bundle: warn when a workspace path is in /Workspace/Shared without users CAN_MANAGE #5428

Draft
shreyas-goenka wants to merge 1 commit into main from ticklish-munching-bear

Conversation

@shreyas-goenka (Contributor) commented Jun 3, 2026
Summary

Warns when a workspace path is configured under /Workspace/Shared — which grants read/write access to all workspace users — without the top-level permissions section declaring that broad access via group_name: users with CAN_MANAGE.

Renames `ValidateSharedRootPermissions` to `ValidateWorkspaceSharedPermissions` and extends it from `root_path`-only to also cover `state_path`:

  1. root_path in /Workspace/Shared without users: CAN_MANAGE
  2. state_path in /Workspace/Shared without users: CAN_MANAGE

The state_path warning is suppressed only when state_path is nested under root_path (the root warning already covers it). When state_path is a separate shared folder, both warnings fire.
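The rule above, written out as an added Go illustration (the CLI is a Go code base). This is not the PR's code: the `Bundle`, `Workspace` and `Permission` types, the function names and the warning text are hypothetical stand-ins, and it goes a step beyond the description by cleaning paths before the prefix comparison so that a `..` segment or a trailing slash cannot slip a path past the `/Workspace/Shared` check. The comments in `main` show the `databricks.yml` shape each case corresponds to.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Simplified, hypothetical stand-ins for the bundle's top-level `permissions`
// and `workspace` sections. They are not the Databricks CLI's own types.
type Permission struct {
	Level                string // e.g. "CAN_MANAGE", "CAN_VIEW"
	GroupName            string // e.g. "users"
	UserName             string
	ServicePrincipalName string
}

type Workspace struct {
	RootPath  string // workspace.root_path
	StatePath string // workspace.state_path ("" = not configured, skipped below)
}

type Bundle struct {
	Workspace   Workspace
	Permissions []Permission
}

const sharedRoot = "/Workspace/Shared"

// isUnder reports whether child equals parent or lies below it. Both sides are
// cleaned first so that ".." segments or a trailing slash cannot defeat the
// check: "/Workspace/Shared/../Users/alice" is NOT under /Workspace/Shared.
func isUnder(child, parent string) bool {
	c, p := path.Clean(child), path.Clean(parent)
	if p == "/" {
		return true
	}
	return c == p || strings.HasPrefix(c, p+"/")
}

// isInShared reports whether p is /Workspace/Shared itself or anything beneath it.
func isInShared(p string) bool {
	return isUnder(p, sharedRoot)
}

// hasUsersCanManage reports whether the top-level permissions already declare
// the broad access that a shared folder implies. Only the exact pair
// group_name: users + CAN_MANAGE counts; CAN_VIEW for users still warns.
func hasUsersCanManage(perms []Permission) bool {
	for _, perm := range perms {
		if perm.GroupName == "users" && perm.Level == "CAN_MANAGE" {
			return true
		}
	}
	return false
}

// validateWorkspaceSharedPermissions returns one warning per workspace path
// that sits in /Workspace/Shared while permissions lack `group_name: users`
// with CAN_MANAGE. The state_path warning is suppressed only when state_path
// is nested under a root_path that already produced the root warning.
func validateWorkspaceSharedPermissions(b Bundle) []string {
	if hasUsersCanManage(b.Permissions) {
		return nil
	}
	var warnings []string
	rootShared := isInShared(b.Workspace.RootPath)
	if rootShared {
		warnings = append(warnings, fmt.Sprintf(
			"workspace.root_path %q is in %s (readable and writable by all workspace users) but the top-level permissions do not grant group_name: users CAN_MANAGE",
			b.Workspace.RootPath, sharedRoot))
	}
	sp := b.Workspace.StatePath
	if sp != "" && isInShared(sp) && !(rootShared && isUnder(sp, b.Workspace.RootPath)) {
		warnings = append(warnings, fmt.Sprintf(
			"workspace.state_path %q is in %s (readable and writable by all workspace users) but the top-level permissions do not grant group_name: users CAN_MANAGE",
			sp, sharedRoot))
	}
	return warnings
}

func main() {
	usersCanManage := []Permission{{Level: "CAN_MANAGE", GroupName: "users"}}
	cases := []struct {
		name string
		b    Bundle
	}{
		// workspace: {root_path: /Workspace/Users/alice/etl} -> nothing to warn about
		{"private root", Bundle{Workspace: Workspace{RootPath: "/Workspace/Users/alice/etl", StatePath: "/Workspace/Users/alice/etl/state"}}},
		// workspace: {root_path: /Workspace/Shared/etl, state_path: /Workspace/Shared/etl/state} -> root warning only
		{"shared root, nested state", Bundle{Workspace: Workspace{RootPath: "/Workspace/Shared/etl", StatePath: "/Workspace/Shared/etl/state"}}},
		// state_path is a separate shared folder -> both warnings fire
		{"shared root, separate shared state", Bundle{Workspace: Workspace{RootPath: "/Workspace/Shared/etl", StatePath: "/Workspace/Shared/state/etl"}}},
		// permissions: [{level: CAN_MANAGE, group_name: users}] -> broad access is declared, no warning
		{"shared root, users CAN_MANAGE declared", Bundle{Workspace: Workspace{RootPath: "/Workspace/Shared/etl", StatePath: "/Workspace/Shared/etl/state"}, Permissions: usersCanManage}},
	}
	for _, c := range cases {
		ws := validateWorkspaceSharedPermissions(c.b)
		fmt.Printf("%s: %d warning(s)\n", c.name, len(ws))
		for _, w := range ws {
			fmt.Println("  warning:", w)
		}
	}
}
```

Running it with `go run` prints the warning count for each case. An empty `state_path` is skipped here because the real bundle fills in a default derived from `root_path`, which this stand-in does not model; it is an assumption of the example, not a statement about the CLI.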

@eng-dev-ecosystem-bot (Collaborator) commented Jun 3, 2026

Commit: b703045

Run: 27226317905

| Env | 🟨 KNOWN | 💚 RECOVERED | 🙈 SKIP | ✅ pass | 🙈 skip | Time |
|---|---|---|---|---|---|---|
| 🟨 aws linux | 7 | | 15 | 261 | 929 | 7:42 |
| 🟨 aws windows | 7 | | 15 | 263 | 927 | 15:51 |
| 💚 aws-ucws linux | | 7 | 15 | 357 | 843 | 9:06 |
| 💚 aws-ucws windows | | 7 | 15 | 359 | 841 | 12:45 |
| 💚 azure linux | | 1 | 17 | 264 | 927 | 6:44 |
| 💚 azure windows | | 1 | 17 | 266 | 925 | 10:50 |
| 💚 azure-ucws linux | | 1 | 17 | 362 | 839 | 7:39 |
| 💚 azure-ucws windows | | 1 | 17 | 364 | 837 | 12:28 |
| 💚 gcp linux | | 1 | 17 | 260 | 930 | 7:13 |
| 💚 gcp windows | | 1 | 17 | 262 | 928 | 15:00 |
22 interesting tests: 15 SKIP, 7 KNOWN
| Test Name | aws linux | aws windows | aws-ucws linux | aws-ucws windows | azure linux | azure windows | azure-ucws linux | azure-ucws windows | gcp linux | gcp windows |
|---|---|---|---|---|---|---|---|---|---|---|
| 🟨 TestAccept | 🟨K | 🟨K | 💚R | 💚R | 💚R | 💚R | 💚R | 💚R | 💚R | 💚R |
| 🙈 TestAccept/bundle/invariant/no_drift | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/permissions | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🟨 TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions | 🟨K | 🟨K | 💚R | 💚R | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🟨 TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct | 🟨K | 🟨K | 💚R | 💚R | | | | | | |
| 🟨 TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform | 🟨K | 🟨K | 💚R | 💚R | | | | | | |
| 🟨 TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions | 🟨K | 🟨K | 💚R | 💚R | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🟨 TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct | 🟨K | 🟨K | 💚R | 💚R | | | | | | |
| 🟨 TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform | 🟨K | 🟨K | 💚R | 💚R | | | | | | |
| 🙈 TestAccept/bundle/resources/postgres_branches/basic | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/postgres_branches/recreate | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/postgres_branches/replace_existing | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/postgres_branches/update_protected | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/postgres_branches/without_branch_id | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/postgres_endpoints/basic | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/postgres_endpoints/recreate | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/postgres_projects/update_display_name | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/synced_database_tables/basic | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/vector_search_indexes/basic | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/bundle/resources/vector_search_indexes/grants/select | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
| 🙈 TestAccept/ssh/connection | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S | 🙈S |
Top 28 slowest tests (at least 2 minutes):

| duration | env | testname |
|---|---|---|
| 7:07 | gcp windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 6:49 | gcp windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 6:07 | gcp windows | TestAccept |
| 6:03 | azure-ucws windows | TestAccept |
| 6:02 | azure windows | TestAccept |
| 5:59 | aws-ucws windows | TestAccept |
| 4:05 | gcp linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 3:59 | gcp linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 3:32 | aws-ucws windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 3:21 | aws-ucws linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 3:20 | azure-ucws windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 3:06 | aws windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 3:00 | aws windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 3:00 | aws-ucws windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 2:57 | aws-ucws linux | TestAccept |
| 2:53 | gcp linux | TestAccept |
| 2:51 | azure linux | TestAccept |
| 2:49 | azure-ucws windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 2:47 | azure-ucws linux | TestAccept |
| 2:46 | azure-ucws linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 2:42 | aws linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 2:42 | azure linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 2:37 | azure windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 2:32 | azure-ucws linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 2:27 | azure linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform |
| 2:26 | aws linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 2:25 | azure windows | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |
| 2:24 | aws-ucws linux | TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct |

@shreyas-goenka force-pushed the ticklish-munching-bear branch from e7e9e83 to 60fba4e on June 4, 2026 11:42
@shreyas-goenka changed the title from "bundle: warn when state_path uses /Workspace/Shared and add telemetry for state path scope" to "bundle: warn on /Workspace/Shared workspace paths and add permission-scope telemetry" on Jun 4, 2026
@shreyas-goenka force-pushed the ticklish-munching-bear branch from 60fba4e to cc47397 on June 4, 2026 11:49
@shreyas-goenka changed the title from "bundle: warn on /Workspace/Shared workspace paths and add permission-scope telemetry" to "bundle: warn when a workspace path is in /Workspace/Shared without users CAN_MANAGE" on Jun 4, 2026
@shreyas-goenka force-pushed the ticklish-munching-bear branch from cc47397 to b2c7271 on June 5, 2026 10:05
@shreyas-goenka force-pushed the ticklish-munching-bear branch from b2c7271 to c2aa303 on June 5, 2026 10:11
@shreyas-goenka force-pushed the ticklish-munching-bear branch from c2aa303 to b1d732b on June 5, 2026 10:14
@shreyas-goenka force-pushed the ticklish-munching-bear branch from b1d732b to 9e2f26b on June 5, 2026 10:18
@shreyas-goenka force-pushed the ticklish-munching-bear branch from 9e2f26b to 00c5b7b on June 5, 2026 10:18
@shreyas-goenka force-pushed the ticklish-munching-bear branch 2 times, most recently from addcb6a to 7275a5f on June 9, 2026 14:06
…ers CAN_MANAGE

Renames ValidateSharedRootPermissions to ValidateWorkspaceSharedPermissions and
extends it to also cover workspace.state_path. It warns when root_path or state_path
is in /Workspace/Shared — granting read/write to all workspace users — but the
top-level permissions section does not declare that access via group_name: users
CAN_MANAGE.

The state_path warning is suppressed only when state_path is nested under root_path,
since the root warning already covers it. When state_path is a separate shared
folder, both warnings fire.

Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>