bundle: warn during deploy when workspace folder permissions exceed the bundle's#5439
Draft
shreyas-goenka wants to merge 1 commit into
Draft
bundle: warn during deploy when workspace folder permissions exceed the bundle's#5439shreyas-goenka wants to merge 1 commit into
shreyas-goenka wants to merge 1 commit into
Conversation
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
force-pushed
the
ticklish-munching-bear
branch
from
60fba4e to
cc47397
Compare
…he bundle's ValidateFolderPermissions already compares the live workspace ACL against the declared permissions, but it only runs during `bundle validate`. This brings the same check to `bundle deploy` without adding any API latency: ApplyWorkspaceRoot- Permissions already calls SetPermissions on each workspace path prefix (root_path and, when separate, state_path), and the response carries the resulting ACL. Reusing that response, we compare against the declared permissions. Because the Set replaces the folder's direct ACL with the declared set, any principal still showing higher access is inherited from a parent folder — the broader access that actually persists after deploy, which is the scope mismatch worth surfacing. No extra GetPermissions round trip is made. The check is skipped for /Workspace/ Shared paths, consistent with the existing behavior. Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>
shreyas-goenka
force-pushed
the
pr-deploy-folder-permission-check
branch
from
e7e9e83 to
7c783aa
Compare
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
shreyas-goenka
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Collaborator
|
Commit: 7c783aa |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings the live workspace-folder ACL comparison (already done in
bundle validateviaValidateFolderPermissions) tobundle deploy— without adding any API latency.ApplyWorkspaceRootPermissionsalready callsSetPermissionson each workspace path prefix (root_path and, when separate, state_path). The SDK response carries the resulting ACL, so we reuse it for the comparison instead of issuing a separateGetPermissions.Because the Set replaces the folder's direct ACL with the declared permissions, any principal still showing higher access in the response is inherited from a parent folder — the broader access that actually persists after the deploy, which is exactly the scope mismatch worth surfacing.
The check is skipped for
/Workspace/Sharedpaths, consistent with existing behavior.