-
Notifications
You must be signed in to change notification settings - Fork 356
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ISSUE] Secret scope ACL is set to MANAGE for all users by default and no way to override #322
Comments
The only supported principal for this option is the group users, which contains all users in the workspace. If initial_manage_principal is not specified, the initial ACL with MANAGE permission applied to the scope is assigned to the API request issuer’s user identity. From the api documentation from the databricks api: https://docs.databricks.com/dev-tools/api/latest/secrets.html. You have two options one is initial_acl will be "users" or no initial managed principal then it will be user used to create the secret. Those are the only two options provided by the API. To get around this you can create an acl and associate that with the scope and then there will be an actual ACL that is tied to the scope. Let me know if that addresses your concerns/question. @jordanjennings |
@stikkireddy The workaround does not remove the So for example, with this terraform:
I end up with an ACL like:
And with what I think you're suggesting as a workaround, like this:
I end up with this ACL:
As far as I can see there is no way to remove Note that in a previous version of the provider I was able to provide an empty string like this:
However, older versions of the provider had numerous other bugs so rolling back isn't a viable option. Let me know if I can provide more details to clarify anything. |
@jordanjennings which cloud are you using? |
@nfx Running on Azure Databricks |
@jordanjennings what would you prefer - disabling |
@alexott I would prefer not to specify the value at all, because then I would reasonably expect it to do whatever is the default behavior for the API. That said, assuming that the underlying API isn't going to change, I would suggest a design change to this resource to be more clear and have something like:
My order of preference for how to fix this issue:
|
@jordanjennings thank you for your preferences - I'll implement first option tomorrow. I'm not sure about setting this field to |
i'll prefer to remove default value of |
@nfx Good point, since option 1 is not viable then just to be overly clear: Option 2 (strongly preferred):
Option 3:
|
option 2 is more in line with long-term vision on provider. |
@jordanjennings released in 0.2.7 |
Hello, I have an ACL on a scope as follows. This does not state that the default 'users' group has any privilege on the resource. Hence, I assumed it should be a 'DENY' for 'users' by default.
But, surprisingly, users other than 'user123' are also able to READ and use secrets from this scope. The other users have a workspace admin privileges (Entitlements: Workspace access, Databricks SQL access, Allow unrestricted cluster creation, allow-instance-pool-create). Question,
Regards |
Terraform Version
Affected Resource(s)
databricks_secret_scope
Terraform Configuration Files
Expected Behavior
A secret scope is created with only the user whose databricks authentication is being used having MANAGE access
Actual Behavior
All users are given MANAGE access to the secret scope
Steps to Reproduce
terraform apply
The underlying issue appears to be that the Databricks API is somewhat limited and requires that
initial_manage_principal
be omitted OR be set tousers
. Surprisingly it does not allow a caller to specify a specific desired manage principal, even if you set the principal to match the calling user.In the provider code I see that there's a default value of
Users
set for this field: https://github.com/databrickslabs/terraform-provider-databricks/blob/master/access/resource_secret_scope.go#L83There should be no default for this field if it's not present, because the API sets the value to the current user only if the parameter is not present in the API call. Any other value is rejected by the API with a 400 error code.
The text was updated successfully, but these errors were encountered: