[FEATURE]: Create UC External Location, Schema, and Table Grants based on workspace-wide Azure SPN mount points #94

Closed
nfx opened this issue Aug 23, 2023 · 8 comments · Fixed by #1374
Assignees
Labels
cloud/azure issues related to Azure feat/cli CLI commands migrate/access-control Access Control to things migrate/external go/uc/upgrade SYNC EXTERNAL TABLES step

Comments

@nfx
Collaborator

nfx commented Aug 23, 2023

Problem statement

If we have Azure Blob Storage mount points, data is accessible for all clusters and warehouses in the workspace (at least for those people who have access to those warehouses/clusters). We need to migrate that to UC ACLs.

Related issues:

Proposed Solution

  • Get all permissions for all clusters and sql warehouses
  • Create relevant permissions to External Locations that those mounts get converted into
@nfx
Collaborator Author

nfx commented Aug 25, 2023

Use command executor to run Scala code from the Terraform exporter: https://github.com/databricks/ucx/blob/main/tests/integration/test_installation.py#L76-L79

@nfx nfx assigned william-conti and unassigned william-conti Aug 25, 2023
@william-conti william-conti self-assigned this Sep 11, 2023
@nfx nfx added this to the 1 month milestone Sep 18, 2023
@nfx nfx added the enhancement New feature or request label Sep 18, 2023
@william-conti william-conti removed their assignment Sep 25, 2023
@zpappa

zpappa commented Sep 28, 2023

Mounts should be going to volumes, not external locations.

@william-conti @nfx can we get a write up on this proposal?

@pohlposition pohlposition added the migrate/external go/uc/upgrade SYNC EXTERNAL TABLES step label Sep 28, 2023
@zpappa

zpappa commented Sep 28, 2023

Does this only work for AWS?
What about if the mount point is in Azure or GCP?

@zpappa

zpappa commented Sep 28, 2023

Is this part of the assessment? It's linked in a PRD as related to it, but it seems more like part of sync tables.

Can you clarify @nfx?

@william-conti
Contributor

@zpappa Not very sure that mounts should automatically go to Volumes; what if there is an external table in there? Could you please elaborate?

Right now we've pushed the assessment part only

@pohlposition
Contributor

pohlposition commented Oct 2, 2023

Is this Issue just for Mounts migrating to External Locations or does it also include Mounts migrating to Volumes?

I didn't see an issue for Volumes but can create one.

Both of these are dependent on Issue #100 (Create CREDENTIALs and EXTERNAL LOCATIONs)

The holistic set of things that need to be addressed are (in no particular order):

  1. Crawl and record mount point paths (done)
  2. Parse notebooks for absolute paths (s3://, s3a://, abfss://, etc.) and record them
  3. Map all paths to either an external location or an external volume
  4. Allow the path mapping to be modified if desired
  5. Map External Locations to External Tables & old table namespace to UC table namespace (Given an HMS table name and database, get the new full name of table in UC #323)
  6. Allow the Location to Table mapping to be modified if desired
  7. Crawl and record instance profiles
  8. Map all instance profiles to a CREDENTIAL
  9. Highlight which paths might not have a CREDENTIAL mapping
  10. Allow the credential mapping to be modified if desired
  11. Indicate to the user which IAM Roles / Managed Identities / etc. need to be modified to (and how) for UC to assume them
  12. Create CREDENTIALs
  13. Create EXTERNAL LOCATIONs
     • Need to figure out how to GRANT read vs write
  14. Create EXTERNAL VOLUMEs
     • Need to figure out how to GRANT read vs write
  15. Create EXTERNAL TABLEs
  16. Migrate TACL GRANTS to EXTERNAL TABLES
  17. Have a separate method for users to move a VOLUME or TABLE to a different namespace if so desired (after workspace N has been upgraded)

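As an added example (not ucx's code), this carries through the mapping the first comment proposes and items 3, 5, 9 and 12-13 of the list above: constructed mounts and compute ACLs become external-location names, READ FILES grants for every principal who could attach to a cluster or use a warehouse, and a list of mounts whose storage account has no credential. The naming scheme, the permission-level sets and all sample values are assumptions.

```python
# Added example (not ucx code): mounts -> UC external locations + READ FILES grants; sample data is constructed.
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Mount:
    path: str    # DBFS mount path, e.g. /mnt/sales
    source: str  # abfss://container@account.dfs.core.windows.net/prefix

# Compute permission levels that let a principal run code, hence read every mount in the workspace.
CLUSTER_USE, WAREHOUSE_USE = {"CAN_ATTACH_TO", "CAN_RESTART", "CAN_MANAGE"}, {"CAN_USE", "CAN_MANAGE"}

def storage_account(source):   # 'abfss://c@acct.dfs.core.windows.net/x' -> 'acct'
    return urlparse(source).netloc.partition("@")[2].split(".")[0]

def external_location_name(mount):
    """Deterministic name: <account>_<container>[_<prefix with / as _>]."""
    u = urlparse(mount.source)
    prefix = u.path.strip("/").replace("/", "_")
    return "_".join(p for p in (storage_account(mount.source), u.netloc.partition("@")[0], prefix) if p)

def resolve_table_location(location, mounts):
    """Longest-prefix match of a dbfs:/mnt/... table location against the mounts (item 5)."""
    path = location[len("dbfs:"):] if location.startswith("dbfs:") else location
    hits = [m for m in mounts if path == m.path or path.startswith(m.path.rstrip("/") + "/")]
    return max(hits, key=lambda m: len(m.path), default=None)

def plan_grants(mounts, compute_acls, credentials_by_account):
    """Emit CREATE EXTERNAL LOCATION + READ FILES grants; flag mounts lacking a credential.
    Only READ FILES is inferred: mount access shows reads were possible, not that writes are needed."""
    readers = sorted({p for p, kind, level in compute_acls if (kind == "cluster" and level in CLUSTER_USE)
                      or (kind == "warehouse" and level in WAREHOUSE_USE)})
    statements, missing = [], []
    for m in mounts:
        cred = credentials_by_account.get(storage_account(m.source))
        if cred is None:              # item 9: path with no CREDENTIAL mapping
            missing.append(m.path)
            continue
        name = external_location_name(m)
        statements.append(f"CREATE EXTERNAL LOCATION IF NOT EXISTS `{name}` "
                          f"URL '{m.source}' WITH (STORAGE CREDENTIAL `{cred}`)")
        statements += [f"GRANT READ FILES ON EXTERNAL LOCATION `{name}` TO `{p}`" for p in readers]
    return {"statements": statements, "missing_credential": missing}

MOUNTS = [Mount("/mnt/sales", "abfss://sales@acmelake.dfs.core.windows.net/"),   # constructed
          Mount("/mnt/raw/landing", "abfss://raw@acmelake.dfs.core.windows.net/landing"),
          Mount("/mnt/legacy", "abfss://archive@oldlake.dfs.core.windows.net/")]
COMPUTE_ACLS = [("analysts", "cluster", "CAN_ATTACH_TO"), ("data-eng", "cluster", "CAN_MANAGE"),
                ("finance", "warehouse", "CAN_USE"), ("auditors", "warehouse", "CAN_MONITOR")]
CREDENTIALS_BY_ACCOUNT = {"acmelake": "acmelake_spn"}  # oldlake has no SPN credential yet
```

Running `plan_grants(MOUNTS, COMPUTE_ACLS, CREDENTIALS_BY_ACCOUNT)` yields two external locations with three READ FILES grants each, no grant for the monitor-only principal, and `/mnt/legacy` reported as blocked on a missing credential.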
@nfx nfx added the feat/cli CLI commands label Dec 6, 2023
@nfx nfx changed the title from "Semi-automated mounts migration to external locations" to "Figure out storage credential permissions for external locations based on mount points" Dec 6, 2023
@nfx nfx added the cloud/azure issues related to Azure label Feb 5, 2024
@nfx nfx changed the title from "Figure out storage credential permissions for external locations based on mount points" to "[FEATURE]: Create UC External Location, Schema, and Table Grants based on workspace-wide SPN mount points" Mar 13, 2024
@nfx nfx added credentials migrate/access-control Access Control to things and removed enhancement New feature or request labels Mar 25, 2024
@nfx nfx changed the title from "[FEATURE]: Create UC External Location, Schema, and Table Grants based on workspace-wide SPN mount points" to "[FEATURE]: Create UC External Location, Schema, and Table Grants based on workspace-wide Azure SPN mount points" Apr 4, 2024
@nfx
Collaborator Author

nfx commented Apr 22, 2024

@pritishpai when is it going to be done?

@pritishpai
Contributor

> @pritishpai when is it going to be done?

Pushed latest changes to incorporate group ACLs over databases/tables over mounts.

@nfx nfx closed this as completed in #1374 Apr 22, 2024
nfx pushed a commit that referenced this issue Apr 22, 2024
…ace-wide Azure SPN mount points (#1374)

## Changes
Most work already addressed in
#1285

### Linked issues
<!-- DOC: Link issue with a keyword: close, closes, closed, fix, fixes,
fixed, resolve, resolves, resolved. See
https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
-->

Closes #94

### Functionality 

- [ ] added relevant user documentation
- [ ] added new CLI command
- [ ] modified existing command: `databricks labs ucx ...`
- [ ] added a new workflow
- [ ] modified existing workflow: `...`
- [ ] added a new table
- [ ] modified existing table: `...`

### Tests
<!-- How is this tested? Please see the checklist below and also
describe any other relevant tests -->

- [ ] manually tested
- [ ] added unit tests
- [ ] added integration tests
- [ ] verified on staging environment (screenshot attached)
5 participants