Do not update permissions for pipelines on delete (#5096)

Logging requests, I see that it tries to set IS_OWNER to run_as service
principal instead of actual owner.

Mitigating
https://community.databricks.com/t5/data-engineering/dab-dlt-destroy-fails-due-to-ownership-permissions-mismatch/td-p/132101

Author: denik

NEXT_CHANGELOG.md

@@ -5,6 +5,8 @@
 ### Breaking Changes
 
 * Remove stale resources/datasources/documentation related to Clean Room services.
+* databricks\_permissions resource no longer updates permissions on delete. This is to mitigate an issue with incorrect IS\_OWNER being set ([#5096](https://github.com/databricks/terraform-provider-databricks/pull/5096))
+
 ### New Features and Improvements
 
 * Add `arm` option to `databricks_node_type` instead of `graviton` ([#5028](https://github.com/databricks/terraform-provider-databricks/pull/5028))

permissions/resource_permissions.go

@@ -92,6 +92,13 @@ func (a PermissionsAPI) Update(objectID string, entity entity.PermissionsEntity,
 // by the current user and admin group. If the resource has IS_OWNER permissions, they are reset to the
 // object creator, if it can be determined.
 func (a PermissionsAPI) Delete(objectID string, mapping resourcePermissions) error {
+	if mapping.objectType == "pipelines" {
+		// There is a bug which causes the code below send IS_OWNER with run_as identity
+		// Which is of course wrong thing to do.
+		// For non-admin users this results in the error: https://community.databricks.com/t5/data-engineering/dab-dlt-destroy-fails-due-to-ownership-permissions-mismatch/td-p/132101
+		// For admin users situation is worse but there is no error, it silently changes owner to wrong identity.
+		return nil
+	}
 	objectACL, err := a.readRaw(objectID, mapping)
 	if err != nil {
 		return err

permissions/resource_permissions_test.go

@@ -12,7 +12,6 @@ import (
 	"github.com/databricks/databricks-sdk-go/experimental/mocks"
 	"github.com/databricks/databricks-sdk-go/service/iam"
 	"github.com/databricks/databricks-sdk-go/service/jobs"
-	"github.com/databricks/databricks-sdk-go/service/pipelines"
 	"github.com/databricks/databricks-sdk-go/service/workspace"
 	"github.com/databricks/terraform-provider-databricks/common"
 	"github.com/databricks/terraform-provider-databricks/permissions/entity"
@@ -1464,46 +1463,6 @@ func TestShouldDeleteNonExistentJob(t *testing.T) {
 
 func TestShouldKeepAdminsOnAnythingExceptPasswordsAndAssignsOwnerForPipeline(t *testing.T) {
 	qa.MockWorkspaceApply(t, func(mwc *mocks.MockWorkspaceClient) {
-		mwc.GetMockPipelinesAPI().EXPECT().GetByPipelineId(mock.Anything, "123").Return(&pipelines.GetPipelineResponse{
-			CreatorUserName: "[email protected]",
-		}, nil)
-		e := mwc.GetMockPermissionsAPI().EXPECT()
-		e.Get(mock.Anything, iam.GetPermissionRequest{
-			RequestObjectId:   "123",
-			RequestObjectType: "pipelines",
-		}).Return(&iam.ObjectPermissions{
-			ObjectId:   "/pipelines/123",
-			ObjectType: "pipeline",
-			AccessControlList: []iam.AccessControlResponse{
-				{
-					GroupName: "admins",
-					AllPermissions: []iam.Permission{
-						{
-							PermissionLevel: "CAN_DO_EVERYTHING",
-							Inherited:       true,
-						},
-						{
-							PermissionLevel: "CAN_MANAGE",
-							Inherited:       false,
-						},
-					},
-				},
-			},
-		}, nil)
-		e.Set(mock.Anything, iam.SetObjectPermissions{
-			RequestObjectId:   "123",
-			RequestObjectType: "pipelines",
-			AccessControlList: []iam.AccessControlRequest{
-				{
-					GroupName:       "admins",
-					PermissionLevel: "CAN_MANAGE",
-				},
-				{
-					UserName:        "[email protected]",
-					PermissionLevel: "IS_OWNER",
-				},
-			},
-		}).Return(nil, nil)
 	}, func(ctx context.Context, client *common.DatabricksClient) {
 		p := NewPermissionsAPI(ctx, client)
 		mapping := getResourcePermissions("pipeline_id", "pipelines")