Skip to content

Direct-engine reconcile classification fixes#5816

Open
radakam wants to merge 1 commit into
mainfrom
fix/direct-reconcile-classification
Open

Direct-engine reconcile classification fixes#5816
radakam wants to merge 1 commit into
mainfrom
fix/direct-reconcile-classification

Conversation

@radakam

@radakam radakam commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Why

Fuzzing the direct engine found fields that UC/serving GET responses either compute or never echo back. They weren't classified, so bundle plan showed a permanent update after deploy and redeploy could fail with 400 ... Nothing to update.

Changes

bundle/direct/dresources/resources.yml:

  • catalogs: skip UC-injected properties['unity.catalog.managed.*'] as backend_defaults (mirrors existing schemas fix).
  • registered_models: browse_onlyignore_remote_changes (output-only, backend-computed, not in update surface).
  • model_serving_endpoints: config.served_entities[*].burst_scaling_enabled + all external-model *_plaintext secrets → ignore_remote_changes (input-only, accepted on write but never returned on GET).

These aren't annotated in the OpenAPI spec, so they're declared manually (absent from resources.generated.yml).

libs/testserver/:

  • catalogs.go / registered_models.go: inject the computed values, scoped to dedicated names (catalog_managed_defaults, model_browse_only).
  • serving_endpoints.go: strip *_plaintext secrets on read (burst_scaling_enabled already wasn't round-tripped).

Tests

New direct-engine acceptance tests asserting no-op plan + no update call on redeploy:

  • acceptance/bundle/resources/catalogs/drift/managed_properties
  • acceptance/bundle/resources/registered_models/drift/browse_only
  • acceptance/bundle/resources/model_serving_endpoints/drift/write_only

@radakam radakam temporarily deployed to test-trigger-is July 3, 2026 09:12 — with GitHub Actions Inactive
@radakam radakam temporarily deployed to test-trigger-is July 3, 2026 09:12 — with GitHub Actions Inactive
… fields

Several fields returned (or intentionally not returned) by UC/serving GET
responses were not classified, so `bundle plan` reported a perpetual Update
after deploy and could hard-fail with "Nothing to update" on redeploy.

- catalogs: skip UC-injected `unity.catalog.managed.*` properties as
  backend defaults (mirrors the existing schemas handling).
- registered_models: treat backend-computed `browse_only` as output-only.
- model_serving_endpoints: ignore remote changes for `burst_scaling_enabled`
  and the write-only external-model `*_plaintext` secrets, none of which are
  echoed on GET.

The testserver is extended to reproduce each drift (scoped catalog/model
names, and stripping serving secrets on read) and new acceptance tests under
each resource's `drift/` dir lock in the no-op plan and redeploy behavior.
@radakam radakam force-pushed the fix/direct-reconcile-classification branch from c01de9a to f4ed131 Compare July 3, 2026 09:19
@radakam radakam temporarily deployed to test-trigger-is July 3, 2026 09:20 — with GitHub Actions Inactive
@radakam radakam temporarily deployed to test-trigger-is July 3, 2026 09:20 — with GitHub Actions Inactive
@radakam radakam marked this pull request as ready for review July 3, 2026 09:21
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Approval status: pending

/acceptance/bundle/ - needs approval

15 files changed
Suggested: @pietern
Also eligible: @denik, @janniklasrose, @andrewnester, @shreyas-goenka, @anton-107, @lennartkats-db

/bundle/ - needs approval

Files: bundle/direct/dresources/resources.yml
Suggested: @pietern
Also eligible: @denik, @janniklasrose, @andrewnester, @shreyas-goenka, @anton-107, @lennartkats-db

General files (require maintainer)

Files: libs/testserver/catalogs.go, libs/testserver/registered_models.go, libs/testserver/serving_endpoints.go
Based on git history:

  • @pietern -- recent work in bundle/direct/dresources/, libs/testserver/

Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @simonfaltum, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.

@eng-dev-ecosystem-bot

Copy link
Copy Markdown
Collaborator

Integration test report

Commit: f4ed131

Run: 28651141264

Env 🟨​KNOWN 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 3 13 230 1048 7:07
🟨​ aws windows 7 3 13 232 1046 6:40
💚​ aws-ucws linux 10 13 314 966 4:50
💚​ aws-ucws windows 10 13 316 964 4:11
💚​ azure linux 4 15 230 1047 4:12
💚​ azure windows 4 15 232 1045 3:57
💚​ azure-ucws linux 4 15 316 963 4:36
💚​ azure-ucws windows 4 15 318 961 3:58
💚​ gcp linux 4 15 229 1049 3:48
💚​ gcp windows 4 15 231 1047 3:45
23 interesting tests: 13 SKIP, 7 KNOWN, 3 RECOVERED
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/recreate/embedding_dimension 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestFetchRepositoryInfoAPI_FromRepo 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
💚​ TestFetchRepositoryInfoAPI_FromRepo/root 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
💚​ TestFetchRepositoryInfoAPI_FromRepo/subdir 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
Top 5 slowest tests (at least 2 minutes):
duration env testname
3:22 aws linux TestSecretsPutSecretStringValue
3:05 aws-ucws windows TestAccept
3:05 azure windows TestAccept
3:02 gcp windows TestAccept
2:55 azure-ucws windows TestAccept

reason: output_only
- field: updated_by
reason: output_only
# Backend-computed; the user never sets it. Not annotated output_only in the spec.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably annotate browse_only as output-only (or drop it from the create request) in the universe OpenAPI spec so the regenerated SDK stops surfacing it as a writable field.

# Accepted on write but not returned by GET.
- field: config.served_entities[*].burst_scaling_enabled
reason: input_only
# Write-only secrets: the backend stores them and returns the reference field, not the plaintext.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we wild-card match these? there will be more as more models are added

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about that, wildcards can't match *_plaintext, and broader wildcards would also ignore legitimate GET fields. It might be better to mark these fields as write-only in the OpenAPI spec so they're generated automatically, like browse_only, what do you think?

resources:
catalogs:
catalog1:
name: catalog_managed_defaults

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have acceptance/bundle/invariant/configs/catalog.yml.tmpl why did not it catch this?

Is it because fuzz testing was against dogfood which adds these fields but our test env does not?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly -- the testserver wasn't populating these fields (dogfood does), so there was no drift to catch. I also added that to the testserver so it's now reproducible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants