## Changes
Change HTTP client to always retry on 429 and 503, regardless of whether
Retry-After header is present. If absent, default to 1 second, as we do
today.

Subsumes #391 and #396 while we're still discussing error architecture
in the SDK.

## Tests
Unit test to ensure that 429 and 503 work with and without Retry-After
header.

…d with OpenID Connect with Azure User Managed Identity (or Service Principal) (#385)

## Changes
See
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
and
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure

Technically, it should also work with Azure DevOps Workload Identity
Federation, once we figure out the environment variables:
https://techcommunity.microsoft.com/t5/azure-devops-blog/introduction-to-azure-devops-workload-identity-federation-oidc/ba-p/3908687

## Tests

setup:
```
resource "github_actions_environment_secret" "scope" {
  for_each    = github_repository_environment.default
  repository  = each.value.repository
  environment = each.value.environment
  secret_name = "ARM_CLIENT_ID"
  # this value is not a secret as well
  plaintext_value = data.azurerm_user_assigned_identity.scopes[local.project_scopes[each.key]].client_id
}

...

resource "azurerm_federated_identity_credential" "oidc" {
  for_each            = github_repository_environment.default
  name                = "${local.org}-${each.value.repository}-${each.value.environment}-oidc"
  resource_group_name = local.resource_group_name
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"
  parent_id           = data.azurerm_user_assigned_identity.scopes[local.project_scopes[each.key]].id
  subject             = "repo:${local.org}/${each.value.repository}:environment:${each.value.environment}"
}

...

resource "azurerm_user_assigned_identity" "scopes" {
  for_each = local.scopes
  name     = "labs-${each.key}-identity"

  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  // ...
}

...

resource "databricks_service_principal" "scopes" {
  provider = databricks.account
  for_each = local.scopes

  application_id = azurerm_user_assigned_identity.scopes[each.key].client_id
  display_name   = azurerm_user_assigned_identity.scopes[each.key].name
  external_id    = azurerm_user_assigned_identity.scopes[each.key].principal_id
}
```

result

<img width="603"
alt="_Experiment__Call_integration_tests_via_OIDC_·_databrickslabs_ucx_5a94b24"
src="https://github.com/databricks/databricks-sdk-py/assets/259697/33b08224-ceed-4c15-bfcd-32e0b58f8483">

- [ ] `make test` run locally
- [x] `make fmt` applied
- [ ] relevant integration tests applied

)

## Changes
This warning is a bit noisy: in the happy path, we print it multiple
times, and even if we don't use Azure CLI auth, we may print it anyways.
Also, it will be printed always when using account-level authentication.

This PR reduces the noise for this warning by only printing it when we
are certainly going to use Azure CLI auth, authenticating to a
workspace, and can't get the subscription ID (e.g. because it is not
configured).

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [x] Ran locally: with accounts client, no warning is printed, and with
workspace client, only one warning is printed.

* Retry on all 429 and 503, even when missing Retry-After header
([#402](#402)).
* Add support for tokenless authentication for GitHub Actions configured
with OpenID Connect with Azure User Managed Identity (or Service
Principal)
([#385](#385)).
* Reduce redundant warning messages in azure-cli credential provider
([#410](#410)).

API Changes:

* Added `attributes`, `count`, `excluded_attributes`, `filter`,
`sort_by`, `sort_order`, and `start_index` fields for
`databricks.sdk.service.iam.GetAccountUserRequest` and
`databricks.sdk.service.iam.GetUserRequest`.
* Added `schemas` field for `databricks.sdk.service.iam.Group`,
`databricks.sdk.service.iam.ListGroupsResponse`,
`databricks.sdk.service.iam.ListServicePrincipalResponse`,
`databricks.sdk.service.iam.ListUsersResponse`,
`databricks.sdk.service.iam.ServicePrincipal`, and
`databricks.sdk.service.iam.User`.
* Added `databricks.sdk.service.iam.GetSortOrder`,
`databricks.sdk.service.iam.GroupSchema`,
`databricks.sdk.service.iam.ListResponseSchema`,
`databricks.sdk.service.iam.ServicePrincipalSchema`, and
`databricks.sdk.service.iam.UserSchema` dataclasses.
* Added `webhook_notifications` field for
`databricks.sdk.service.jobs.SubmitTask`.
* Added
[w.apps](https://databricks-sdk-py.readthedocs.io/en/latest/workspace/apps.html)
workspace-level service and related dataclasses
* Added
[a.account_network_policy](https://databricks-sdk-py.readthedocs.io/en/latest/account/account_network_policy.html)
account-level service and related dataclasses.

OpenAPI SHA: 5903bb39137fd76ac384b2044e425f9c56840e00, Date: 2023-10-23