Fixed databricks_permissions for calling user to CAN_MANAGE on databricks_mlflow_model (#1507)

smurching · web-flow · commit e9bf1f76f9dd · 2022-08-02T08:41:15.000Z
Ensure that calling user always has CAN_MANAGE permission on MLflow models. Fixes #1504
diff --git a/permissions/resource_permissions.go b/permissions/resource_permissions.go
@@ -124,18 +124,43 @@ func urlPathForObjectID(objectID string) string {
 	return "/permissions" + objectID
 }
 
-// Helper function to select the correct HTTP method depending on the object types.
+// As described in https://github.com/databricks/terraform-provider-databricks/issues/1504,
+// certain object types require that we explicitly grant the calling user CAN_MANAGE
+// permissions when POSTing permissions changes through the REST API, to avoid accidentally
+// revoking the calling user's ability to manage the current object.
+func (a PermissionsAPI) shouldExplicitlyGrantCallingUserManagePermissions(objectID string) bool {
+	for _, prefix := range [...]string{"/registered-models/"} {
+		if strings.HasPrefix(objectID, prefix) {
+			return true
+		}
+	}
+	return isDbsqlPermissionsWorkaroundNecessary(objectID)
+}
+
+func (a PermissionsAPI) ensureCurrentUserCanManageObject(objectID string, objectACL AccessControlChangeList) (AccessControlChangeList, error) {
+	if !a.shouldExplicitlyGrantCallingUserManagePermissions(objectID) {
+		return objectACL, nil
+	}
+	me, err := scim.NewUsersAPI(a.context, a.client).Me()
+	if err != nil {
+		return objectACL, err
+	}
+	objectACL.AccessControlList = append(objectACL.AccessControlList, AccessControlChange{
+		UserName:        me.UserName,
+		PermissionLevel: "CAN_MANAGE",
+	})
+	return objectACL, nil
+}
+
+// Helper function for applying permissions changes. Ensures that
+// we select the correct HTTP method based on the object type and preserve the calling
+// user's ability to manage the specified object when applying permissions changes.
 func (a PermissionsAPI) put(objectID string, objectACL AccessControlChangeList) error {
+	objectACL, err := a.ensureCurrentUserCanManageObject(objectID, objectACL)
+	if err != nil {
+		return err
+	}
 	if isDbsqlPermissionsWorkaroundNecessary(objectID) {
-		// SQLA entities always have `CAN_MANAGE` permission for the calling user.
-		me, err := scim.NewUsersAPI(a.context, a.client).Me()
-		if err != nil {
-			return err
-		}
-		objectACL.AccessControlList = append(objectACL.AccessControlList, AccessControlChange{
-			UserName:        me.UserName,
-			PermissionLevel: "CAN_MANAGE",
-		})
 		// SQLA entities use POST for permission updates.
 		return a.client.Post(a.context, urlPathForObjectID(objectID), objectACL, nil)
 	}
diff --git a/permissions/resource_permissions_test.go b/permissions/resource_permissions_test.go
@@ -121,6 +121,210 @@ func TestResourcePermissionsRead_RemovedCluster(t *testing.T) {
 	}.ApplyNoError(t)
 }
 
