Emit permission overlap warnings instead of discarding them

[simonfaltum]

Why

Found during a full-repo review of the CLI. When a bundle defines top-level permissions and a resource already has its own permission entry for the same user, group, or service principal, the bundle-level grant is skipped for that resource. The warnings explaining why the grant was skipped were computed but never shown (a TODO that predates logdiag), so users had no way to tell why a permission they configured did not get applied.

Changes

Before, the overlap warnings built in bundle/config/mutator/resourcemutator/apply_bundle_permissions.go were discarded; now they are logged via logdiag and show up in command output, for example:

Warning: 'jobs' already has permissions set for 'overlap@example.com' user name

The skip behavior itself is unchanged, only the warning is now visible. The stale TODO is replaced by the actual logging, and the existing TestWarningOnOverlapPermission unit test now asserts the warning is emitted.

Test plan

• Extended TestWarningOnOverlapPermission to assert exactly one warning with the expected summary is emitted
• Added acceptance test acceptance/bundle/validate/permissions_overlap with overlapping top-level and resource permissions, covering both the warning and the resulting permissions (both engines)
• Ran go test ./bundle/config/mutator/resourcemutator ./bundle/tests
• Ran permission-related acceptance subtrees (bundle/validate, bundle/resources/permissions, bundle/run_as, bundle/migrate, bundle/apps/job_permissions) to confirm no existing outputs change
• ./task fmt-q, ./task lint-q, ./task checks

This pull request and its description were written by Isaac.

[github-actions]

Approval status: pending

/acceptance/bundle/ - needs approval

4 files changed
Suggested: @janniklasrose
Also eligible: @denik, @andrewnester, @pietern, @anton-107, @shreyas-goenka, @lennartkats-db

/bundle/ - needs approval

Files: bundle/config/mutator/resourcemutator/apply_bundle_permissions.go, bundle/config/mutator/resourcemutator/apply_bundle_permissions_test.go
Suggested: @janniklasrose
Also eligible: @denik, @andrewnester, @pietern, @anton-107, @shreyas-goenka, @lennartkats-db

_{Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.}

[eng-dev-ecosystem-bot]

Integration test report

Commit: 5687fd9

Run: 27410877777

	Env	❌​FAIL	🔄​flaky	💚​RECOVERED	🙈​SKIP	✅​pass	🙈​skip	Time
💚​	aws linux			7	15	264	974	13:54
💚​	aws windows			7	15	266	972	9:47
💚​	aws-ucws linux			7	15	360	888	25:35
🔄​	aws-ucws windows		4	7	15	358	886	30:59
💚​	azure linux			1	17	267	972	11:38
💚​	azure windows			1	17	269	970	9:55
❌​	azure-ucws linux	3	2	1	17	360	884	27:23
💚​	azure-ucws windows			1	17	367	882	11:38
💚​	gcp linux			1	17	263	975	14:08
💚​	gcp windows			1	17	265	973	10:27

31 interesting tests: 15 SKIP, 7 RECOVERED, 6 flaky, 3 FAIL

	Test Name	aws linux	aws windows	aws-ucws linux	aws-ucws windows	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
💚​	TestAccept	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R
🔄​	TestAccept/bundle/deployment/bind/alert/DATABRICKS_BUNDLE_ENGINE=direct					✅​p	✅​p	🔄​f	✅​p	✅​p	✅​p
🔄​	TestAccept/bundle/deployment/bind/alert/DATABRICKS_BUNDLE_ENGINE=terraform					✅​p	✅​p	🔄​f	✅​p	✅​p	✅​p
🙈​	TestAccept/bundle/invariant/no_drift	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🔄​	TestAccept/bundle/resources/apps/inline_config	✅​p	✅​p	✅​p	🔄​f	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p
🔄​	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform	✅​p	✅​p	✅​p	🔄​f	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p
🙈​	TestAccept/bundle/resources/permissions	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
💚​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions	💚​R	💚​R	💚​R	💚​R	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
💚​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct	💚​R	💚​R	💚​R	💚​R
💚​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	💚​R	💚​R	💚​R	💚​R
💚​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions	💚​R	💚​R	💚​R	💚​R	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
💚​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct	💚​R	💚​R	💚​R	💚​R
💚​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	💚​R	💚​R	💚​R	💚​R
🙈​	TestAccept/bundle/resources/postgres_branches/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/recreate	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/replace_existing	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/update_protected	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/without_branch_id	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_endpoints/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_endpoints/recreate	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_projects/update_display_name	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/synced_database_tables/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_indexes/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_indexes/grants/select	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🔄​	TestAccept/bundle/run_as/job_default	✅​p	✅​p	✅​p	🔄​f	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p
🔄​	TestAccept/bundle/run_as/job_default/DATABRICKS_BUNDLE_ENGINE=direct	✅​p	✅​p	✅​p	🔄​f	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p
🙈​	TestAccept/ssh/connection	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
❌​	TestFetchRepositoryInfoAPI_FromRepo	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p	❌​F	✅​p	✅​p	✅​p
❌​	TestFetchRepositoryInfoAPI_FromRepo/root	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p	❌​F	✅​p	✅​p	✅​p
❌​	TestFetchRepositoryInfoAPI_FromRepo/subdir	✅​p	✅​p	✅​p	✅​p	✅​p	✅​p	❌​F	✅​p	✅​p	✅​p

