SNOW-2161716: Fix config file permissions check and skip warning using env variable (#2488)

Co-authored-by: Maxim Mishchenko <[email protected]>

Author: sfc-gh-gmerticariu

DESCRIPTION.md

@@ -7,6 +7,10 @@ https://docs.snowflake.com/
 Source code is also available at: https://github.com/snowflakedb/snowflake-connector-python
 
 # Release Notes
+- v3.18(TBD)
+  - Enhanced configuration file permission warning messages.
+    - Improved warning messages for readable permission issues to include clear instructions on how to skip warnings using the `SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE` environment variable.
+
 - v3.17.2(August 23,2025)
   - Fixed a bug where platform_detection was retrying failed requests with warnings to non-existent endpoints.
   - Added disabling endpoint-based platform detection by setting `platform_detection_timeout_seconds` to zero.

src/snowflake/connector/config_manager.py

@@ -29,6 +29,14 @@
 READABLE_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH
 
 
+SKIP_WARNING_ENV_VAR = "SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE"
+
+
+def _should_skip_warning_for_read_permissions_on_config_file() -> bool:
+    """Check if the warning should be skipped based on environment variable."""
+    return os.getenv(SKIP_WARNING_ENV_VAR, "false").lower() == "true"
+
+
 class ConfigSliceOptions(NamedTuple):
     """Class that defines settings individual configuration files."""
 
@@ -329,6 +337,7 @@ def read_config(
                 )
                 continue
 
+            # Check for readable by others or wrong ownership - this should warn
             if (
                 not IS_WINDOWS  # Skip checking on Windows
                 and sliceoptions.check_permissions  # Skip checking if this file couldn't hold sensitive information
@@ -342,9 +351,10 @@ def read_config(
                     and filep.stat().st_uid != os.getuid()
                 )
             ):
-                chmod_message = f'.\n * To change owner, run `chown $USER "{str(filep)}"`.\n * To restrict permissions, run `chmod 0600 "{str(filep)}"`.\n'
+                chmod_message = f'.\n * To change owner, run `chown $USER "{str(filep)}"`.\n * To restrict permissions, run `chmod 0600 "{str(filep)}"`.\n * To skip this warning, set environment variable {SKIP_WARNING_ENV_VAR}=true.\n'
 
-                warn(f"Bad owner or permissions on {str(filep)}{chmod_message}")
+                if not _should_skip_warning_for_read_permissions_on_config_file():
+                    warn(f"Bad owner or permissions on {str(filep)}{chmod_message}")
             LOGGER.debug(f"reading configuration file from {str(filep)}")
             try:
                 read_config_piece = tomlkit.parse(filep.read_text())

test/unit/test_configmanager.py

@@ -567,7 +567,7 @@ def test_warn_config_file_owner(tmp_path, monkeypatch):
         assert (
             str(c[0].message)
             == f"Bad owner or permissions on {str(c_file)}"
-            + f'.\n * To change owner, run `chown $USER "{str(c_file)}"`.\n * To restrict permissions, run `chmod 0600 "{str(c_file)}"`.\n'
+            + f'.\n * To change owner, run `chown $USER "{str(c_file)}"`.\n * To restrict permissions, run `chmod 0600 "{str(c_file)}"`.\n * To skip this warning, set environment variable SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE=true.\n'
         )
 
 
@@ -587,7 +587,7 @@ def test_warn_config_file_permissions(tmp_path):
     with warnings.catch_warnings(record=True) as c:
         assert c1["b"] is True
     assert len(c) == 1
-    chmod_message = f'.\n * To change owner, run `chown $USER "{str(c_file)}"`.\n * To restrict permissions, run `chmod 0600 "{str(c_file)}"`.\n'
+    chmod_message = f'.\n * To change owner, run `chown $USER "{str(c_file)}"`.\n * To restrict permissions, run `chmod 0600 "{str(c_file)}"`.\n * To skip this warning, set environment variable SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE=true.\n'
     assert (
         str(c[0].message)
         == f"Bad owner or permissions on {str(c_file)}" + chmod_message
@@ -639,6 +639,30 @@ def test_log_debug_config_file_parent_dir_permissions(tmp_path, caplog):
     shutil.rmtree(tmp_dir)
 
 
+@pytest.mark.skipif(IS_WINDOWS, reason="chmod doesn't work on Windows")
+def test_skip_warning_config_file_permissions(tmp_path, monkeypatch):
+    c_file = tmp_path / "config.toml"
+    c1 = ConfigManager(file_path=c_file, name="root_parser")
+    c1.add_option(name="b", parse_str=lambda e: e.lower() == "true")
+    c_file.write_text(
+        dedent(
+            """\
+            b = true
+            """
+        )
+    )
+    # Make file readable by others (would normally trigger warning)
+    c_file.chmod(stat.S_IMODE(c_file.stat().st_mode) | stat.S_IROTH)
+
+    with monkeypatch.context() as m:
+        # Set environment variable to skip warning
+        m.setenv("SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE", "true")
+        with warnings.catch_warnings(record=True) as c:
+            assert c1["b"] is True
+        # Should have no warnings when skip is enabled
+        assert len(c) == 0
+
+
 def test_configoption_missing_root_manager():
     with pytest.raises(
         TypeError,