Adding safe return on grants (#246)

Adding a safe return for grants to handle corner cases

Author: william-conti

src/databricks/labs/ucx/hive_metastore/grants.py

@@ -1,3 +1,4 @@
+import logging
 from collections.abc import Iterator
 from dataclasses import dataclass
 from functools import partial
@@ -6,6 +7,8 @@
 from databricks.labs.ucx.framework.parallel import ThreadedExecution
 from databricks.labs.ucx.hive_metastore.tables import TablesCrawler
 
+logger = logging.getLogger(__name__)
+
 
 @dataclass(frozen=True)
 class Grant:
@@ -219,20 +222,24 @@ def _grants(
             any_file=any_file,
             anonymous_function=anonymous_function,
         )
-        object_type_normalization = {"SCHEMA": "DATABASE", "CATALOG$": "CATALOG"}
-        for row in self._fetch(f"SHOW GRANTS ON {on_type} {key}"):
-            (principal, action_type, object_type, _) = row
-            if object_type in object_type_normalization:
-                object_type = object_type_normalization[object_type]
-            if on_type != object_type:
-                continue
-            yield Grant(
-                principal=principal,
-                action_type=action_type,
-                table=table,
-                view=view,
-                database=database,
-                catalog=catalog,
-                any_file=any_file,
-                anonymous_function=anonymous_function,
-            )
+        try:
+            object_type_normalization = {"SCHEMA": "DATABASE", "CATALOG$": "CATALOG"}
+            for row in self._fetch(f"SHOW GRANTS ON {on_type} {key}"):
+                (principal, action_type, object_type, _) = row
+                if object_type in object_type_normalization:
+                    object_type = object_type_normalization[object_type]
+                if on_type != object_type:
+                    continue
+                yield Grant(
+                    principal=principal,
+                    action_type=action_type,
+                    table=table,
+                    view=view,
+                    database=database,
+                    catalog=catalog,
+                    any_file=any_file,
+                    anonymous_function=anonymous_function,
+                )
+        except RuntimeError as e:
+            logger.error(f"Couldn't fetch grants for object {on_type} {key}: {e}")
+            return []

tests/unit/hive_metastore/test_grants.py

@@ -165,3 +165,31 @@ def test_crawler_snapshot():
     crawler = GrantsCrawler(table)
     snapshot = crawler.snapshot("hive_metastore", "schema")
     assert len(snapshot) == 3
+
+
+def test_grants_returning_error_when_describing():
+    errors = {"SHOW GRANTS ON TABLE hive_metastore.test_database.table1": "error"}
+    rows = {
+        "SHOW TABLES FROM hive_metastore.test": [("dummy", "table1", False), ("dummy", "table2", False)],
+        "SHOW GRANTS ON TABLE hive_metastore.test_database.table2": [("principal1", "OWNER", "TABLE", "")],
+        "DESCRIBE *": [
+            ("Catalog", "catalog", ""),
+            ("Type", "delta", ""),
+        ],
+    }
+
+    tc = TablesCrawler(MockBackend(fails_on_first=errors, rows=rows), "main", "default")
+    crawler = GrantsCrawler(tc)
+
+    results = crawler._crawl(catalog="hive_metastore", database="test_database")
+    assert results == [
+        Grant(
+            principal="principal1",
+            action_type="OWNER",
+            catalog="hive_metastore",
+            database="test_database",
+            table="table2",
+            any_file=False,
+            anonymous_function=False,
+        )
+    ]