Skip to content

Modify permissions to use SDK types where available#4686

Open
denik wants to merge 27 commits intomainfrom
denik/simpler-permissions
Open

Modify permissions to use SDK types where available#4686
denik wants to merge 27 commits intomainfrom
denik/simpler-permissions

Conversation

@denik
Copy link
Contributor

@denik denik commented Mar 9, 2026
edited
Loading

Changes

Replace custom permission types (JobPermission, PipelinePermission, AlertPermission, etc.) and their associated per-resource permission level enums with a single generic-based permission type that embeds Level type from SDK where it's available and iam.PermissionLevel where it is not.

Why

Simplification. Supports autogeneration of resource, no need to manually provide allowed levels.

Similar change for grants: #4666

@denik denik temporarily deployed to test-trigger-is March 9, 2026 15:05 — with GitHub Actions Inactive
denik added a commit that referenced this pull request Mar 9, 2026
@denik @claude
Add NEXT_CHANGELOG entry for #4686
90050ca 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik temporarily deployed to test-trigger-is March 9, 2026 15:07 — with GitHub Actions Inactive
@denik denik changed the title Modify permissions to use SDK structs Modify permissions to use a shared Permission type Mar 9, 2026
@denik denik requested a review from kanterov March 9, 2026 15:10
@eng-dev-ecosystem-bot
Copy link
Collaborator

eng-dev-ecosystem-bot commented Mar 9, 2026
edited
Loading

Commit: 1f1ae53

Run: 22912071546

Env ❌​FAIL 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
💚​ aws linux 8 7 268 781 6:17
💚​ aws windows 8 7 270 779 5:50
💚​ aws-ucws linux 8 7 365 696 10:11
🔄​ aws-ucws windows 2 7 7 366 694 7:00
❌​ azure linux 2 1 2 9 268 779 7:22
💚​ azure windows 2 9 273 777 5:32
🔄​ azure-ucws windows 2 1 9 371 690 6:47
💚​ gcp linux 2 9 267 782 5:13
🔄​ gcp windows 3 1 9 267 780 5:20
21 interesting tests: 7 SKIP, 7 RECOVERED, 5 flaky, 2 FAIL
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws windows gcp linux gcp windows
🔄​ TestAccept 💚​R 💚​R 💚​R 🔄​f 💚​R 💚​R 🔄​f 💚​R 🔄​f
🔄​ TestAccept/bundle/resources/jobs/check-metadata ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
🔄​ TestAccept/bundle/resources/jobs/check-metadata/DATABRICKS_BUNDLE_ENGINE=terraform ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 💚​R 💚​R 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 💚​R 💚​R 💚​R 💚​R
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 💚​R 💚​R 💚​R 💚​R
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 💚​R 💚​R 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 💚​R 💚​R 💚​R 💚​R
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestAccept/ssh/connect-serverless-gpu 🙈​s 🙈​s ✅​p 🔄​f 🙈​s 🙈​s 🔄​f 🙈​s 🙈​s
💚​ TestAccept/ssh/connection 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🔄​ TestFetchRepositoryInfoAPI_FromRepo ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p ✅​p ✅​p
❌​ TestFetchRepositoryInfoAPI_FromRepo//Workspace/Repos/222cace5-bdb4-4852-97e6-7cb1109cc0e9/integration-test-2d9bb45e909344a29d4d1d054b333fe6 ❌​F
❌​ TestFetchRepositoryInfoAPI_FromRepo//Workspace/Repos/222cace5-bdb4-4852-97e6-7cb1109cc0e9/integration-test-2d9bb45e909344a29d4d1d054b333fe6/knowledge_base/dashboard_nyc_taxi ❌​F
Top 19 slowest tests (at least 2 minutes):
duration env testname
4:15 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:10 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:06 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:05 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:04 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:04 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:50 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:48 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:42 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:10 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:08 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:06 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:42 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:27 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:22 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:18 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:16 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:15 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:13 aws-ucws linux TestAccept/ssh/connect-serverless-gpu

denik added a commit that referenced this pull request Mar 10, 2026
@denik @claude
Add NEXT_CHANGELOG entry for #4686
fa651eb 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik force-pushed the denik/simpler-permissions branch from a39e224 to 04f0df6 Compare March 10, 2026 13:32
@denik denik temporarily deployed to test-trigger-is March 10, 2026 13:33 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is March 10, 2026 14:08 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is March 10, 2026 14:33 — with GitHub Actions Inactive
denik and others added 14 commits March 10, 2026 16:24
@denik @claude
Add plan for simplifying permissions types
27fe479 
Analogous to simpler-grant: replace 12 resource-specific permission types
with iam.AccessControlRequest from the SDK directly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Replace per-resource permission types with shared Permission type
858a559 
- Remove 12 per-resource permission structs (JobPermission, PipelinePermission, etc.)
  and corresponding PermissionLevel enum types in favor of shared resources.Permission
- Remove IPermission interface and reflection-based dispatch in dresources/permissions.go
- Replace with static permissionResourceToObjectType map and direct type assertion
- Update annotations.yml and annotations_openapi_overrides.yml to remove obsolete entries
- Regenerate JSON schema
- Add backward-compat aliases (JobPermission, PipelinePermission, etc.) in Python __init__.py

