[FEATURE]: legacy Deny ACL is not handled #1803
Description
Is there an existing issue for this?
- I have searched the existing issues
Problem statement
In our legacy table ACLs, there are DENY operations. However, the current UCX version 0.24.0 only supports GRANT and REVOKE operations. This discrepancy causes errors on apply_permissions_to_account_groups step when running the Group Migration job.
The following error occurs:
Unknown: Action Unknown ActionType DENIED_CREATE cannot be granted on database `xxxx`
On our HMS there are 6 denial cases.
DENIED_READ_METADATADENIED_MODIFYDENIED_CREATE_NAMED_FUNCTIONDENIED_SELECTDENIED_USAGEDENIED_CREATE
This issue is blocking the successful execution of Group Migration tasks and needs to be addressed to ensure smooth migration and permission application processes.
Proposed Solution
I think it can be resolved just checking DENIED_ prefix exists on actions.
def hive_grant_sql(self) -> list[str]:
object_type, object_key = self.this_type_and_key()
# See https://docs.databricks.com/en/sql/language-manual/security-grant.html
statements = []
actions = self.action_type.split(", ")
if "OWN" in actions:
actions.remove("OWN")
statements.append(self._set_owner_sql(object_type, object_key))
if actions:
for action in actions:
if "DENIED" in action:
deny_action = action.replace("DENIED_", "")
statements.append(self._apply_deny_sql(deny_action, object_type, object_key))
else:
statements.append(self._apply_grant_sql(action, object_type, object_key))
return statements
...
def _apply_deny_sql(self, action_type, object_type, object_key):
return f"DENY {action_type} ON {object_type} {escape_sql_identifier(object_key)} TO `{self.principal}`"Please refer my commit on forked repo.
Thanks! 😄
Additional Context
No response