Add per-engine grants request logging to duplicate grant tests

denik · denik · commit cbfc4d38409d · 2026-03-20T18:54:13.000+01:00
Show the actual PATCH requests to the permissions endpoint for each engine,
making the differences visible (e.g. direct sends ALL_PRIVILEGES in both
Add and Remove, terraform sends clean requests).

Co-authored-by: Isaac
diff --git a/acceptance/bundle/resources/grants/schemas/all_privileges/out.requests.direct.txt b/acceptance/bundle/resources/grants/schemas/all_privileges/out.requests.direct.txt
@@ -0,0 +1,17 @@
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "ALL_PRIVILEGES"
+        ],
+        "principal": "deco-test-user@databricks.com",
+        "remove": [
+          "ALL_PRIVILEGES"
+        ]
+      }
+    ]
+  }
+}
diff --git a/acceptance/bundle/resources/grants/schemas/all_privileges/out.requests.terraform.txt b/acceptance/bundle/resources/grants/schemas/all_privileges/out.requests.terraform.txt
@@ -0,0 +1,26 @@
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "ALL_PRIVILEGES"
+        ],
+        "principal": "deco-test-user@databricks.com"
+      }
+    ]
+  }
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
diff --git a/acceptance/bundle/resources/grants/schemas/all_privileges/script b/acceptance/bundle/resources/grants/schemas/all_privileges/script
@@ -2,9 +2,11 @@ envsubst < databricks.yml.tmpl > databricks.yml
 
 cleanup() {
     trace $CLI bundle destroy --auto-approve
+    rm -f out.requests.txt
 }
 trap cleanup EXIT
 
 # The direct engine puts ALL_PRIVILEGES in both the Add and Remove lists in the PATCH request,
 # which the backend rejects with "Duplicate privileges to add and delete".
 $CLI bundle deploy > out.deploy.$DATABRICKS_BUNDLE_ENGINE.txt 2>&1 || true
+print_requests.py --get //permissions --keep > out.requests.$DATABRICKS_BUNDLE_ENGINE.txt
diff --git a/acceptance/bundle/resources/grants/schemas/all_privileges/test.toml b/acceptance/bundle/resources/grants/schemas/all_privileges/test.toml
@@ -1,2 +1,2 @@
 Badness = "direct engine fails: applyGrants() puts ALL_PRIVILEGES in both Add and Remove lists"
-RecordRequests = false
+RecordRequests = true
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_principals/out.requests.direct.txt b/acceptance/bundle/resources/grants/schemas/duplicate_principals/out.requests.direct.txt
@@ -0,0 +1,26 @@
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "CREATE_TABLE"
+        ],
+        "principal": "deco-test-user@databricks.com",
+        "remove": [
+          "ALL_PRIVILEGES"
+        ]
+      },
+      {
+        "add": [
+          "CREATE_TABLE"
+        ],
+        "principal": "deco-test-user@databricks.com",
+        "remove": [
+          "ALL_PRIVILEGES"
+        ]
+      }
+    ]
+  }
+}
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_principals/out.requests.terraform.txt b/acceptance/bundle/resources/grants/schemas/duplicate_principals/out.requests.terraform.txt
@@ -0,0 +1,26 @@
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "CREATE_TABLE"
+        ],
+        "principal": "deco-test-user@databricks.com"
+      }
+    ]
+  }
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_principals/script b/acceptance/bundle/resources/grants/schemas/duplicate_principals/script
@@ -2,9 +2,11 @@ envsubst < databricks.yml.tmpl > databricks.yml
 
 cleanup() {
     trace $CLI bundle destroy --auto-approve
+    rm -f out.requests.txt
 }
 trap cleanup EXIT
 
 # Same principal listed twice with the same privilege.
 trace $CLI bundle deploy
+print_requests.py --get //permissions --keep > out.requests.$DATABRICKS_BUNDLE_ENGINE.txt
 trace $CLI bundle plan > out.plan.$DATABRICKS_BUNDLE_ENGINE.txt 2>&1
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_principals/test.toml b/acceptance/bundle/resources/grants/schemas/duplicate_principals/test.toml
@@ -1,2 +1,2 @@
 Badness = "direct engine shows drift after deploy when same principal is listed twice with same privilege"
-RecordRequests = false
+RecordRequests = true
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_privileges/out.requests.direct.txt b/acceptance/bundle/resources/grants/schemas/duplicate_privileges/out.requests.direct.txt
@@ -0,0 +1,18 @@
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "CREATE_TABLE",
+          "CREATE_TABLE"
+        ],
+        "principal": "deco-test-user@databricks.com",
+        "remove": [
+          "ALL_PRIVILEGES"
+        ]
+      }
+    ]
+  }
+}
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_privileges/out.requests.terraform.txt b/acceptance/bundle/resources/grants/schemas/duplicate_privileges/out.requests.terraform.txt
@@ -0,0 +1,26 @@
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "CREATE_TABLE"
+        ],
+        "principal": "deco-test-user@databricks.com"
+      }
+    ]
+  }
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_privileges/script b/acceptance/bundle/resources/grants/schemas/duplicate_privileges/script
@@ -2,9 +2,11 @@ envsubst < databricks.yml.tmpl > databricks.yml
 
 cleanup() {
     trace $CLI bundle destroy --auto-approve
+    rm -f out.requests.txt
 }
 trap cleanup EXIT
 
 # Same privilege listed twice for the same principal in a single entry.
 trace $CLI bundle deploy
+print_requests.py --get //permissions --keep > out.requests.$DATABRICKS_BUNDLE_ENGINE.txt
 trace $CLI bundle plan > out.plan.$DATABRICKS_BUNDLE_ENGINE.txt 2>&1
diff --git a/acceptance/bundle/resources/grants/schemas/duplicate_privileges/test.toml b/acceptance/bundle/resources/grants/schemas/duplicate_privileges/test.toml
@@ -1,2 +1,2 @@
 Badness = "direct engine shows drift after deploy when same privilege is listed twice for same principal"
-RecordRequests = false
+RecordRequests = true

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`Badness = "direct engine fails: applyGrants() puts ALL_PRIVILEGES in both Add and Remove lists"`
`2`		`-RecordRequests = false`
	`2`	`+RecordRequests = true`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`Badness = "direct engine shows drift after deploy when same principal is listed twice with same privilege"`
`2`		`-RecordRequests = false`
	`2`	`+RecordRequests = true`