Add a test for deleting already deleted job without permissions (#3922)

denik · web-flow · commit 269ec8294348 · 2025-11-14T10:36:37.000Z
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/databricks.yml.tmpl b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/databricks.yml.tmpl
@@ -0,0 +1,9 @@
+bundle:
+  name: test-bundle-$UNIQUE_NAME
+
+resources:
+  jobs:
+    foo:
+      permissions:
+        - service_principal_name: $CURRENT_USER_NAME
+          level: CAN_MANAGE
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy1.direct.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy1.direct.txt
@@ -0,0 +1,16 @@
+
+>>> musterr as-test-sp [CLI] bundle destroy --auto-approve
+Warn: cannot read resources.jobs.foo id="[NUMID]": User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+Warn: cannot read resources.jobs.foo.permissions id="/jobs/[NUMID]": [UUID] does not have Manage permissions on Job with ID: ElasticJobId([NUMID]). Please contact the owner or an administrator for access.
+The following resources will be deleted:
+  delete job foo
+
+All files and directories at the following location will be deleted: /Workspace/Users/[UUID]/.bundle/test-bundle-[UNIQUE_NAME]/default
+
+Error: cannot delete resources.jobs.foo: deleting id=[NUMID]: User [UUID] does not have Admin or Owner permissions on job [NUMID] (403 PERMISSION_DENIED)
+
+Endpoint: POST [DATABRICKS_URL]/api/2.2/jobs/delete
+HTTP Status: 403 Forbidden
+API error_code: PERMISSION_DENIED
+API message: User [UUID] does not have Admin or Owner permissions on job [NUMID]
+
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy1.terraform.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy1.terraform.txt
@@ -0,0 +1,12 @@
+
+>>> musterr as-test-sp [CLI] bundle destroy --auto-approve
+Error: exit status 1
+
+Error: cannot read job: User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+
+  with databricks_job.foo,
+  on bundle.tf.json line 27, in resource.databricks_job.foo:
+  27:       }
+
+
+
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy2.direct.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy2.direct.txt
@@ -0,0 +1,17 @@
+
+>>> errcode as-test-sp [CLI] bundle destroy --auto-approve
+Warn: cannot read resources.jobs.foo id="[NUMID]": User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+The following resources will be deleted:
+  delete job foo
+
+All files and directories at the following location will be deleted: /Workspace/Users/[UUID]/.bundle/test-bundle-[UNIQUE_NAME]/default
+
+Error: cannot delete resources.jobs.foo: deleting id=[NUMID]: User [UUID] does not have Admin or Owner permissions on job [NUMID] (403 PERMISSION_DENIED)
+
+Endpoint: POST [DATABRICKS_URL]/api/2.2/jobs/delete
+HTTP Status: 403 Forbidden
+API error_code: PERMISSION_DENIED
+API message: User [UUID] does not have Admin or Owner permissions on job [NUMID]
+
+
+Exit code: 1
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy2.terraform.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.destroy2.terraform.txt
@@ -0,0 +1,14 @@
+
+>>> errcode as-test-sp [CLI] bundle destroy --auto-approve
+Error: exit status 1
+
+Error: cannot read job: User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+
+  with databricks_job.foo,
+  on bundle.tf.json line 27, in resource.databricks_job.foo:
+  27:       }
+
+
+
+
+Exit code: 1
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.test.toml b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/out.test.toml
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/output.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/output.txt
@@ -0,0 +1,24 @@
+
+>>> cat take_ownership.json
+{
+  "access_control_list": [{"permission_level": "IS_OWNER", "service_principal_name": "[USERNAME]"}]
+}
+
+>>> as-test-sp [CLI] current-user me
+"deco-test-spn"
+
+>>> [CLI] bundle destroy --auto-approve
+No active deployment found to destroy!
+
+>>> as-test-sp [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[UUID]/.bundle/test-bundle-[UNIQUE_NAME]/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] permissions set jobs [NUMID] --json @take_ownership.json
+
+>>> [CLI] jobs delete [NUMID]
+
+>>> musterr [CLI] jobs get [NUMID]
+Error: Job [NUMID] does not exist.
