feat(playground): add files policy test harness #308
Merged
MarioCadenas merged 2 commits into main on Apr 22, 2026
Turn the dev-playground's single `default` volume into seven logical volumes, each exercising one shape of the new `FilePolicy` system: allow_all, public_read, deny_all, sp_only, admin_only (gated on ADMIN_USER_ID), write_only, and a policy-less `implicit` volume that exercises the new publicRead() default plus its startup warning. All seven keys bind to the same UC volume in app.yaml; policies are evaluated in-process, so a shared physical path is sufficient.

Adds a `/policy-matrix` page that probes every (volume × action) pair against the real HTTP routes and classifies each result:
- 2xx    policy passed, op succeeded
- 404    policy passed, probe target missing
- 403    policy denied
- other  error

A "Run all" button seeds a probe file via upload on each volume first, so reads return real content where policy allows writes.

Also adds three server helpers:
- GET /whoami      echoes x-forwarded-user + admin status
- GET /policy/sp   programmatic SP-path smoke test
- GET /policy/obo  programmatic OBO-path smoke test

Both smoke endpoints confirm PolicyDeniedError propagates from the SDK path (not just HTTP 403).

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>

First deploy of the playground crashed because three env bindings were
missing from app.yaml, causing appkit's runtime resource validation
to fail:
- DATABRICKS_GENIE_SPACE_ID (genie plugin manifest)
- DATABRICKS_SERVING_ENDPOINT_NAME (serving plugin manifest)
- DATABRICKS_VOLUME_FILES (files plugin static manifest — kept
  alongside the dynamic per-volume bindings added by the test harness)
Also drops DATABRICKS_VS_INDEX_NAME since the vector-search plugin is
commented out in server/index.ts; binding it made the Databricks Apps
runtime spam "resource vs-index not found" errors.
Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
87669f6 to 43b2383
atilafassina approved these changes Apr 22, 2026
Summary

Stacks on top of `files/service-principal-policies` to turn the dev-playground into a live test harness for the new `FilePolicy` system. Lets us deploy the app and visually verify every policy shape works end-to-end against a real Databricks workspace — something that's hard to prove in unit tests because HTTP routes always run as the SP while policies read `x-forwarded-user`.

One volume per policy shape, all bound to the same underlying UC volume in `app.yaml` (policies are evaluated in-process, so the shared physical path is fine):

- `allow_all`: `allowAll()`
- `public_read`: `publicRead()`
- `deny_all`: `denyAll()`
- `sp_only`: `any(isServicePrincipal, publicRead())`
- `admin_only`: `ADMIN_USER_ID` `FilePolicy` with real user IDs
- `write_only`: `not(publicRead())`
- `implicit`

`/policy-matrix` page probes every (volume × action) pair against the real HTTP routes and classifies each result as `allowed` (2xx), `allowed*` (404 — policy passed, probe file missing), `denied` (403), or `error`. A "Run all" button seeds a probe file per volume via upload first, so reads return real content where policy allows writes.

Three server helpers:

- `GET /whoami` — echoes `x-forwarded-user` + admin status (for debugging the auth proxy in the deployed app)
- `GET /policy/sp` — programmatic SP-path smoke test, confirms `PolicyDeniedError` propagates from the SDK (not just HTTP 403)
- `GET /policy/obo` — same but via `asUser(req)`, confirms the OBO path sees the user identity and gets denied as expected

Test plan

- `DATABRICKS_VOLUME_*` env vars in `apps/dev-playground/.env` (all pointing at the same UC volume is fine); `pnpm dev`; open `/policy-matrix`; Run all. Expected pattern: `deny_all` all 403, `allow_all` all 2xx, `write_only` reads 403 / writes 2xx, etc.
- `pnpm deploy:playground`; optionally add `ADMIN_USER_ID` to `app.yaml` to exercise the admin path. Verify `x-forwarded-user` is forwarded by hitting `/whoami`.
- `/policy/sp` returns `denied: true` with `PolicyDeniedError` message for `deny_all` / `write_only` entries.
- `/policy/obo` returns `denied: true` for `deny_all`, `allowed` for `public_read.list` and `sp_only.list`.
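
The seven policy shapes and the four result classes described above, modelled in-process as an added example (not code from this PR or from appkit). The `Policy` and `Caller` types, the action names, the read/write split, the `resolve` and `probeStatus` helpers and the `ADMIN_USER_ID` value are assumptions; only the combinator names, the volume keys and the status classification come from the page.

```typescript
// Added model: types, action names and the read/write split are assumptions,
// not appkit's real FilePolicy API.
type Action = "list" | "read" | "upload" | "delete";
type Caller = { userId?: string; isServicePrincipal: boolean };
type Policy = (action: Action, caller: Caller) => boolean;
type Verdict = "allowed" | "allowed*" | "denied" | "error";
const ACTIONS: Action[] = ["list", "read", "upload", "delete"];
const isRead = (a: Action): boolean => a === "list" || a === "read";

const allowAll = (): Policy => () => true;
const denyAll = (): Policy => () => false;
const publicRead = (): Policy => (a) => isRead(a);
const any = (...ps: Policy[]): Policy => (a, c) => ps.some((p) => p(a, c));
const not = (p: Policy): Policy => (a, c) => !p(a, c);
const isServicePrincipal: Policy = (_a, c) => c.isServicePrincipal;
const ADMIN_USER_ID = "admin-1"; // constructed value
const warnings: string[] = [];
// A volume registered without a policy falls back to publicRead() and warns.
function resolve(key: string, policy?: Policy): Policy {
  if (policy) return policy;
  warnings.push(`volume "${key}": no policy set, defaulting to publicRead()`);
  return publicRead();
}
const volumes: Record<string, Policy> = {
  allow_all: allowAll(),
  public_read: publicRead(),
  deny_all: denyAll(),
  sp_only: any(isServicePrincipal, publicRead()),
  admin_only: (_a, c) => c.userId === ADMIN_USER_ID,
  write_only: not(publicRead()),
  implicit: resolve("implicit"),
};

// The policy check runs before the file lookup, so 404 implies the policy passed.
function probeStatus(key: string, a: Action, c: Caller, seeded: boolean): number {
  const policy = volumes[key];
  if (!policy) return 500;
  if (!policy(a, c)) return 403;
  return isRead(a) && !seeded ? 404 : 200;
}
function classify(status: number): Verdict {
  if (status >= 200 && status < 300) return "allowed";
  return status === 404 ? "allowed*" : status === 403 ? "denied" : "error";
}
function runMatrix(c: Caller, seeded: boolean): Record<string, Verdict[]> {
  const out: Record<string, Verdict[]> = {};
  for (const k of Object.keys(volumes)) out[k] = ACTIONS.map((a) => classify(probeStatus(k, a, c, seeded)));
  return out;
}
```

Each row of `runMatrix` is ordered list, read, upload, delete. Running it once with a user caller and once with a service-principal caller shows the difference on `sp_only` that the `/policy/sp` and `/policy/obo` helpers check.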