Added support for top-level permissions #928
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrewnester
requested review from
pietern,
lennartkats-db and
shreyas-goenka
pietern
reviewed
Oct 27, 2023
| func (m *topLevelPermissions) validate(b *bundle.Bundle) error { | ||
| for _, p := range b.Config.Permissions { | ||
| if !slices.Contains(allowedLevels, p.Level) { | ||
| return fmt.Errorf("invalid permission level: %s, allowed values: [%s]", p.Level, strings.Join(allowedLevels, ", ")) |
There was a problem hiding this comment.
When the location annotations work we can figure out exactly where this was defined and emit a diagnostic.
bundle/permissions/utils.go
Outdated
| // If there is permission overlap, show a warning to the user | ||
| if isOverlap { | ||
| for _, d := range diagnostics { | ||
| cmdio.LogString(ctx, d.Summary) |
There was a problem hiding this comment.
Can you leave this one out for now? I'd like for us to collect all diagnostics at the top level and visualize jointly.
| } | ||
|
|
||
| if notifyForPermissionOverlap(ctx, p, resourcePermissions, resourceName) { | ||
| continue |
There was a problem hiding this comment.
We should consider overriding permissions here if bundle permissions are larger in scope than the resource permissions.
Consider the case:
permissions:
user_name: abc
level: CAN_MANAGE
jobs:
foo:
permissions: {
user_name: "abc"
level: CAN_VIEW
},
In this case the correct behavior IMO might be for abc to have CAN_MANAGE access to the job. I guess the intention here is to provide users the ability to downgrade permission scope per resource?
There was a problem hiding this comment.
@shreyas-goenka not really, as per discussuions with Pieter, Lennart and Fabian we agreed that at this momemnt if such overlap occurs we just want to notify customers about to avoid any unambiguity in permissions and potential errors in configurations.
|
I would recommend the ability to have permissions per environment - it's very typical that in prod environments engineers have only |
|
@alexott That is possible with this PR. The permissions at the top level and the top level of the selected target are combined by appending the target level ones to the root ones. |
pietern
reviewed
Nov 8, 2023
pietern
approved these changes
Nov 10, 2023
Merged
pietern
added a commit
that referenced
this pull request
Nov 29, 2023
This release includes the new `databricks labs` command to install, manage, and run Databricks Labs projects. CLI: * Add `--debug` as shortcut for `--log-level debug` ([#964](#964)). * Improved usability of `databricks auth login ... --configure-cluster` ([#956](#956)). * Make `databricks configure` save only explicit fields ([#973](#973)). * Add `databricks labs` command group ([#914](#914)). * Tolerate missing .databrickscfg file during `databricks auth login` ([#1003](#1003)). * Add `--configure-cluster` flag to configure command ([#1005](#1005)). * Fix bug where the account or workspace client could be `nil` ([#1020](#1020)). Bundles: * Do not allow empty descriptions for bundle template inputs ([#967](#967)). * Added support for top-level permissions ([#928](#928)). * Allow jobs to be manually unpaused in development mode ([#885](#885)). * Fix template initialization from current working directory ([#976](#976)). * Add `--tag` and `--branch` options to bundle init command ([#975](#975)). * Work around DLT issue with `$PYTHONPATH` not being set correctly ([#999](#999)). * Enable `spark_jar_task` with local JAR libraries ([#993](#993)). * Pass `USERPROFILE` environment variable to Terraform ([#1001](#1001)). * Improve error message when path is not a bundle template ([#985](#985)). * Correctly overwrite local state if remote state is newer ([#1008](#1008)). * Add mlops-stacks to the default `databricks bundle init` prompt ([#988](#988)). * Do not add wheel content hash in uploaded Python wheel path ([#1015](#1015)). * Do not replace pipeline libraries if there are no matches for pattern ([#1021](#1021)). Internal: * Update CLI version in the VS Code extension during release ([#1014](#1014)). API Changes: * Changed `databricks functions create` command . New request type is . * Changed `databricks metastores create` command with new required argument order. * Removed `databricks metastores enable-optimization` command. * Removed `databricks account o-auth-enrollment` command group. * Removed `databricks apps delete` command. * Removed `databricks apps get` command. * Added `databricks apps delete-app` command. * Added `databricks apps get-app` command. * Added `databricks apps get-app-deployment-status` command. * Added `databricks apps get-apps` command. * Added `databricks apps get-events` command. * Added `databricks account network-connectivity` command group. OpenAPI commit 22f09783eb8a84d52026f856be3b2068f9498db3 (2023-11-23) Dependency updates: * Bump golang.org/x/term from 0.13.0 to 0.14.0 ([#981](#981)). * Bump github.com/hashicorp/terraform-json from 0.17.1 to 0.18.0 ([#979](#979)). * Bump golang.org/x/oauth2 from 0.13.0 to 0.14.0 ([#982](#982)). * Bump github.com/databricks/databricks-sdk-go from 0.24.0 to 0.25.0 ([#980](#980)). * Bump github.com/databricks/databricks-sdk-go from 0.25.0 to 0.26.0 ([#1019](#1019)).
github-merge-queue bot
pushed a commit
that referenced
this pull request
Nov 29, 2023
This release includes the new `databricks labs` command to install, manage, and run Databricks Labs projects. CLI: * Add `--debug` as shortcut for `--log-level debug` ([#964](#964)). * Improved usability of `databricks auth login ... --configure-cluster` ([#956](#956)). * Make `databricks configure` save only explicit fields ([#973](#973)). * Add `databricks labs` command group ([#914](#914)). * Tolerate missing .databrickscfg file during `databricks auth login` ([#1003](#1003)). * Add `--configure-cluster` flag to configure command ([#1005](#1005)). * Fix bug where the account or workspace client could be `nil` ([#1020](#1020)). Bundles: * Do not allow empty descriptions for bundle template inputs ([#967](#967)). * Added support for top-level permissions ([#928](#928)). * Allow jobs to be manually unpaused in development mode ([#885](#885)). * Fix template initialization from current working directory ([#976](#976)). * Add `--tag` and `--branch` options to bundle init command ([#975](#975)). * Work around DLT issue with `$PYTHONPATH` not being set correctly ([#999](#999)). * Enable `spark_jar_task` with local JAR libraries ([#993](#993)). * Pass `USERPROFILE` environment variable to Terraform ([#1001](#1001)). * Improve error message when path is not a bundle template ([#985](#985)). * Correctly overwrite local state if remote state is newer ([#1008](#1008)). * Add mlops-stacks to the default `databricks bundle init` prompt ([#988](#988)). * Do not add wheel content hash in uploaded Python wheel path ([#1015](#1015)). * Do not replace pipeline libraries if there are no matches for pattern ([#1021](#1021)). Internal: * Update CLI version in the VS Code extension during release ([#1014](#1014)). API Changes: * Changed `databricks functions create` command. * Changed `databricks metastores create` command with new required argument order. * Removed `databricks metastores enable-optimization` command. * Removed `databricks account o-auth-enrollment` command group. * Removed `databricks apps delete` command. * Removed `databricks apps get` command. * Added `databricks apps delete-app` command. * Added `databricks apps get-app` command. * Added `databricks apps get-app-deployment-status` command. * Added `databricks apps get-apps` command. * Added `databricks apps get-events` command. * Added `databricks account network-connectivity` command group. OpenAPI commit 22f09783eb8a84d52026f856be3b2068f9498db3 (2023-11-23) Dependency updates: * Bump golang.org/x/term from 0.13.0 to 0.14.0 ([#981](#981)). * Bump github.com/hashicorp/terraform-json from 0.17.1 to 0.18.0 ([#979](#979)). * Bump golang.org/x/oauth2 from 0.13.0 to 0.14.0 ([#982](#982)). * Bump github.com/databricks/databricks-sdk-go from 0.24.0 to 0.25.0 ([#980](#980)). * Bump github.com/databricks/databricks-sdk-go from 0.25.0 to 0.26.0 ([#1019](#1019)).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
Now it's possible to define top level
permissionssection in bundle configuration and permissions defined there will be applied to all resources defined in the bundle.Supported top-level permission levels: CAN_MANAGE, CAN_VIEW, CAN_RUN.
Permissions are applied to: Jobs, DLT Pipelines, ML Models, ML Experiments and Model Service Endpoints
Tests
Added corresponding unit tests + ran
bundle validateandbundle deploymanually