// Code generated from OpenAPI specs by Databricks SDK Generator. DO NOT EDIT.
package iam
import (
"context"
)
// AccountAccessControlService manages access rules on resources in an
// account. Currently, only grant rules are supported. A grant rule specifies a
// role assigned to a set of principals. A list of rules attached to a resource
// is called a rule set.
//
// The request and response types used below are declared elsewhere in package
// iam; only the method set is defined here.
type AccountAccessControlService interface {
// GetAssignableRolesForResource gets all the roles that can be granted on
// an account-level resource. A role is grantable if the rule set on the
// resource can contain an access rule of the role.
GetAssignableRolesForResource(ctx context.Context, request GetAssignableRolesForResourceRequest) (*GetAssignableRolesForResourceResponse, error)
// GetRuleSet gets a rule set by its name. A rule set is always attached to
// a resource and contains the list of access rules on that resource.
// Currently only a default rule set for each resource is supported.
GetRuleSet(ctx context.Context, request GetRuleSetRequest) (*RuleSetResponse, error)
// UpdateRuleSet replaces the rules of a rule set.
//
// Read the current version of the rule set with GetRuleSet before
// modifying it; this pattern helps prevent conflicts between concurrent
// updates. The call replaces the rules rather than adding to them, so a
// grant left out of the request is presumably removed: build the request
// from the rule set that was just read.
// NOTE(review): how the version is carried in UpdateRuleSetRequest is not
// visible in this file - confirm against the request type.
UpdateRuleSet(ctx context.Context, request UpdateRuleSetRequest) (*RuleSetResponse, error)
}
// AccountAccessControlProxyService manages access rules on resources in an
// account. Currently, only grant rules are supported. A grant rule specifies a
// role assigned to a set of principals. A list of rules attached to a resource
// is called a rule set. A workspace must belong to an account for these APIs
// to work.
type AccountAccessControlProxyService interface {
// GetAssignableRolesForResource gets all the roles that can be granted on
// an account-level resource. A role is grantable if the rule set on the
// resource can contain an access rule of the role.
GetAssignableRolesForResource(ctx context.Context, request GetAssignableRolesForResourceRequest) (*GetAssignableRolesForResourceResponse, error)
// GetRuleSet gets a rule set by its name. A rule set is always attached to
// a resource and contains the list of access rules on that resource.
// Currently only a default rule set for each resource is supported.
GetRuleSet(ctx context.Context, request GetRuleSetRequest) (*RuleSetResponse, error)
// UpdateRuleSet replaces the rules of a rule set.
//
// First use GetRuleSet to read the current version of the rule set before
// modifying it; this pattern helps prevent conflicts between concurrent
// updates. The call replaces the rules rather than adding to them, so a
// grant left out of the request is presumably removed: build the request
// from the rule set that was just read.
// NOTE(review): how the version is carried in UpdateRuleSetRequest is not
// visible in this file - confirm against the request type.
UpdateRuleSet(ctx context.Context, request UpdateRuleSetRequest) (*RuleSetResponse, error)
}
// AccountGroupsService manages groups in a Databricks account. Groups simplify
// identity management, making it easier to assign access to Databricks
// account, data, and other securable objects.
//
// It is best practice to assign access to workspaces and access-control
// policies in Unity Catalog to groups, instead of to users individually. All
// Databricks account identities can be assigned as members of groups, and
// members inherit permissions that are assigned to their group. A change to a
// group therefore changes the effective access of every member, so calls that
// modify groups deserve the same review as direct permission grants.
type AccountGroupsService interface {
// Create creates a group in the Databricks account with a unique name,
// using the supplied group details.
Create(ctx context.Context, request Group) (*Group, error)
// Delete deletes a group from the Databricks account.
Delete(ctx context.Context, request DeleteAccountGroupRequest) error
// Get gets the information for a specific group in the Databricks account.
Get(ctx context.Context, request GetAccountGroupRequest) (*Group, error)
// List gets all details of the groups associated with the Databricks
// account.
//
// Use ListAll() to get all Group instances, which will iterate over every
// result page. ListAll is not declared on this interface.
List(ctx context.Context, request ListAccountGroupsRequest) (*ListGroupsResponse, error)
// Patch partially updates the details of a group.
Patch(ctx context.Context, request PartialUpdate) error
// Update updates the details of a group by replacing the entire group
// entity.
// NOTE(review): because the whole entity is replaced, fields left unset in
// the request are presumably cleared; prefer Patch for a targeted change -
// confirm against the API documentation.
Update(ctx context.Context, request Group) error
}
// AccountServicePrincipalsService manages service principals in a Databricks
// account: identities for use with jobs, automated tools, and systems such as
// scripts, apps, and CI/CD platforms. Databricks recommends creating service
// principals to run production jobs or modify production data. If all
// processes that act on production data run with service principals,
// interactive users do not need any write, delete, or modify privileges in
// production. This eliminates the risk of a user overwriting production data
// by accident.
type AccountServicePrincipalsService interface {
// Create creates a new service principal in the Databricks account.
