From bdb1640307bdd6923fd8d594090c4949486f5225 Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Mon, 28 Jul 2025 14:19:12 +0200 Subject: [PATCH 1/4] Add top level run_as support for DLT pipelines --- acceptance/bundle/run_as/databricks.yml | 40 +++++++++++++++++++ acceptance/bundle/run_as/out.test.toml | 5 +++ acceptance/bundle/run_as/output.txt | 24 +++++++++++ acceptance/bundle/run_as/script | 3 ++ .../config/mutator/resourcemutator/run_as.go | 32 ++++++++++----- .../mutator/resourcemutator/run_as_test.go | 4 ++ 6 files changed, 98 insertions(+), 10 deletions(-) create mode 100644 acceptance/bundle/run_as/databricks.yml create mode 100644 acceptance/bundle/run_as/out.test.toml create mode 100644 acceptance/bundle/run_as/output.txt create mode 100644 acceptance/bundle/run_as/script diff --git a/acceptance/bundle/run_as/databricks.yml b/acceptance/bundle/run_as/databricks.yml new file mode 100644 index 0000000000..88f96155af --- /dev/null +++ b/acceptance/bundle/run_as/databricks.yml @@ -0,0 +1,40 @@ +resources: + jobs: + job_one: + name: Job 1 + + job_two: + name: Job 2 + run_as: + service_principal_name: "sp_override" + + job_three: + name: Job 3 + run_as: + user_name: "user_override" + + pipelines: + pipeline_one: + name: Pipeline 1 + + pipeline_two: + name: Pipeline 2 + run_as: + service_principal_name: "sp_override" + + pipeline_three: + name: Pipeline 3 + run_as: + user_name: "user_override" + +targets: + no_run_as: + default: true + + with_user_run_as: + run_as: + user_name: "user_base" + + with_sp_run_as: + run_as: + service_principal_name: "sp_base" diff --git a/acceptance/bundle/run_as/out.test.toml b/acceptance/bundle/run_as/out.test.toml new file mode 100644 index 0000000000..8f3575be7b --- /dev/null +++ b/acceptance/bundle/run_as/out.test.toml @@ -0,0 +1,5 @@ +Local = true +Cloud = false + +[EnvMatrix] + DATABRICKS_CLI_DEPLOYMENT = ["terraform", "direct-exp"] diff --git a/acceptance/bundle/run_as/output.txt b/acceptance/bundle/run_as/output.txt new file mode 100644 index 0000000000..ca8c1b13bc --- /dev/null +++ b/acceptance/bundle/run_as/output.txt @@ -0,0 +1,24 @@ + +>>> [CLI] bundle validate -o json -t no_run_as +jobs.job_one: null +jobs.job_three: {"user_name":"user_override"} +jobs.job_two: {"service_principal_name":"sp_override"} +pipelines.pipeline_one: null +pipelines.pipeline_three: {"user_name":"user_override"} +pipelines.pipeline_two: {"service_principal_name":"sp_override"} + +>>> [CLI] bundle validate -o json -t with_user_run_as +jobs.job_one: {"user_name":"user_base"} +jobs.job_three: {"user_name":"user_override"} +jobs.job_two: {"service_principal_name":"sp_override"} +pipelines.pipeline_one: {"user_name":"user_base"} +pipelines.pipeline_three: {"user_name":"user_override"} +pipelines.pipeline_two: {"service_principal_name":"sp_override"} + +>>> [CLI] bundle validate -o json -t with_sp_run_as +jobs.job_one: {"service_principal_name":"sp_base"} +jobs.job_three: {"user_name":"user_override"} +jobs.job_two: {"service_principal_name":"sp_override"} +pipelines.pipeline_one: {"service_principal_name":"sp_base"} +pipelines.pipeline_three: {"user_name":"user_override"} +pipelines.pipeline_two: {"service_principal_name":"sp_override"} diff --git a/acceptance/bundle/run_as/script b/acceptance/bundle/run_as/script new file mode 100644 index 0000000000..5921ec6e28 --- /dev/null +++ b/acceptance/bundle/run_as/script @@ -0,0 +1,3 @@ +trace $CLI bundle validate -o json -t no_run_as | jq -r '.resources | to_entries[] | .key as $resource_type | .value | to_entries[] | "\($resource_type).\(.key): \(.value.run_as)"' +trace $CLI bundle validate -o json -t with_user_run_as | jq -r '.resources | to_entries[] | .key as $resource_type | .value | to_entries[] | "\($resource_type).\(.key): \(.value.run_as)"' +trace $CLI bundle validate -o json -t with_sp_run_as | jq -r '.resources | to_entries[] | .key as $resource_type | .value | to_entries[] | "\($resource_type).\(.key): \(.value.run_as)"' diff --git a/bundle/config/mutator/resourcemutator/run_as.go b/bundle/config/mutator/resourcemutator/run_as.go index fb5408bfbd..e537158f25 100644 --- a/bundle/config/mutator/resourcemutator/run_as.go +++ b/bundle/config/mutator/resourcemutator/run_as.go @@ -10,6 +10,7 @@ import ( "github.com/databricks/cli/libs/diag" "github.com/databricks/cli/libs/dyn" "github.com/databricks/databricks-sdk-go/service/jobs" + "github.com/databricks/databricks-sdk-go/service/pipelines" ) type setRunAs struct{} @@ -79,16 +80,6 @@ func validateRunAs(b *bundle.Bundle) diag.Diagnostics { return diags } - // DLT pipelines do not support run_as in the API. - if len(b.Config.Resources.Pipelines) > 0 { - diags = diags.Extend(reportRunAsNotSupported( - "pipelines", - b.Config.GetLocation("resources.pipelines"), - b.Config.Workspace.CurrentUser.UserName, - identity, - )) - } - // Model serving endpoints do not support run_as in the API. if len(b.Config.Resources.ModelServingEndpoints) > 0 { diags = diags.Extend(reportRunAsNotSupported( @@ -150,6 +141,24 @@ func setRunAsForJobs(b *bundle.Bundle) { } } +func setRunAsForPipelines(b *bundle.Bundle) { + runAs := b.Config.RunAs + if runAs == nil { + return + } + + for i := range b.Config.Resources.Pipelines { + pipeline := b.Config.Resources.Pipelines[i] + if pipeline.RunAs != nil { + continue + } + pipeline.RunAs = &pipelines.RunAs{ + ServicePrincipalName: runAs.ServicePrincipalName, + UserName: runAs.UserName, + } + } +} + // Legacy behavior of run_as for DLT pipelines. Available under the experimental.use_run_as_legacy flag. // Only available to unblock customers stuck due to breaking changes in https://github.com/databricks/cli/pull/1233 func setPipelineOwnersToRunAsIdentity(b *bundle.Bundle) { @@ -186,6 +195,8 @@ func (m *setRunAs) Apply(_ context.Context, b *bundle.Bundle) diag.Diagnostics { return nil } + // User has opted to use the legacy behavior of run_as with the + // experimental.use_legacy_run_as flag. if b.Config.Experimental != nil && b.Config.Experimental.UseLegacyRunAs { setPipelineOwnersToRunAsIdentity(b) setRunAsForJobs(b) @@ -206,5 +217,6 @@ func (m *setRunAs) Apply(_ context.Context, b *bundle.Bundle) diag.Diagnostics { } setRunAsForJobs(b) + setRunAsForPipelines(b) return nil } diff --git a/bundle/config/mutator/resourcemutator/run_as_test.go b/bundle/config/mutator/resourcemutator/run_as_test.go index 5d2d175313..f5bdcbc5e1 100644 --- a/bundle/config/mutator/resourcemutator/run_as_test.go +++ b/bundle/config/mutator/resourcemutator/run_as_test.go @@ -92,6 +92,9 @@ func TestRunAsWorksForAllowedResources(t *testing.T) { Experiments: map[string]*resources.MlflowExperiment{ "experiment_one": {}, }, + Pipelines: map[string]*resources.Pipeline{ + "pipeline_one": {}, + }, }, } @@ -140,6 +143,7 @@ func TestRunAsWorksForAllowedResources(t *testing.T) { var allowList = []string{ "clusters", "jobs", + "pipelines", "models", "registered_models", "experiments", From ce64f2481627a1ee8752242a9d8f3793f2afbd52 Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Mon, 28 Jul 2025 14:24:52 +0200 Subject: [PATCH 2/4] remove old tests --- .../not_allowed/pipelines/databricks.yml | 25 ------------ bundle/tests/run_as_test.go | 38 ------------------- 2 files changed, 63 deletions(-) delete mode 100644 bundle/tests/run_as/not_allowed/pipelines/databricks.yml diff --git a/bundle/tests/run_as/not_allowed/pipelines/databricks.yml b/bundle/tests/run_as/not_allowed/pipelines/databricks.yml deleted file mode 100644 index d59c34ab63..0000000000 --- a/bundle/tests/run_as/not_allowed/pipelines/databricks.yml +++ /dev/null @@ -1,25 +0,0 @@ -bundle: - name: "run_as" - -run_as: - service_principal_name: "my_service_principal" - -targets: - development: - run_as: - user_name: "my_user_name" - -resources: - pipelines: - nyc_taxi_pipeline: - name: "nyc taxi loader" - - permissions: - - level: CAN_VIEW - service_principal_name: my_service_principal - - level: CAN_VIEW - user_name: my_user_name - - libraries: - - notebook: - path: ./dlt/nyc_taxi_loader diff --git a/bundle/tests/run_as_test.go b/bundle/tests/run_as_test.go index d7b0e73311..8fa0729dbd 100644 --- a/bundle/tests/run_as_test.go +++ b/bundle/tests/run_as_test.go @@ -94,44 +94,6 @@ func TestRunAsForAllowedWithTargetOverride(t *testing.T) { assert.Equal(t, ml.Experiment{Name: "experiment_one"}, b.Config.Resources.Experiments["experiment_one"].Experiment) } -func TestRunAsErrorForPipelines(t *testing.T) { - b := load(t, "./run_as/not_allowed/pipelines") - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "jane@doe.com", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - err := diags.Error() - - assert.ErrorContains(t, err, "pipelines do not support a setting a run_as user that is different from the owner.\n"+ - "Current identity: jane@doe.com. Run as identity: my_service_principal.\n"+ - "See https://docs") -} - -func TestRunAsNoErrorForPipelines(t *testing.T) { - b := load(t, "./run_as/not_allowed/pipelines") - - // We should not error because the pipeline is being deployed with the same - // identity as the bundle run_as identity. - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "my_service_principal", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - assert.NoError(t, diags.Error()) -} - func TestRunAsErrorForModelServing(t *testing.T) { b := load(t, "./run_as/not_allowed/model_serving") From 6de93869be3521aaf880224bd62bd81915665c02 Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Mon, 1 Sep 2025 10:13:11 +0200 Subject: [PATCH 3/4] - --- bundle/tests/run_as_test.go | 266 ------------------------------------ 1 file changed, 266 deletions(-) delete mode 100644 bundle/tests/run_as_test.go diff --git a/bundle/tests/run_as_test.go b/bundle/tests/run_as_test.go deleted file mode 100644 index 8fa0729dbd..0000000000 --- a/bundle/tests/run_as_test.go +++ /dev/null @@ -1,266 +0,0 @@ -package config_tests - -import ( - "context" - "testing" - - "github.com/databricks/cli/bundle/config/resources" - - "github.com/databricks/cli/bundle/config/mutator/resourcemutator" - - "github.com/databricks/cli/bundle" - "github.com/databricks/cli/bundle/config" - "github.com/databricks/databricks-sdk-go/service/catalog" - "github.com/databricks/databricks-sdk-go/service/iam" - "github.com/databricks/databricks-sdk-go/service/ml" - "github.com/databricks/databricks-sdk-go/service/serving" - "github.com/stretchr/testify/assert" -) - -func TestRunAsForAllowed(t *testing.T) { - b := load(t, "./run_as/allowed") - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "jane@doe.com", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - assert.NoError(t, diags.Error()) - - assert.Len(t, b.Config.Resources.Jobs, 