direct: Add permissions support for dashboards

shreyas-goenka · shreyas-goenka · commit 61d3d79dec2d · 2025-11-05T16:25:49.000+01:00
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/databricks.yml b/acceptance/bundle/resources/permissions/dashboards/create/databricks.yml
@@ -0,0 +1,16 @@
+resources:
+  dashboards:
+    foo:
+      display_name: test-dashboard
+      warehouse_id: 123abc
+      parent_path: /Users/tester@databricks.com
+      serialized_dashboard: '{"pages":[{"name":"page1","displayName":"Page 1"}]}'
+      permissions:
+        - level: CAN_READ
+          user_name: viewer@example.com
+        - level: CAN_MANAGE
+          group_name: data-team
+        - level: CAN_MANAGE
+          service_principal_name: f37d18cd-98a8-4db5-8112-12dd0a6bfe38
+        - level: CAN_MANAGE
+          user_name: tester@databricks.com
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/out.plan.direct.json b/acceptance/bundle/resources/permissions/dashboards/create/out.plan.direct.json
@@ -0,0 +1,49 @@
+{
+  "plan": {
+    "resources.dashboards.foo": {
+      "action": "create",
+      "new_state": {
+        "config": {
+          "display_name": "test-dashboard",
+          "parent_path": "/Users/[USERNAME]",
+          "warehouse_id": "123abc"
+        }
+      }
+    },
+    "resources.dashboards.foo.permissions": {
+      "depends_on": [
+        {
+          "node": "resources.dashboards.foo",
+          "label": "${resources.dashboards.foo.id}"
+        }
+      ],
+      "action": "create",
+      "new_state": {
+        "config": {
+          "object_id": "",
+          "permissions": [
+            {
+              "permission_level": "CAN_READ",
+              "user_name": "viewer@example.com"
+            },
+            {
+              "group_name": "data-team",
+              "permission_level": "CAN_MANAGE"
+            },
+            {
+              "permission_level": "CAN_MANAGE",
+              "service_principal_name": "[UUID]"
+            },
+            {
+              "permission_level": "CAN_MANAGE",
+              "user_name": "[USERNAME]"
+            }
+          ]
+        },
+        "vars": {
+          "object_id": "/dashboards/${resources.dashboards.foo.id}"
+        }
+      }
+    }
+  }
+}
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/out.plan.terraform.json b/acceptance/bundle/resources/permissions/dashboards/create/out.plan.terraform.json
@@ -0,0 +1,7 @@
+{
+  "plan": {
+    "resources.dashboards.foo": {
+      "action": "create"
+    }
+  }
+}
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/out.requests.deploy.direct.json b/acceptance/bundle/resources/permissions/dashboards/create/out.requests.deploy.direct.json
@@ -0,0 +1,24 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/dashboards/[DASHBOARD_ID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "CAN_READ",
+        "user_name": "viewer@example.com"
+      },
+      {
+        "group_name": "data-team",
+        "permission_level": "CAN_MANAGE"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "user_name": "[USERNAME]"
+      }
+    ]
+  }
+}
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/out.requests.deploy.terraform.json b/acceptance/bundle/resources/permissions/dashboards/create/out.requests.deploy.terraform.json
@@ -0,0 +1,24 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/dashboards/[DASHBOARD_ID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "CAN_READ",
+        "user_name": "viewer@example.com"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "service_principal_name": "[UUID]"
+      },
+      {
+        "group_name": "data-team",
+        "permission_level": "CAN_MANAGE"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "user_name": "[USERNAME]"
+      }
+    ]
+  }
+}
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/out.requests.destroy.direct.json b/acceptance/bundle/resources/permissions/dashboards/create/out.requests.destroy.direct.json
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/out.requests.destroy.terraform.json b/acceptance/bundle/resources/permissions/dashboards/create/out.requests.destroy.terraform.json
@@ -0,0 +1,5 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/dashboards/[DASHBOARD_ID]",
+  "body": {}
+}
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/out.test.toml b/acceptance/bundle/resources/permissions/dashboards/create/out.test.toml
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/output.txt b/acceptance/bundle/resources/permissions/dashboards/create/output.txt
@@ -0,0 +1,35 @@
+
+>>> [CLI] bundle validate -o json
+[
+  {
+    "level": "CAN_READ",
+    "user_name": "viewer@example.com"
+  },
+  {
+    "group_name": "data-team",
+    "level": "CAN_MANAGE"
+  },
+  {
+    "level": "CAN_MANAGE",
+    "service_principal_name": "[UUID]"
+  },
+  {
+    "level": "CAN_MANAGE",
+    "user_name": "[USERNAME]"
+  }
+]
+
+>>> [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/test-bundle/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] bundle destroy --auto-approve
+The following resources will be deleted:
+  delete dashboard foo
+
+All files and directories at the following location will be deleted: /Workspace/Users/[USERNAME]/.bundle/test-bundle/default
+
+Deleting files...
+Destroy complete!
diff --git a/acceptance/bundle/resources/permissions/dashboards/create/script b/acceptance/bundle/resources/permissions/dashboards/create/script
@@ -0,0 +1,20 @@
+trace $CLI bundle validate -o json | jq .resources.$RESOURCE.foo.permissions
+rm out.requests.txt
+
+$CLI bundle debug plan > out.plan.$DATABRICKS_BUNDLE_ENGINE.json
+
+print_requests() {
+    jq -c < out.requests.txt | jq 'select(.method != "GET" and (.path | contains("permissions")))'
+    rm out.requests.txt
+}
+
+rm out.requests.txt
+trace $CLI bundle deploy
+
+dashboard_id=$($CLI bundle summary --output json | jq -r '.resources.dashboards.foo.id')
+echo "$dashboard_id:DASHBOARD_ID" >> ACC_REPLS
+
+print_requests > out.requests.deploy.$DATABRICKS_BUNDLE_ENGINE.json
+
+trace $CLI bundle destroy --auto-approve
+print_requests > out.requests.destroy.$DATABRICKS_BUNDLE_ENGINE.json
diff --git a/acceptance/bundle/resources/permissions/dashboards/test.toml b/acceptance/bundle/resources/permissions/dashboards/test.toml
@@ -0,0 +1,3 @@
+RequiresWarehouse = true
+
+Env.RESOURCE = "dashboards"  # for ../_script
diff --git a/bundle/direct/dresources/all.go b/bundle/direct/dresources/all.go
@@ -19,14 +19,15 @@ var SupportedResources = map[string]any{
 	"database_catalogs":      (*ResourceDatabaseCatalog)(nil),
 	"synced_database_tables": (*ResourceSyncedDatabaseTable)(nil),
 	"alerts":                 (*ResourceAlert)(nil),
+	"dashboards":             (*ResourceDashboard)(nil),
 	"clusters":               (*ResourceCluster)(nil),
 	"registered_models":      (*ResourceRegisteredModel)(nil),
-	"dashboards":             (*ResourceDashboard)(nil),
 