Create(ctx context.Context, request ServicePrincipal) (*ServicePrincipal, error)
// Delete deletes a single service principal in the Databricks account.
Delete(ctx context.Context, request DeleteAccountServicePrincipalRequest) error
// Get gets the details for a single service principal defined in the
// Databricks account.
Get(ctx context.Context, request GetAccountServicePrincipalRequest) (*ServicePrincipal, error)
// List gets the set of service principals associated with a Databricks
// account.
//
// Use ListAll() to get all ServicePrincipal instances, which will iterate
// over every result page. ListAll is not declared on this interface.
List(ctx context.Context, request ListAccountServicePrincipalsRequest) (*ListServicePrincipalResponse, error)
// Patch partially updates the details of a single service principal in the
// Databricks account.
Patch(ctx context.Context, request PartialUpdate) error
// Update updates the details of a single service principal.
//
// This action replaces the existing service principal with the same name.
// NOTE(review): fields left unset in the request are presumably cleared by
// the replacement; prefer Patch for a targeted change - confirm against
// the API documentation.
Update(ctx context.Context, request ServicePrincipal) error
}
// AccountUsersService manages user identities recognized by Databricks and
// represented by email addresses.
//
// Databricks recommends using SCIM provisioning to sync users and groups
// automatically from your identity provider to your Databricks account. SCIM
// streamlines onboarding a new employee or team by using your identity provider
// to create users and groups in Databricks account and give them the proper
// level of access. When a user leaves your organization or no longer needs
// access to Databricks account, admins can terminate the user in your identity
// provider and that user's account will also be removed from Databricks
// account. This ensures a consistent offboarding process and prevents
// unauthorized users from accessing sensitive data.
type AccountUsersService interface {
// Create creates a new user in the Databricks account. This new user will
// also be added to the Databricks account.
Create(ctx context.Context, request User) (*User, error)
// Delete deletes a user. Deleting a user from a Databricks account also
// removes objects associated with the user, so the call is destructive
// beyond the identity record itself.
Delete(ctx context.Context, request DeleteAccountUserRequest) error
// Get gets information for a specific user in Databricks account.
Get(ctx context.Context, request GetAccountUserRequest) (*User, error)
// List gets details for all the users associated with a Databricks
// account.
//
// Use ListAll() to get all User instances, which will iterate over every
// result page. ListAll is not declared on this interface.
List(ctx context.Context, request ListAccountUsersRequest) (*ListUsersResponse, error)
// Patch partially updates a user resource by applying the supplied
// operations on specific user attributes.
Patch(ctx context.Context, request PartialUpdate) error
// Update replaces a user's information with the data supplied in request.
// NOTE(review): attributes left unset in the request are presumably
// cleared by the replacement; prefer Patch for a targeted change - confirm
// against the API documentation.
Update(ctx context.Context, request User) error
}
// CurrentUserService retrieves information about the currently authenticated
// user or service principal.
type CurrentUserService interface {
// Me gets details about the identity of the caller of this method. It takes
// no request argument beyond the context, so the identity is determined by
// the credentials the call is made with, not by a caller-supplied id.
Me(ctx context.Context) (*User, error)
}
// GroupsService manages groups in a Databricks workspace. Groups simplify
// identity management, making it easier to assign access to Databricks
// workspace, data, and other securable objects.
//
// It is best practice to assign access to workspaces and access-control
// policies in Unity Catalog to groups, instead of to users individually. All
// Databricks workspace identities can be assigned as members of groups, and
// members inherit permissions that are assigned to their group. A change to a
// group therefore changes the effective access of every member, so calls that
// modify groups deserve the same review as direct permission grants.
type GroupsService interface {
// Create creates a group in the Databricks workspace with a unique name,
// using the supplied group details.
Create(ctx context.Context, request Group) (*Group, error)
// Delete deletes a group from the Databricks workspace.
Delete(ctx context.Context, request DeleteGroupRequest) error
// Get gets the information for a specific group in the Databricks
// workspace.
Get(ctx context.Context, request GetGroupRequest) (*Group, error)
// List gets all details of the groups associated with the Databricks
// workspace.
//
// Use ListAll() to get all Group instances, which will iterate over every
// result page. ListAll is not declared on this interface.
List(ctx context.Context, request ListGroupsRequest) (*ListGroupsResponse, error)
// Patch partially updates the details of a group.
Patch(ctx context.Context, request PartialUpdate) error
// Update updates the details of a group by replacing the entire group
// entity.
// NOTE(review): because the whole entity is replaced, fields left unset in
// the request are presumably cleared; prefer Patch for a targeted change -
// confirm against the API documentation.
Update(ctx context.Context, request Group) error
}
// PermissionMigrationService exposes the undocumented permission migration
// APIs used in https://github.com/databrickslabs/ucx.
//
// The API is described here as undocumented, so its behavior may change
// without notice; treat it as unstable outside that tool.
type PermissionMigrationService interface {
// MigratePermissions migrates a batch of permissions from a workspace
// local group to an account group.
// NOTE(review): whether the workspace local group keeps its permissions
// after the migration, and how large a batch is, cannot be told from this
// file - confirm against PermissionMigrationRequest and the response type.
MigratePermissions(ctx context.Context, request PermissionMigrationRequest) (*PermissionMigrationResponse, error)
}
// PermissionsService is the Permissions API, used to create read, write, edit,
// update and manage access for various users on different objects and
// endpoints.
//
// * **[Cluster permissions](:service:clusters)** - Manage which users can
// manage, restart, or attach to clusters.
//
// * **[Cluster policy permissions](:service:clusterpolicies)** - Manage which
// users can use cluster policies.
//
// * **[Delta Live Tables pipeline permissions](:service:pipelines)** - Manage
// which users can view, manage, run, cancel, or own a Delta Live Tables
// pipeline.
//
// * **[Job permissions](:service:jobs)** - Manage which users can view,
// manage, trigger, cancel, or own a job.
//
// * **[MLflow experiment permissions](:service:experiments)** - Manage which
// users can read, edit, or manage MLflow experiments.
//
// * **[MLflow registered model permissions](:service:modelregistry)** -
// Manage which users can read, edit, or manage MLflow registered models.
//
// * **[Password permissions](:service:users)** - Manage which users can use
// password login when SSO is enabled.
//
// * **[Instance Pool permissions](:service:instancepools)** - Manage which
// users can manage or attach to pools.
//
// * **[Repo permissions](repos)** - Manage which users can read, run, edit,
// or manage a repo.
//
// * **[Serving endpoint permissions](:service:servingendpoints)** - Manage
// which users can view, query, or manage a serving endpoint.
//
// * **[SQL warehouse permissions](:service:warehouses)** - Manage which users
// can use or manage SQL warehouses.
//
// * **[Token permissions](:service:tokenmanagement)** - Manage which users
// can create or use tokens.
//
// * **[Workspace object permissions](:service:workspace)** - Manage which
// users can read, run, edit, or manage directories, files, and notebooks.
//
// For the mapping of the required permissions for specific actions or abilities
// and other important information, see [Access Control].
//
// Note that to manage access control on service principals, use **[Account
// Access Control Proxy](:service:accountaccesscontrolproxy)**.
//
// [Access Control]: https://docs.databricks.com/security/auth-authz/access-control/index.html
type PermissionsService interface {
// Get gets the permissions of an object. Objects can inherit permissions
// from their parent objects or root object, so the direct grants on an
// object are not necessarily the whole of the access to it.
Get(ctx context.Context, request GetPermissionRequest) (*ObjectPermissions, error)
// GetPermissionLevels gets the permission levels that a user can have on
// an object.
GetPermissionLevels(ctx context.Context, request GetPermissionLevelsRequest) (*GetPermissionLevelsResponse, error)
// Set sets permissions on an object. Objects can inherit permissions from
// their parent objects or root object.
//
// Set and Update take the same request type and return the same result
// type.
// NOTE(review): Set presumably replaces the existing direct permissions
// with the ones supplied while Update changes only the entries named in
// the request; the difference is not stated in this file, so confirm it
// before choosing Set, since a replacement can remove grants that were
// not listed.
Set(ctx context.Context, request PermissionsRequest) (*ObjectPermissions, error)
// Update updates the permissions on an object. Objects can inherit
// permissions from their parent objects or root object.
Update(ctx context.Context, request PermissionsRequest) (*ObjectPermissions, error)
}
// ServicePrincipalsService manages service principals in a Databricks
// workspace: identities for use with jobs, automated tools, and systems such
// as scripts, apps, and CI/CD platforms. Databricks recommends creating
// service principals to run production jobs or modify production data. If all
// processes that act on production data run with service principals,
// interactive users do not need any write, delete, or modify privileges in
// production. This eliminates the risk of a user overwriting production data
// by accident.
type ServicePrincipalsService interface {
// Create creates a new service principal in the Databricks workspace.
Create(ctx context.Context, request ServicePrincipal) (*ServicePrincipal, error)
// Delete deletes a single service principal in the Databricks workspace.
Delete(ctx context.Context, request DeleteServicePrincipalRequest) error
// Get gets the details for a single service principal defined in the
// Databricks workspace.
Get(ctx context.Context, request GetServicePrincipalRequest) (*ServicePrincipal, error)
// List gets the set of service principals associated with a Databricks
// workspace.
