Skip to content

Commit bf9f878

Browse files
shreyas-goenkashreyas-goenka
committed
bundle: warn during deploy when workspace folder permissions exceed the bundle's
ValidateFolderPermissions already compares the live workspace ACL against the declared permissions, but it only runs during `bundle validate`. This brings the same check to `bundle deploy` without adding any API latency: ApplyWorkspaceRoot- Permissions already calls SetPermissions on each workspace path prefix (root_path and, when separate, state_path), and the response carries the resulting ACL. Reusing that response, we compare against the declared permissions. Because the Set replaces the folder's direct ACL with the declared set, any principal still showing higher access is inherited from a parent folder — the broader access that actually persists after deploy, which is the scope mismatch worth surfacing. Three telemetry signals are recorded in bool_values during deploy: - state_path_acl_exceeds_permissions: whether the folder holding the deployment state grants more access than the permissions section declares. True by definition when no permissions are declared; determined statically for /Workspace/Shared state folders (all users have read/write) and from the live SetPermissions response otherwise. - state_path_is_shared: state_path is under /Workspace/Shared. - permissions_section_is_set: the bundle declares top-level permissions. Covered by acceptance tests (no permissions / clean ACL / shared state path, and an inherited-ACL mismatch staged via a server override) instead of unit tests. Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>
1 parent b703045 commit bf9f878

24 files changed

Lines changed: 372 additions & 20 deletions

File tree

NEXT_CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77
### CLI
88

99
### Bundles
10+
* Warn during `bundle deploy` when a workspace folder used by the bundle grants broader permissions than the bundle's top-level `permissions` section declares, for example through permissions inherited from a parent folder ([#5439](https://github.com/databricks/cli/pull/5439)).
1011

1112
### Dependency updates
1213

acceptance/bundle/resource_deps/job_tasks/out.telemetry.direct.txt

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,12 @@ has_classic_job_compute false
44
has_serverless_compute true
55
local.cache.attempt true
66
local.cache.miss true
7+
permissions_section_is_set false
78
presets_name_prefix_is_set false
89
python_wheel_wrapper_is_set false
910
resref_jobs.tags.* true
1011
resreferr_jobs.task true
1112
run_as_set false
1213
skip_artifact_cleanup false
14+
state_path_acl_exceeds_permissions true
15+
state_path_is_shared false

acceptance/bundle/resource_deps/job_tasks/out.telemetry.terraform.txt

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,12 @@ has_classic_job_compute false
44
has_serverless_compute true
55
local.cache.attempt true
66
local.cache.miss true
7+
permissions_section_is_set false
78
presets_name_prefix_is_set false
89
python_wheel_wrapper_is_set false
910
resref_jobs.tags.* true
1011
resreferr_jobs.task true
1112
run_as_set false
1213
skip_artifact_cleanup false
14+
state_path_acl_exceeds_permissions true
15+
state_path_is_shared false

acceptance/bundle/resource_deps/resources_var/output.txt

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,10 +42,13 @@ has_classic_job_compute false
4242
has_serverless_compute false
4343
local.cache.attempt true
4444
local.cache.hit true
45+
permissions_section_is_set false
4546
presets_name_prefix_is_set true
4647
python_wheel_wrapper_is_set false
4748
resref_volumes.catalog_name true
4849
resref_volumes.name true
4950
resref_volumes.schema_name true
5051
run_as_set false
5152
skip_artifact_cleanup false
53+
state_path_acl_exceeds_permissions true
54+
state_path_is_shared false

acceptance/bundle/resource_deps/tf_path_only_error/out.telemetry.terraform.txt

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,11 @@ has_serverless_compute false
55
has_tf_only_references true
66
local.cache.attempt true
77
local.cache.hit true
8+
permissions_section_is_set false
89
presets_name_prefix_is_set false
910
python_wheel_wrapper_is_set false
1011
resref_jobs.always_running true
1112
run_as_set false
1213
skip_artifact_cleanup false
14+
state_path_acl_exceeds_permissions true
15+
state_path_is_shared false

acceptance/bundle/telemetry/deploy-app-lifecycle-started/output.txt

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,18 @@ Deployment complete!
3737
"key": "skip_artifact_cleanup",
3838
"value": false
3939
},
40+
{
41+
"key": "permissions_section_is_set",
42+
"value": false
43+
},
44+
{
45+
"key": "state_path_is_shared",
46+
"value": false
47+
},
48+
{
49+
"key": "state_path_acl_exceeds_permissions",
50+
"value": true
51+
},
4052
{
4153
"key": "has_serverless_compute",
4254
"value": false

acceptance/bundle/telemetry/deploy-compute-type/output.txt

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,18 @@ Deployment complete!
4141
"key": "skip_artifact_cleanup",
4242
"value": false
4343
},
44+
{
45+
"key": "permissions_section_is_set",
46+
"value": false
47+
},
48+
{
49+
"key": "state_path_is_shared",
50+
"value": false
51+
},
52+
{
53+
"key": "state_path_acl_exceeds_permissions",
54+
"value": true
55+
},
4456
{
4557
"key": "has_serverless_compute",
4658
"value": true
@@ -83,6 +95,18 @@ Deployment complete!
8395
"key": "skip_artifact_cleanup",
8496
"value": false
8597
},
98+
{
99+
"key": "permissions_section_is_set",
100+
"value": false
101+
},
102+
{
103+
"key": "state_path_is_shared",
104+
"value": false
105+
},
106+
{
107+
"key": "state_path_acl_exceeds_permissions",
108+
"value": true
109+
},
86110
{
87111
"key": "has_serverless_compute",
88112
"value": true

acceptance/bundle/telemetry/deploy-experimental/output.txt

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,18 @@ Deployment complete!
4040
"key": "skip_artifact_cleanup",
4141
"value": false
4242
},
43+
{
44+
"key": "permissions_section_is_set",
45+
"value": false
46+
},
47+
{
48+
"key": "state_path_is_shared",
49+
"value": false
50+
},
51+
{
52+
"key": "state_path_acl_exceeds_permissions",
53+
"value": true
54+
},
4355
{
4456
"key": "has_serverless_compute",
4557
"value": false

acceptance/bundle/telemetry/deploy-name-prefix/custom/output.txt

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,18 @@ Deployment complete!
3636
"key": "skip_artifact_cleanup",
3737
"value": false
3838
},
39+
{
40+
"key": "permissions_section_is_set",
41+
"value": false
42+
},
43+
{
44+
"key": "state_path_is_shared",
45+
"value": false
46+
},
47+
{
48+
"key": "state_path_acl_exceeds_permissions",
49+
"value": true
50+
},
3951
{
4052
"key": "has_serverless_compute",
4153
"value": false

acceptance/bundle/telemetry/deploy-name-prefix/mode-development/output.txt

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,18 @@ Deployment complete!
3636
"key": "skip_artifact_cleanup",
3737
"value": false
3838
},
39+
{
40+
"key": "permissions_section_is_set",
41+
"value": false
42+
},
43+
{
44+
"key": "state_path_is_shared",
45+
"value": false
46+
},
47+
{
48+
"key": "state_path_acl_exceeds_permissions",
49+
"value": true
50+
},
3951
{
4052
"key": "has_serverless_compute",
4153
"value": false

0 commit comments

Comments
 (0)