Warn and record when state_path folder permissions exceed static permissions block. #5439

Open
shreyas-goenka wants to merge 1 commit into main from pr-deploy-folder-permission-check

@shreyas-goenka shreyas-goenka commented Jun 4, 2026

Contributor

Summary

Previously the "workspace folder has permissions not configured in bundle" warning was only emitted by bundle validate. This emits it on bundle deploy as well, and records related telemetry.

No extra API latency: deploy already calls SetPermissions on each workspace path prefix, and the response carries the folder's resulting ACL. We compare that against the declared permissions instead of issuing a separate GetPermissions. Since the Set replaces the direct ACL, any principal still showing higher access is inherited from a parent folder — broader access that persists after the deploy.

Telemetry (bool_values):

  • state_path_acl_exceeds_permissions — the folder holding the deployment state grants more access than declared.
  • state_path_is_shared, permissions_section_is_set
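
The comparison described in this summary, as an added sketch that is not code from this PR or from the Databricks CLI. `Grant`, `rank`, `Excess` and `StatePathExceeds` are hypothetical names, the level ordering is an assumption, and the sample ACL is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant is a hypothetical, simplified ACL entry (not the SDK's type).
type Grant struct{ Principal, Level string }

// rank orders folder permission levels; the ordering is an assumption here.
var rank = map[string]int{"CAN_READ": 1, "CAN_RUN": 2, "CAN_EDIT": 3, "CAN_MANAGE": 4}

// Excess returns the grants in the ACL carried by the set-permissions response
// that are missing from, or stronger than, the declared permissions. The set
// call replaced the direct ACL, so whatever is returned here is inherited.
func Excess(declared, effective []Grant) []Grant {
	want := map[string]int{}
	for _, g := range declared {
		if rank[g.Level] > want[g.Principal] {
			want[g.Principal] = rank[g.Level]
		}
	}
	var out []Grant
	for _, g := range effective {
		r, known := rank[g.Level]
		if !known || r > want[g.Principal] { // unknown levels are reported, not ignored
			out = append(out, g)
		}
	}
	return out
}

// StatePathExceeds follows the three cases in the commit message: nothing
// declared, a state folder under /Workspace/Shared, or the live comparison.
func StatePathExceeds(declared, effective []Grant, statePath string) bool {
	if len(declared) == 0 || strings.HasPrefix(statePath, "/Workspace/Shared/") {
		return true
	}
	return len(Excess(declared, effective)) > 0
}

func main() {
	declared := []Grant{{"deployer@example.com", "CAN_MANAGE"}, {"analysts", "CAN_READ"}}
	// Constructed response ACL: data-engineers is inherited from a parent folder.
	effective := append([]Grant{{"data-engineers", "CAN_MANAGE"}}, declared...)
	fmt.Println(Excess(declared, effective))
	fmt.Println(StatePathExceeds(declared, effective, "/Workspace/Users/deployer@example.com/.bundle/demo/state"))
}
```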

eng-dev-ecosystem-bot commented Jun 4, 2026

Collaborator

Commit: 313ab31

Run: 27226691899

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 15 261 921 7:50
🟨​ aws windows 7 15 263 919 15:19
💚​ aws-ucws linux 7 15 357 835 8:10
💚​ aws-ucws windows 7 15 359 833 13:19
💚​ azure linux 1 17 264 919 7:07
💚​ azure windows 1 17 266 917 10:46
🔄​ azure-ucws linux 1 1 17 361 831 9:17
💚​ azure-ucws windows 1 17 364 829 12:16
💚​ gcp linux 1 17 260 922 7:46
💚​ gcp windows 1 17 262 920 11:16
23 interesting tests: 15 SKIP, 7 KNOWN, 1 flaky
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/grants/select 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestSyncEnsureRemotePathIsUsableIfRepoExists ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p ✅​p
Top 28 slowest tests (at least 2 minutes):
duration env testname
6:16 azure-ucws windows TestAccept
5:56 gcp windows TestAccept
5:45 azure windows TestAccept
5:36 aws-ucws windows TestAccept
5:00 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:23 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:09 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:01 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:33 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:32 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:26 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:17 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:12 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:09 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:09 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:08 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:07 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:00 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:57 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:55 gcp linux TestAccept
2:53 azure linux TestAccept
2:51 azure-ucws linux TestAccept
2:48 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:47 aws-ucws linux TestAccept
2:43 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:37 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:33 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:32 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

shreyas-goenka force-pushed the ticklish-munching-bear branch from cc47397 to b2c7271 on June 5, 2026 10:05
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 7c783aa to 5e587f0 on June 5, 2026 10:05
shreyas-goenka force-pushed the ticklish-munching-bear branch from b2c7271 to c2aa303 on June 5, 2026 10:11
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 5e587f0 to 2cd3ef3 on June 5, 2026 10:11
shreyas-goenka force-pushed the ticklish-munching-bear branch from c2aa303 to b1d732b on June 5, 2026 10:14
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 2cd3ef3 to 07abec1 on June 5, 2026 10:14
shreyas-goenka force-pushed the ticklish-munching-bear branch from b1d732b to 9e2f26b on June 5, 2026 10:18
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 07abec1 to 26c3380 on June 5, 2026 10:18
shreyas-goenka force-pushed the ticklish-munching-bear branch from 9e2f26b to 00c5b7b on June 5, 2026 10:18
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 26c3380 to 30172b5 on June 5, 2026 10:19
shreyas-goenka force-pushed the ticklish-munching-bear branch from 00c5b7b to addcb6a on June 9, 2026 14:06
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 30172b5 to 3646391 on June 9, 2026 14:06
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 46c9c69 to bf9f878 on June 10, 2026 10:37
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from bf9f878 to abe3dfb on June 10, 2026 10:42
has_serverless_compute true
local.cache.attempt true
local.cache.miss true
permissions_section_is_set false

Contributor Author

Because permissions are not set here, by definition state_path_acl_exceeds_permissions is true.

Contributor

Analysis needs to take this into account when looking at state_path_acl_exceeds_permissions.

Can we choose to not emit it when permissions are not set?

shreyas-goenka changed the title from "bundle: warn during deploy when workspace folder permissions exceed the bundle's" to "Warn and record when state_path folder permissions exceed static permissions block." on Jun 10, 2026
@shreyas-goenka shreyas-goenka marked this pull request as ready for review June 10, 2026 10:53
github-actions Bot commented Jun 10, 2026

Contributor

Approval status: pending

/acceptance/bundle/ - needs approval

20 files changed
Suggested: @denik
Also eligible: @pietern, @janniklasrose, @andrewnester, @lennartkats-db, @anton-107

/bundle/ - needs approval

4 files changed
Suggested: @denik
Also eligible: @pietern, @janniklasrose, @andrewnester, @lennartkats-db, @anton-107

General files (require maintainer)

Files: NEXT_CHANGELOG.md
Based on git history:

  • @denik -- recent work in ./, bundle/permissions/, bundle/metrics/

Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @simonfaltum, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.

@shreyas-goenka shreyas-goenka marked this pull request as draft June 10, 2026 11:12
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from abe3dfb to 3c6a454 on June 10, 2026 11:15
@shreyas-goenka shreyas-goenka changed the base branch from ticklish-munching-bear to main June 10, 2026 11:15
@shreyas-goenka shreyas-goenka marked this pull request as ready for review June 10, 2026 11:31
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 3c6a454 to 681e089 on June 10, 2026 11:32

- level: CAN_MANAGE, group_name: data-engineers

Add them to your bundle permissions or remove them from the folder.
See https://docs.databricks.com/dev-tools/bundles/permissions

Contributor

It is odd to see the same warning twice here. Anything we can do about it?

Contributor Author

That is by design - we get two warnings, one for the root path and one for the state path (because they are different). The naming is a bit confusing because the target name is state_path as well.

Comment thread bundle/permissions/workspace_root.go Outdated
statePath := b.Config.Workspace.StatePath
for i, p := range bundlePaths {
if pathContains(p, statePath) && !libraries.IsWorkspaceSharedPath(p) {
b.Metrics.SetBoolValue(metrics.StatePathAclExceedsPermissions, len(results[i]) > 0)
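
Review bot: The `SetBoolValue` call inside the loop runs for every entry of `bundlePaths` that passes the `pathContains(p, statePath)` test, so if more than one entry matches, the last one silently overwrites the earlier results. Either `break` after the first match or OR the values together so that a single exceeding path is enough to record `true`. The `results[i]` lookup also assumes `results` is index-aligned with `bundlePaths` and at least as long; a length check, or returning the comparison outcome together with its path, would make that explicit instead of deriving the flag from `len(results[i]) > 0`.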

Contributor

This depends on the presence or absence of diags for a path? Seems brittle if so.

Comment thread NEXT_CHANGELOG.md
* Set the default `data_security_mode` to `DATA_SECURITY_MODE_AUTO` in bundle templates ([#5452](https://github.com/databricks/cli/pull/5452)).
* Mark vector search index index_subtype as backend_default to prevent drift after deployment ([#5454](https://github.com/databricks/cli/pull/5454)).
* `bundle deployment migrate`: handle resources added to or removed from `databricks.yml` since the last Terraform deploy ([#5463](https://github.com/databricks/cli/pull/5463)).
* Warn during `bundle deploy` when a workspace folder used by the bundle grants broader permissions than the bundle's top-level `permissions` section declares, for example through permissions inherited from a parent folder ([#5439](https://github.com/databricks/cli/pull/5439)).
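
Review bot: The last entry (#5439) reads as if the check itself were new, while the PR summary says the same warning is already emitted by `bundle validate`. State the delta in the entry, for example "Also warn during `bundle deploy` (previously only `bundle validate`) when a workspace folder used by the bundle grants broader permissions than ...", so readers do not assume the comparison logic changed.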

Contributor

If I understand correctly, we already do this and this is not new. The only difference is that we record it.

Contributor Author

We only warn in the bundle validate command today, where we fetch the permissions on all folders. This is new because now we also warn on bundle deploy.

…he bundle's

ValidateFolderPermissions already compares the live workspace ACL against the
declared permissions, but it only runs during `bundle validate`. This brings the
same check to `bundle deploy` without adding any API latency:
ApplyWorkspaceRootPermissions already calls SetPermissions on each workspace path
prefix (root_path and, when separate, state_path), and the response carries the
resulting ACL.

Reusing that response, we compare against the declared permissions. Because the
Set replaces the folder's direct ACL with the declared set, any principal still
showing higher access is inherited from a parent folder — the broader access that
actually persists after deploy, which is the scope mismatch worth surfacing.

Three telemetry signals are recorded in bool_values during deploy:
- state_path_acl_exceeds_permissions: whether the folder holding the deployment
  state grants more access than the permissions section declares. True by
  definition when no permissions are declared; determined statically for
  /Workspace/Shared state folders (all users have read/write) and from the live
  SetPermissions response otherwise.
- state_path_is_shared: state_path is under /Workspace/Shared.
- permissions_section_is_set: the bundle declares top-level permissions.

Covered by acceptance tests (no permissions / clean ACL / shared state path, and
an inherited-ACL mismatch staged via a server override) instead of unit tests.

Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>
shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 681e089 to e6521fb on June 10, 2026 12:07