Skip to content

bundle: record auto-migration compatibility telemetry on deploy#5439

Open
shreyas-goenka wants to merge 1 commit into
mainfrom
pr-deploy-folder-permission-check
Open

bundle: record auto-migration compatibility telemetry on deploy#5439
shreyas-goenka wants to merge 1 commit into
mainfrom
pr-deploy-folder-permission-check

Conversation

@shreyas-goenka

@shreyas-goenka shreyas-goenka commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Telemetry only. During bundle deploy we reuse the existing SetPermissions response (no extra API call) to record whether this deploy is compatible with an automatic DMS migration — i.e. whether the deployment state folder can be managed by only the declared permissions plus the deployer (allowed undeclared only under their own home /Workspace/Users/<deployer>; /Workspace/Shared needs users: CAN_MANAGE).

Exactly one verdict per deploy (bool_values):

  • is_definitely_auto_migration_compatible — ACL observed and compatible.
  • is_not_auto_migration_compatible — observed (or statically known for shared) and not.
  • is_maybe_auto_migration_compatible — no permissions section, so the ACL is unobserved.

Plus state_path_is_shared. Aggregate by deployment ID (a bundle target is migratable only if all its deploys are).

Tested by one acceptance test over the location × permissions matrix; the fake server models home-folder ownership so cases are driven by bundle config alone.

@shreyas-goenka shreyas-goenka force-pushed the ticklish-munching-bear branch from 60fba4e to cc47397 Compare June 4, 2026 11:49
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from e7e9e83 to 7c783aa Compare June 4, 2026 11:50
@shreyas-goenka shreyas-goenka mentioned this pull request Jun 4, 2026
Draft
@eng-dev-ecosystem-bot

eng-dev-ecosystem-bot commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Commit: 313ab31

Run: 27226691899

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 15 261 921 7:50
🟨​ aws windows 7 15 263 919 15:19
💚​ aws-ucws linux 7 15 357 835 8:10
💚​ aws-ucws windows 7 15 359 833 13:19
💚​ azure linux 1 17 264 919 7:07
💚​ azure windows 1 17 266 917 10:46
🔄​ azure-ucws linux 1 1 17 361 831 9:17
💚​ azure-ucws windows 1 17 364 829 12:16
💚​ gcp linux 1 17 260 922 7:46
💚​ gcp windows 1 17 262 920 11:16
23 interesting tests: 15 SKIP, 7 KNOWN, 1 flaky
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/grants/select 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestSyncEnsureRemotePathIsUsableIfRepoExists ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p ✅​p
Top 28 slowest tests (at least 2 minutes):
duration env testname
6:16 azure-ucws windows TestAccept
5:56 gcp windows TestAccept
5:45 azure windows TestAccept
5:36 aws-ucws windows TestAccept
5:00 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:23 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:09 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:01 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:33 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:32 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:26 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:17 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:12 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:09 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:09 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:08 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:07 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:00 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:57 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:55 gcp linux TestAccept
2:53 azure linux TestAccept
2:51 azure-ucws linux TestAccept
2:48 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:47 aws-ucws linux TestAccept
2:43 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:37 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:33 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:32 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

@shreyas-goenka shreyas-goenka force-pushed the ticklish-munching-bear branch from cc47397 to b2c7271 Compare June 5, 2026 10:05
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 7c783aa to 5e587f0 Compare June 5, 2026 10:05
@shreyas-goenka shreyas-goenka force-pushed the ticklish-munching-bear branch from b2c7271 to c2aa303 Compare June 5, 2026 10:11
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 5e587f0 to 2cd3ef3 Compare June 5, 2026 10:11
@shreyas-goenka shreyas-goenka force-pushed the ticklish-munching-bear branch from c2aa303 to b1d732b Compare June 5, 2026 10:14
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 2cd3ef3 to 07abec1 Compare June 5, 2026 10:14
@shreyas-goenka shreyas-goenka force-pushed the ticklish-munching-bear branch from b1d732b to 9e2f26b Compare June 5, 2026 10:18
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 07abec1 to 26c3380 Compare June 5, 2026 10:18
@shreyas-goenka shreyas-goenka force-pushed the ticklish-munching-bear branch from 9e2f26b to 00c5b7b Compare June 5, 2026 10:18
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 26c3380 to 30172b5 Compare June 5, 2026 10:19
@shreyas-goenka shreyas-goenka force-pushed the ticklish-munching-bear branch from 00c5b7b to addcb6a Compare June 9, 2026 14:06
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 30172b5 to 3646391 Compare June 9, 2026 14:06
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 46c9c69 to bf9f878 Compare June 10, 2026 10:37
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from bf9f878 to abe3dfb Compare June 10, 2026 10:42
shreyas-goenka
shreyas-goenka commented Jun 10, 2026
View reviewed changes
Comment thread acceptance/bundle/resource_deps/job_tasks/out.telemetry.direct.txt Outdated
has_serverless_compute true
local.cache.attempt true
local.cache.miss true
permissions_section_is_set false

@shreyas-goenka shreyas-goenka Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because permissions are not set here, by definition state_path_acl_exceeds_permissions is true.

@pietern pietern Jun 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Analysis needs to take this into account when looking at state_path_acl_exceeds_permissions.

Can we choose to not emit it when permissions are not set?

@shreyas-goenka shreyas-goenka Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simpliefied. We only record a single is_auto_migration_compatible. All the rich logic lives in the CLI.

