fix: Add project_id filter to SnowflakeRegistry UPDATE path#6243
Merged
ntkathole merged 3 commits intoApr 11, 2026
Merged
Conversation
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
Abhishek8108
force-pushed
the
fix/snowflake-registry-update-project-id-filter
branch
from
d1458cf to
7a9cf1f
Compare
ntkathole
force-pushed
the
fix/snowflake-registry-update-project-id-filter
branch
from
7a9cf1f to
13f6fc0
Compare
ntkathole
changed the title
Member
|
@Abhishek8108 please fix linting and if possible, consider adding test case for a cross-project isolation scenario. |
ntkathole
force-pushed
the
fix/snowflake-registry-update-project-id-filter
branch
from
51d24e1 to
97265a5
Compare
ntkathole
reviewed
Apr 11, 2026
| schema="PUBLIC", | ||
| account="test_account", | ||
| user="test_user", | ||
| password="test_password", |
Member
There was a problem hiding this comment.
Suggested change
| password="test_password", | |
| password="test_password", #pragma: allowlist secret |
to fix the ci
Contributor
Author
|
The Just pushed a fix for the |
ntkathole
approved these changes
Apr 11, 2026
_apply_object had a missing project_id clause in the UPDATE branch's WHERE condition. In a shared Snowflake registry, this allowed a feast apply in one project to silently overwrite a same-named object belonging to a different project. The SELECT path already scoped correctly by project_id. The DELETE path (_delete_object) also scoped correctly. This commit brings the UPDATE path in line with both. Fixes feast-dev#6208 Signed-off-by: Abhishek8108 <[email protected]>
…stry UPDATE - Reformat with-statement blocks to parenthesized form (ruff format) - Add test_apply_object_does_not_overwrite_sibling_project: simulates two projects sharing a registry, applies an object to project_b, and asserts the UPDATE WHERE clause is scoped to project_b and does not reference project_a — direct regression coverage for feast-dev#6208 Signed-off-by: Abhishek8108 <[email protected]>
Signed-off-by: Abhishek8108 <[email protected]>
ntkathole
force-pushed
the
fix/snowflake-registry-update-project-id-filter
branch
from
917148a to
2d7913a
Compare
franciscojavierarceo
pushed a commit
that referenced
this pull request
May 4, 2026
# [0.63.0](v0.62.0...v0.63.0) (2026-05-04) ### Bug Fixes * Add project filter to apply_data_source and delete_data_source (closes [#6206](#6206)) ([#6322](#6322)) ([96562c4](96562c4)) * Add project_id filter to SnowflakeRegistry UPDATE path ([#6243](#6243)) ([6658b71](6658b71)), closes [#6208](#6208) [#6208](#6208) * Add subprocess timeouts to prevent test_e2e_local hanging on Dask atexit handler ([3de6556](3de6556)) * Ambiguous truth value of array during materialization ([#6259](#6259)) ([d0c8984](d0c8984)) * Auto-detect GCS/S3 registry store when registry is passed as string ([#6260](#6260)) ([7ebcf03](7ebcf03)) * **bigquery:** Prefer query over table in get_table_query_string ([#6360](#6360)) ([77ed779](77ed779)), closes [#6200](#6200) * correct project_id scoping in get_user_metadata and delete_project ([0c469a7](0c469a7)) * disable Redis RDB persistence in test deployments ([44cd682](44cd682)) * Disable snowflake tests temporarily in CI ([#6356](#6356)) ([31d5a98](31d5a98)) * Filter empty SQL commands at execute_snowflake_statement call sites ([#6249](#6249)) ([92ffbb9](92ffbb9)) * Fix five bugs in milvus online store ([#6275](#6275)) ([212504b](212504b)) * Fix issue with apply feature view ([835cda8](835cda8)) * Fix streaming materialization for exotic sources with lazy UDF pipelines ([c07972d](c07972d)) * Handle missing features gracefully instead of panicking ([7d00b3a](7d00b3a)) * Harden informer cache with label selectors and memory optimizations ([#6242](#6242)) ([3f11356](3f11356)) * **helm:** Avoid nil pointer for metrics.enabled inside podAnnotations ([#6251](#6251)) ([c833f1a](c833f1a)) * Include git in feast server image ([fb03c46](fb03c46)) * Include StreamFeatureView