3) - jobs := b.Config.Resources.Jobs - - // job_one and job_two should have the same run_as identity as the bundle. - assert.NotNil(t, jobs["job_one"].RunAs) - assert.Equal(t, "my_service_principal", jobs["job_one"].RunAs.ServicePrincipalName) - assert.Equal(t, "", jobs["job_one"].RunAs.UserName) - - assert.NotNil(t, jobs["job_two"].RunAs) - assert.Equal(t, "my_service_principal", jobs["job_two"].RunAs.ServicePrincipalName) - assert.Equal(t, "", jobs["job_two"].RunAs.UserName) - - // job_three should retain the job level run_as identity. - assert.NotNil(t, jobs["job_three"].RunAs) - assert.Equal(t, "my_service_principal_for_job", jobs["job_three"].RunAs.ServicePrincipalName) - assert.Equal(t, "", jobs["job_three"].RunAs.UserName) - - // Assert other resources are not affected. - assert.Equal(t, ml.CreateModelRequest{Name: "skynet"}, b.Config.Resources.Models["model_one"].CreateModelRequest) - assert.Equal(t, catalog.CreateRegisteredModelRequest{Name: "skynet (in UC)"}, b.Config.Resources.RegisteredModels["model_two"].CreateRegisteredModelRequest) - assert.Equal(t, ml.Experiment{Name: "experiment_one"}, b.Config.Resources.Experiments["experiment_one"].Experiment) -} - -func TestRunAsForAllowedWithTargetOverride(t *testing.T) { - b := loadTarget(t, "./run_as/allowed", "development") - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "jane@doe.com", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - assert.NoError(t, diags.Error()) - - assert.Len(t, b.Config.Resources.Jobs, 3) - jobs := b.Config.Resources.Jobs - - // job_one and job_two should have the same run_as identity as the bundle's - // development target. - assert.NotNil(t, jobs["job_one"].RunAs) - assert.Equal(t, "", jobs["job_one"].RunAs.ServicePrincipalName) - assert.Equal(t, "my_user_name", jobs["job_one"].RunAs.UserName) - - assert.NotNil(t, jobs["job_two"].RunAs) - assert.Equal(t, "", jobs["job_two"].RunAs.ServicePrincipalName) - assert.Equal(t, "my_user_name", jobs["job_two"].RunAs.UserName) - - // job_three should retain the job level run_as identity. - assert.NotNil(t, jobs["job_three"].RunAs) - assert.Equal(t, "my_service_principal_for_job", jobs["job_three"].RunAs.ServicePrincipalName) - assert.Equal(t, "", jobs["job_three"].RunAs.UserName) - - // Assert other resources are not affected. - assert.Equal(t, ml.CreateModelRequest{Name: "skynet"}, b.Config.Resources.Models["model_one"].CreateModelRequest) - assert.Equal(t, catalog.CreateRegisteredModelRequest{Name: "skynet (in UC)"}, b.Config.Resources.RegisteredModels["model_two"].CreateRegisteredModelRequest) - assert.Equal(t, ml.Experiment{Name: "experiment_one"}, b.Config.Resources.Experiments["experiment_one"].Experiment) -} - -func TestRunAsErrorForModelServing(t *testing.T) { - b := load(t, "./run_as/not_allowed/model_serving") - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "jane@doe.com", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - err := diags.Error() - - assert.ErrorContains(t, err, "model_serving_endpoints do not support a setting a run_as user that is different from the owner.\n"+ - "Current identity: jane@doe.com. Run as identity: my_service_principal.