//
// Use ListAll() to get all ServicePrincipal instances, which will iterate
// over every result page. ListAll is not declared on this interface.
List(ctx context.Context, request ListServicePrincipalsRequest) (*ListServicePrincipalResponse, error)
// Patch partially updates the details of a single service principal in the
// Databricks workspace.
Patch(ctx context.Context, request PartialUpdate) error
// Update updates the details of a single service principal.
//
// This action replaces the existing service principal with the same name.
// NOTE(review): fields left unset in the request are presumably cleared by
// the replacement; prefer Patch for a targeted change - confirm against
// the API documentation.
Update(ctx context.Context, request ServicePrincipal) error
}
// UsersService manages user identities recognized by Databricks and
// represented by email addresses.
//
// Databricks recommends using SCIM provisioning to sync users and groups
// automatically from your identity provider to your Databricks workspace. SCIM
// streamlines onboarding a new employee or team by using your identity provider
// to create users and groups in Databricks workspace and give them the proper
// level of access. When a user leaves your organization or no longer needs
// access to Databricks workspace, admins can terminate the user in your
// identity provider and that user's account will also be removed from
// Databricks workspace. This ensures a consistent offboarding process and
// prevents unauthorized users from accessing sensitive data.
type UsersService interface {
// Create creates a new user in the Databricks workspace. This new user
// will also be added to the Databricks account, so the call has an effect
// beyond the workspace it is made against.
Create(ctx context.Context, request User) (*User, error)
// Delete deletes a user. Deleting a user from a Databricks workspace also
// removes objects associated with the user, so the call is destructive
// beyond the identity record itself.
Delete(ctx context.Context, request DeleteUserRequest) error
// Get gets information for a specific user in Databricks workspace.
Get(ctx context.Context, request GetUserRequest) (*User, error)
// GetPermissionLevels gets the password permission levels: the permission
// levels that a user can have on an object. It takes no request argument
// beyond the context.
GetPermissionLevels(ctx context.Context) (*GetPasswordPermissionLevelsResponse, error)
// GetPermissions gets the permissions of all passwords. Passwords can
// inherit permissions from their root object.
GetPermissions(ctx context.Context) (*PasswordPermissions, error)
// List gets details for all the users associated with a Databricks
// workspace.
//
// Use ListAll() to get all User instances, which will iterate over every
// result page. ListAll is not declared on this interface.
List(ctx context.Context, request ListUsersRequest) (*ListUsersResponse, error)
// Patch partially updates a user resource by applying the supplied
// operations on specific user attributes.
Patch(ctx context.Context, request PartialUpdate) error
// SetPermissions sets permissions on all passwords. Passwords can inherit
// permissions from their root object.
//
// SetPermissions and UpdatePermissions take the same request type.
// NOTE(review): SetPermissions presumably replaces the existing password
// permissions while UpdatePermissions changes only the entries named in
// the request; the difference is not stated in this file - confirm before
// use, since a replacement can remove grants that were not listed.
SetPermissions(ctx context.Context, request PasswordPermissionsRequest) (*PasswordPermissions, error)
// Update replaces a user's information with the data supplied in request.
// NOTE(review): attributes left unset in the request are presumably
// cleared by the replacement; prefer Patch for a targeted change - confirm
// against the API documentation.
Update(ctx context.Context, request User) error
// UpdatePermissions updates the permissions on all passwords. Passwords
// can inherit permissions from their root object.
UpdatePermissions(ctx context.Context, request PasswordPermissionsRequest) (*PasswordPermissions, error)
}
// WorkspaceAssignmentService is the Workspace Permission Assignment API, which
// allows you to manage workspace permissions for principals in your account.
type WorkspaceAssignmentService interface {
// Delete deletes the workspace permissions assignment in a given account
// and workspace for the specified principal.
Delete(ctx context.Context, request DeleteWorkspaceAssignmentRequest) error
// Get lists workspace permissions: it gets an array of workspace
// permissions for the specified account and workspace.
Get(ctx context.Context, request GetWorkspaceAssignmentRequest) (*WorkspacePermissions, error)
// List gets the permission assignments for the specified Databricks
// account and Databricks workspace.
//
// Use ListAll() to get all PermissionAssignment instances. ListAll is not
// declared on this interface.
List(ctx context.Context, request ListWorkspaceAssignmentRequest) (*PermissionAssignments, error)
// Update creates or updates the workspace permissions assignment in a
// given account and workspace for the specified principal. Because the
// same call both creates and updates, it succeeds whether or not the
// principal already had an assignment.
// NOTE(review): whether the supplied permissions replace or extend an
// existing assignment is not stated in this file - confirm against
// UpdateWorkspaceAssignments.
Update(ctx context.Context, request UpdateWorkspaceAssignments) (*PermissionAssignment, error)
}