 	// Permissions
 	"jobs.permissions":               (*ResourcePermissions)(nil),
 	"pipelines.permissions":          (*ResourcePermissions)(nil),
 	"apps.permissions":               (*ResourcePermissions)(nil),
+	"dashboards.permissions":         (*ResourcePermissions)(nil),
 	"clusters.permissions":           (*ResourcePermissions)(nil),
 	"database_instances.permissions": (*ResourcePermissions)(nil),
 	"experiments.permissions":        (*ResourcePermissions)(nil),
diff --git a/bundle/direct/dresources/all_test.go b/bundle/direct/dresources/all_test.go
@@ -19,6 +19,7 @@ import (
 	"github.com/databricks/databricks-sdk-go"
 	"github.com/databricks/databricks-sdk-go/service/apps"
 	"github.com/databricks/databricks-sdk-go/service/catalog"
+	"github.com/databricks/databricks-sdk-go/service/dashboards"
 	"github.com/databricks/databricks-sdk-go/service/database"
 	"github.com/databricks/databricks-sdk-go/service/iam"
 	"github.com/databricks/databricks-sdk-go/service/jobs"
@@ -97,6 +98,16 @@ var testConfig map[string]any = map[string]any{
 			},
 		},
 	},
+
+	"dashboards": &resources.Dashboard{
+		DashboardConfig: resources.DashboardConfig{
+			Dashboard: dashboards.Dashboard{
+				DisplayName:         "my_dashboard",
+				SerializedDashboard: `{"pages":[{"name":"page1","displayName":"Page 1"}]}`,
+				WarehouseId:         "warehouse123",
+			},
+		},
+	},
 }
 
 type prepareWorkspace func(client *databricks.WorkspaceClient) (any, error)
@@ -252,6 +263,27 @@ var testDeps = map[string]prepareWorkspace{
 			}},
 		}, nil
 	},
+
+	"dashboards.permissions": func(client *databricks.WorkspaceClient) (any, error) {
+		resp, err := client.Lakeview.Create(context.Background(), dashboards.CreateDashboardRequest{
+			Dashboard: dashboards.Dashboard{
+				DisplayName:         "dashboard-permissions",
+				SerializedDashboard: `{"pages":[{"name":"page1","displayName":"Page 1"}]}`,
+				WarehouseId:         "warehouse123",
+			},
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		return &PermissionsState{
+			ObjectID: "/dashboards/" + resp.DashboardId,
+			Permissions: []iam.AccessControlRequest{{
+				PermissionLevel: "CAN_MANAGE",
+				UserName:        "user@example.com",
+			}},
+		}, nil
+	},
 }
 
 func TestAll(t *testing.T) {
@@ -340,7 +372,13 @@ func testCRUD(t *testing.T, group string, adapter *Adapter, client *databricks.W
 		var relevantChanges []structdiff.Change
 		for _, change := range changes {
 			fieldName := change.Path.String()
-			if fieldName != "updated_at" {
+			// Filter out fields that are expected to change between DoRefresh and DoUpdate
+			// - updated_at, update_time: timestamps that change on updates
+			// - etag: version field that changes on updates
+			// - path: computed field for dashboards
+			// - serialized_dashboard: test server adds pageType and formatting
+			if fieldName != "updated_at" && fieldName != "update_time" && fieldName != "etag" &&
+				fieldName != "path" && fieldName != "serialized_dashboard" {
 				relevantChanges = append(relevantChanges, change)
 			}
 		}
@@ -373,6 +411,12 @@ func testCRUD(t *testing.T, group string, adapter *Adapter, client *databricks.W
 		// t.Logf("Testing %s v=%#v, remoteValue=%#v", path.String(), val, remoteValue)
 		// We expect fields set explicitly to be preserved by testserver, which is true for all resources as of today.
 		// If not true for your resource, add exception here:
+
+		// Dashboard serialized_dashboard is modified by the server (adds pageType, reorders keys, adds newline)
+		if path.String() == "serialized_dashboard" {
+			return
+		}
+
 		assert.Equal(t, val, remoteValue, "path=%q\nnewState=%s\nremappedState=%s", path.String(), jsonDump(newState), jsonDump(remappedState))
 	}))
 
diff --git a/libs/testserver/dashboards.go b/libs/testserver/dashboards.go
@@ -4,7 +4,6 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
-	"fmt"
 	"path"
 	"strconv"
 	"strings"
@@ -60,12 +59,16 @@ func (s *FakeWorkspace) DashboardCreate(req Request) Response {
 		}
 	}
 
+	// Auto-create parent directory if it doesn't exist (matching WorkspaceFilesImportFile behavior)
 	if _, ok := s.directories[dashboard.ParentPath]; !ok {
-		return Response{
-			StatusCode: 404,
-			Body: map[string]string{
-				"message": fmt.Sprintf("Path (%s) doesn't exist.", dashboard.ParentPath),
-			},
+		for dir := dashboard.ParentPath; dir != "/" && dir != ""; dir = path.Dir(dir) {
+			if _, exists := s.directories[dir]; !exists {
+				s.directories[dir] = workspace.ObjectInfo{
+					ObjectType: "DIRECTORY",
+					Path:       dir,
+					ObjectId:   nextID(),
+				}
+			}
 		}
 	}
 
