direct: grants support (#3883)

## Changes
Add grants support for all resources that have Grants in the schema
(schemas, models, registered_models).

The approach is different from terraform, rather than doing get +
update, we do a single update where we clear all existing permissions.

## Tests
Acceptance cloud tests. Since we cannot compare requests between direct
and terraform (but still record them), we test by fetching final grants
after deploy from the backend.

Extended testserver to support grants. Added a bunch of fields to
schemas and volumes to make it looks more like real API.

Author: denik

acceptance/bundle/refschema/out.fields.txt

@@ -2932,6 +2932,13 @@ resources.registered_models.*.storage_location	string	ALL
 resources.registered_models.*.updated_at	int64	ALL
 resources.registered_models.*.updated_by	string	ALL
 resources.registered_models.*.url	string	INPUT
+resources.registered_models.*.grants.full_name	string	ALL
+resources.registered_models.*.grants.grants	[]dresources.GrantAssignment	ALL
+resources.registered_models.*.grants.grants[*]	dresources.GrantAssignment	ALL
+resources.registered_models.*.grants.grants[*].principal	string	ALL
+resources.registered_models.*.grants.grants[*].privileges	[]catalog.Privilege	ALL
+resources.registered_models.*.grants.grants[*].privileges[*]	catalog.Privilege	ALL
+resources.registered_models.*.grants.securable_type	string	ALL
 resources.schemas.*.browse_only	bool	REMOTE
 resources.schemas.*.catalog_name	string	ALL
 resources.schemas.*.catalog_type	catalog.CatalogType	REMOTE
@@ -2964,6 +2971,13 @@ resources.schemas.*.storage_root	string	ALL
 resources.schemas.*.updated_at	int64	REMOTE
 resources.schemas.*.updated_by	string	REMOTE
 resources.schemas.*.url	string	INPUT
+resources.schemas.*.grants.full_name	string	ALL
+resources.schemas.*.grants.grants	[]dresources.GrantAssignment	ALL
+resources.schemas.*.grants.grants[*]	dresources.GrantAssignment	ALL
+resources.schemas.*.grants.grants[*].principal	string	ALL
+resources.schemas.*.grants.grants[*].privileges	[]catalog.Privilege	ALL
+resources.schemas.*.grants.grants[*].privileges[*]	catalog.Privilege	ALL
+resources.schemas.*.grants.securable_type	string	ALL
 resources.sql_warehouses.*.auto_stop_mins	int	ALL
 resources.sql_warehouses.*.channel	*sql.Channel	ALL
 resources.sql_warehouses.*.channel.dbsql_version	string	ALL
@@ -3114,3 +3128,10 @@ resources.volumes.*.updated_by	string	REMOTE
 resources.volumes.*.url	string	INPUT
 resources.volumes.*.volume_id	string	REMOTE
 resources.volumes.*.volume_type	catalog.VolumeType	ALL
+resources.volumes.*.grants.full_name	string	ALL
+resources.volumes.*.grants.grants	[]dresources.GrantAssignment	ALL
+resources.volumes.*.grants.grants[*]	dresources.GrantAssignment	ALL
+resources.volumes.*.grants.grants[*].principal	string	ALL
+resources.volumes.*.grants.grants[*].privileges	[]catalog.Privilege	ALL
+resources.volumes.*.grants.grants[*].privileges[*]	catalog.Privilege	ALL
+resources.volumes.*.grants.securable_type	string	ALL

acceptance/bundle/resources/grants/registered_models/databricks.yml.tmpl

@@ -0,0 +1,19 @@
+bundle:
+  name: deploy-registered-models-basic-$UNIQUE_NAME
+
+resources:
+  schemas:
+    my_schema:
+      catalog_name: main
+      name: myschema_$UNIQUE_NAME
+  registered_models:
+    my_registered_model:
+      name: mymodel
+      comment: mycomment
+      catalog_name: main
+      # this does not work because we don't create implicit dependency like we do with volumes:
+      #schema_name: myschema_$UNIQUE_NAME
+      schema_name: ${resources.schemas.my_schema.name}
+      grants:
+        - principal: [email protected]
+          privileges: ["APPLY_TAG"]

acceptance/bundle/resources/grants/registered_models/out.deploy1.requests.direct.json

