Skip to content

Alternative implementation of databricks_permission resource for managing permissions for individual principals. #5186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: feature/resource-permission
Choose a base branch
from
Open

Alternative implementation of databricks_permission resource for managing permissions for individual principals. #5186

wants to merge 1 commit into from

Conversation

@alexott
Copy link
Contributor

@alexott alexott commented Nov 4, 2025

Changes

This resource provides fine-grained control over permissions by managing a single principal's access to a single object, unlike databricks_permissions, which manages all principals' access to an object at once. This is particularly useful for:

  • Managing permissions for different teams independently
  • Token and password authorization permissions that previously required all principals in one resource
  • Avoiding conflicts when multiple configurations manage different principals on the same object

Caveat: Since we cannot remove an individual permission, the Delete operation is performed as Read/Put, so we need to use a lock around each object.

Tests

  • make test run locally
  • relevant change in docs/ folder
  • covered with integration tests in internal/acceptance
  • using Go SDK
  • using TF Plugin Framework
  • has entry in NEXT_CHANGELOG.md file

@alexott
Alternative implementation of databricks_permission resource for ma…
a0e6c1f 
…naging permissions for individual principals.

This resource provides fine-grained control over permissions by managing a single principal's access to a single object, unlike `databricks_permissions`, which manages all principals' access to an object at once. This is particularly useful for:

- Managing permissions for different teams independently
- Token and password authorization permissions that previously required all principals in one resource
- Avoiding conflicts when multiple configurations manage different principals on the same object

Caveat: Since we cannot remove an individual permission, the `Delete` operation is performed as `Read/Put`, so we need to use a lock around each object.
@alexott alexott requested review from a team as code owners November 4, 2025 20:31
@alexott alexott requested review from Tejas-Kochar and removed request for a team November 4, 2025 20:31
@alexott alexott temporarily deployed to test-trigger-is November 4, 2025 20:31 — with GitHub Actions Inactive
@alexott alexott requested a review from mgyucht November 4, 2025 20:32
@alexott alexott temporarily deployed to test-trigger-is November 4, 2025 20:32 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tejas-Kochar Tejas-Kochar Awaiting requested review from Tejas-Kochar Tejas-Kochar is a code owner automatically assigned from databricks/eng-plat-auto-exp-reviewers

@mgyucht mgyucht Awaiting requested review from mgyucht

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alexott