@iammuntazirali
Description

Fixes #4394

This PR refines the run_as validation for dashboards. Previously, all dashboards were rejected when the bundle's run_as identity differed from the deployment user. Now, only dashboards with embed_credentials: true are rejected, as those embed the owner's credentials for query execution.

Dashboards with embed_credentials: false (the default) don't embed owner credentials - queries run under the viewer's credentials instead. Therefore, the run_as setting is irrelevant for these dashboards and they should be allowed.

Changes

  • Modified validateRunAs() in run_as.go to iterate over dashboards and only reject those with embed_credentials: true
  • Updated the error message to be more specific about the embed_credentials requirement
  • Added dashboards to the allowList in tests since they're now conditionally allowed
  • Added unit tests for both the error case (embed_credentials: true) and success case (embed_credentials: false)
  • Added acceptance tests in run_as/dashboard_embed_credentials/ and run_as/dashboard_no_embed/

Why

The previous behavior was overly restrictive. According to the run_as documentation, run_as semantics apply to resources that execute code on behalf of a user. Dashboards with embed_credentials: false don't embed the owner's credentials for query execution - they run queries using the viewer's credentials. This means run_as is irrelevant for such dashboards, and blocking deployment was unnecessarily preventing valid use cases.

Tests

  • Added TestRunAsErrorForDashboardsWithEmbedCredentials - verifies dashboards with embed_credentials: true still fail validation
  • Added TestRunAsAllowsDashboardsWithoutEmbedCredentials - verifies dashboards with embed_credentials: false pass validation
  • Added acceptance tests in acceptance/bundle/run_as/dashboard_embed_credentials/ and acceptance/bundle/run_as/dashboard_no_embed/

Run tests with:

@github-actions
An authorized user can trigger integration tests manually by following the instructions below:

Trigger:
go/deco-tests-run/cli

Inputs:

  • PR number: 4408
  • Commit SHA: a87e364762680a81ce2d04ebf4d46417c09b0a0c

Checks will be approved automatically on success.
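
The rule from the PR description, as an added Go example that is not part of the PR or the project's code: a dashboard is rejected only when `run_as` differs from the deploying identity and the dashboard embeds the owner's credentials. The `Dashboard` and `Bundle` types, the `CheckDashboardRunAs` function and the sample identities are hypothetical stand-ins, not the project's own definitions.

```go
package main

import (
	"fmt"
	"sort"
)

// Dashboard is a hypothetical, simplified stand-in for a bundle dashboard.
type Dashboard struct {
	EmbedCredentials bool // mirrors embed_credentials; false is the default
}

// Bundle is a hypothetical, simplified bundle: deployer, run_as, dashboards.
type Bundle struct {
	DeployUser string
	RunAs      string // empty means run_as is not set
	Dashboards map[string]Dashboard
}

// CheckDashboardRunAs returns one error per dashboard that would embed the
// owner's credentials while run_as differs from the deploying identity.
func CheckDashboardRunAs(b Bundle) []error {
	if b.RunAs == "" || b.RunAs == b.DeployUser {
		return nil // same identity: nothing to reject
	}
	keys := make([]string, 0, len(b.Dashboards))
	for k := range b.Dashboards {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic error order
	var errs []error
	for _, k := range keys {
		// Viewer-credential dashboards (embed_credentials: false) pass.
		if b.Dashboards[k].EmbedCredentials {
			errs = append(errs, fmt.Errorf(
				"dashboard %q: embed_credentials is true but run_as (%s) differs from deployment user (%s)",
				k, b.RunAs, b.DeployUser))
		}
	}
	return errs
}

func main() {
	// Constructed sample bundle with one dashboard of each kind.
	b := Bundle{DeployUser: "deployer@example.com", RunAs: "svc@example.com",
		Dashboards: map[string]Dashboard{"viewer_creds": {}, "owner_creds": {EmbedCredentials: true}}}
	for _, err := range CheckDashboardRunAs(b) {
		fmt.Println(err)
	}
}
```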

Development

Successfully merging this pull request may close these issues.

Dashboard owner/run_as conflict