Skip to content

Scope current_user lookup to policy-carrying resources#622

Merged
riyazsh merged 2 commits into
mainfrom
riyaz/HAMR-392-scoped-org-principal-lookup
Jul 10, 2026
Merged

Scope current_user lookup to policy-carrying resources#622
riyazsh merged 2 commits into
mainfrom
riyaz/HAMR-392-scoped-org-principal-lookup

Conversation

@riyazsh

@riyazsh riyazsh commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Follow-up to #616 addressing @nathantournant's non-blocking review comment: only fetch destination org UUID when at least one source resource actually carries a restriction_policy.

Change

  • New helper BaseResource._fetch_destination_org_principal(has_policy) scans state.source[resource_type] and calls GET /api/v2/current_user only when the predicate matches.
  • monitors.py, synthetics_tests.py, restriction_policies.py pre_apply_hook now delegate to the helper. Behavior unchanged when policies exist; skipped entirely otherwise.
  • 4 new unit tests per resource covering: success, failure, empty-source-skip, no-policy-skip.
  • Integration cassettes re-recorded (monitors + synthetics_tests).

Motivation

@nathantournant: "On destinations where credentials lack current_user access (or on a transient failure / unexpected response shape → KeyError), this would abort the whole synthetics sync rather than just the affected resources."

After this PR: syncs that carry no restriction_policy don't touch /api/v2/current_user at all — no unnecessary call, no new failure dependency.

Ref: HAMR-392

Adds BaseResource._fetch_destination_org_principal(has_policy) helper.
monitors, synthetics_tests, restriction_policies use it in pre_apply_hook
to skip GET /api/v2/current_user when no source resource carries a
restriction_policy.

Addresses non-blocking review comment on #616. Removes an unnecessary
API call and failure dependency for policy-free syncs.

Ref: HAMR-392
…fires

PR 622 scopes the current_user org lookup to policy-carrying source resources, so the helper short-circuits and skips the GET when source state has no such resource. The restriction_policies unit tests built a bare mock state, leaving the gate closed — so org_principal was never set and the failure path never raised. Seed a policy-carrying resource into source state so the GET (and its error path) is exercised, matching the monitors/synthetics test pattern. Also add an empty-source skip-path test for parity.

Environment: Datadog workspace

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@nathantournant nathantournant left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving — the scoped current_user lookup is a solid reliability fix (no more aborting policy-free syncs on a current_user permission/shape failure), and the gate correctly matches the remap-consumption condition. Pushed a small follow-up to seed source state in test_restriction_policies.py so the current_user GET (and its failure path) is actually exercised; CI is now green across all jobs.

@riyazsh riyazsh merged commit 7b3fe2b into main Jul 10, 2026
11 checks passed
@riyazsh riyazsh deleted the riyaz/HAMR-392-scoped-org-principal-lookup branch July 10, 2026 11:48
@riyazsh

riyazsh commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Thanks @nathantournant — much appreciated for the test-state seed fix. That's the exact patch I was about to push based on a Codex review flagging the same P1. Pulled your commit locally.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants