Skip to content

Do not filter out current user from permissions list #3688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
andrewnester wants to merge 4 commits into from
Closed

Do not filter out current user from permissions list #3688

andrewnester wants to merge 4 commits into from

Conversation

@andrewnester
Copy link
Contributor

@andrewnester andrewnester commented Sep 30, 2025

Changes

It removes the FilterCurrentUser mutator.

Why

This mutator was introduced to avoid Terraform-related issues regarding setting the permission for the user who deploys the resources (current user). Since then Terraform issue was resolved, and we don't need to filter out current users from the permission list anymore

databricks/terraform-provider-databricks#3956

Tests

Existing tests pass + manually checked that deploying with different identities for the owner works

@eng-dev-ecosystem-bot
Copy link
Collaborator

eng-dev-ecosystem-bot commented Sep 30, 2025
edited
Loading

Run: 18136388471

Env ✅​pass ❌​FAIL 🔄​flaky 🙈​skip
✅​ aws linux 315 536
✅​ aws windows 316 535
✅​ aws-ucws linux 428 433
✅​ aws-ucws windows 429 432
✅​ azure linux 315 535
✅​ azure windows 316 534
✅​ azure-ucws linux 428 432
✅​ azure-ucws windows 429 431
❌​ gcp linux 302 12 537
❌​ gcp windows 301 12 2 536
14 failing tests:
Test Name gcp linux gcp windows
TestAccept ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/combinations/classic ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=terraform/DLT=yes/NBOOK=no/PY=no ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=terraform/DLT=yes/NBOOK=no/PY=yes ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=terraform/DLT=yes/NBOOK=yes/PY=no ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=terraform/DLT=yes/NBOOK=yes/PY=yes ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/integration_classic ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/integration_classic/DATABRICKS_BUNDLE_ENGINE=terraform/UV_PYTHON=3.10 ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/integration_classic/DATABRICKS_BUNDLE_ENGINE=terraform/UV_PYTHON=3.11 ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/integration_classic/DATABRICKS_BUNDLE_ENGINE=terraform/UV_PYTHON=3.12 ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/integration_classic/DATABRICKS_BUNDLE_ENGINE=terraform/UV_PYTHON=3.13 ❌​FAIL ❌​FAIL
TestAccept/bundle/templates/default-python/integration_classic/DATABRICKS_BUNDLE_ENGINE=terraform/UV_PYTHON=3.9 ❌​FAIL ❌​FAIL
TestFilerWorkspaceNotebook ✅​pass 🔄​flaky
TestFilerWorkspaceNotebook/rJupyterNb.ipynb ✅​pass 🔄​flaky

@andrewnester
Copy link
Contributor Author

andrewnester commented Oct 1, 2025

Unfortunately it appears that we still to have to filter it out due to this
https://github.com/databricks/terraform-provider-databricks/blob/main/permissions/permission_definitions.go#L269

Otherwise our default template sends permissions with 2 different levels for the current user (CAN_MANAGE and IS_OWNER) leading to the failure on GCP https://github.com/databricks-eng/eng-dev-ecosystem/actions/runs/18136388471/job/51616200179

+Error: cannot create permissions: Permissions being set for UserName([USERNAME]) are ambiguous

auto-merge was automatically disabled October 1, 2025 13:47

Pull request was closed

@denik denik mentioned this pull request Oct 17, 2025
Merged
denik added a commit that referenced this pull request Oct 20, 2025
@denik
Ensure owner/mgmt permission for current user (#3780)
9a1cc33 
## Changes
Instead of removing current user from permissions and relying on
terraform to add it back, we'll instead add IS_OWNER/CAN_MANAGE
ourselves.

Previous attempt to remove this mutator completely
#3688 failed because backend
complains about "ambiguous" permissions when both CAN_MANAGE and
IS_OWNER are present. Thus we do additional transformation here: we
upgrade CAN_MANAGE to IS_OWNER if we can.

Don't apply this logic to secret scopes resource as it's not implemented
via databricks_permissions resource in terraform and does not have
IS_OWNER/CAN_MANAGE insertion logic. This means we no longer filter out
current user permissions from secret scopes resources.

## Why
- Enables direct implementation which will not do any transformations,
just use whatever in the config. With this PR, the request payload will
match terraform's.
- Final permissions visible in 'bundle validate -o json'.

## Tests

#3781
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@denik denik denik approved these changes

@shreyas-goenka shreyas-goenka shreyas-goenka approved these changes

@anton-107 anton-107 Awaiting requested review from anton-107 anton-107 is a code owner

@pietern pietern Awaiting requested review from pietern pietern is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@andrewnester @eng-dev-ecosystem-bot @denik @shreyas-goenka