Skip to content

Ensure owner/mgmt permission for current user #3780

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
denik merged 13 commits into from
Oct 20, 2025
Merged

Ensure owner/mgmt permission for current user #3780

denik merged 13 commits into from
Oct 20, 2025

Conversation

@denik
Copy link
Contributor

@denik denik commented Oct 17, 2025
edited
Loading

Changes

Instead of removing current user from permissions and relying on terraform to add it back, we'll instead add IS_OWNER/CAN_MANAGE ourselves.

Previous attempt to remove this mutator completely #3688 failed because backend complains about "ambiguous" permissions when both CAN_MANAGE and IS_OWNER are present. Thus we do additional transformation here: we upgrade CAN_MANAGE to IS_OWNER if we can.

Don't apply this logic to secret scopes resource as it's not implemented via databricks_permissions resource in terraform and does not have IS_OWNER/CAN_MANAGE insertion logic. This means we no longer filter out current user permissions from secret scopes resources.

Why

  • Enables direct implementation which will not do any transformations, just use whatever in the config. With this PR, the request payload will match terraform's.
  • Final permissions visible in 'bundle validate -o json'.

Tests

#3781

@denik denik temporarily deployed to test-trigger-is October 17, 2025 12:43 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is October 17, 2025 12:54 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is October 17, 2025 13:02 — with GitHub Actions Inactive
@eng-dev-ecosystem-bot
Copy link
Collaborator

eng-dev-ecosystem-bot commented Oct 17, 2025
edited
Loading

Run: 18650127433

Env 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip
💚​ aws linux 1 1 321 560
💚​ aws windows 1 1 322 559
🔄​ aws-ucws linux 2 1 436 456
🔄​ aws-ucws windows 2 1 437 455
💚​ azure linux 1 1 321 559
💚​ azure windows 1 1 322 558
💚​ azure-ucws linux 1 1 437 455
💚​ azure-ucws windows 1 1 438 454
🔄​ gcp linux 4 1 1 316 561
🔄​ gcp windows 5 1 1 316 560
12 failing tests:
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
TestAccept 💚​R 💚​R 🔄​f 🔄​f 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
TestAccept/bundle/resources/pipelines/allow-duplicate-names ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p
TestAccept/bundle/resources/pipelines/allow-duplicate-names/DATABRICKS_BUNDLE_ENGINE=terraform ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p
TestAccept/bundle/resources/pipelines/lakeflow-pipeline ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p
TestAccept/bundle/resources/pipelines/lakeflow-pipeline/DATABRICKS_BUNDLE_ENGINE=terraform ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p
TestAccept/bundle/resources/secret_scopes ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
TestAccept/bundle/resources/synced_database_tables/basic 🙈​s 🙈​s 🔄​f 🔄​f 🙈​s 🙈​s ✅​p ✅​p 🙈​s 🙈​s
TestAccept/bundle/run/app-with-job 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
TestAccept/bundle/templates/default-python/combinations/classic ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=terraform/DLT=yes/NBOOK=no/PY=yes ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
TestAccept/bundle/templates/default-python/integration_classic ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
TestAccept/bundle/templates/default-python/integration_classic/DATABRICKS_BUNDLE_ENGINE=terraform/UV_PYTHON=3.11 ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f

@denik denik temporarily deployed to test-trigger-is October 17, 2025 14:25 — with GitHub Actions Inactive
@denik denik mentioned this pull request Oct 17, 2025
Merged
@denik denik changed the title Insert management permission for current user Ensure owner/mgmt permission for current user Oct 17, 2025
@denik denik force-pushed the denik/current-user-permissions branch from b2f59df to bb5413f Compare October 17, 2025 15:40
@denik denik temporarily deployed to test-trigger-is October 17, 2025 15:41 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is October 17, 2025 15:42 — with GitHub Actions Inactive
@denik denik changed the base branch from main to denik/permissions-tests October 17, 2025 15:43
@denik denik temporarily deployed to test-trigger-is October 17, 2025 15:48 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is October 17, 2025 16:02 — with GitHub Actions Inactive
@denik denik marked this pull request as ready for review October 17, 2025 16:27
@denik denik temporarily deployed to test-trigger-is October 20, 2025 08:28 — with GitHub Actions Inactive
andrewnester
andrewnester approved these changes Oct 20, 2025
View reviewed changes
libs/dyn/visit_get.go Outdated
}