Top 50 slowest tests (at least 2 minutes):

duration	env	testname
5:09	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
5:01	azure windows	TestAccept
4:59	gcp windows	TestAccept
4:56	azure-ucws windows	TestAccept
4:49	aws windows	TestAccept
4:35	aws-ucws linux	TestAccept/bundle/resources/alerts/with_file/DATABRICKS_BUNDLE_ENGINE=direct
4:34	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:26	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:24	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:21	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:17	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:09	aws-ucws linux	TestAccept/bundle/deploy/files/no-snapshot-sync/DATABRICKS_BUNDLE_ENGINE=terraform
4:00	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:52	aws-ucws windows	TestAccept/bundle/resources/jobs/check-metadata/DATABRICKS_BUNDLE_ENGINE=terraform
3:47	aws-ucws linux	TestAccept/bundle/deploy/files/no-snapshot-sync/DATABRICKS_BUNDLE_ENGINE=direct
3:40	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:39	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:39	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:39	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:32	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:26	azure-ucws linux	TestAccept/bundle/resources/model_serving_endpoints/basic/DATABRICKS_BUNDLE_ENGINE=terraform
3:19	azure-ucws linux	TestAccept/bundle/resources/jobs/check-metadata/DATABRICKS_BUNDLE_ENGINE=direct
3:18	azure-ucws linux	TestAccept/bundle/resources/model_serving_endpoints/basic/DATABRICKS_BUNDLE_ENGINE=direct
3:17	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:17	aws-ucws windows	TestAccept/bundle/resources/jobs/shared-root-path/DATABRICKS_BUNDLE_ENGINE=direct
3:15	azure-ucws linux	TestAccept/bundle/deploy/files/no-snapshot-sync/DATABRICKS_BUNDLE_ENGINE=terraform
3:05	aws-ucws windows	TestAccept/bundle/resources/model_serving_endpoints/basic/DATABRICKS_BUNDLE_ENGINE=terraform
3:02	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:00	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:55	aws-ucws linux	TestAccept/bundle/generate/auto-bind/DATABRICKS_BUNDLE_ENGINE=terraform
2:55	azure-ucws linux	TestLock
2:55	azure linux	TestAccept
2:54	aws-ucws windows	TestAccept/bundle/deploy/files/no-snapshot-sync/DATABRICKS_BUNDLE_ENGINE=terraform
2:52	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:51	aws-ucws linux	TestAccept/bundle/deployment/bind/job/generate-and-bind/DATABRICKS_BUNDLE_ENGINE=terraform
2:50	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:49	gcp linux	TestAccept
2:47	aws-ucws linux	TestAccept
2:45	azure-ucws linux	TestAccept/bundle/resources/volumes/recreate/DATABRICKS_BUNDLE_ENGINE=terraform
2:43	aws linux	TestAccept
2:41	aws-ucws windows	TestAccept/bundle/resources/volumes/recreate/DATABRICKS_BUNDLE_ENGINE=terraform
2:40	aws-ucws linux	TestAccept/bundle/destroy/jobs-and-pipeline/DATABRICKS_BUNDLE_ENGINE=direct
2:39	aws-ucws windows	TestFilerWorkspaceFilesExtensionsDelete
2:38	azure-ucws linux	TestFilerWorkspaceFilesExtensionsDelete
2:37	aws-ucws linux	TestFsCpDir/dbfs_to_dbfs
2:35	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:34	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:33	aws-ucws windows	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform
2:32	aws-ucws windows	TestAccept/bundle/run_as/job_default/DATABRICKS_BUNDLE_ENGINE=direct
2:30	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct