Skip to content

Emit permission overlap warnings instead of discarding them#5520

Merged
simonfaltum merged 5 commits into
mainfrom
simonfaltum/b49-permission-overlap-warnings
Jul 1, 2026
Merged

Emit permission overlap warnings instead of discarding them#5520
simonfaltum merged 5 commits into
mainfrom
simonfaltum/b49-permission-overlap-warnings

Conversation

@simonfaltum

Copy link
Copy Markdown
Member

Why

Found during a full-repo review of the CLI. When a bundle defines top-level permissions and a resource already has its own permission entry for the same user, group, or service principal, the bundle-level grant is skipped for that resource. The warnings explaining why the grant was skipped were computed but never shown (a TODO that predates logdiag), so users had no way to tell why a permission they configured did not get applied.

Changes

Before, the overlap warnings built in bundle/config/mutator/resourcemutator/apply_bundle_permissions.go were discarded; now they are logged via logdiag and show up in command output, for example:

Warning: 'jobs' already has permissions set for 'overlap@example.com' user name

The skip behavior itself is unchanged, only the warning is now visible. The stale TODO is replaced by the actual logging, and the existing TestWarningOnOverlapPermission unit test now asserts the warning is emitted.

Test plan

  • Extended TestWarningOnOverlapPermission to assert exactly one warning with the expected summary is emitted
  • Added acceptance test acceptance/bundle/validate/permissions_overlap with overlapping top-level and resource permissions, covering both the warning and the resulting permissions (both engines)
  • Ran go test ./bundle/config/mutator/resourcemutator ./bundle/tests
  • Ran permission-related acceptance subtrees (bundle/validate, bundle/resources/permissions, bundle/run_as, bundle/migrate, bundle/apps/job_permissions) to confirm no existing outputs change
  • ./task fmt-q, ./task lint-q, ./task checks

This pull request and its description were written by Isaac.

When a bundle-level permission is skipped because the resource already
defines a permission for the same principal, the explanatory warnings
were computed but dropped (a TODO predating logdiag). Log them via
logdiag so users can see why a grant was not applied.

Co-authored-by: Isaac
@eng-dev-ecosystem-bot

eng-dev-ecosystem-bot commented Jun 9, 2026

Copy link
Copy Markdown
Collaborator

Integration test report

Commit: 6665244

Run: 28501453088

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 3 13 230 1038 8:40
🟨​ aws windows 7 3 13 232 1036 8:07
🔄​ aws-ucws linux 1 9 13 314 956 13:20
💚​ aws-ucws windows 10 13 316 954 10:23
🟨​ azure linux 3 1 15 230 1037 9:05
🟨​ azure windows 3 1 15 232 1035 8:00
🟨​ azure-ucws linux 3 1 15 316 953 16:25
🟨​ azure-ucws windows 1 2 1 15 318 951 15:28
💚​ gcp linux 4 15 229 1039 7:37
🔄​ gcp windows 5 1 15 229 1037 8:33
25 interesting tests: 13 SKIP, 10 KNOWN, 2 flaky
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 🔄​f
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/recreate/embedding_dimension 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestAccept/selftest/record_cloud/pipeline-crud ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
🔄​ TestAccept/selftest/record_cloud/pipeline-crud/DATABRICKS_BUNDLE_ENGINE=terraform ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestFetchRepositoryInfoAPI_FromRepo 💚​R 💚​R 🔄​f 💚​R 🟨​K 🟨​K 🟨​K 🔄​f 💚​R 💚​R
🟨​ TestFetchRepositoryInfoAPI_FromRepo/root 💚​R 💚​R 💚​R 💚​R 🟨​K 🟨​K 🟨​K 🔄​f 💚​R 🔄​f
🟨​ TestFetchRepositoryInfoAPI_FromRepo/subdir 💚​R 💚​R 💚​R 💚​R 🟨​K 🟨​K 🟨​K 🟨​K 💚​R 🔄​f
Top 7 slowest tests (at least 2 minutes):
duration env testname
2:58 aws-ucws linux TestFsCpDir/dbfs_to_dbfs
2:46 azure-ucws windows TestAccept
2:42 azure windows TestAccept
2:32 aws-ucws windows TestAccept
2:07 azure-ucws linux TestFsCpDirToDirFileNotOverwritten/dbfs_to_dbfs
2:07 azure-ucws linux TestFsCpFileToDirFileNotOverwritten/dbfs_to_dbfs
2:03 gcp linux TestFsCpDirToDirFileNotOverwritten/dbfs_to_dbfs

@simonfaltum simonfaltum requested review from janniklasrose and removed request for andrewnester June 12, 2026 10:45
@janniklasrose janniklasrose requested a review from denik June 17, 2026 08:09
@simonfaltum simonfaltum removed the request for review from denik June 22, 2026 10:34

@janniklasrose janniklasrose left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since it's customer facing, consider a changelog entry (although this change is pretty minor)

@@ -0,0 +1 @@
$CLI bundle validate -o json | jq '.resources.jobs | map_values(.permissions)'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: the actual .resources.jobs[].permissions isn't really necessary for this test, we just want to see the warning. maybe we can pipe stdout to /dev/null and only print stderr (assuming the warnings go there)

@simonfaltum simonfaltum added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit b35b2db Jul 1, 2026
25 checks passed
@simonfaltum simonfaltum deleted the simonfaltum/b49-permission-overlap-warnings branch July 1, 2026 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants