Ensure owner/mgmt permission for current user (#3780)

## Changes
Instead of removing current user from permissions and relying on
terraform to add it back, we'll instead add IS_OWNER/CAN_MANAGE
ourselves.

Previous attempt to remove this mutator completely
#3688 failed because backend
complains about "ambiguous" permissions when both CAN_MANAGE and
IS_OWNER are present. Thus we do additional transformation here: we
upgrade CAN_MANAGE to IS_OWNER if we can.

Don't apply this logic to secret scopes resource as it's not implemented
via databricks_permissions resource in terraform and does not have
IS_OWNER/CAN_MANAGE insertion logic. This means we no longer filter out
current user permissions from secret scopes resources.

## Why
- Enables direct implementation which will not do any transformations,
just use whatever in the config. With this PR, the request payload will
match terraform's.
- Final permissions visible in 'bundle validate -o json'.

## Tests

#3781

Author: denik

NEXT_CHANGELOG.md

@@ -9,5 +9,7 @@
 ### Dependency updates
 
 ### Bundles
+* For secret scopes, no longer remove current user's permissions ([#3780](https://github.com/databricks/cli/pull/3780))
+* Automatically add owner permissions during bundle initialization, this makes final permissions visible in 'bundle validate -o json' ([#3780](https://github.com/databricks/cli/pull/3780))
 
 ### API Changes

acceptance/bundle/resources/permissions/apps/current_can_manage/output.txt

@@ -12,6 +12,10 @@
   {
     "level": "CAN_MANAGE",
     "service_principal_name": "[UUID]"
+  },
+  {
+    "level": "CAN_MANAGE",
+    "user_name": "[USERNAME]"
   }
 ]
 

acceptance/bundle/resources/permissions/apps/other_can_manage/output.txt

@@ -12,6 +12,10 @@
   {
     "level": "CAN_MANAGE",
     "service_principal_name": "[UUID]"
+  },
+  {
+    "level": "CAN_MANAGE",
+    "user_name": "[USERNAME]"
   }
 ]
 

acceptance/bundle/resources/permissions/jobs/current_can_manage/databricks.yml

@@ -14,6 +14,9 @@ resources:
           group_name: data-team
         - level: CAN_MANAGE
           service_principal_name: f37d18cd-98a8-4db5-8112-12dd0a6bfe38
-        # job with explicit CAN_MANAGE matching username, will be filtered out by DABs; terraform will add IS_OWNER
+        # job with explicit CAN_MANAGE matching username, we will upgrade CAN_MANAGE to IS_OWNER
+        # If we don't, then terraform will add IS_OWNER and we will end up with both CAN_MANAGE and IS_OWNER
+        # which can lead to
+        #    Error: cannot create permissions: Permissions being set for UserName([USERNAME]) are ambiguous
         - level: CAN_MANAGE
           user_name: [email protected]

acceptance/bundle/resources/permissions/jobs/current_can_manage/output.txt

@@ -12,6 +12,10 @@
   {
     "level": "CAN_MANAGE",
     "service_principal_name": "[UUID]"
+  },
+  {
+    "level": "IS_OWNER",
+    "user_name": "[USERNAME]"
   }
 ]
 

acceptance/bundle/resources/permissions/jobs/current_is_owner/out.requests.deploy.terraform.json

@@ -0,0 +1,12 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/jobs/[NUMID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "IS_OWNER",
+        "user_name": "[USERNAME]"
+      }
+    ]
+  }
+}

acceptance/bundle/resources/permissions/jobs/current_is_owner/out.requests.destroy.terraform.json

@@ -0,0 +1,12 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/jobs/[NUMID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "IS_OWNER",
+        "user_name": "[USERNAME]"
+      }
+    ]
+  }
+}

acceptance/bundle/resources/permissions/jobs/current_is_owner/output.txt

@@ -1,6 +1,11 @@
 
 >>> [CLI] bundle validate -o json
-[]
+[
+  {
+    "level": "IS_OWNER",
+    "user_name": "[USERNAME]"
+  }
+]
 
 >>> [CLI] bundle deploy
 Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/test-bundle/default/files...

acceptance/bundle/resources/permissions/jobs/other_can_manage/output.txt

@@ -12,6 +12,10 @@
   {
     "level": "CAN_MANAGE",
     "service_principal_name": "[UUID]"
+  },
+  {
+    "level": "IS_OWNER",
+    "user_name": "[USERNAME]"
   }
 ]
 

acceptance/bundle/resources/permissions/jobs/other_is_owner/out.requests.deploy.terraform.json

@@ -6,6 +6,10 @@
       {
         "permission_level": "IS_OWNER",
         "user_name": "[email protected]"
+      },
+      {
+        "permission_level": "IS_OWNER",
+        "user_name": "[USERNAME]"
       }
     ]
   }