Support clusters in bundle-level permissions (#3916)

## Why
Seems like a gap - users expect at least CAN_MANAGE at target level to
apply to clusters as well.

## Tests
New acceptance test.

Author: denik

acceptance/bundle/resources/permissions/clusters/target/databricks.yml

@@ -0,0 +1,21 @@
+targets:
+  dev:
+    mode: development
+    default: true
+    permissions:
+      - level: CAN_VIEW
+        service_principal_name: 6a6ffa73-af58-4f47-94cd-bed9ffcc1234
+      - level: CAN_RUN
+        service_principal_name: 6a6ffa73-af58-4f47-94cd-bed9ffcc3456
+      - level: CAN_MANAGE
+        service_principal_name: 6a6ffa73-af58-4f47-94cd-bed9ffcc4567
+      - level: CAN_RUN
+        user_name: [email protected]
+
+resources:
+  clusters:
+    cluster1:
+      cluster_name: test-cluster
+      spark_version: 15.4.x-scala2.12
+      node_type_id: i3.xlarge
+      num_workers: 1

acceptance/bundle/resources/permissions/clusters/target/out.requests.direct.json

@@ -0,0 +1,38 @@
+{
+  "method": "POST",
+  "path": "/api/2.1/clusters/create",
+  "body": {
+    "autotermination_minutes": 60,
+    "cluster_name": "[dev [USERNAME]] test-cluster",
+    "custom_tags": {
+      "dev": "[USERNAME]"
+    },
+    "node_type_id": "[NODE_TYPE_ID]",
+    "num_workers": 1,
+    "spark_version": "15.4.x-scala2.12"
+  }
+}
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/clusters/[UUID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "CAN_ATTACH_TO",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "permission_level": "CAN_RESTART",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "user_name": "[USERNAME]"
+      }
+    ]
+  }
+}

acceptance/bundle/resources/permissions/clusters/target/out.requests.terraform.json

@@ -0,0 +1,38 @@
+{
+  "method": "POST",
+  "path": "/api/2.1/clusters/create",
+  "body": {
+    "autotermination_minutes": 60,
+    "cluster_name": "[dev [USERNAME]] test-cluster",
+    "custom_tags": {
+      "dev": "[USERNAME]"
+    },
+    "node_type_id": "[NODE_TYPE_ID]",
+    "num_workers": 1,
+    "spark_version": "15.4.x-scala2.12"
+  }
+}
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/clusters/[UUID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "CAN_MANAGE",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "permission_level": "CAN_ATTACH_TO",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "permission_level": "CAN_RESTART",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "user_name": "[USERNAME]"
+      }
+    ]
+  }
+}

acceptance/bundle/resources/permissions/clusters/target/out.test.toml

@@ -0,0 +1,66 @@
+
+>>> [CLI] bundle validate -o json
+Recommendation: permissions section should explicitly include the current deployment identity '[USERNAME]' or one of its groups
+If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
+
+Consider using a adding a top-level permissions section such as the following:
+
+  permissions:
+    - user_name: [USERNAME]
+      level: CAN_MANAGE
+
+See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration.
+  in databricks.yml:15:7
+
+{
+  "clusters": {
+    "cluster1": {
+      "autotermination_minutes": 60,
+      "cluster_name": "[dev [USERNAME]] test-cluster",
+      "custom_tags": {
+        "dev": "[USERNAME]"
+      },
+      "node_type_id": "[NODE_TYPE_ID]",
+      "num_workers": 1,
+      "permissions": [
+        {
+          "level": "CAN_ATTACH_TO",
+          "service_principal_name": "[UUID]"
+        },
+        {
+          "level": "CAN_RESTART",
+          "service_principal_name": "[UUID]"
+        },
+        {
+          "level": "CAN_MANAGE",
+          "service_principal_name": "[UUID]"
+        },
+        {
+          "level": "CAN_MANAGE",
+          "user_name": "[USERNAME]"
+        }
+      ],
+      "spark_version": "15.4.x-scala2.12"
+    }
+  }
+}
+
+>>> [CLI] bundle deploy
+Recommendation: permissions section should explicitly include the current deployment identity '[USERNAME]' or one of its groups
+If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
+
+Consider using a adding a top-level permissions section such as the following:
+
+  permissions:
+    - user_name: [USERNAME]
+      level: CAN_MANAGE
+
+See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration.
+  in databricks.yml:15:7
+
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/test-bundle/dev/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> print_requests.py //clusters

acceptance/bundle/resources/permissions/clusters/target/output.txt

@@ -0,0 +1,3 @@
+trace $CLI bundle validate -o json | jq .resources
+trace $CLI bundle deploy
+trace print_requests.py //clusters > out.requests.$DATABRICKS_BUNDLE_ENGINE.json

acceptance/bundle/resources/permissions/clusters/target/script

@@ -55,6 +55,7 @@ DIFF  clusters/current_can_manage/out.requests.destroy.direct.json
 +    "path": "/api/2.0/permissions/clusters/[UUID]"
 +  }
 +]
+MATCH clusters/target/out.requests.direct.json
 MATCH database_instances/current_can_manage/out.requests.deploy.direct.json
 DIFF  database_instances/current_can_manage/out.requests.destroy.direct.json
 --- database_instances/current_can_manage/out.requests.destroy.direct.json

acceptance/bundle/resources/permissions/output.txt

@@ -134,13 +134,7 @@ Warning: required field "schema_name" is not set
 {
   "clusters": {
     "rname": {
-      "autotermination_minutes": 60,
-      "permissions": [
-        {
-          "level": "CAN_MANAGE",
-          "user_name": "[USERNAME]"
-        }
-      ]
+      "autotermination_minutes": 60
     }
   }
 }

acceptance/bundle/validate/empty_resources/with_permissions/output.txt

@@ -15,8 +15,6 @@ import (
 	"github.com/databricks/cli/libs/dyn/convert"
 )
 
-var unsupportedResources = []string{"clusters", "volumes", "schemas", "quality_monitors", "registered_models", "database_catalogs", "synced_database_tables"}
-
 var (
 	allowedLevels = []string{permissions.CAN_MANAGE, permissions.CAN_VIEW, permissions.CAN_RUN}
 	levelsMap     = map[string](map[string]string){
@@ -69,6 +67,12 @@ var (
 			permissions.CAN_MANAGE: "CAN_MANAGE",
 			permissions.CAN_VIEW:   "CAN_USE",
 		},
+		"clusters": {
+			// https://docs.databricks.com/aws/en/security/auth/access-control/#compute-acls
+			permissions.CAN_MANAGE: "CAN_MANAGE",
+			permissions.CAN_VIEW:   "CAN_ATTACH_TO",
+			permissions.CAN_RUN:    "CAN_RESTART",
+		},
 	}
 )
 

bundle/config/mutator/resourcemutator/apply_bundle_permissions.go

@@ -16,6 +16,17 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+// This list exists to ensure that this mutator is updated when new resource is added.
+// These resources are there because they use grants, not permissions:
+var unsupportedResources = []string{
+	"volumes",
+	"schemas",
+	"quality_monitors",
+	"registered_models",
+	"database_catalogs",
+	"synced_database_tables",
+}
+
 func TestApplyBundlePermissions(t *testing.T) {
 	b := &bundle.Bundle{
 		Config: config.Root{