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/script b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/script
@@ -0,0 +1,24 @@
+envsubst < databricks.yml.tmpl > databricks.yml
+envsubst < take_ownership.json.tmpl > take_ownership.json
+trace cat take_ownership.json
+
+trace as-test-sp $CLI current-user me | jq .displayName
+
+cleanup() {
+    trace $CLI bundle destroy --auto-approve
+}
+cleanup EXIT
+
+trace as-test-sp $CLI bundle deploy
+
+job_id=$($CLI bundle summary --output json | jq -r '.resources.jobs.foo.id')
+
+trace $CLI permissions set jobs $job_id --json @take_ownership.json > /dev/null
+
+trace musterr as-test-sp $CLI bundle destroy --auto-approve &> out.destroy1.$DATABRICKS_BUNDLE_ENGINE.txt
+
+trace $CLI jobs delete $job_id
+trace musterr $CLI jobs get $job_id
+
+# This shows that even if job is deleted, you still get permission error when trying to delete it.
+trace errcode as-test-sp $CLI bundle destroy --auto-approve &> out.destroy2.$DATABRICKS_BUNDLE_ENGINE.txt
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/take_ownership.json.tmpl b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/take_ownership.json.tmpl
@@ -0,0 +1,3 @@
+{
+  "access_control_list": [{"permission_level": "IS_OWNER", "service_principal_name": "$DATABRICKS_CLIENT_ID"}]
+}
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/test.toml b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/test.toml
@@ -0,0 +1,7 @@
+Local = false
+Cloud = true
+RecordRequests = false
+CloudEnvs.gcp = false
+CloudEnvs.azure = false
+
+Ignore = ["take_ownership.json", "databricks.yml"]
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/databricks.yml.tmpl b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/databricks.yml.tmpl
@@ -0,0 +1,6 @@
+bundle:
+  name: test-bundle-$UNIQUE_NAME
+
+resources:
+  jobs:
+    foo: {}
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy1.direct.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy1.direct.txt
@@ -0,0 +1,15 @@
+
+>>> musterr as-test-sp [CLI] bundle destroy --auto-approve
+Warn: cannot read resources.jobs.foo id="[NUMID]": User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+The following resources will be deleted:
+  delete job foo
+
+All files and directories at the following location will be deleted: /Workspace/Users/[UUID]/.bundle/test-bundle-[UNIQUE_NAME]/default
+
+Error: cannot delete resources.jobs.foo: deleting id=[NUMID]: User [UUID] does not have Admin or Owner permissions on job [NUMID] (403 PERMISSION_DENIED)
+
+Endpoint: POST [DATABRICKS_URL]/api/2.2/jobs/delete
+HTTP Status: 403 Forbidden
+API error_code: PERMISSION_DENIED
+API message: User [UUID] does not have Admin or Owner permissions on job [NUMID]
+
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy1.terraform.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy1.terraform.txt
@@ -0,0 +1,12 @@
+
+>>> musterr as-test-sp [CLI] bundle destroy --auto-approve
+Error: exit status 1
+
+Error: cannot read job: User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+
+  with databricks_job.foo,
+  on bundle.tf.json line 27, in resource.databricks_job.foo:
+  27:       }
+
+
+
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy2.direct.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy2.direct.txt
@@ -0,0 +1,17 @@
+
+>>> errcode as-test-sp [CLI] bundle destroy --auto-approve
+Warn: cannot read resources.jobs.foo id="[NUMID]": User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+The following resources will be deleted:
+  delete job foo
+
+All files and directories at the following location will be deleted: /Workspace/Users/[UUID]/.bundle/test-bundle-[UNIQUE_NAME]/default
+
+Error: cannot delete resources.jobs.foo: deleting id=[NUMID]: User [UUID] does not have Admin or Owner permissions on job [NUMID] (403 PERMISSION_DENIED)
+
+Endpoint: POST [DATABRICKS_URL]/api/2.2/jobs/delete
+HTTP Status: 403 Forbidden
+API error_code: PERMISSION_DENIED
+API message: User [UUID] does not have Admin or Owner permissions on job [NUMID]
+
+
+Exit code: 1
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy2.terraform.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.destroy2.terraform.txt
@@ -0,0 +1,14 @@
+
+>>> errcode as-test-sp [CLI] bundle destroy --auto-approve
+Error: exit status 1
+
+Error: cannot read job: User [UUID] does not have View or Admin or Manage Run or Owner permissions on job [NUMID]
+
+  with databricks_job.foo,
+  on bundle.tf.json line 27, in resource.databricks_job.foo:
+  27:       }
+
+
+
+
+Exit code: 1
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.test.toml b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/out.test.toml
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/output.txt b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/output.txt
@@ -0,0 +1,24 @@
+
+>>> cat take_ownership.json
+{
+  "access_control_list": [{"permission_level": "IS_OWNER", "service_principal_name": "[USERNAME]"}]
+}
+
+>>> as-test-sp [CLI] current-user me
+"deco-test-spn"
+
+>>> [CLI] bundle destroy --auto-approve
+No active deployment found to destroy!
