Refresh databricks_grants with latest permissible grants #2567

Merged (4 commits), Aug 15, 2023
18 changes: 18 additions & 0 deletions catalog/resource_grants.go
Expand Up @@ -102,6 +102,9 @@ func getPermissionEndpoint(securable, name string) string {
if securable == "share" {
return fmt.Sprintf("/unity-catalog/shares/%s/permissions", name)
}
if securable == "the_connection" {
Contributor:

Is `the_connection` the correct name for the securable?

Contributor Author (@nkvuong), Aug 8, 2023:

bad typo 😶‍🌫️

Contributor Author:

I've added a test to confirm.

return fmt.Sprintf("/unity-catalog/permissions/foreign_connection/%s", name)
}
return fmt.Sprintf("/unity-catalog/permissions/%s/%s", securable, name)
}
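Review bot: the new branch compares `securable` against `"the_connection"`, which can never match the `"foreign_connection"` key that this same change adds to `mapping` further down the file, so the branch is dead code as written (the thread already flags the typo). Note also that its body returns `/unity-catalog/permissions/foreign_connection/<name>`, which is exactly what the generic `return fmt.Sprintf("/unity-catalog/permissions/%s/%s", securable, name)` fallback would produce for `securable == "foreign_connection"`, so even with the comparison fixed the branch changes nothing. If the Terraform field was named to dodge a reserved word (as the `// avoid reserved field` comment on the mapping suggests) and the API's securable type is spelled differently, this function is where that translation must happen, and the literal in the `Sprintf` should be the API-side name rather than the Terraform field name. The test mentioned in the thread should pin the full URL for a `foreign_connection` grant so that a mismatch between the two strings fails in CI instead of at `terraform apply` time.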

Expand Down Expand Up @@ -174,9 +177,11 @@ var mapping = securableMapping{

// v1.0
"ALL_PRIVILEGES": true,
"BROWSE": true,
},
"view": {
"SELECT": true,
"BROWSE": true,
},
"catalog": {
"CREATE": true,
Expand All @@ -190,13 +195,15 @@ var mapping = securableMapping{
"CREATE_TABLE": true,
"CREATE_FUNCTION": true,
"CREATE_MATERIALIZED_VIEW": true,
"CREATE_MODEL": true,
"CREATE_VOLUME": true,
"READ_VOLUME": true,
"WRITE_VOLUME": true,
"EXECUTE": true,
"MODIFY": true,
"SELECT": true,
"REFRESH": true,
"BROWSE": true,
},
"schema": {
"CREATE": true,
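Review bot: `CREATE_MODEL` and `BROWSE` are appended to the `catalog` and `schema` allowlists here, but nothing in the diff exercises them; since `mapping` is what decides whether a `privileges` value from a user's config is accepted, a table-driven test that runs each newly added constant through the validation path would keep this hand-maintained allowlist from silently diverging from what the API accepts. The visible portions of the `catalog` and `schema` sets are now identical line for line, so a shared variable (or one set built from the other) would turn future additions like this one into a single edit.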
Expand All @@ -208,13 +215,15 @@ var mapping = securableMapping{
"CREATE_TABLE": true,
"CREATE_FUNCTION": true,
"CREATE_MATERIALIZED_VIEW": true,
"CREATE_MODEL": true,
"CREATE_VOLUME": true,
"READ_VOLUME": true,
"WRITE_VOLUME": true,
"EXECUTE": true,
"MODIFY": true,
"SELECT": true,
"REFRESH": true,
"BROWSE": true,
},
"storage_credential": {
"CREATE_TABLE": true,
Expand All @@ -236,6 +245,7 @@ var mapping = securableMapping{
"CREATE_EXTERNAL_TABLE": true,
"CREATE_MANAGED_STORAGE": true,
"CREATE_EXTERNAL_VOLUME": true,
"BROWSE": true,
},
"metastore": {
// v1.0
Expand Down Expand Up @@ -270,6 +280,14 @@ var mapping = securableMapping{
"READ_VOLUME": true,
"WRITE_VOLUME": true,
},
// avoid reserved field
"foreign_connection": {
"ALL_PRIVILEGES": true,
"CREATE_FOREIGN_CATALOG": true,
"CREATE_FOREIGN_SCHEMA": true,
"CREATE_FOREIGN_TABLE": true,
"USE_CONNECTION": true,
},
}

func setToStrings(set *schema.Set) (ss []string) {
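Review bot: the `// avoid reserved field` comment on `"foreign_connection"` should state what is reserved and by whom, otherwise the next person to touch this map will be tempted to rename the key to match the securable's API name. Because this key is the Terraform-facing name, every place that turns a key into a URL (see `getPermissionEndpoint` earlier in this file) has to know about the rename; a comment here pointing at that function, or a small name-translation table kept next to `mapping`, would keep the two from drifting apart.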
19 changes: 5 additions & 14 deletions docs/resources/grants.md
Expand Up @@ -3,10 +3,13 @@ subcategory: "Unity Catalog"
---
# databricks_grants Resource

-> **Note**
It is required to define all permissions for a securable in a single resource, otherwise Terraform cannot guarantee config drift prevention.

-> **Note**
This article refers to the privileges and inheritance model in Privilege Model version 1.0. If you created your metastore during the public preview (before August 25, 2022), you can upgrade to Privilege Model version 1.0 following [Upgrade to privilege inheritance](https://docs.databricks.com/data-governance/unity-catalog/hive-metastore.html)

-> **Notes**
-> **Note**
Unity Catalog APIs are accessible via **workspace-level APIs**. This design may change in the future. Account-level principal grants can be assigned with any valid workspace as the Unity Catalog is decoupled from specific workspaces. More information in [the official documentation](https://docs.databricks.com/data-governance/unity-catalog/index.html).

In Unity Catalog all users initially have no access to data. Only Metastore Admins can create objects and can grant/revoke access on individual objects to users and groups. Every securable object in Unity Catalog has an owner. The owner can be any account-level user or group, called principals in general. The principal that creates an object becomes its owner. Owners receive `ALL_PRIVILEGES` on the securable object (e.g., `SELECT` and `MODIFY` on a table), as well as the permission to grant privileges to other principals.
Expand All @@ -18,22 +21,10 @@ Every `databricks_grants` resource must have exactly one securable identifier an
- `principal` - User name, group name or service principal application ID.
- `privileges` - One or more privileges that are specific to a securable type.

The securable objects are:

- `METASTORE`: The top-level container for metadata. Each metastore exposes a three-level namespace (`catalog`.`schema`.`table`) that organizes your data.
- `CATALOG`: The first layer of the object hierarchy, used to organize your data assets.
- `SCHEMA`: Also known as databases, schemas are the second layer of the object hierarchy and contain tables, volumes and views.
- `TABLE`: The lowest level in the object hierarchy, tables can be _external_ (stored in external locations in your cloud storage of choice) or _managed_ tables (stored in a storage container in your cloud storage that you create expressly for UC).
- `VIEW`: A read-only object created from one or more tables that is contained within a schema.
- `VOLUME`: An object contained within a schema that allows accessing, storing, governing, and organizing files. Volumes unlock new processing capabilities for data governed by the Unity Catalog, including support for most machine learning and data science workloads.
- `EXTERNAL LOCATION`: An object that contains a reference to a storage credential and a cloud storage path that is contained within a metatore.
- `STORAGE CREDENTIAL`: An object that encapsulates a long-term cloud credential that provides access to cloud storage that is contained within a metatore.
- `SHARE`: A logical grouping for the tables you intend to share using Delta Sharing. A share is contained within a Unity Catalog metastore.
For the latest list of privilege types that apply to each securable object in Unity Catalog, please refer to the [official documentation](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/privileges.html#privilege-types-by-securable-object-in-unity-catalog)

Terraform will handle any configuration drift on every `terraform apply` run, even when grants are changed outside of Terraform state.

It is required to define all permissions for a securable in a single resource, otherwise Terraform cannot guarantee config drift prevention.

Unlike the [SQL specification](https://docs.databricks.com/sql/language-manual/sql-ref-privileges.html#privilege-types), all privileges to be written with underscore instead of space, e.g. `CREATE_TABLE` and not `CREATE TABLE`. Below summarizes which privilege types apply to each securable object in the catalog:

## Metastore grants
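Review bot: the securable list removed here was the only place the docs enumerated what can appear on the left-hand side of a `databricks_grants` block, and the official page that replaces it lists securables by their API names; the Go hunk in this PR adds a Terraform field called `foreign_connection` that will not appear under that name in the linked page, so at least a one-line mention of the field (and a block example in the per-securable sections that follow) is needed or users will not discover it. Minor: the new link uses `docs.databricks.com/en/...` while the other links on this page omit `/en/`; one consistent link form makes later bulk updates easier.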