
Commit 60246c7

authored
Select single permissions level per principal (#3904)
## Changes When multiple permissions are present, select one per principal (the highest of all available). ## Why The backend only stores one permission level per principal, whichever is latest in the request. So if users define multiple levels for the same principal, an arbitrary level is going to be sent to the backend, just whatever happens to be last in the request. In some cases, terraform will reject multiple levels and error. Why we select the max level: The intent is usually to have some default permissions applied broadly (e.g., CAN_VIEW) and then grant a higher permission (e.g., CAN_MANAGE) to a selected principal, in which case the principal has both CAN_VIEW and CAN_MANAGE, which is the same as just CAN_MANAGE. Should fix #3864 ## Tests New acceptance test. Fix testserver to match real backend as tested by #3900
1 parent 3a21c11 commit 60246c7

35 files changed

+798
-50
lines changed

acceptance/bundle/resources/permissions/factcheck/out.test.toml

Lines changed: 2 additions & 1 deletion

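--- a/acceptance/bundle/resources/permissions/factcheck/test.toml
+++ b/acceptance/bundle/resources/permissions/factcheck/test.toml
@@ -1,5 +1,5 @@
-Local = false
-Cloud = true
+Local = true
+CloudSlow = true
 RecordRequests = false
 
 # I get this error, not sure why: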
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# https://github.com/databricks/cli/issues/3864
2+
bundle:
3+
name: test-bundle-$UNIQUE_NAME
4+
5+
targets:
6+
green:
7+
resources:
8+
jobs:
9+
interim_gold_layer_job:
10+
permissions:
11+
- service_principal_name: $CURRENT_USER_NAME
12+
level: CAN_MANAGE_RUN
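Review bot: The fixture carries only the issue link, so nothing in it says why the deploying identity is given `CAN_MANAGE_RUN` or what outcome the test expects. The recorded validate output and permissions request elsewhere in this commit show a single `IS_OWNER` entry for the same principal, so the scenario appears to be a lower explicit level colliding with the owner entry for the current identity. I would add a comment above `permissions:` such as `# CAN_MANAGE_RUN on the deploying identity must collapse into the single IS_OWNER entry, not be sent alongside it`. That keeps the intent readable without opening the linked issue.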
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
{
2+
"method": "POST",
3+
"path": "/api/2.2/jobs/create",
4+
"body": {
5+
"deployment": {
6+
"kind": "BUNDLE",
7+
"metadata_file_path": "/Workspace/Users/[USERNAME]/.bundle/test-bundle-[UNIQUE_NAME]/green/state/metadata.json"
8+
},
9+
"edit_mode": "UI_LOCKED",
10+
"format": "MULTI_TASK",
11+
"max_concurrent_runs": 1,
12+
"name": "Untitled",
13+
"queue": {
14+
"enabled": true
15+
}
16+
}
17+
}
18+
{
19+
"method": "PUT",
20+
"path": "/api/2.0/permissions/jobs/[NUMID]",
21+
"body": {
22+
"access_control_list": [
23+
{
24+
"permission_level": "IS_OWNER",
25+
"service_principal_name": "[USERNAME]"
26+
}
27+
]
28+
}
29+
}
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
{
2+
"method": "POST",
3+
"path": "/api/2.2/jobs/delete",
4+
"body": {
5+
"job_id": [NUMID]
6+
}
7+
}
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
{
2+
"method": "PUT",
3+
"path": "/api/2.0/permissions/jobs/[NUMID]",
4+
"body": {
5+
"access_control_list": [
6+
{
7+
"permission_level": "IS_OWNER",
8+
"user_name": "[USERNAME]"
9+
}
10+
]
11+
}
12+
}
13+
{
14+
"method": "POST",
15+
"path": "/api/2.2/jobs/delete",
16+
"body": {
17+
"job_id": [NUMID]
18+
}
19+
}
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
{
2+
"plan": {
3+
"resources.jobs.interim_gold_layer_job": {
4+
"action": "skip",
5+
"remote_state": {
6+
"created_time": [UNIX_TIME_MILLIS],
7+
"creator_user_name": "[USERNAME]",
8+
"job_id": [NUMID],
9+
"run_as_user_name": "[USERNAME]",
10+
"settings": {
11+
"deployment": {
12+
"kind": "BUNDLE",
13+
"metadata_file_path": "/Workspace/Users/[USERNAME]/.bundle/test-bundle-[UNIQUE_NAME]/green/state/metadata.json"
14+
},
15+
"edit_mode": "UI_LOCKED",
16+
"email_notifications": {},
17+
"format": "MULTI_TASK",
18+
"max_concurrent_runs": 1,
19+
"name": "Untitled",
20+
"queue": {
21+
"enabled": true
22+
},
23+
"timeout_seconds": 0,
24+
"webhook_notifications": {}
25+
}
26+
},
27+
"changes": {
28+
"remote": {
29+
"email_notifications": {
30+
"action": "skip",
31+
"reason": "server_side_default"
32+
},
33+
"timeout_seconds": {
34+
"action": "skip",
35+
"reason": "server_side_default"
36+
},
37+
"webhook_notifications": {
38+
"action": "skip",
39+
"reason": "server_side_default"
40+
}
41+
}
42+
}
43+
},
44+
"resources.jobs.interim_gold_layer_job.permissions": {
45+
"depends_on": [
46+
{
47+
"node": "resources.jobs.interim_gold_layer_job",
48+
"label": "${resources.jobs.interim_gold_layer_job.id}"
49+
}
50+
],
51+
"action": "skip",
52+
"remote_state": {
53+
"object_id": "/jobs/[NUMID]",
54+
"permissions": [
55+
{
56+
"permission_level": "IS_OWNER",
57+
"service_principal_name": "[USERNAME]"
58+
}
59+
]
60+
}
61+
}
62+
}
63+
}
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
{
2+
"plan": {
3+
"resources.jobs.interim_gold_layer_job": {
4+
"action": "skip"
5+
}
6+
}
7+
}

acceptance/bundle/resources/permissions/jobs/current_can_manage_run/out.test.toml

Lines changed: 8 additions & 0 deletions
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
2+
>>> [CLI] bundle validate -t green -o json
3+
{
4+
"jobs": {
5+
"interim_gold_layer_job": {
6+
"deployment": {
7+
"kind": "BUNDLE",
8+
"metadata_file_path": "/Workspace/Users/[USERNAME]/.bundle/test-bundle-[UNIQUE_NAME]/green/state/metadata.json"
9+
},
10+
"edit_mode": "UI_LOCKED",
11+
"format": "MULTI_TASK",
12+
"max_concurrent_runs": 1,
13+
"name": "Untitled",
14+
"permissions": [
15+
{
16+
"level": "IS_OWNER",
17+
"service_principal_name": "[USERNAME]"
18+
}
19+
],
20+
"queue": {
21+
"enabled": true
22+
}
23+
}
24+
}
25+
}
26+
27+
>>> errcode [CLI] bundle deploy -t green
28+
Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/test-bundle-[UNIQUE_NAME]/green/files...
29+
Deploying resources...
30+
Updating deployment state...
31+
Deployment complete!
32+
33+
>>> [CLI] bundle debug plan -t green
34+
35+
>>> errcode [CLI] bundle destroy -t green --auto-approve
36+
The following resources will be deleted:
37+
delete job interim_gold_layer_job
38+
39+
All files and directories at the following location will be deleted: /Workspace/Users/[USERNAME]/.bundle/test-bundle-[UNIQUE_NAME]/green
40+
41+
Deleting files...
42+
Destroy complete!
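Review bot: The expected `bundle validate` output records `IS_OWNER` for a principal that the bundle declares with `CAN_MANAGE_RUN`, and no diagnostic line appears anywhere in this transcript to say that a declared level was superseded. The effective grant is then higher than what someone reading the bundle file sees, which weakens access reviews done against the configuration. If the selection code (not visible in this section) can report it, a warning naming the principal, the dropped level and the chosen level would make the collapse auditable, and this golden file should then pin that line. Whether stderr is captured in this file cannot be told from here.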
