Added MLflow permissions (#1013)

## MLflow Experiment usage

Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-experiment-permissions-1) for [databricks_mlflow_experiment](mlflow_experiment.md) are: `CAN_READ`, `CAN_EDIT`, and `CAN_MANAGE`.

```hcl
data "databricks_current_user" "me" {}

resource "databricks_mlflow_experiment" "this" {
  name              = "${data.databricks_current_user.me.home}/Sample"
  artifact_location = "dbfs:/tmp/my-experiment"
  description       = "My MLflow experiment description"
}

resource "databricks_group" "auto" {
  display_name = "Automation"
}

resource "databricks_group" "eng" {
  display_name = "Engineering"
}

resource "databricks_permissions" "experiment_usage" {
  experiment_id = databricks_mlflow_experiment.this.id

  access_control {
    group_name       = "users"
    permission_level = "CAN_READ"
  }

  access_control {
    group_name       = databricks_group.auto.display_name
    permission_level = "CAN_MANAGE"
  }

  access_control {
    group_name       = databricks_group.eng.display_name
    permission_level = "CAN_EDIT"
  }
}
```

## MLflow Model usage

Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`.

```hcl
resource "databricks_mlflow_model" "this" {
  name = "SomePredictions"
}

resource "databricks_group" "auto" {
  display_name = "Automation"
}

resource "databricks_group" "eng" {
  display_name = "Engineering"
}

resource "databricks_permissions" "model_usage" {
  registered_model_id = databricks_mlflow_model.this.registered_model_id

  access_control {
    group_name       = "users"
    permission_level = "CAN_READ"
  }

  access_control {
    group_name       = databricks_group.auto.display_name
    permission_level = "CAN_MANAGE_PRODUCTION_VERSIONS"
  }

  access_control {
    group_name       = databricks_group.eng.display_name
    permission_level = "CAN_MANAGE_STAGING_VERSIONS"
  }
}
```

Fixes #1012

Author: nfx

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## 0.4.3
 
+* Added support for `databricks_permissions` for `databricks_mlflow_experiment` and `databricks_mlflow_model` ([#1013](https://github.com/databrickslabs/terraform-provider-databricks/pull/1013)).
 * Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` ([#821](https://github.com/databrickslabs/terraform-provider-databricks/issues/821)).
 * Improved documentation with regards to public subnets in AWS quick start ([#1005](https://github.com/databrickslabs/terraform-provider-databricks/pull/1005)).
 * Added `databricks_mount` code genration for [exporter](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/guides/experimental-exporter) tooling ([#1006](https://github.com/databrickslabs/terraform-provider-databricks/pull/1006)).

docs/resources/mlflow_experiment.md

@@ -8,8 +8,10 @@ This resource allows you to create MLflow experiments in Databricks.
 ## Example Usage
 
 ```hcl
-resource "databricks_mlflow_experiment" "test" {
-  name              = "/Users/myuserid/my-experiment"
+data "databricks_current_user" "me" {}
+
+resource "databricks_mlflow_experiment" "this" {
+  name              = "${data.databricks_current_user.me.home}/Sample"
   artifact_location = "dbfs:/tmp/my-experiment"
   description       = "My MLflow experiment description"
 }
@@ -22,3 +24,7 @@ The following arguments are supported:
 * `name` - (Required) Name of MLflow experiment. It must be an absolute path within the Databricks workspace, e.g. `/Users/<some-username>/my-experiment`. For more information about changes to experiment naming conventions, see [mlflow docs](https://docs.databricks.com/applications/mlflow/experiments.html#experiment-migration).
 * `artifact_location` - Path to dbfs:/ or s3:// artifact location of the MLflow experiment.
 * `description` - The description of the MLflow experiment.
+
+## Access Control
+
+* [databricks_permissions](permissions.md#MLflow-Experiment-usage) can control which groups or individual users can *Read*, *Edit*, or *Manage* individual experiments.

docs/resources/mlflow_model.md

@@ -28,6 +28,10 @@ resource "databricks_mlflow_model" "test" {
 
 The following arguments are supported:
 
-* `name` - (Required) Name of MLflow model.
+* `name` - (Required) Name of MLflow model. Change of name triggers new resource.
 * `description` - The description of the MLflow model.
 * `tags` - Tags for the MLflow model.
+
+## Access Control
+
+* [databricks_permissions](permissions.md#MLflow-Model-usage) can control which groups or individual users can *Read*, *Edit*, *Manage Staging Versions*, *Manage Production Versions*, and *Manage* individual models.

docs/resources/permissions.md

@@ -330,6 +330,84 @@ resource "databricks_permissions" "repo_usage" {
 }
 ```
 
+## MLflow Experiment usage
+
+Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-experiment-permissions-1) for [databricks_mlflow_experiment](mlflow_experiment.md) are: `CAN_READ`, `CAN_EDIT`, and `CAN_MANAGE`.
+
+```hcl
+data "databricks_current_user" "me" {}
+
+resource "databricks_mlflow_experiment" "this" {
+  name              = "${data.databricks_current_user.me.home}/Sample"
+  artifact_location = "dbfs:/tmp/my-experiment"
+  description       = "My MLflow experiment description"
+}
+
+resource "databricks_group" "auto" {
+  display_name = "Automation"
+}
+
+resource "databricks_group" "eng" {
+  display_name = "Engineering"
+}
+
+resource "databricks_permissions" "experiment_usage" {
+  experiment_id = databricks_mlflow_experiment.this.id
+
+  access_control {
+    group_name       = "users"
+    permission_level = "CAN_READ"
+  }
+
+  access_control {
+    group_name       = databricks_group.auto.display_name
+    permission_level = "CAN_MANAGE"
+  }
+
+  access_control {
+    group_name       = databricks_group.eng.display_name
+    permission_level = "CAN_EDIT"
+  }
+}
+```
+
+## MLflow Model usage
+
+Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`.
+
+```hcl
+resource "databricks_mlflow_model" "this" {
+  name = "SomePredictions"
+}
+
+resource "databricks_group" "auto" {
+  display_name = "Automation"
+}
+
+resource "databricks_group" "eng" {
+  display_name = "Engineering"
+}
+
+resource "databricks_permissions" "model_usage" {
+  registered_model_id = databricks_mlflow_model.this.registered_model_id
+
+  access_control {
+    group_name       = "users"
+    permission_level = "CAN_READ"
+  }
+
+  access_control {
+    group_name       = databricks_group.auto.display_name
+    permission_level = "CAN_MANAGE_PRODUCTION_VERSIONS"
+  }
+
+  access_control {
+    group_name       = databricks_group.eng.display_name
+    permission_level = "CAN_MANAGE_STAGING_VERSIONS"
+  }
+}
+```
+
 ## Passwords usage
 
 By default on AWS deployments, all admin users can sign in to Databricks using either SSO or their username and password, and all API users can authenticate to the Databricks REST APIs using their username and password. As an admin, you [can limit](https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#optional-configure-password-access-control) admin users’ and API users’ ability to authenticate with their username and password by configuring `CAN_USE` permissions using password access control.

mlflow/resource_model.go

@@ -7,10 +7,9 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-// Tag ...
 type Tag struct {
-	Key   string `json:"key" tf:"force_new"`
-	Value string `json:"value" tf:"force_new"`
+	Key   string `json:"key"`
+	Value string `json:"value"`
 }
 
 // Model defines the response object from the API
@@ -21,50 +20,49 @@ type Model struct {
 	UserID               string   `json:"user_id,omitempty" tf:"computed"`
 	LatestVersions       []string `json:"latest_versions,omitempty" tf:"computed"`
 	Description          string   `json:"description,omitempty"`
-	Tags                 []Tag    `json:"tags,omitempty" tf:"force_new"`
+	Tags                 []Tag    `json:"tags,omitempty"`
+	RegisteredModelID    string   `json:"id,omitempty" tf:"computed,alias:registered_model_id"`
 }
 
 // registeredModel defines response from GET API op
 type registeredModel struct {
-	RegisteredModel Model `json:"registered_model"`
+	RegisteredModelDatabricks Model `json:"registered_model_databricks"`
 }
 
-// ModelsAPI ...
 type ModelsAPI struct {
 	client  *common.DatabricksClient
 	context context.Context
 }
 
-// NewModelsAPI ...
 func NewModelsAPI(ctx context.Context, m interface{}) ModelsAPI {
 	return ModelsAPI{m.(*common.DatabricksClient), ctx}
 }
 
-// Create ...
 func (a ModelsAPI) Create(m *Model) error {
 	return a.client.Post(a.context, "/mlflow/registered-models/create", m, m)
 }
 
-// Read ...
 func (a ModelsAPI) Read(name string) (*Model, error) {
 	var m registeredModel
-	err := a.client.Get(a.context, "/mlflow/registered-models/get", map[string]string{
+	err := a.client.Get(a.context, "/mlflow/databricks/registered-models/get", map[string]string{
 		"name": name,
 	}, &m)
 	if err != nil {
 		return nil, err
 	}
-	return &m.RegisteredModel, nil
+	return &m.RegisteredModelDatabricks, nil
 }
 
-// Update ...
+// Update the model entity
 func (a ModelsAPI) Update(m *Model) error {
 	return a.client.Patch(a.context, "/mlflow/registered-models/update", m)
 }
 
-// Delete ...
-func (a ModelsAPI) Delete(m *Model) error {
-	return a.client.Delete(a.context, "/mlflow/registered-models/delete", m)
+// Delete removes the model by it's name
+func (a ModelsAPI) Delete(name string) error {
+	return a.client.Delete(a.context, "/mlflow/registered-models/delete", map[string]string{
+		"name": name,
+	})
 }
 
 func ResourceMLFlowModel() *schema.Resource {
@@ -98,9 +96,7 @@ func ResourceMLFlowModel() *schema.Resource {
 			return NewModelsAPI(ctx, c).Update(&m)
 		},
 		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
-			var m Model
-			common.DataToStructPointer(d, s, &m)
-			return NewModelsAPI(ctx, c).Delete(&m)
+			return NewModelsAPI(ctx, c).Delete(d.Id())
 		},
 		Schema: s,
 	}.ToResource()

mlflow/resource_model_test.go

@@ -28,9 +28,9 @@ func TestModelCreate(t *testing.T) {
 			},
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/mlflow/registered-models/get?name=xyz",
+				Resource: "/api/2.0/mlflow/databricks/registered-models/get?name=xyz",
 				Response: registeredModel{
-					RegisteredModel: m(),
+					RegisteredModelDatabricks: m(),
 				},
 			},
 		},
@@ -89,9 +89,9 @@ func TestModelRead(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/mlflow/registered-models/get?name=xyz",
+				Resource: "/api/2.0/mlflow/databricks/registered-models/get?name=xyz",
 				Response: registeredModel{
-					RegisteredModel: m(),
+					RegisteredModelDatabricks: m(),
 				},
 			},
 		},
@@ -109,9 +109,9 @@ func TestModelReadGetError(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/mlflow/registered-models/get?name=xyz",
+				Resource: "/api/2.0/mlflow/databricks/registered-models/get?name=xyz",
 				Response: registeredModel{
-					RegisteredModel: m(),
+					RegisteredModelDatabricks: m(),
 				},
 				Status: 400,
 			},
@@ -138,9 +138,9 @@ func TestModelUpdate(t *testing.T) {
 			},
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/mlflow/registered-models/get?name=xyz",
+				Resource: "/api/2.0/mlflow/databricks/registered-models/get?name=xyz",
 				Response: registeredModel{
-					RegisteredModel: gm,
+					RegisteredModelDatabricks: gm,
 				},
 			},
 		},

permissions/resource_permissions.go

@@ -246,6 +246,9 @@ func permissionsResourceIDFields() []permissionsIDFieldMapping {
 		{"sql_dashboard_id", "dashboard", "sql/dashboards", []string{"CAN_EDIT", "CAN_RUN", "CAN_MANAGE"}, SIMPLE},
 		{"sql_alert_id", "alert", "sql/alerts", []string{"CAN_EDIT", "CAN_RUN", "CAN_MANAGE"}, SIMPLE},
 		{"sql_query_id", "query", "sql/queries", []string{"CAN_EDIT", "CAN_RUN", "CAN_MANAGE"}, SIMPLE},
+		{"experiment_id", "mlflowExperiment", "experiments", []string{"CAN_READ", "CAN_EDIT", "CAN_MANAGE"}, SIMPLE},
+		{"registered_model_id", "registered-model", "registered-models", []string{
+			"CAN_READ", "CAN_EDIT", "CAN_MANAGE_STAGING_VERSIONS", "CAN_MANAGE_PRODUCTION_VERSIONS", "CAN_MANAGE"}, SIMPLE},
 	}
 }