Convert READ_METADATA to UC BROWSE permission for tables, views and database (#3403)

<!-- REMOVE IRRELEVANT COMMENTS BEFORE CREATING A PULL REQUEST -->
## Changes
adds logic to convert READ_METADATA in hms grants to UC BROWSE
<!-- Summary of your changes that are easy to understand. Add
screenshots when necessary -->



Resolves #2023 

### Functionality

- [ ] modified existing workflow: `...`

### Tests
<!-- How is this tested? Please see the checklist below and also
describe any other relevant tests -->

- [ ] manually tested
- [ ] added unit tests
- [ ] added integration tests

Author: HariGS-DB

src/databricks/labs/ucx/hive_metastore/grants.py

@@ -189,14 +189,17 @@ def uc_grant_sql(self, object_type: str | None = None, object_key: str | None =
             ("FUNCTION", "SELECT"): self._uc_action("EXECUTE"),
             ("TABLE", "SELECT"): self._uc_action("SELECT"),
             ("TABLE", "MODIFY"): self._uc_action("MODIFY"),
+            ("TABLE", "READ_METADATA"): self._uc_action("BROWSE"),
             ("TABLE", "ALL PRIVILEGES"): self._uc_action("ALL PRIVILEGES"),
             ("TABLE", "OWN"): self._set_owner_sql,
             ("VIEW", "SELECT"): self._uc_action("SELECT"),
+            ("VIEW", "READ_METADATA"): self._uc_action("BROWSE"),
             ("VIEW", "OWN"): self._set_owner_sql,
             ("DATABASE", "USAGE"): self._uc_action("USE SCHEMA"),
             ("DATABASE", "CREATE"): self._uc_action("CREATE TABLE"),
             ("DATABASE", "CREATE_NAMED_FUNCTION"): self._uc_action("CREATE FUNCTION"),
             ("DATABASE", "SELECT"): self._uc_action("SELECT"),
+            ("DATABASE", "READ_METADATA"): self._uc_action("BROWSE"),
             ("DATABASE", "MODIFY"): self._uc_action("MODIFY"),
             ("DATABASE", "OWN"): self._set_owner_sql,
             ("CATALOG", "OWN"): self._set_owner_sql,

tests/integration/hive_metastore/test_grants.py

@@ -27,34 +27,41 @@ def test_all_grants_in_databases(runtime_ctx, sql_backend, make_group):
     empty_schema = runtime_ctx.make_schema()
     table_a = runtime_ctx.make_table(schema_name=schema_a.name)
     table_b = runtime_ctx.make_table(schema_name=schema_b.name)
+    table_c = runtime_ctx.make_table(schema_name=schema_c.name)
     view_c = runtime_ctx.make_table(schema_name=schema_a.name, view=True, ctas="SELECT id FROM range(10)")
     view_d = runtime_ctx.make_table(schema_name=schema_a.name, view=True, ctas="SELECT id FROM range(10)")
+    view_e = runtime_ctx.make_table(schema_name=schema_c.name, view=True, ctas="SELECT id FROM range(10)")
     table_e = runtime_ctx.make_table(schema_name=schema_c.name)
 
     sql_backend.execute(f"GRANT USAGE ON SCHEMA {schema_c.name} TO `{group_a.display_name}`")
     sql_backend.execute(f"GRANT USAGE ON SCHEMA {schema_c.name} TO `{group_b.display_name}`")
     sql_backend.execute(f"GRANT MODIFY ON TABLE {table_e.full_name} TO `{group_b.display_name}`")
     sql_backend.execute(f"GRANT SELECT ON TABLE {table_a.full_name} TO `{group_a.display_name}`")
     sql_backend.execute(f"GRANT SELECT ON TABLE {table_b.full_name} TO `{group_b.display_name}`")
+    sql_backend.execute(f"GRANT READ_METADATA ON TABLE {table_c.full_name} TO `{group_b.display_name}`")
     sql_backend.execute(f"GRANT MODIFY ON SCHEMA {schema_b.full_name} TO `{group_b.display_name}`")
-    sql_backend.execute(f"GRANT MODIFY ON SCHEMA {empty_schema.full_name} TO `{group_b.display_name}`")
+    sql_backend.execute(f"GRANT READ_METADATA ON SCHEMA {empty_schema.full_name} TO `{group_b.display_name}`")
     sql_backend.execute(f"GRANT MODIFY ON VIEW {view_c.full_name} TO `{group_b.display_name}`")
+    sql_backend.execute(f"GRANT READ_METADATA ON VIEW {view_e.full_name} TO `{group_b.display_name}`")
     sql_backend.execute(f"DENY MODIFY ON TABLE {view_d.full_name} TO `{group_b.display_name}`")
 
     all_grants = {}
     for grant in list(runtime_ctx.grants_crawler.snapshot()):
         logging.info(f"grant:\n{grant}\n  hive: {grant.hive_grant_sql()}\n  uc: {grant.uc_grant_sql()}")
-        object_type, object_key = grant.this_type_and_key()
-        all_grants[f"{grant.principal}.{object_type}.{object_key}"] = grant.action_type
+        all_grants[f"{grant.principal}.{grant.this_type_and_key()[0]}.{grant.this_type_and_key()[1]}"] = (
+            grant.action_type
+        )
 
-    assert len(all_grants) >= 9, "must have at least nine grants"
+    assert len(all_grants) >= 12, "must have at least twelve grants"
     assert all_grants[f"{group_a.display_name}.DATABASE.hive_metastore.{schema_c.name}"] == "USAGE"
     assert all_grants[f"{group_b.display_name}.DATABASE.hive_metastore.{schema_c.name}"] == "USAGE"
     assert all_grants[f"{group_a.display_name}.TABLE.{table_a.full_name}"] == "SELECT"
     assert all_grants[f"{group_b.display_name}.TABLE.{table_b.full_name}"] == "SELECT"
+    assert all_grants[f"{group_b.display_name}.TABLE.{table_c.full_name}"] == "READ_METADATA"
     assert all_grants[f"{group_b.display_name}.DATABASE.{schema_b.full_name}"] == "MODIFY"
-    assert all_grants[f"{group_b.display_name}.DATABASE.{empty_schema.full_name}"] == "MODIFY"
+    assert all_grants[f"{group_b.display_name}.DATABASE.{empty_schema.full_name}"] == "READ_METADATA"
     assert all_grants[f"{group_b.display_name}.VIEW.{view_c.full_name}"] == "MODIFY"
+    assert all_grants[f"{group_b.display_name}.VIEW.{view_e.full_name}"] == "READ_METADATA"
     assert all_grants[f"{group_b.display_name}.VIEW.{view_d.full_name}"] == "DENIED_MODIFY"
     assert all_grants[f"{group_b.display_name}.TABLE.{table_e.full_name}"] == "MODIFY"
 

tests/unit/hive_metastore/test_grants.py

@@ -129,7 +129,7 @@ def test_hive_deny_sql() -> None:
     [
         (
             Grant("user", "READ_METADATA", catalog="hive_metastore", database="mydb", table="mytable"),
-            None,
+            "GRANT BROWSE ON TABLE `hive_metastore`.`mydb`.`mytable` TO `user`",
         ),
         (
             Grant("me", "OWN", catalog="hive_metastore", database="mydb", table="mytable"),
@@ -139,6 +139,10 @@ def test_hive_deny_sql() -> None:
             Grant("me", "USAGE", catalog="hive_metastore", database="mydb"),
             "GRANT USE SCHEMA ON DATABASE `hive_metastore`.`mydb` TO `me`",
         ),
+        (
+            Grant("me", "READ_METADATA", catalog="hive_metastore", database="mydb"),
+            "GRANT BROWSE ON DATABASE `hive_metastore`.`mydb` TO `me`",
+        ),
         (
             Grant("me", "INVALID", catalog="hive_metastore", database="mydb"),
             None,
@@ -718,7 +722,7 @@ def grant_loader() -> list[Grant]:
         return [
             Grant(
                 principal="user",
-                action_type="READ_METADATA",
+                action_type="EXECUTE",
                 catalog=table.catalog,
                 database=table.database,
                 table=table.name,
@@ -737,7 +741,7 @@ def no_owner() -> list[Grant]:
     with caplog.at_level(logging.WARNING, logger="databricks.labs.ucx.hive_metastore.grants"):
         migrate_grants.apply(table, dataclasses.replace(table, catalog="catalog"))
     assert (
-        "failed-to-migrate: Hive metastore grant 'READ_METADATA' cannot be mapped to UC grant for TABLE 'catalog.database.table'"
+        "failed-to-migrate: Hive metastore grant 'EXECUTE' cannot be mapped to UC grant for TABLE 'catalog.database.table'"
         in caplog.text
     )
     group_manager.assert_not_called()

tests/unit/progress/test_grants.py

@@ -44,8 +44,8 @@ def test_grant_progress_encoder_no_failures(mock_backend, grant: Grant) -> None:
             "Action 'DENY' on DATABASE 'hive_metastore.schema' unmappable to Unity Catalog",
         ),
         (
-            Grant("principal", "READ_METADATA", "hive_metastore", "schema", "table"),
-            "Action 'READ_METADATA' on TABLE 'hive_metastore.schema.table' unmappable to Unity Catalog",
+            Grant("principal", "READ_METADATA", "hive_metastore", "schema", udf="function"),
+            "Action 'READ_METADATA' on FUNCTION 'hive_metastore.schema.function' unmappable to Unity Catalog",
         ),
     ],
 )