+
+>>> as-test-sp [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[UUID]/.bundle/test-bundle-[UNIQUE_NAME]/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] permissions set jobs [NUMID] --json @take_ownership.json
+
+>>> [CLI] jobs delete [NUMID]
+
+>>> musterr [CLI] jobs get [NUMID]
+Error: Job [NUMID] does not exist.
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/script b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/script
@@ -0,0 +1,24 @@
+envsubst < databricks.yml.tmpl > databricks.yml
+envsubst < take_ownership.json.tmpl > take_ownership.json
+trace cat take_ownership.json
+
+trace as-test-sp $CLI current-user me | jq .displayName
+
+cleanup() {
+    trace $CLI bundle destroy --auto-approve
+}
+cleanup EXIT
+
+trace as-test-sp $CLI bundle deploy
+
+job_id=$($CLI bundle summary --output json | jq -r '.resources.jobs.foo.id')
+
+trace $CLI permissions set jobs $job_id --json @take_ownership.json > /dev/null
+
+trace musterr as-test-sp $CLI bundle destroy --auto-approve &> out.destroy1.$DATABRICKS_BUNDLE_ENGINE.txt
+
+trace $CLI jobs delete $job_id
+trace musterr $CLI jobs get $job_id
+
+# This shows that even if job is deleted, you still get permission error when trying to delete it.
+trace errcode as-test-sp $CLI bundle destroy --auto-approve &> out.destroy2.$DATABRICKS_BUNDLE_ENGINE.txt
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/take_ownership.json.tmpl b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/take_ownership.json.tmpl
@@ -0,0 +1,3 @@
+{
+  "access_control_list": [{"permission_level": "IS_OWNER", "service_principal_name": "$DATABRICKS_CLIENT_ID"}]
+}
diff --git a/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/test.toml b/acceptance/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/test.toml
@@ -0,0 +1,7 @@
+Local = false
+Cloud = true
+RecordRequests = false
+CloudEnvs.gcp = false
+CloudEnvs.azure = false
+
+Ignore = ["take_ownership.json", "databricks.yml"]
diff --git a/acceptance/script.prepare b/acceptance/script.prepare
@@ -107,3 +107,16 @@ sethome() {
     # For Windows, use USERPROFILE.
     export USERPROFILE="$home"
 }
+
+as-test-sp() {
+    if [[ -z "$TEST_SP_TOKEN" ]]; then
+        echo "Error: TEST_SP_TOKEN is not set." >&2
+        return 1
+    fi
+
+    DATABRICKS_TOKEN="$TEST_SP_TOKEN" \
+    DATABRICKS_CLIENT_SECRET="" \
+    DATABRICKS_CLIENT_ID="" \
+    DATABRICKS_AUTH_TYPE="" \
+    "$@"
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ "access_control_list": [{"permission_level": "IS_OWNER", "service_principal_name": "$DATABRICKS_CLIENT_ID"}]`
	`3`	`+}`