Commit 41f4d20

Allow configuring permissions for all MLflow models (#1070)
Fixes #1044
1 parent 0633258 commit 41f4d20

3 files changed

+4
-3
lines changed

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@
22

33
## 0.4.7
44
* Added optional `force` argument to `databricks_group` resource to ignore `cannot create group: Group with name X already exists.` errors and implicitly import the specific group into Terraform state, enforcing entitlements defined in the instance of resource ([#1066](https://github.com/databrickslabs/terraform-provider-databricks/pull/1066)).
5+
* Added support to configure permissions for all MLflow models ([#1044](https://github.com/databrickslabs/terraform-provider-databricks/issues/1044)).
56
* Fixed `databricks_service_principal` `display_name` update ([#1065](https://github.com/databrickslabs/terraform-provider-databricks/issues/1065)).
67
* Added documentation for Unity Catalog resources.
78
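
Review bot: The new entry on line 5 says what was added but not how to reach it, so a changelog reader cannot tell that the feature is used through `registered_model_id = "root"`. Suggest naming that value in the entry, the same way the `force` entry above it names its argument.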

docs/resources/permissions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -373,7 +373,7 @@ resource "databricks_permissions" "experiment_usage" {
373373

374374
## MLflow Model usage
375375

376-
Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`.
376+
Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`. You can also manage permissions for all MLflow models by `registered_model_id = "root"`.
377377

378378
```hcl
379379
resource "databricks_mlflow_model" "this" {
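
Review bot: The sentence added on line 376 ends with "by `registered_model_id = "root"`", which reads as incomplete and does not state the scope of the grant. Suggest "by setting `registered_model_id = "root"`", followed by a sentence saying that a level granted on this object covers all MLflow models, so an entry such as `CAN_MANAGE_PRODUCTION_VERSIONS` or `CAN_MANAGE` here should be reviewed as a grant over every model rather than one. The docs could also say that the provider always keeps `CAN_MANAGE` for the `admins` group on this object, which is what the change in permissions/resource_permissions.go does.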

permissions/resource_permissions.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -145,8 +145,8 @@ func (a PermissionsAPI) put(objectID string, objectACL AccessControlChangeList)
145145

146146
// Update updates object permissions. Technically, it's using method named SetOrDelete, but here we do more
147147
func (a PermissionsAPI) Update(objectID string, objectACL AccessControlChangeList) error {
148-
if objectID == "/authorization/tokens" {
149-
// Cannot remove admins's CAN_MANAGE permission on tokens
148+
if objectID == "/authorization/tokens" || objectID == "/registered-models/root" {
149+
// Prevent "Cannot change permissions for group 'admins' to None."
150150
objectACL.AccessControlList = append(objectACL.AccessControlList, AccessControlChange{
151151
GroupName: "admins",
152152
PermissionLevel: "CAN_MANAGE",
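
Review bot: The widened condition on line 148 has no accompanying test: the commit touches three files (CHANGELOG.md, docs/resources/permissions.md and this one) and none of them is a test file. Suggest a test that calls `Update` with `objectID == "/registered-models/root"` and asserts that the `admins` / `CAN_MANAGE` entry is appended to the access control list that is sent. Separately, the rewritten comment on line 149 quotes the error but no longer says which objects it applies to, and both object IDs are inline string literals; a small named set or helper would keep the next special case from becoming another `||`.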
