Conversation
… flow Remove the code path in _create_datasource_yamls that fetched data source configurations from Soda Cloud when dataset identifiers were provided. This was a security risk: users with only contract execution permissions could access datasource config details (hosts, ports, etc.) that should require MANAGE_DATASOURCES_AND_AGENTS permissions. Local flow (use_agent=False) now always requires a local --data-source config file. Agent flow continues to work as before — the agent provides its own config server-side. Changes: - Remove Cloud datasource config fetch block from _create_datasource_yamls - Tighten validate_verify_arguments to require --data-source in local flow even when --dataset is provided - Remove dead is_using_remote_datasource helper - Update error messages to guide users toward --data-source flag
Remove dataset_identifiers and soda_cloud_client parameters that became unused after removing the Cloud datasource config fetch. Update caller and tests accordingly.
|
LaurenDebruyn
approved these changes
Feb 26, 2026
Comment on lines
+220
to
+229
| """ | ||
| In the local flow (use_agent=False), _create_datasource_yamls | ||
| should NOT call fetch_data_source_configuration_for_dataset on the | ||
| SodaCloud client. Fetching datasource configs from Cloud in the local | ||
| flow is a security risk — it can expose host/connection info to users | ||
| who only have contract execution permissions. | ||
|
|
||
| When no local data source files are provided in local flow, it should | ||
| raise an error instead of fetching from Cloud. | ||
| """ |
There was a problem hiding this comment.
Curious -> is this the new standard in core for writing tests?
Contributor
Author
There was a problem hiding this comment.
new standard in what way? We are aiming for smaller tests, doing more unit testing so in that sense yeah, is that what you meant?
There was a problem hiding this comment.
haha no, I meant the large comments :D
Contributor
Author
There was a problem hiding this comment.
ah ok, that's just Claude explaining it and I kept it in - I kinda like it so that tests are even easier to read by humans 😅
There was a problem hiding this comment.
as long as Claude updates those comments, they are useful indeed ;)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remove the code path in _create_datasource_yamls that fetched data source configurations from Soda Cloud when dataset identifiers were provided. This was a security risk: users with only contract execution permissions could access datasource config details (hosts, ports, etc.) that should require MANAGE_DATASOURCES_AND_AGENTS permissions.
Local flow (use_agent=False) now always requires a local --data-source config file. Agent flow continues to work as before — the agent provides its own config server-side.
Changes:
Description
as per commit message
Checklist