// Get1 returns the value without the error (InvalidValue indicates that error did happen)
func Get1(v Value, path string) Value {
Copy link
Contributor

@andrewnester andrewnester Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we call it GetValue?

Copy link
Contributor Author

@denik denik Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good idea, 236a550

bundle/config/mutator/resourcemutator/filter_current_user.go Outdated
priorityPermission := mgmtPerms[0]
permissionToUpgrade := -1

permissionArray := permissions.MustSequence()
Copy link
Contributor

@andrewnester andrewnester Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we use AsSequence instead and retirn error if it fails to convert?

Copy link
Contributor Author

@denik denik Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make sense; although we don't need an error, we can just skip it: 8f7a965

@denik denik temporarily deployed to test-trigger-is October 20, 2025 10:36 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is October 20, 2025 10:37 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is October 20, 2025 10:53 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is October 20, 2025 10:54 — with GitHub Actions Inactive
github-merge-queue bot pushed a commit that referenced this pull request Oct 20, 2025
@denik
Add acceptance tests for permissions logic (#3781)
9b32fc1 
## Why
Going to make some changes there, want to record how requests look like
and how they will change.

#3780
Base automatically changed from denik/permissions-tests to main October 20, 2025 11:08
@denik denik force-pushed the denik/current-user-permissions branch from 730857b to c60359b Compare October 20, 2025 11:08
@denik denik temporarily deployed to test-trigger-is October 20, 2025 11:08 — with GitHub Actions Inactive
@denik denik enabled auto-merge October 20, 2025 11:16
@denik denik disabled auto-merge October 20, 2025 12:11
@denik denik merged commit 9a1cc33 into main Oct 20, 2025
12 of 13 checks passed
@denik denik deleted the denik/current-user-permissions branch October 20, 2025 12:11
lennartkats-db added a commit that referenced this pull request Oct 21, 2025
@lennartkats-db
Update acceptance test output for permissions changes from main
1f82c34 
After merging main, the acceptance tests now reflect the new permissions behavior:
- Automatically adds IS_OWNER permission for current user
- This matches the changes from PR #3780
deco-sdk-tagging bot added a commit that referenced this pull request Oct 22, 2025
@deco-sdk-tagging
[Release] Release v0.274.0
db63bbe 
## Release v0.274.0

### Bundles
* Fix a panic in TF when it fails to read the job ([#3799](#3799))
* For secret scopes, no longer remove current user's permissions ([#3780](#3780))
* Automatically add owner permissions during bundle initialization, this makes final permissions visible in 'bundle validate -o json' ([#3780](#3780))
@denik denik mentioned this pull request Oct 31, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Oct 31, 2025
@denik
Fix permissions logic not to add 2nd IS_OWNER (#3850)
fb3b270 
## Changes
When processing permissions, do not add 2nd IS_OWNER for current user.

Bug introduced in #3780

## Why
It was always the intention.

#3849

## Tests
Existing tests.
@github-actions github-actions bot mentioned this pull request Jan 3, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewnester andrewnester andrewnester approved these changes

@anton-107 anton-107 Awaiting requested review from anton-107 anton-107 is a code owner

@pietern pietern Awaiting requested review from pietern pietern is a code owner

@shreyas-goenka shreyas-goenka Awaiting requested review from shreyas-goenka shreyas-goenka is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@denik @eng-dev-ecosystem-bot @andrewnester