@shreyas-goenka shreyas-goenka changed the title bundle: warn during deploy when workspace folder permissions exceed the bundle's Warn and record when state_path folder permissions exceed static permissions block. Jun 10, 2026
@shreyas-goenka shreyas-goenka marked this pull request as ready for review June 10, 2026 10:53
@github-actions

github-actions Bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Approval status: pending

/acceptance/bundle/ - needs approval

15 files changed
Suggested: @denik
Also eligible: @andrewnester, @janniklasrose, @pietern, @lennartkats-db, @anton-107

/bundle/ - needs approval

4 files changed
Suggested: @denik
Also eligible: @andrewnester, @janniklasrose, @pietern, @lennartkats-db, @anton-107

General files (require maintainer)

Files: libs/testserver/permissions.go
Based on git history:

  • @denik -- recent work in bundle/permissions/, libs/testserver/, bundle/metrics/

Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @simonfaltum, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.

@shreyas-goenka shreyas-goenka marked this pull request as draft June 10, 2026 11:12
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from abe3dfb to 3c6a454 Compare June 10, 2026 11:15
@shreyas-goenka shreyas-goenka changed the base branch from ticklish-munching-bear to main June 10, 2026 11:15
@shreyas-goenka shreyas-goenka marked this pull request as ready for review June 10, 2026 11:31
@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 3c6a454 to 681e089 Compare June 10, 2026 11:32
pietern
pietern reviewed Jun 10, 2026
View reviewed changes
Comment thread acceptance/bundle/resource_deps/job_tasks/out.telemetry.direct.txt Outdated
has_serverless_compute true
local.cache.attempt true
local.cache.miss true
permissions_section_is_set false

@pietern pietern Jun 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Analysis needs to take this into account when looking at state_path_acl_exceeds_permissions.

Can we choose to not emit it when permissions are not set?

Comment thread acceptance/bundle/telemetry/deploy-workspace-folder-permissions-acl-mismatch/output.txt Outdated
- level: CAN_MANAGE, group_name: data-engineers

Add them to your bundle permissions or remove them from the folder.
See https://docs.databricks.com/dev-tools/bundles/permissions

@pietern pietern Jun 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is odd to see the same warning twice here. Anything we can do about it?

@shreyas-goenka shreyas-goenka Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is by design - we get two warnings, one for the root path and one for the state path (because they are different). The naming is a bit confusing because the target name is state_path as well.

Comment thread bundle/permissions/workspace_root.go Outdated
statePath := b.Config.Workspace.StatePath
for i, p := range bundlePaths {
if pathContains(p, statePath) && !libraries.IsWorkspaceSharedPath(p) {
b.Metrics.SetBoolValue(metrics.StatePathAclExceedsPermissions, len(results[i]) > 0)

@pietern pietern Jun 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This depends on the presence or absence of diags for a path? Seems brittle if so.

Comment thread NEXT_CHANGELOG.md Outdated
* Set the default `data_security_mode` to `DATA_SECURITY_MODE_AUTO` in bundle templates ([#5452](https://github.com/databricks/cli/pull/5452)).
* Mark vector search index index_subtype as backend_default to prevent drift after deployment ([#5454](https://github.com/databricks/cli/pull/5454)).
* `bundle deployment migrate`: handle resources added to or removed from `databricks.yml` since the last Terraform deploy ([#5463](https://github.com/databricks/cli/pull/5463)).
* Warn during `bundle deploy` when a workspace folder used by the bundle grants broader permissions than the bundle's top-level `permissions` section declares, for example through permissions inherited from a parent folder ([#5439](https://github.com/databricks/cli/pull/5439)).

@pietern pietern Jun 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand correctly, we already do this and this is not new. The only difference is that we record it.

@shreyas-goenka shreyas-goenka Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only warn in the bundle validate command today, where we fetch the permissions on all folders. This is new because now we also warn on bundle deploy.

@shreyas-goenka shreyas-goenka force-pushed the pr-deploy-folder-permission-check branch from 681e089 to e6521fb Compare June 10, 2026 12:07
@shreyas-goenka
bundle: record auto-migration compatibility telemetry on deploy
d134907 
ApplyWorkspaceRootPermissions already calls SetPermissions on each workspace path
prefix during deploy; the response carries the folder's resulting ACL. Reusing it
(no extra API call), we record whether this deploy is compatible with an automatic
DMS migration — i.e. whether, after migration, the deployment state folder can be
managed by only the declared permissions plus the deployer (allowed without being
declared only when the state is under the deployer's home).

Exactly one verdict is recorded per deploy:
- is_definitely_auto_migration_compatible: folder ACL observed and compatible.
- is_not_auto_migration_compatible: folder ACL observed (or known statically for
  /Workspace/Shared) and not compatible.
- is_maybe_auto_migration_compatible: no permissions section, so the folder was not
  synced and the ACL is unobserved; resolving it needs a GetPermissions call.

Aggregate by deployment ID: a deployment (bundle target) is auto-migratable only if
all of its deploys are compatible.

The fake test server now models home-folder ownership (a directory under
/Workspace/Users/<owner> returns that owner's inherited CAN_MANAGE), so the
acceptance test exercises the full matrix via bundle paths and declared
permissions alone.

Co-authored-by: Shreyas Goenka <shreyas.goenka@databricks.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pietern pietern pietern left review comments

@denik denik Awaiting requested review from denik

@andrewnester andrewnester Awaiting requested review from andrewnester

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shreyas-goenka @eng-dev-ecosystem-bot @pietern