[BB-1771]Fix Grants (#33)

FeliLucero1 · web-flow · commit 86e1faaa1081 · 2025-11-28T10:48:58.000-03:00
diff --git a/pkg/connector/groups.go b/pkg/connector/groups.go
@@ -189,58 +189,65 @@ func (g *groupBuilder) Grants(ctx context.Context, resource *v2.Resource, pToken
 		return nil, "", nil, fmt.Errorf("databricks-connector: failed to parse group resource id: %w", err)
 	}
 
-	groupTrait, err := rs.GetGroupTrait(resource)
-	if err != nil {
-		return nil, "", nil, err
-	}
-
 	var workspaceId string
 	isWorkspaceGroup := parentId.ResourceType == workspaceResourceType.Id
 	if isWorkspaceGroup {
 		workspaceId = parentId.Resource
 	}
 
 	// membership grants
-	membersPayload, ok := rs.GetProfileStringValue(groupTrait.Profile, "members")
-	if ok {
-		members := strings.Split(membersPayload, ",")
-
-		for _, m := range members {
-			pp := strings.Split(m, "/")
-			if len(pp) != 2 {
-				return nil, "", nil, fmt.Errorf("databricks-connector: invalid member format of %s: %w", m, err)
-			}
+	// Always fetch the group with members attribute to ensure we get the members
+	// regardless of authentication type (OAuth vs personal access token)
+	group, rateLimitData, err := g.client.GetGroup(ctx, workspaceId, groupId.Resource, databricks.NewGroupAttrVars())
+	if err != nil {
+		return nil, "", nil, fmt.Errorf("databricks-connector: failed to get group %s: %w", groupId.Resource, err)
+	}
 
-			memberType, memberID := pp[0], pp[1]
-			var resourceId *v2.ResourceId
-			var anns []protoreflect.ProtoMessage
+	annos := annotations.Annotations{}
+	if rateLimitData != nil {
+		annos.WithRateLimiting(rateLimitData)
+	}
 
-			switch memberType {
-			case "Users":
-				resourceId = &v2.ResourceId{ResourceType: userResourceType.Id, Resource: memberID}
-			case "Groups":
-				rid, expandAnnotation, err := groupGrantExpansion(ctx, memberID, parentId)
-				if err != nil {
-					return rv, "", nil, err
-				}
-				resourceId = rid
-				anns = append(anns, expandAnnotation)
-			case "ServicePrincipals":
-				resourceId = &v2.ResourceId{ResourceType: servicePrincipalResourceType.Id, Resource: memberID}
-			default:
-				return nil, "", nil, fmt.Errorf("databricks-connector: invalid member type: %s", memberType)
-			}
+	for _, member := range group.Members {
+		// member.Ref contains the type and ID separated by "/", e.g., "Users/123" or "Groups/456"
+		pp := strings.Split(member.Ref, "/")
+		if len(pp) != 2 {
+			return nil, "", nil, fmt.Errorf("databricks-connector: invalid member format of %s", member.Ref)
+		}
+
+		memberType, memberID := pp[0], pp[1]
+		var resourceId *v2.ResourceId
+		var anns []protoreflect.ProtoMessage
 
-			rv = append(rv, grant.NewGrant(resource, groupMemberEntitlement, resourceId, grant.WithAnnotation(anns...)))
+		switch memberType {
+		case "Users":
+			resourceId = &v2.ResourceId{ResourceType: userResourceType.Id, Resource: memberID}
+		case "Groups":
+			rid, expandAnnotation, err := groupGrantExpansion(ctx, memberID, parentId)
+			if err != nil {
+				return rv, "", nil, err
+			}
+			resourceId = rid
+			anns = append(anns, expandAnnotation)
+		case "ServicePrincipals":
+			resourceId = &v2.ResourceId{ResourceType: servicePrincipalResourceType.Id, Resource: memberID}
+		default:
+			return nil, "", nil, fmt.Errorf("databricks-connector: invalid member type: %s", memberType)
 		}
+
+		rv = append(rv, grant.NewGrant(resource, groupMemberEntitlement, resourceId, grant.WithAnnotation(anns...)))
 	}
 
 	// role permissions grants
-	ruleSets, _, err := g.client.ListRuleSets(ctx, workspaceId, GroupsType, groupId.Resource)
+	ruleSets, rateLimitDataRuleSets, err := g.client.ListRuleSets(ctx, workspaceId, GroupsType, groupId.Resource)
 	if err != nil {
 		return nil, "", nil, fmt.Errorf("databricks-connector: failed to list role rule sets for group %s: %w", resource.Id.Resource, err)
 	}
 
+	if rateLimitDataRuleSets != nil {
+		annos.WithRateLimiting(rateLimitDataRuleSets)
+	}
+
 	for _, ruleSet := range ruleSets {
 		for _, p := range ruleSet.Principals {
 			resourceId, err := prepareResourceId(ctx, g.client, workspaceId, p)
@@ -261,7 +268,7 @@ func (g *groupBuilder) Grants(ctx context.Context, resource *v2.Resource, pToken
 		}
 	}
 
-	return rv, "", nil, nil
+	return rv, "", annos, nil
 }
 
 func (g *groupBuilder) Grant(ctx context.Context, principal *v2.Resource, entitlement *v2.Entitlement) (annotations.Annotations, error) {
@@ -306,7 +313,7 @@ func (g *groupBuilder) Grant(ctx context.Context, principal *v2.Resource, entitl
 	membershipEntitlementID := ent.NewEntitlementID(entitlement.Resource, groupMemberEntitlement)
 	managerEntitlementID := ent.NewEntitlementID(entitlement.Resource, groupManagerEntitlement)
 	if entitlement.Id == membershipEntitlementID {
-		group, _, err := g.client.GetGroup(ctx, workspaceId, groupId.Resource)
+		group, _, err := g.client.GetGroup(ctx, workspaceId, groupId.Resource, databricks.NewGroupAttrVars())
 		if err != nil {
 			return nil, fmt.Errorf("databricks-connector: failed to get group %s: %w", groupId.Resource, err)
 		}
@@ -449,7 +456,7 @@ func (g *groupBuilder) Revoke(ctx context.Context, grant *v2.Grant) (annotations
 	membershipEntitlementID := ent.NewEntitlementID(entitlement.Resource, groupMemberEntitlement)
 	managerEntitlementID := ent.NewEntitlementID(entitlement.Resource, groupManagerEntitlement)
 	if entitlement.Id == membershipEntitlementID {
-		group, _, err := g.client.GetGroup(ctx, workspaceId, groupId.Resource)
+		group, _, err := g.client.GetGroup(ctx, workspaceId, groupId.Resource, databricks.NewGroupAttrVars())
 		if err != nil {
 			return nil, fmt.Errorf("databricks-connector: failed to get group %s: %w", groupId.Resource, err)
 		}
diff --git a/pkg/connector/roles.go b/pkg/connector/roles.go
@@ -347,7 +347,7 @@ func (r *roleBuilder) Grant(ctx context.Context, principal *v2.Resource, entitle
 		}
 
 	case groupResourceType.Id:
-		g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource)
+		g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource, databricks.NewGroupRolesAttrVars())
 		if err != nil {
 			return nil, fmt.Errorf("databricks-connector: failed to get group: %w", err)
 		}
@@ -428,7 +428,7 @@ func (r *roleBuilder) Revoke(ctx context.Context, grant *v2.Grant) (annotations.
 		}
 
 	case groupResourceType.Id:
-		g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource)
+		g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource, databricks.NewGroupRolesAttrVars())
 		if err != nil {
 			return nil, fmt.Errorf("databricks-connector: failed to get group: %w", err)
 		}
diff --git a/pkg/databricks/client.go b/pkg/databricks/client.go
@@ -254,7 +254,7 @@ func (c *Client) ListGroups(
 	return res.Resources, res.Total, ratelimitData, nil
 }
 
-func (c *Client) GetGroup(ctx context.Context, workspaceId, groupId string) (
+func (c *Client) GetGroup(ctx context.Context, workspaceId, groupId string, vars ...Vars) (
 	*Group,
 	*v2.RateLimitDescription,
 	error,
@@ -267,7 +267,7 @@ func (c *Client) GetGroup(ctx context.Context, workspaceId, groupId string) (
 	}
 
 	var res *Group
-	ratelimitData, err := c.Get(ctx, u, &res)
+	ratelimitData, err := c.Get(ctx, u, &res, vars...)
 	if err != nil {
 		return nil, ratelimitData, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -347,7 +347,7 @@ func (r roleBuilder) Grant(ctx context.Context, principal v2.Resource, entitle`
`347`	`347`	`}`
`348`	`348`
`349`	`349`	`case groupResourceType.Id:`
`350`		`- g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource)`
	`350`	`+ g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource, databricks.NewGroupRolesAttrVars())`
`351`	`351`	`if err != nil {`
`352`	`352`	`return nil, fmt.Errorf("databricks-connector: failed to get group: %w", err)`
`353`	`353`	`}`
`@@ -428,7 +428,7 @@ func (r roleBuilder) Revoke(ctx context.Context, grant v2.Grant) (annotations.`
`428`	`428`	`}`
`429`	`429`
`430`	`430`	`case groupResourceType.Id:`
`431`		`- g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource)`
	`431`	`+ g, _, err := r.client.GetGroup(ctx, workspaceId, principal.Id.Resource, databricks.NewGroupRolesAttrVars())`
`432`	`432`	`if err != nil {`
`433`	`433`	`return nil, fmt.Errorf("databricks-connector: failed to get group: %w", err)`
`434`	`434`	`}`
Original file line number	Diff line number	Diff line change
`@@ -254,7 +254,7 @@ func (c *Client) ListGroups(`
`254`	`254`	`return res.Resources, res.Total, ratelimitData, nil`
`255`	`255`	`}`
`256`	`256`
`257`		`-func (c *Client) GetGroup(ctx context.Context, workspaceId, groupId string) (`
	`257`	`+func (c *Client) GetGroup(ctx context.Context, workspaceId, groupId string, vars ...Vars) (`
`258`	`258`	`*Group,`
`259`	`259`	`*v2.RateLimitDescription,`
`260`	`260`	`error,`
`@@ -267,7 +267,7 @@ func (c *Client) GetGroup(ctx context.Context, workspaceId, groupId string) (`
`267`	`267`	`}`
`268`	`268`
`269`	`269`	`var res *Group`
`270`		`- ratelimitData, err := c.Get(ctx, u, &res)`
	`270`	`+ ratelimitData, err := c.Get(ctx, u, &res, vars...)`
`271`	`271`	`if err != nil {`
`272`	`272`	`return nil, ratelimitData, err`
`273`	`273`	`}`