\n"+ - "See https://docs") -} - -func TestRunAsNoErrorForModelServingEndpoints(t *testing.T) { - b := load(t, "./run_as/not_allowed/model_serving") - - // We should not error because the model serving endpoint is being deployed - // with the same identity as the bundle run_as identity. - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "my_service_principal", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - assert.NoError(t, diags.Error()) -} - -func TestRunAsErrorWhenBothUserAndSpSpecified(t *testing.T) { - b := load(t, "./run_as/not_allowed/both_sp_and_user") - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "my_service_principal", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - err := diags.Error() - - assert.ErrorContains(t, err, "run_as section cannot specify both user_name and service_principal_name") -} - -func TestRunAsErrorNeitherUserOrSpSpecified(t *testing.T) { - tcases := []struct { - name string - err string - }{ - { - name: "empty_run_as", - err: "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified", - }, - { - name: "empty_sp", - err: "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified", - }, - { - name: "empty_user", - err: "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified", - }, - { - name: "empty_user_and_sp", - err: "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified", - }, - } - - for _, tc := range tcases { - t.Run(tc.name, func(t *testing.T) { - bundlePath := "./run_as/not_allowed/neither_sp_nor_user/" + tc.name - b := load(t, bundlePath) - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "my_service_principal", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - err := diags.Error() - assert.EqualError(t, err, tc.err) - }) - } -} - -func TestRunAsErrorNeitherUserOrSpSpecifiedAtTargetOverride(t *testing.T) { - b := loadTarget(t, "./run_as/not_allowed/neither_sp_nor_user/override", "development") - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "my_service_principal", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - err := diags.Error() - - assert.EqualError(t, err, "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified") -} - -func TestLegacyRunAs(t *testing.T) { - b := load(t, "./run_as/legacy") - - ctx := context.Background() - bundle.ApplyFuncContext(ctx, b, func(ctx context.Context, b *bundle.Bundle) { - b.Config.Workspace.CurrentUser = &config.User{ - User: &iam.User{ - UserName: "jane@doe.com", - }, - } - }) - - diags := bundle.Apply(ctx, b, resourcemutator.SetRunAs()) - assert.NoError(t, diags.Error()) - - assert.Len(t, b.Config.Resources.Jobs, 3) - jobs := b.Config.Resources.Jobs - - // job_one and job_two should have the same run_as identity as the bundle. - assert.NotNil(t, jobs["job_one"].RunAs) - assert.Equal(t, "my_service_principal", jobs["job_one"].RunAs.ServicePrincipalName) - assert.Equal(t, "", jobs["job_one"].RunAs.UserName) - - assert.NotNil(t, jobs["job_two"].RunAs) - assert.Equal(t, "my_service_principal", jobs["job_two"].RunAs.ServicePrincipalName) - assert.Equal(t, "", jobs["job_two"].RunAs.UserName) - - // job_three should retain it's run_as identity. - assert.NotNil(t, jobs["job_three"].RunAs) - assert.Equal(t, "my_service_principal_for_job", jobs["job_three"].RunAs.ServicePrincipalName) - assert.Equal(t, "", jobs["job_three"].RunAs.UserName) - - // Assert owner permissions for pipelines are set. - pipelines := b.Config.Resources.Pipelines - assert.Len(t, pipelines["nyc_taxi_pipeline"].Permissions, 2) - - assert.Equal(t, resources.PipelinePermission{ - Level: "CAN_VIEW", - UserName: "my_user_name", - }, pipelines["nyc_taxi_pipeline"].Permissions[0]) - - assert.Equal(t, resources.PipelinePermission{ - Level: "IS_OWNER", - ServicePrincipalName: "my_service_principal", - }, pipelines["nyc_taxi_pipeline"].Permissions[1]) - - // Assert other resources are not affected. - assert.Equal(t, ml.CreateModelRequest{Name: "skynet"}, b.Config.Resources.Models["model_one"].CreateModelRequest) - assert.Equal(t, catalog.CreateRegisteredModelRequest{Name: "skynet (in UC)"}, b.Config.Resources.RegisteredModels["model_two"].CreateRegisteredModelRequest) - assert.Equal(t, ml.Experiment{Name: "experiment_one"}, b.Config.Resources.Experiments["experiment_one"].Experiment) - assert.Equal(t, serving.CreateServingEndpoint{Name: "skynet"}, b.Config.Resources.ModelServingEndpoints["model_serving_one"].CreateServingEndpoint) -} From b26711a3c7b8ce5e54645b50c54b8f11f13a864f Mon Sep 17 00:00:00 2001 From: Shreyas Goenka Date: Mon, 1 Sep 2025 11:18:25 +0200 Subject: [PATCH 4/4] update existing tests --- acceptance/bundle/run_as/pipelines/_script | 4 +-- .../run_as/pipelines/regular_user/output.txt | 33 ++++--------------- .../run_as/pipelines/regular_user/script | 2 +- .../pipelines/service_principal/output.txt | 33 ++++--------------- .../run_as/pipelines/service_principal/script | 2 +- 5 files changed, 16 insertions(+), 58 deletions(-) diff --git a/acceptance/bundle/run_as/pipelines/_script b/acceptance/bundle/run_as/pipelines/_script index 75a56b6364..2396eaa88d 100644 --- a/acceptance/bundle/run_as/pipelines/_script +++ b/acceptance/bundle/run_as/pipelines/_script @@ -1,4 +1,4 @@ trace errcode $CLI bundle validate -t t_user_name -trace musterr $CLI bundle validate -t t_user_name_different +trace errcode $CLI bundle validate -t t_user_name_different trace errcode $CLI bundle validate -t t_service_principal_name -trace musterr $CLI bundle validate -t t_service_principal_name_different +trace errcode $CLI bundle validate -t t_service_principal_name_different diff --git a/acceptance/bundle/run_as/pipelines/regular_user/output.txt b/acceptance/bundle/run_as/pipelines/regular_user/output.txt index 725d7ab8a0..8f5a1a4adf 100644 --- a/acceptance/bundle/run_as/pipelines/regular_user/output.txt +++ b/acceptance/bundle/run_as/pipelines/regular_user/output.txt @@ -1,5 +1,5 @@ -=== t_user_name target must succeed, the rest must fail +=== run_as should succeed in all cases >>> errcode [CLI] bundle validate -t t_user_name Name: run_as Target: t_user_name @@ -9,50 +9,29 @@ Workspace: Validation OK! ->>> musterr [CLI] bundle validate -t t_user_name_different -Error: pipelines do not support a setting a run_as user that is different from the owner. -Current identity: [USERNAME]. Run as identity: different@databricks.com. -See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property. - in databricks.yml:20:5 - +>>> errcode [CLI] bundle validate -t t_user_name_different Name: run_as Target: t_user_name_different Workspace: User: [USERNAME] Path: /Workspace/Users/[USERNAME]/.bundle/run_as/t_user_name_different -Found 1 error - -Exit code (musterr): 1 +Validation OK! >>> errcode [CLI] bundle validate -t t_service_principal_name -Error: pipelines do not support a setting a run_as user that is different from the owner. -Current identity: [USERNAME]. Run as identity: [UUID]. -See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property. - in databricks.yml:20:5 - Name: run_as Target: t_service_principal_name Workspace: User: [USERNAME] Path: /Workspace/Users/[USERNAME]/.bundle/run_as/t_service_principal_name -Found 1 error - -Exit code: 1 - ->>> musterr [CLI] bundle validate -t t_service_principal_name_different -Error: pipelines do not support a setting a run_as user that is different from the owner. -Current identity: [USERNAME]. Run as identity: [UUID]. -See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property. - in databricks.yml:20:5 +Validation OK! +>>> errcode [CLI] bundle validate -t t_service_principal_name_different Name: run_as Target: t_service_principal_name_different Workspace: User: [USERNAME] Path: /Workspace/Users/[USERNAME]/.bundle/run_as/t_service_principal_name_different -Found 1 error - -Exit code (musterr): 1 +Validation OK! diff --git a/acceptance/bundle/run_as/pipelines/regular_user/script b/acceptance/bundle/run_as/pipelines/regular_user/script index 2110198b94..b02e9b33a0 100644 --- a/acceptance/bundle/run_as/pipelines/regular_user/script +++ b/acceptance/bundle/run_as/pipelines/regular_user/script @@ -1,3 +1,3 @@ cp -r $TESTDIR/../{databricks.yml,dlt} . -title "t_user_name target must succeed, the rest must fail" +title "run_as should succeed in all cases" source $TESTDIR/../_script diff --git a/acceptance/bundle/run_as/pipelines/service_principal/output.txt b/acceptance/bundle/run_as/pipelines/service_principal/output.txt index cf1adfc985..8f5a1a4adf 100644 --- a/acceptance/bundle/run_as/pipelines/service_principal/output.txt +++ b/acceptance/bundle/run_as/pipelines/service_principal/output.txt @@ -1,36 +1,22 @@ -=== t_service_principal_name must succeed, the rest must fail +=== run_as should succeed in all cases >>> errcode [CLI] bundle validate -t t_user_name -Error: pipelines do not support a setting a run_as user that is different from the owner. -Current identity: [USERNAME]. Run as identity: tester@databricks.com. -See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property. - in databricks.yml:20:5 - Name: run_as Target: t_user_name Workspace: User: [USERNAME] Path: /Workspace/Users/[USERNAME]/.bundle/run_as/t_user_name -Found 1 error - -Exit code: 1 - ->>> musterr [CLI] bundle validate -t t_user_name_different -Error: pipelines do not support a setting a run_as user that is different from the owner. -Current identity: [USERNAME]. Run as identity: different@databricks.com. -See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property. - in databricks.yml:20:5 +Validation OK! +>>> errcode [CLI] bundle validate -t t_user_name_different Name: run_as Target: t_user_name_different Workspace: User: [USERNAME] Path: /Workspace/Users/[USERNAME]/.bundle/run_as/t_user_name_different -Found 1 error - -Exit code (musterr): 1 +Validation OK! >>> errcode [CLI] bundle validate -t t_service_principal_name Name: run_as @@ -41,18 +27,11 @@ Workspace: Validation OK! ->>> musterr [CLI] bundle validate -t t_service_principal_name_different -Error: pipelines do not support a setting a run_as user that is different from the owner. -Current identity: [USERNAME]. Run as identity: [UUID]. -See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property. - in databricks.yml:20:5 - +>>> errcode [CLI] bundle validate -t t_service_principal_name_different Name: run_as Target: t_service_principal_name_different Workspace: User: [USERNAME] Path: /Workspace/Users/[USERNAME]/.bundle/run_as/t_service_principal_name_different -Found 1 error - -Exit code (musterr): 1 +Validation OK! diff --git a/acceptance/bundle/run_as/pipelines/service_principal/script b/acceptance/bundle/run_as/pipelines/service_principal/script index 01b5302f87..b02e9b33a0 100644 --- a/acceptance/bundle/run_as/pipelines/service_principal/script +++ b/acceptance/bundle/run_as/pipelines/service_principal/script @@ -1,3 +1,3 @@ cp -r $TESTDIR/../{databricks.yml,dlt} . -title "t_service_principal_name must succeed, the rest must fail" +title "run_as should succeed in all cases" source $TESTDIR/../_script