclaimer,
+	}
+
+	cmd.AddCommand(newSetupCommand())
+
+	return cmd
+}

libs/ssh/keys.go

@@ -0,0 +1,19 @@
+package ssh
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+// We use different client keys for each cluster as a good practice for better isolation and control.
+func getLocalSSHKeyPath(clusterID, keysDir string) (string, error) {
+	if keysDir == "" {
+		homeDir, err := os.UserHomeDir()
+		if err != nil {
+			return "", fmt.Errorf("failed to get home directory: %w", err)
+		}
+		keysDir = filepath.Join(homeDir, ".databricks", "ssh-tunnel-keys")
+	}
+	return filepath.Join(keysDir, clusterID), nil
+}