Skip deploying identity's own CAN_MANAGE in folder permissions validator #4796
Open
tplass-ias wants to merge 2 commits into databricks:main from
Databricks automatically grants the deploying identity CAN_MANAGE on the workspace folder. The folder permissions validator was warning when this implicit permission wasn't listed in the bundle's permissions block, which is noise for a grant the user never configured.

Fix: pass the current user's identity to ObjectAclToResourcePermissions and skip ACL entries matching it (by UserName or ServicePrincipalName), parallel to the existing admins skip.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
An authorized user can trigger integration tests manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success.
Author
Forgive me maintainers for I have slop-PR'd. Happy to answer questions about the intent and problem being addressed. Claude can answer code questions better than me.
Summary
- CAN_MANAGE on the workspace folder, so warning about it being absent from the bundle's permissions: block is noise.
- ObjectAclToResourcePermissions now accepts a currentUser string parameter and skips ACL entries matching the deploying identity (by UserName or ServicePrincipalName), parallel to the existing admins skip.
- checkFolderPermission for bundles where CurrentUser is not yet populated.

Test plan
- go test ./bundle/permissions/... ./bundle/config/validate/... passes
- TestValidateFolderPermissionsNoWarnForDeployingIdentity) verifies no warning when deployer's CAN_MANAGE is the only ACL entry not in bundle permissions
- permissions: block using a service principal — warning no longer fires for the SP's own CAN_MANAGE

🤖 Generated with Claude Code
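The skip rule described in the summary above, as an added Go example; it is not code from this pull request or from the Databricks CLI. The ACLEntry type, UndeclaredGrants, the sample principals and the literal group name admins are assumptions made for illustration. It also shows why an unpopulated current user has to match nothing: group entries carry empty UserName and ServicePrincipalName fields, so a plain string comparison against an empty identity would hide every group grant from the validator.

```go
package main

import "fmt"

// ACLEntry is a hypothetical, simplified workspace ACL entry (not the SDK type).
type ACLEntry struct {
	UserName, GroupName, ServicePrincipalName, Level string
}

// principal: exactly one identity field is set per entry in this model.
func (e ACLEntry) principal() string { return e.UserName + e.ServicePrincipalName + e.GroupName }

// isDeployer matches an entry to the deploying identity. An empty currentUser
// must never match: group entries have empty UserName and
// ServicePrincipalName, so "" == "" would silently skip every group grant.
func isDeployer(e ACLEntry, currentUser string) bool {
	return currentUser != "" && (e.UserName == currentUser || e.ServicePrincipalName == currentUser)
}

// UndeclaredGrants returns folder ACL entries that the declared permissions
// (principal -> level) do not cover, skipping admins and the deployer.
func UndeclaredGrants(acl []ACLEntry, declared map[string]string, currentUser string) []ACLEntry {
	var out []ACLEntry
	for _, e := range acl {
		if e.GroupName == "admins" || isDeployer(e, currentUser) {
			continue
		}
		if declared[e.principal()] != e.Level {
			out = append(out, e)
		}
	}
	return out
}

// sampleACL is constructed data for this example, not taken from a workspace.
func sampleACL() []ACLEntry {
	return []ACLEntry{
		{GroupName: "admins", Level: "CAN_MANAGE"},
		{ServicePrincipalName: "sp-deployer-example", Level: "CAN_MANAGE"},
		{GroupName: "data-eng", Level: "CAN_MANAGE"},
		{UserName: "alice@example.com", Level: "CAN_RUN"},
	}
}

func main() {
	declared := map[string]string{"alice@example.com": "CAN_RUN"}
	fmt.Println(UndeclaredGrants(sampleACL(), declared, "sp-deployer-example"))
	fmt.Println(UndeclaredGrants(sampleACL(), declared, ""))
}
```

With the deployer known, only the undeclared data-eng grant is reported; with an empty identity the deployer's entry is reported too, and the group grant is still visible.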