in freshness metric ([#6269](#6269)) ([463f16c](463f16c)) * Pre-create S3A event log dir before SparkContext init ([#6317](#6317)) ([9feca77](9feca77)) * Remote Online Store Type Inference Error with All-NULL Columns ([#6063](#6063)) ([de67bdd](de67bdd)) * Remove selector with kustomize overlay using a JSON 6902 patch ([9107a43](9107a43)) * Resolve multiple bugs in SnowflakeRegistry and Snowflake connection handling ([#6315](#6315)) ([7e66a2e](7e66a2e)) * **spark:** BatchFeatureView with TransformationMode.PYTHON now reads all source columns ([a310eaf](a310eaf)) * **spark:** Use SELECT * when feature_name_columns is empty in pull_all_from_table_or_query ([e1b1d2d](e1b1d2d)) * Support pandas mode in feature builder and fix dask column extraction ([863315e](863315e)) * support SQL string as entity_df in RemoteOfflineStore.get_historical_features ([c559889](c559889)) * Wrap LocalOutputNode return value in ArrowTableValue for consist… ([#6286](#6286)) ([a16cd55](a16cd55)) ### Features * Add agent skills and Cursor/Claude rules for Feast development ([312eea3](312eea3)) * Add feature view versioning support to FAISS online store ([b36acb7](b36acb7)) * Add feature view versioning support to Redis and DynamoDB online stores ([#6257](#6257)) ([edf25af](edf25af)), closes [#6164](#6164) [#6163](#6163) * Add optional 'org' in feature view ([#6288](#6288)) ([#6301](#6301)) ([608b105](608b105)) * Add RaySource, to_ray_dataset first-class method, docs, and tests ([1c98157](1c98157)) * Add TLS support for Go Feature Server ([#6229](#6229)) ([28a58d0](28a58d0)) * Add Vector Search support to MongoDBOnlineStore ([#6344](#6344)) ([c102738](c102738)) * Add versioning support to Milvus online store ([#6330](#6330)) ([3268ced](3268ced)) * Addresses performance issues in the Redis online store ([2e50da0](2e50da0)) * Allow to set gpu for ray ([5580ab4](5580ab4)) * Bump redis-py version cap from <5 to <8 ([#6339](#6339)) ([9538180](9538180)) * Expose feature_server, materialization, and openlineage configuration via FeatureStore CRD ([ec6ecfd](ec6ecfd)) * Make online_write_batch_size configurable in MaterializationConfig ([#6268](#6268)) ([d41becf](d41becf)) * Make udf optional if agg defined ([#5689](#5689)) ([#6328](#6328)) ([f630056](f630056)) * MongoDB offline store ([#6138](#6138)) ([8eebad7](8eebad7)) * Optional input_schema for ODFV ([#6308](#6308)) ([#6312](#6312)) ([f08b4e8](f08b4e8)) * Provision minimal TokenReview RBAC for OIDC auth and add SSL error logging in token parser ([#6240](#6240)) ([dca57e8](dca57e8)) * **spark:** Add compute-on-read support for BatchFeatureView in get_… ([#6357](#6357)) ([630d9f8](630d9f8))
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #6208.
SnowflakeRegistry._apply_objecthad a missingproject_idclause in the UPDATE branch's WHERE condition. In a shared Snowflake registry, this allowed afeast applyin one project to silently overwrite a same-named object belonging to a different project.Root cause: The helper has two SQL branches:
WHERE project_id = '{project}' AND {id_field} = '{name}'project_id:WHERE {id_field} = '{name}'The fix brings the UPDATE path in line with the SELECT and DELETE paths, which already scoped by
project_idcorrectly.Impact: Affects all resource types routed through
_apply_object— entities, data sources, feature views, feature services, saved datasets, validation references, permissions, and infrastructure objects.Changes
sdk/python/feast/infra/registry/snowflake.py— addproject_id = '{project}' ANDto the UPDATE WHERE clause (one line)sdk/python/tests/unit/infra/registry/test_snowflake_registry.py— new regression test; mocks the Snowflake connection, drives_apply_objectinto the UPDATE path, and assertsproject_idappears in the WHERE clauseTest plan
pytest sdk/python/tests/unit/infra/registry/test_snowflake_registry.py -vpytest sdk/python/tests/unit/infra/registry/ -vWHERE project_id = '{project}' AND {id_field} = '{name}'