+func TestResourcePermissionsRead_Mlflow_Model(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		// Pass list of API request mocks
+		Fixtures: []qa.HTTPFixture{
+			me,
+			{
+				Method:   http.MethodGet,
+				Resource: "/api/2.0/permissions/registered-models/fakeuuid123",
+				Response: ObjectACL{
+					ObjectID:   "/registered-models/fakeuuid123",
+					ObjectType: "registered-model",
+					AccessControlList: []AccessControl{
+						{
+							UserName:        TestingUser,
+							PermissionLevel: "CAN_READ",
+						},
+						{
+							UserName:        TestingAdminUser,
+							PermissionLevel: "CAN_MANAGE",
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourcePermissions(),
+		Read:     true,
+		New:      true,
+		ID:       "/registered-models/fakeuuid123",
+	}.Apply(t)
+	assert.NoError(t, err, err)
+	assert.Equal(t, "/registered-models/fakeuuid123", d.Id())
+	ac := d.Get("access_control").(*schema.Set)
+	require.Equal(t, 1, len(ac.List()))
+	firstElem := ac.List()[0].(map[string]any)
+	assert.Equal(t, TestingUser, firstElem["user_name"])
+	assert.Equal(t, "CAN_READ", firstElem["permission_level"])
+}
+
+func TestResourcePermissionsCreate_Mlflow_Model(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			me,
+			{
+				Method:   http.MethodPut,
+				Resource: "/api/2.0/permissions/registered-models/fakeuuid123",
+				ExpectedRequest: AccessControlChangeList{
+					AccessControlList: []AccessControlChange{
+						{
+							UserName:        TestingUser,
+							PermissionLevel: "CAN_READ",
+						},
+						{
+							UserName:        TestingAdminUser,
+							PermissionLevel: "CAN_MANAGE",
+						},
+					},
+				},
+			},
+			{
+				Method:   http.MethodGet,
+				Resource: "/api/2.0/permissions/registered-models/fakeuuid123",
+				Response: ObjectACL{
+					ObjectID:   "/registered-models/fakeuuid123",
+					ObjectType: "registered-model",
+					AccessControlList: []AccessControl{
+						{
+							UserName:        TestingUser,
+							PermissionLevel: "CAN_READ",
+						},
+						{
+							UserName:        TestingAdminUser,
+							PermissionLevel: "CAN_MANAGE",
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourcePermissions(),
+		State: map[string]any{
+			"registered_model_id": "fakeuuid123",
+			"access_control": []any{
+				map[string]any{
+					"user_name":        TestingUser,
+					"permission_level": "CAN_READ",
+				},
+			},
+		},
+		Create: true,
+	}.Apply(t)
+	assert.NoError(t, err, err)
+	ac := d.Get("access_control").(*schema.Set)
+	require.Equal(t, 1, len(ac.List()))
+	firstElem := ac.List()[0].(map[string]any)
+	assert.Equal(t, TestingUser, firstElem["user_name"])
+	assert.Equal(t, "CAN_READ", firstElem["permission_level"])
+}
+
+func TestResourcePermissionsUpdate_Mlflow_Model(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			me,
+			{
+				Method:   http.MethodPut,
+				Resource: "/api/2.0/permissions/registered-models/fakeuuid123",
+				ExpectedRequest: AccessControlChangeList{
+					AccessControlList: []AccessControlChange{
+						{
+							UserName:        TestingUser,
+							PermissionLevel: "CAN_READ",
+						},
+						{
+							UserName:        TestingAdminUser,
+							PermissionLevel: "CAN_MANAGE",
+						},
+					},
+				},
+			},
+			{
+				Method:   http.MethodGet,
+				Resource: "/api/2.0/permissions/registered-models/fakeuuid123",
+				Response: ObjectACL{
+					ObjectID:   "/registered-models/fakeuuid123",
+					ObjectType: "registered-model",
+					AccessControlList: []AccessControl{
+						{
+							UserName:        TestingUser,
+							PermissionLevel: "CAN_READ",
+						},
+						{
+							UserName:        TestingAdminUser,
+							PermissionLevel: "CAN_MANAGE",
+						},
+					},
+				},
+			},
+		},
+		InstanceState: map[string]string{
+			"registered_model_id": "fakeuuid123",
+		},
+		HCL: `
+		registered_model_id = "fakeuuid123"
+
+		access_control {
+			user_name = "ben"
+			permission_level = "CAN_READ"
+		}
+		`,
+		Resource: ResourcePermissions(),
+		Update:   true,
+		// Removed:  true,
+		ID: "/registered-models/fakeuuid123",
+	}.Apply(t)
+	assert.NoError(t, err, err)
+	assert.Equal(t, "/registered-models/fakeuuid123", d.Id())
+	ac := d.Get("access_control").(*schema.Set)
+	require.Equal(t, 1, len(ac.List()))
+	firstElem := ac.List()[0].(map[string]any)
+	assert.Equal(t, TestingUser, firstElem["user_name"])
+	assert.Equal(t, "CAN_READ", firstElem["permission_level"])
+}
+
+func TestResourcePermissionsDelete_Mlflow_Model(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			me,
+			{
+				Method:   http.MethodGet,
+				Resource: "/api/2.0/permissions/registered-models/fakeuuid123",
+				Response: ObjectACL{
+					ObjectID:   "/registered-models/fakeuuid123",
+					ObjectType: "registered-model",
+					AccessControlList: []AccessControl{
+						{
+							UserName:        TestingUser,
+							PermissionLevel: "CAN_READ",
+						},
+						{
+							UserName:        TestingAdminUser,
+							PermissionLevel: "CAN_MANAGE",
+						},
+					},
+				},
+			},
+			{
+				Method:   http.MethodPut,
+				Resource: "/api/2.0/permissions/registered-models/fakeuuid123",
+				ExpectedRequest: AccessControlChangeList{
+					AccessControlList: []AccessControlChange{
+						{
+							UserName:        TestingAdminUser,
+							PermissionLevel: "CAN_MANAGE",
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourcePermissions(),
+		Delete:   true,
+		ID:       "/registered-models/fakeuuid123",
+	}.Apply(t)
+	assert.NoError(t, err, err)
+	assert.Equal(t, "/registered-models/fakeuuid123", d.Id())
+}
+
 func TestResourcePermissionsRead_SQLA_Asset(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
