bundle: warn when a workspace path is in /Workspace/Shared without users CAN_MANAGE#5428
Draft
shreyas-goenka wants to merge 1 commit into
Draft
bundle: warn when a workspace path is in /Workspace/Shared without users CAN_MANAGE#5428shreyas-goenka wants to merge 1 commit into
shreyas-goenka wants to merge 1 commit into
Conversation
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Collaborator
|
Commit: cc47397 |
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
force-pushed
the
ticklish-munching-bear
branch
from
e7e9e83 to
60fba4e
Compare
shreyas-goenka
changed the title
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
…ers CAN_MANAGE Renames ValidateSharedRootPermissions to ValidateWorkspacePermissions and extends it to also cover workspace.state_path. It warns when root_path or state_path is in /Workspace/Shared — granting read/write to all workspace users — but the top-level permissions section does not declare that access via group_name: users CAN_MANAGE. The state_path warning is suppressed when root_path is also shared, since the root warning already covers the entire bundle tree. Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>
shreyas-goenka
force-pushed
the
ticklish-munching-bear
branch
from
60fba4e to
cc47397
Compare
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Warns when a workspace path is configured under
/Workspace/Shared— which grants read/write access to all workspace users — without the top-levelpermissionssection declaring that broad access viagroup_name: userswithCAN_MANAGE.Renames
ValidateSharedRootPermissions→ValidateWorkspacePermissionsand extends it from root_path-only to also coverstate_path:root_pathin/Workspace/Sharedwithoutusers: CAN_MANAGEstate_pathin/Workspace/Sharedwithoutusers: CAN_MANAGE(suppressed when root_path is also shared — the root warning already covers the whole tree)Independent of the telemetry PR (#5440) and the deploy-time live-ACL check (#5439).