@@ -0,0 +1,17 @@
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/function/main.myschema_[UNIQUE_NAME].mymodel",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "APPLY_TAG"
+        ],
+        "principal": "[email protected]",
+        "remove": [
+          "ALL_PRIVILEGES"
+        ]
+      }
+    ]
+  }
+}

acceptance/bundle/resources/grants/registered_models/out.deploy1.requests.terraform.json

@@ -0,0 +1,14 @@
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/function/main.myschema_[UNIQUE_NAME].mymodel",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "APPLY_TAG"
+        ],
+        "principal": "[email protected]"
+      }
+    ]
+  }
+}

acceptance/bundle/resources/grants/registered_models/out.destroy.requests.direct.json

@@ -0,0 +1,14 @@
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/function/main.myschema_[UNIQUE_NAME].mymodel",
+  "body": {
+    "changes": [
+      {
+        "principal": "[email protected]",
+        "remove": [
+          "APPLY_TAG"
+        ]
+      }
+    ]
+  }
+}

acceptance/bundle/resources/grants/registered_models/out.destroy.requests.terraform.json

@@ -0,0 +1,56 @@
+{
+  "plan": {
+    "resources.registered_models.my_registered_model": {
+      "depends_on": [
+        {
+          "node": "resources.schemas.my_schema",
+          "label": "${resources.schemas.my_schema.name}"
+        }
+      ],
+      "action": "create",
+      "new_state": {
+        "config": {
+          "catalog_name": "main",
+          "comment": "mycomment",
+          "name": "mymodel",
+          "schema_name": "myschema_[UNIQUE_NAME]"
+        }
+      }
+    },
+    "resources.registered_models.my_registered_model.grants": {
+      "depends_on": [
+        {
+          "node": "resources.registered_models.my_registered_model",
+          "label": "${resources.registered_models.my_registered_model.id}"
+        }
+      ],
+      "action": "create",
+      "new_state": {
+        "config": {
+          "securable_type": "function",
+          "full_name": "",
+          "grants": [
+            {
+              "principal": "[email protected]",
+              "privileges": [
+                "APPLY_TAG"
+              ]
+            }
+          ]
+        },
+        "vars": {
+          "full_name": "${resources.registered_models.my_registered_model.id}"
+        }
+      }
+    },
+    "resources.schemas.my_schema": {
+      "action": "create",
+      "new_state": {
+        "config": {
+          "catalog_name": "main",
+          "name": "myschema_[UNIQUE_NAME]"
+        }
+      }
+    }
+  }
+}

acceptance/bundle/resources/grants/registered_models/out.plan1.direct.json

@@ -0,0 +1,10 @@
+{
+  "plan": {
+    "resources.registered_models.my_registered_model": {
+      "action": "create"
+    },
+    "resources.schemas.my_schema": {
+      "action": "create"
+    }
+  }
+}

acceptance/bundle/resources/grants/registered_models/out.plan1.terraform.json

@@ -0,0 +1,39 @@
+
+>>> [CLI] bundle debug plan
+
+>>> print_requests.py --get //permissions
+
+>>> [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/deploy-registered-models-basic-[UNIQUE_NAME]/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> print_requests.py //permissions
+
+>>> [CLI] grants get function main.myschema_[UNIQUE_NAME].mymodel
+{
+  "privilege_assignments": [
+    {
+      "principal": "[email protected]",
+      "privileges": [
+        "APPLY_TAG"
+      ]
+    }
+  ]
+}
+
+>>> [CLI] bundle destroy --auto-approve
+The following resources will be deleted:
+  delete registered_model my_registered_model
+  delete schema my_schema
+
+This action will result in the deletion of the following UC schemas. Any underlying data may be lost:
+  delete schema my_schema
+
+All files and directories at the following location will be deleted: /Workspace/Users/[USERNAME]/.bundle/deploy-registered-models-basic-[UNIQUE_NAME]/default
+
+Deleting files...
+Destroy complete!
+
+>>> print_requests.py //permissions