Skip to content

Fix #5682: add IS_OWNER for permissions added by Python mutators#5821

Open
denik wants to merge 6 commits into
mainfrom
denik/permissions-5682-one-owner
Open

Fix #5682: add IS_OWNER for permissions added by Python mutators#5821
denik wants to merge 6 commits into
mainfrom
denik/permissions-5682-one-owner

Conversation

@denik

@denik denik commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Permissions added to an existing job/pipeline by a PyDABs mutator went through NormalizeResources, which skipped FixPermissions. The deploying user was never added as IS_OWNER, so the direct engine sent an ownerless permissions PUT and the API rejected it with The <resource> must have exactly one owner (#5682). The terraform provider re-injects the owner at PUT time, which is why the same bundle worked on terraform but failed on the direct engine.

Fix: run FixPermissions in NormalizeResources so permissions added by a Python mutator get the same owner treatment as permissions declared in YAML. FixPermissions is idempotent, so it is a no-op for resources that already have an owner; ApplyBundlePermissions is intentionally not re-run (not idempotent, already applied earlier). FixPermissions also now skips when CurrentUser is unset.

Includes an acceptance test that deploys a pipeline whose only permission is added by a Python mutator; verified against real AWS on both engines.

This pull request and its description were written by Isaac.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Approval status: pending

/acceptance/bundle/ - needs approval

7 files changed
Suggested: @janniklasrose
Also eligible: @pietern, @shreyas-goenka, @andrewnester, @anton-107, @lennartkats-db

/bundle/ - needs approval

Files: bundle/config/mutator/resourcemutator/fix_permissions.go, bundle/config/mutator/resourcemutator/resource_mutator.go, bundle/direct/dresources/all_test.go
Suggested: @janniklasrose
Also eligible: @pietern, @shreyas-goenka, @andrewnester, @anton-107, @lennartkats-db

General files (require maintainer)

Files: NEXT_CHANGELOG.md, libs/testserver/permissions.go
Based on git history:

  • @janniklasrose -- recent work in ./, bundle/config/mutator/resourcemutator/, libs/testserver/

Any maintainer (@andrewnester, @anton-107, @pietern, @shreyas-goenka, @simonfaltum, @renaudhartert-db, @janniklasrose) can approve all areas.
See OWNERS for ownership rules.

@denik denik temporarily deployed to test-trigger-is July 3, 2026 11:55 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is July 3, 2026 11:55 — with GitHub Actions Inactive
@eng-dev-ecosystem-bot

eng-dev-ecosystem-bot commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Integration test report

Commit: cc5aac3

Run: 28666047764

Env 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
💚​ aws linux 4 15 230 1046 4:21
💚​ aws windows 4 15 232 1044 3:37
💚​ aws-ucws linux 4 15 314 964 6:20
💚​ aws-ucws windows 4 15 316 962 4:09
💚​ azure linux 4 15 230 1045 4:08
💚​ azure windows 4 15 232 1043 3:39
💚​ azure-ucws linux 4 15 316 961 5:55
💚​ azure-ucws windows 4 15 318 959 3:59
💚​ gcp linux 4 15 229 1047 3:41
💚​ gcp windows 4 15 231 1045 3:47
19 interesting tests: 15 SKIP, 4 RECOVERED
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
💚​ TestAccept 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/recreate/embedding_dimension 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestFetchRepositoryInfoAPI_FromRepo 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
💚​ TestFetchRepositoryInfoAPI_FromRepo/root 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
💚​ TestFetchRepositoryInfoAPI_FromRepo/subdir 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
Top 5 slowest tests (at least 2 minutes):
duration env testname
3:02 gcp windows TestAccept
2:46 aws windows TestAccept
2:44 azure windows TestAccept
2:41 aws-ucws windows TestAccept
2:37 azure-ucws windows TestAccept

@denik denik temporarily deployed to test-trigger-is July 3, 2026 12:22 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is July 3, 2026 12:22 — with GitHub Actions Inactive
@denik denik changed the title Reproduce #5682: Python-mutator permissions miss IS_OWNER on direct engine Fix #5682: add IS_OWNER for permissions added by Python mutators Jul 3, 2026
denik added a commit that referenced this pull request Jul 3, 2026
Co-authored-by: Isaac
denik added 5 commits July 3, 2026 16:02
Permissions added to an existing resource by a PyDABs job/pipeline mutator go
through NormalizeResources (UpdatedResources path), which does not run
FixPermissions. The deploying user is therefore never added as IS_OWNER, and the
direct engine PUTs an ownerless ACL that the Permissions API rejects with
"The pipeline must have exactly one owner". The terraform provider re-injects the
owner at PUT time, so it succeeds - hence the terraform-vs-direct divergence.

Model the real backend rule (jobs and pipelines require exactly one owner; zero
or two both fail) in the testserver, and add an acceptance test that deploys and
records the per-engine outcome.

Co-authored-by: Isaac
Convert the reproduction to a real deploy against a UC pipeline: notebook
library, unique names via envsubst, a real grantee group on cloud, and cleanup.
Add INVALID_PARAMETER_VALUE to the testserver's owner error to match the real
Permissions API response shown in the issue.

Co-authored-by: Isaac
Permissions added to an existing resource by a PyDABs job/pipeline mutator went
through NormalizeResources, which ran only the normalize mutators and skipped
FixPermissions. The deploying user was therefore never added as IS_OWNER, and the
direct engine PUT an ownerless ACL that the Permissions API rejects with
"must have exactly one owner". The terraform provider re-injected the owner at PUT
time, hiding the bug for that engine.

Run FixPermissions in NormalizeResources so Python-sourced permissions get the same
owner treatment as YAML ones. FixPermissions is idempotent, so re-running it on
resources that already have an owner is a no-op; ApplyBundlePermissions is not
re-run because it is not idempotent and already ran in ProcessStaticResources.
Guard FixPermissions against a nil CurrentUser, which is possible when it runs
outside the initialize phase.

Co-authored-by: Isaac
Co-authored-by: Isaac
The testserver now enforces exactly-one-owner for pipelines (like jobs), so the
pipelines.permissions CRUD fixture must set IS_OWNER instead of CAN_MANAGE.

Co-authored-by: Isaac
@denik denik force-pushed the denik/permissions-5682-one-owner branch from 796efdb to 1306a5d Compare July 3, 2026 14:07
@denik denik temporarily deployed to test-trigger-is July 3, 2026 14:07 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is July 3, 2026 14:07 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is July 3, 2026 14:13 — with GitHub Actions Inactive
@denik denik temporarily deployed to test-trigger-is July 3, 2026 14:13 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants