direct: Fix drift in grants resource due to principal reordering (#4794)

denik · claude · web-flow · commit 7ab81c29483c · 2026-03-19T16:23:36.000+01:00
When the remote API returns grants in a different order than configured,
the index-based comparison detected false drift. Key grants by
`principal` so comparison is order-independent, matching permissions
behavior.

Also modernize sortPriviliges to use slices.Sort.

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -7,6 +7,7 @@
 ### CLI
 
 ### Bundles
+* engine/direct: Fix drift in grants resource due to privilege reordering ([#4794](https://github.com/databricks/cli/pull/4794))
 
 ### Dependency updates
 
diff --git a/acceptance/bundle/invariant/configs/schema_grant_ref.yml.tmpl b/acceptance/bundle/invariant/configs/schema_grant_ref.yml.tmpl
@@ -7,13 +7,17 @@ resources:
       catalog_name: main
       name: test-schema-b-$UNIQUE_NAME
       grants:
-        - principal: account users
+        # make sure principals are not sorted, to better detect drift
+        - principal: $CURRENT_USER_NAME
           privileges:
             - USE_SCHEMA
-        - principal: admins
-          privileges:
             - CREATE_TABLE
+        - principal: account users
+          privileges:
+            # make sure privileges are not sorted, to better detect drift
             - USE_SCHEMA
+            - APPLY_TAG
+            - CREATE_VOLUME
 
     schema_a:
       catalog_name: main
@@ -23,6 +27,9 @@ resources:
         - principal: ${resources.schemas.schema_b.grants[0].principal}
           privileges:
             - USE_SCHEMA
+            - APPLY_TAG
         - principal: ${resources.schemas.schema_b.grants[1].principal}
           privileges:
             - CREATE_TABLE
+            - USE_SCHEMA
+            - APPLY_TAG
diff --git a/acceptance/bundle/resources/grants/catalogs/out.plan2.direct.json b/acceptance/bundle/resources/grants/catalogs/out.plan2.direct.json
@@ -49,13 +49,13 @@
         ]
       },
       "changes": {
-        "[0].privileges[0]": {
+        "[principal='deco-test-user@databricks.com'].privileges[0]": {
           "action": "update",
           "old": "CREATE_SCHEMA",
           "new": "USE_CATALOG",
           "remote": "CREATE_SCHEMA"
         },
-        "[0].privileges[1]": {
+        "[principal='deco-test-user@databricks.com'].privileges[1]": {
           "action": "update",
           "old": "USE_CATALOG",
           "new": "USE_SCHEMA",
diff --git a/acceptance/bundle/resources/grants/schemas/change_privilege/out.plan2.direct.json b/acceptance/bundle/resources/grants/schemas/change_privilege/out.plan2.direct.json
@@ -54,13 +54,13 @@
         ]
       },
       "changes": {
-        "[0].privileges[0]": {
+        "[principal='deco-test-user@databricks.com'].privileges[0]": {
           "action": "update",
           "old": "CREATE_TABLE",
           "new": "APPLY_TAG",
           "remote": "CREATE_TABLE"
         },
-        "[0].privileges[1]": {
+        "[principal='deco-test-user@databricks.com'].privileges[1]": {
           "action": "update",
           "old": "USE_SCHEMA",
           "new": "CREATE_TABLE",
diff --git a/acceptance/bundle/resources/grants/volumes/out.plan2.direct.json b/acceptance/bundle/resources/grants/volumes/out.plan2.direct.json
@@ -81,13 +81,13 @@
         ]
       },
       "changes": {
-        "[0].privileges[0]": {
+        "[principal='deco-test-user@databricks.com'].privileges[0]": {
           "action": "update",
           "old": "READ_VOLUME",
           "new": "MANAGE",
           "remote": "READ_VOLUME"
         },
-        "[0].privileges[1]": {
+        "[principal='deco-test-user@databricks.com'].privileges[1]": {
           "action": "update",
           "old": "WRITE_VOLUME",
           "new": "READ_VOLUME",
diff --git a/bundle/direct/dresources/grants.go b/bundle/direct/dresources/grants.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"sort"
+	"slices"
 	"strings"
 
 	"github.com/databricks/cli/libs/structs/structvar"
@@ -76,6 +76,18 @@ func (*ResourceGrants) PrepareState(state *GrantsState) *GrantsState {
 	return state
 }
 
+func grantKey(x catalog.PrivilegeAssignment) (string, string) {
+	return "principal", x.Principal
+}
+
+func (*ResourceGrants) KeyedSlices() map[string]any {
+	// Empty key because EmbeddedSlice appears at the root path of
+	// GrantsState (no "grants" prefix in struct walker paths).
+	return map[string]any{
+		"": grantKey,
+	}
+}
+
 func (r *ResourceGrants) DoRead(ctx context.Context, id string) (*GrantsState, error) {
 	securableType, fullName, err := parseGrantsID(id)
 	if err != nil {
@@ -174,9 +186,7 @@ func (r *ResourceGrants) listGrants(ctx context.Context, securableType, fullName
 }
 
 func sortPriviliges(privileges []catalog.Privilege) {
-	sort.Slice(privileges, func(i, j int) bool {
-		return privileges[i] < privileges[j]
-	})
+	slices.Sort(privileges)
 }
 
 func extractGrantResourceType(node string) (string, error) {