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Use aliases_patch.py for backward-compat permission aliases
26c9f1d 
Move jobs/pipelines permission aliases from packages.EXTRA_ALIASES to
aliases_patch.ALIASES, consistent with how grant aliases are handled.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik
rm settings.local
4b19872
@denik
update jsonschema_for_docs.json
a8221a8
@denik
rm PLAN
d980f7a
@denik @claude
Add backward-compat aliases for *PermissionLevel types in Python
9314ddd 
JobPermissionLevel = str and PipelinePermissionLevel = str preserve
the exported names while reflecting that levels are now plain strings.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Add NEXT_CHANGELOG entry for #4686
61b08e8 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Use resource-specific SDK permission level types for bundle resources
0b214a4 
Replace the generic `[]resources.Permission[iam.PermissionLevel]` with
per-resource typed `resources.Permissions[L]` using the SDK's own enum types
(e.g. `jobs.JobPermissionLevel`, `pipelines.PipelinePermissionLevel`, etc.).

This provides type safety and IDE autocomplete for valid permission levels
per resource. A `PermissionsSlice` interface enables type-agnostic conversion
to `iam.AccessControlRequest` without reflection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik
undo yaml
d0569b5
@denik @claude
Define named non-generic permission types for each resource
15367de 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik
rm settings
5ff1674
@denik @claude
Use IamPermission for generic iam.PermissionLevel; drop named slice t…
300c081 
…ypes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Replace resources.Permission[iam.PermissionLevel] with resources.IamP…
e493014 
…ermission

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
denik and others added 4 commits March 10, 2026 16:24
@denik @claude
Fix exhaustruct lint: add ForceSendFields to AccessControlRequest
b824f3c 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Fix toAccessControlRequests to dereference pointer-to-slice
660aef2 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik
update refschema
419012d
@denik @claude
Restore formatting and revert unrelated ssh changes
c622af0 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik force-pushed the denik/simpler-permissions branch from 294d6c4 to c622af0 Compare March 10, 2026 15:26
@denik denik temporarily deployed to test-trigger-is March 10, 2026 15:26 — with GitHub Actions Inactive
@denik @claude
Remove unused ToAccessControlRequest methods and wrapper boilerplate
79441e2 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik changed the title Modify permissions to use a shared Permission type Modify permissions to use SDK types where available Mar 10, 2026
denik and others added 2 commits March 10, 2026 16:43
@denik @claude
Rename Permission -> PermissionT, IamPermission -> Permission to mini…
7731212 
…mize diff

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Remove accidentally committed files
adfb3a0 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik temporarily deployed to test-trigger-is March 10, 2026 15:47 — with GitHub Actions Inactive
denik and others added 3 commits March 10, 2026 16:48
@denik @claude
Update annotations.yml for Permission rename
71f5667 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Regenerate schema after Permission rename
b26d2aa 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik @claude
Restore descriptions for resources.Permission in annotations
5a7137c 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik temporarily deployed to test-trigger-is March 10, 2026 15:52 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is March 10, 2026 15:54 — with GitHub Actions Inactive
@denik @claude
Remove unnecessary Permission aliases and clean up _flatten_spec in P…
bff60d4 
…ython codegen

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik temporarily deployed to test-trigger-is March 10, 2026 15:59 — with GitHub Actions Inactive
@denik @claude
Revert unnecessary Python codegen changes
1f1ae53 
The spec is already flat with dotted keys; no logic changes needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@denik denik temporarily deployed to test-trigger-is March 10, 2026 16:08 — with GitHub Actions Inactive
kanterov
kanterov approved these changes Mar 10, 2026
View reviewed changes
Copy link
Collaborator

@kanterov kanterov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

//python/... LGTM

Other code I didn't check

NEXT_CHANGELOG.md

### Bundles
* Modify grants to use SDK types ([#4666](https://github.com/databricks/cli/pull/4666))
* Modify permissions to use SDK types where available ([#4686](https://github.com/databricks/cli/pull/4686))
Copy link
Collaborator

@kanterov kanterov Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a user-visible change now? We can clarify that we re-ordered Python enums

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kanterov kanterov kanterov approved these changes

@andrewnester andrewnester Awaiting requested review from andrewnester andrewnester is a code owner

@anton-107 anton-107 Awaiting requested review from anton-107 anton-107 is a code owner

@pietern pietern Awaiting requested review from pietern pietern is a code owner

@shreyas-goenka shreyas-goenka Awaiting requested review from shreyas-goenka shreyas-goenka is a code owner

@simonfaltum simonfaltum Awaiting requested review from simonfaltum simonfaltum is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@denik @eng-dev-ecosystem-bot @kanterov