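--- a/acceptance/bundle/validate/permissions_overlap/databricks.yml
+++ b/acceptance/bundle/validate/permissions_overlap/databricks.yml
@@ -0,0 +1,27 @@
+bundle:
+name: test-bundle
+
+permissions:
+- level: CAN_MANAGE
+user_name: overlap@example.com
+- level: CAN_VIEW
+group_name: some_group
+
+resources:
+jobs:
+overlapping_job:
+tasks:
+- task_key: main
+notebook_task:
+notebook_path: /Workspace/Users/user@example.com/notebook
+source: WORKSPACE
+permissions:
+- level: CAN_VIEW
+user_name: overlap@example.com
+
+other_job:
+tasks:
+- task_key: main
+notebook_task:
+notebook_path: /Workspace/Users/user@example.com/notebook
+source: WORKSPACE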
3 changes: 3 additions & 0 deletions acceptance/bundle/validate/permissions_overlap/out.test.toml


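--- a/acceptance/bundle/validate/permissions_overlap/output.txt
+++ b/acceptance/bundle/validate/permissions_overlap/output.txt
@@ -0,0 +1,44 @@
+Warning: 'jobs' already has permissions set for 'overlap@example.com' user name
+
+Recommendation: permissions section should explicitly include the current deployment identity '[USERNAME]' or one of its groups
+If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
+
+Consider using a adding a top-level permissions section such as the following:
+
+permissions:
+- user_name: [USERNAME]
+level: CAN_MANAGE
+
+See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration.
+in databricks.yml:5:3
+
+{
+"other_job": [
+{
+"level": "CAN_MANAGE",
+"user_name": "overlap@example.com"
+},
+{
+"group_name": "some_group",
+"level": "CAN_VIEW"
+},
+{
+"level": "IS_OWNER",
+"user_name": "[USERNAME]"
+}
+],
+"overlapping_job": [
+{
+"level": "CAN_VIEW",
+"user_name": "overlap@example.com"
+},
+{
+"group_name": "some_group",
+"level": "CAN_VIEW"
+},
+{
+"level": "IS_OWNER",
+"user_name": "[USERNAME]"
+}
+]
+}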
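Review bot: The warning this golden file locks in does not say which permission level is in effect after the overlap, even though the JSON below shows the outcome clearly: the top-level CAN_MANAGE for overlap@example.com is not applied to overlapping_job, which keeps only CAN_VIEW. A reader cannot tell from `'jobs' already has permissions set for 'overlap@example.com' user name` whether the result is an intended narrowing or an accidental loss of management access, so a clause such as `the resource-level permission takes precedence` would make the effective grant explicit. The message text presumably comes from isPermissionOverlap rather than this PR, so changing it means updating that string and regenerating this file. The same recommendation block also carries a wording slip, `Consider using a adding a top-level permissions section`, which should read `Consider adding a top-level permissions section`.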
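--- a/acceptance/bundle/validate/permissions_overlap/script
+++ b/acceptance/bundle/validate/permissions_overlap/script
@@ -0,0 +1 @@
+$CLI bundle validate -o json | jq '.resources.jobs | map_values(.permissions)'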
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/databricks/cli/libs/diag"
"github.com/databricks/cli/libs/dyn"
"github.com/databricks/cli/libs/dyn/convert"
"github.com/databricks/cli/libs/logdiag"
"github.com/databricks/databricks-sdk-go/service/iam"
)

Expand Down Expand Up @@ -236,9 +237,10 @@ func notifyForPermissionOverlap(
resourcePermissions []resources.Permission,
resourceName string,
) bool {
isOverlap, _ := isPermissionOverlap(permission, resourcePermissions, resourceName)
// TODO: When we start to collect all diagnostics at the top level and visualize jointly,
// use diagnostics returned from isPermissionOverlap to display warnings
isOverlap, diagnostics := isPermissionOverlap(permission, resourcePermissions, resourceName)
for _, d := range diagnostics {
logdiag.LogDiag(ctx, d)
}

return isOverlap
}
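Review bot: `logdiag.LogDiag(ctx, d)` needs a `ctx` in scope, but the signature of notifyForPermissionOverlap begins above this hunk, so it cannot be confirmed here that the function already takes a `context.Context` parameter; the import hunk adds only logdiag, so `ctx` must already exist for this to compile. The function now emits warnings as a side effect while still returning only a bool, which the signature does not convey to callers; a doc comment above the signature would help: `// notifyForPermissionOverlap reports whether permission overlaps an entry in resourcePermissions. Any diagnostics produced by isPermissionOverlap are emitted through logdiag rather than returned to the caller.` The removed TODO described collecting diagnostics at the top level; if logdiag is that mechanism, saying so in the comment explains why the diagnostics are logged rather than propagated.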
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/databricks/cli/bundle"
"github.com/databricks/cli/bundle/config"
"github.com/databricks/cli/bundle/config/resources"
"github.com/databricks/cli/libs/diag"
"github.com/databricks/databricks-sdk-go/service/jobs"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -191,6 +192,10 @@ func TestWarningOnOverlapPermission(t *testing.T) {
diags := bundle.Apply(t.Context(), b, ApplyBundlePermissions())
require.NoError(t, diags.Error())

require.Len(t, diags, 1)
require.Equal(t, diag.Warning, diags[0].Severity)
require.Equal(t, "'jobs' already has permissions set for 'TestUser' user name", diags[0].Summary)

require.Contains(t, b.Config.Resources.Jobs["job_1"].Permissions, resources.JobPermission{Level: "CAN_VIEW", UserName: "TestUser"})
require.Contains(t, b.Config.Resources.Jobs["job_1"].Permissions, resources.JobPermission{Level: "CAN_VIEW", GroupName: "TestGroup"})
require.Contains(t, b.Config.Resources.Jobs["job_2"].Permissions, resources.JobPermission{Level: "CAN_VIEW", UserName: "TestUser2"})
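Review bot: The new assertions after `require.Len(t, diags, 1)` pin the warning's Severity and Summary but not where it points, even though the acceptance output for this feature reports a location (`in databricks.yml:5:3`); if diag.Diagnostic carries location information, asserting it here would catch a regression where the warning is still emitted but no longer attached to the offending permissions entry. The test also relies on a diagnostic that the implementation logs through logdiag showing up in the slice returned by bundle.Apply, a link that is not visible in the test itself; a one-line comment such as `// diagnostics logged via logdiag are expected to surface in the result of bundle.Apply — confirm against the logdiag test setup` would spare the next reader the same question. TestWarningOnOverlapPermission starts above this hunk.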