Infer azure tenant ID.

[sreekanth-db]

What changes are proposed in this pull request?

This PR modifies Azure service principal credential provider to attempt to load the tenant ID of the workspace if not provided before authenticating. Tenant ID is indirectly exposed via the redirect URL used when logging into a workspace. In this PR, we fetch the tenant ID from this endpoint and configure it if not already set.

Reference PR: databricks/databricks-sdk-py#638

Key changes:

• Added inferTenantId() method in AzureUtils that makes an HTTP request to {host}/aad/auth and extracts the tenant ID from the redirect URL
• Modified AzureServicePrincipalCredentialsProvider to remove the explicit azureTenantId requirement and automatically call tenant ID discovery
• Added comprehensive unit tests covering success scenarios, error handling, and edge cases

Technical implementation:

• Makes HTTP GET request to https://<workspace-host>/aad/auth endpoint
• Follows redirect chain to extract tenant ID from URLs like https://login.microsoftonline.com/{tenant-id}/oauth2/authorize
• Handles various error scenarios gracefully (404, missing headers, malformed URLs)
• Only works for Azure workspaces (skips for non-Azure hosts)
• Respects existing tenant ID if already configured

Why are these changes needed?

Currently, Azure Databricks users must manually specify the tenant-id when using Service Principal authentication. With this feature, users don't need to manually specify tenant ID, thus improving the user experience.

How is this tested?

Unit Tests

Comprehensive unit tests in AzureUtilsTest covering:

• ✅ Happy path (successful tenant ID extraction)
• ✅ Error scenarios (404, missing Location header, malformed URLs)
• ✅ Edge cases (non-Azure workspaces, already set tenant ID, missing host)
• ✅ Integration with existing functionality

Manual Testing

• ✅ Locally built SDK JAR imported into JDBC driver and tested connection without passing azure_tenant_id
• ✅ Verified successful authentication using auto-discovered tenant ID
• ✅ Confirmed backward compatibility - still works when explicit tenant ID is provided

[samikshya-db]

can you return null if azure tenant id fails? to be consistent with line 26?
Also, can we keep the azureSPCredentials specific helpers for extracting tenant id here in credentialsProvider itself?

[sreekanth-db]

Have updated the code to return null if loading tenant id fails.

I think we should keep loadAzureTenantId() in DatabricksConfig for reusability. Looking at the Python SDK's implementation, load_azure_tenant_id() is called from multiple Azure credential providers (azure_service_principal and azure_cli), which demonstrates it's designed as a shared utility in the main Config class. This approach ensures consistency across our SDKs and allows for future reuse by other Azure authentication methods.

[gopalldb]

why is this needed?

[sreekanth-db]

The logger field is excluded from cloning because it's a static final field. The clone(Set<String> fieldsToSkip) method uses reflection to copy field values with f.set(newConfig, f.get(this)).

Attempting to clone a static field causes an IllegalAccessException with the message: "Can not set static final org.slf4j.Logger field com.databricks.sdk.core.DatabricksConfig.logger to org.slf4j.reload4j.Reload4jLoggerAdapter"

[nikhilsuri-db]

Do we have to clone this method for all our config classes?

[sreekanth-db]

Could you elaborate on this comment? Are you asking whether we need to implement similar clone() methods in other configuration classes, or are you suggesting a different architectural approach for handling object cloning?

[nikhilsuri-db]

Should not the isAzure check be the first check in this method & return false even if azureTenantId is having some value?

[sreekanth-db]

The purpose of this method is to load the tenant ID, so if it's already set (explicitly by the user), we should respect that and return true. The isAzure() check is only needed when we need to discover the tenant ID from the workspace host. If the tenant ID is set and the host is not Azure, it should get caught at appropriate layers - this method should not be responsible for returning false and blocking the flow.

[renaudhartert-db]

I understand that there's a lot of exceptions in the current code but I would recommend treating the config as an immutable object. That is, do not change the tenantId in the config and rather have a mutable copy in the AzureServicePrincipalCredentialsProvider.

[sreekanth-db]

Thanks for the suggestion, I have updated the code to not make any changes to the state of DatabricksConfig

[renaudhartert-db]

As mentioned in another comment, I would recommend implementing the loadAzureTenantId as an immutable function that would return the tenantId or fail. The tenantId can be stored in this class.

Something like this:

try {
  this.tenantId = inferTenantId(config)
} catch (Exception e) {
  logger.debug("Failed to extract tenant ID: {}", e.getMessage())
}

[sreekanth-db]

Updated the code as per your suggestions:

• Not changing the state of DatabricksConfig
• Maintaining local variable for tenantId in AzureServicePrincipalCredentialsProvider
• Moved the tenant id inferring logic to AzureUtils for reusability

[renaudhartert-db]

Let's throw an exception instead, the caller should be the one deciding whether these should be logged or not. Same in other places.

[sreekanth-db]

Updated the code in AzureUtils to throw exception, caller will handle it now and logs the message

[renaudhartert-db]

LGTM modulo remaining comment to remove the logger from AzureUtils.

[renaudhartert-db]

Also remove private static final Logger logger = LoggerFactory.getLogger(AzureUtils.class);

Suggested change

logger.info("Successfully discovered Azure tenant ID: {}", extractedTenantId);

[github-actions]

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

• PR number: 482
• Commit SHA: ea7ebc302324e8e9306780a23e055ebf364d179f

Checks will be approved automatically on success.