Implement databricks creds manager

[m-abulazm]

Changes

What does this PR do?

• Support databricks credentials
• Standardize usages of credentials manager

Linked issues

Progresses #1008

Functionality

• added relevant user documentation
• modified existing command: databricks labs lakebridge ...

Tests

• manually tested
• added unit tests
• added integration tests

[codecov]

Codecov Report

❌ Patch coverage is 69.64286% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.37%. Comparing base (eebf284) to head (fef02c5).

Files with missing lines	Patch %	Lines
.../labs/lakebridge/connections/credential_manager.py	85.71%	3 Missing and 1 partial ⚠️
...abs/lakebridge/assessments/configure_assessment.py	33.33%	2 Missing ⚠️
src/databricks/labs/lakebridge/config.py	86.66%	1 Missing and 1 partial ⚠️
...s/assessments/synapse/dedicated_sqlpool_extract.py	0.00%	2 Missing ⚠️
.../assessments/synapse/monitoring_metrics_extract.py	0.00%	2 Missing ⚠️
.../assessments/synapse/serverless_sqlpool_extract.py	0.00%	2 Missing ⚠️
...resources/assessments/synapse/workspace_extract.py	0.00%	2 Missing ⚠️
...databricks/labs/lakebridge/assessments/profiler.py	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2123      +/-   ##
==========================================
+ Coverage   65.24%   65.37%   +0.12%     
==========================================
  Files         100      100              
  Lines        8506     8535      +29     
  Branches      876      878       +2     
==========================================
+ Hits         5550     5580      +30     
+ Misses       2769     2767       -2     
- Partials      187      188       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

✅ 51/51 passed, 11 flaky, 3m53s total

Flaky tests:

• 🤪 test_validate_invalid_source_tech (183ms)
• 🤪 test_validate_table_not_found (1ms)
• 🤪 test_validate_non_empty_tables (7ms)
• 🤪 test_validate_mixed_checks (293ms)
• 🤪 test_validate_invalid_schema_path (1ms)
• 🤪 test_transpiles_informatica_to_sparksql_non_interactive[False] (20.681s)
• 🤪 test_transpiles_informatica_to_sparksql (22.239s)
• 🤪 test_transpile_teradata_sql_non_interactive[False] (22.59s)
• 🤪 test_transpile_teradata_sql_non_interactive[True] (25.232s)
• 🤪 test_transpiles_informatica_to_sparksql_non_interactive[True] (3.838s)
• 🤪 test_transpile_teradata_sql (6.324s)

_{Running from acceptance #3107}

[asnare]

I've highlighted some style and design issues that I think need to be resolved, but appreciate that this is the start of what is needed for #1008. On the testing side I really like that we've eliminated some monkey-patching during tests. (Some integration tests would be nice.)

One big concern I have is that I don't see where we're using the new provider because we don't pass the WorkspaceClient in anywhere that I can see. Can you elaborate a bit on the situation there?

[asnare]

This should probably be ValueError (from e): we're signalling that there's a problem with a user-supplied argument (due to an underlying unicode issue).

[m-abulazm]

I dont think this is on the user. databricks returned a malformed response and not the utf8 base64 value it should return

[asnare]

I think we need a better name for this: it doesn't hold the credentials… it's more of a vault configuration?

[m-abulazm]

agree but renaming this will require changing across three PRs. I would rename it after reviewing all PRs

[asnare]

Although I can see some tests, I can't see where the ws argument is provided in any of the non-test call-sites. Aside from the tests, is it actually being used?

[m-abulazm]

using credential manager in reconcile and supplying ws is done in #2159.

[asnare]

Should this now be using the CredentialManager mechanism?

[m-abulazm]

yes and it is implemented in #2159 to make the reviews more manageable.
And #2157 adds the prompts to configure the creds.

this current PR can go to main first since it is backwards-compatible without the other two.

[asnare]

I think this is different to the other providers: they just return the key if the secret cannot be found, whereas here we raise an exception instead.

What do you think the providers should do? I think they need to be consistent.

[m-abulazm]

we should not raise an error. the return type should be optional and it is up to the caller how to handle missing secrets.

I did not want to change lots of things in one go so the
the implementation you see here of DatabricksSecretProvider is copied from src/databricks/labs/lakebridge/reconcile/connectors/secrets.py without changing the way it works which led to some inconsistency.

I would address your comment here in a later PR if you dont mind