Filter current user from resource permissions #1262
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1262 +/- ##
==========================================
+ Coverage 52.07% 52.15% +0.07%
==========================================
Files 314 315 +1
Lines 17877 17918 +41
==========================================
+ Hits 9310 9345 +35
- Misses 7877 7881 +4
- Partials 690 692 +2 ☔ View full report in Codecov by Sentry. |
|
The CLI integration tests pass on this PR. Nightlies are green. |
andrewnester
approved these changes
Mar 11, 2024
| // after a depth of 4. | ||
| // [resource_type].[resource_name].[permissions].[array_index] | ||
| // Example: pipelines.foo.permissions.0 | ||
| if len(p) > 4 { |
There was a problem hiding this comment.
Do you really need this clause? The condition below will fire up earlier anyway if I understand correct and you won't go further than taht
There was a problem hiding this comment.
Yeah you are right, it'll be the same. If in the future the permissions block becomes more complex though this will act as another boundary condition. Being more conservative about the boundary conditions helps reason about it better IMO.
There was a problem hiding this comment.
It works both ways, additional conditions add additional cognitive load into what is happening. From what we're trying to achieve, the code might have looked like
if len(p) == 4 && len[2] == "permissions" {
// do mutation
}
return v, nil
if you inverse this it will look like
if len(p) != 4 || len[2] != "permissions" {
return v, nil
}
// do mutate
It does not utilise ErrSkip though but makes it easier to reason about
pietern
added a commit
that referenced
this pull request
Mar 25, 2024
CLI: * Propagate correct `User-Agent` for CLI during OAuth flow ([#1264](#1264)). * Add usage string when command fails with incorrect arguments ([#1276](#1276)). Bundles: * Include `dyn.Path` as argument to the visit callback function ([#1260](#1260)). * Inline logic to set a value in `dyn.SetByPath` ([#1261](#1261)). * Add assertions for the `dyn.Path` argument to the visit callback ([#1265](#1265)). * Add `dyn.MapByPattern` to map a function to values with matching paths ([#1266](#1266)). * Filter current user from resource permissions ([#1262](#1262)). * Retain location annotation when expanding globs for pipeline libraries ([#1274](#1274)). * Added deployment state for bundles ([#1267](#1267)). * Do CheckRunningResource only after terraform.Write ([#1292](#1292)). * Rewrite relative paths using `dyn.Location` of the underlying value ([#1273](#1273)). * Push deployment state right after files upload ([#1293](#1293)). * Make `Append` function to `dyn.Path` return independent slice ([#1295](#1295)). * Move bundle tests into bundle/tests ([#1299](#1299)). * Upgrade Terraform provider to 1.38.0 ([#1308](#1308)). Internal: * Add integration test for mlops-stacks initialization ([#1155](#1155)). * Update actions/setup-python to v5 ([#1290](#1290)). * Update codecov/codecov-action to v4 ([#1291](#1291)). API Changes: * Changed `databricks catalogs list` command. * Changed `databricks online-tables create` command. * Changed `databricks lakeview publish` command. * Added `databricks lakeview create` command. * Added `databricks lakeview get` command. * Added `databricks lakeview get-published` command. * Added `databricks lakeview trash` command. * Added `databricks lakeview update` command. * Moved settings related commands to `databricks settings` and `databricks account settings`. OpenAPI commit 93763b0d7ae908520c229c786fff28b8fd623261 (2024-03-20) Dependency updates: * Bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 ([#1270](#1270)). * Bump golang.org/x/mod from 0.15.0 to 0.16.0 ([#1271](#1271)). * Update Go SDK to v0.35.0 ([#1300](#1300)). * Update Go SDK to v0.36.0 ([#1304](#1304)).
Merged
github-merge-queue bot
pushed a commit
that referenced
this pull request
Mar 25, 2024
CLI: * Propagate correct `User-Agent` for CLI during OAuth flow ([#1264](#1264)). * Add usage string when command fails with incorrect arguments ([#1276](#1276)). Bundles: * Include `dyn.Path` as argument to the visit callback function ([#1260](#1260)). * Inline logic to set a value in `dyn.SetByPath` ([#1261](#1261)). * Add assertions for the `dyn.Path` argument to the visit callback ([#1265](#1265)). * Add `dyn.MapByPattern` to map a function to values with matching paths ([#1266](#1266)). * Filter current user from resource permissions ([#1262](#1262)). * Retain location annotation when expanding globs for pipeline libraries ([#1274](#1274)). * Added deployment state for bundles ([#1267](#1267)). * Do CheckRunningResource only after terraform.Write ([#1292](#1292)). * Rewrite relative paths using `dyn.Location` of the underlying value ([#1273](#1273)). * Push deployment state right after files upload ([#1293](#1293)). * Make `Append` function to `dyn.Path` return independent slice ([#1295](#1295)). * Move bundle tests into bundle/tests ([#1299](#1299)). * Upgrade Terraform provider to 1.38.0 ([#1308](#1308)). Internal: * Add integration test for mlops-stacks initialization ([#1155](#1155)). * Update actions/setup-python to v5 ([#1290](#1290)). * Update codecov/codecov-action to v4 ([#1291](#1291)). API Changes: * Changed `databricks catalogs list` command. * Changed `databricks online-tables create` command. * Changed `databricks lakeview publish` command. * Added `databricks lakeview create` command. * Added `databricks lakeview get` command. * Added `databricks lakeview get-published` command. * Added `databricks lakeview trash` command. * Added `databricks lakeview update` command. * Moved settings related commands to `databricks settings` and `databricks account settings`. OpenAPI commit 93763b0d7ae908520c229c786fff28b8fd623261 (2024-03-20) Dependency updates: * Bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 ([#1270](#1270)). * Bump golang.org/x/mod from 0.15.0 to 0.16.0 ([#1271](#1271)). * Update Go SDK to v0.35.0 ([#1300](#1300)). * Update Go SDK to v0.36.0 ([#1304](#1304)).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
The databricks terraform provider does not allow changing permission of the current user. Instead, the current identity is implictly set to be the owner of all resources on the platform side.
This PR introduces a mutator to filter permissions from the bundle configuration at deploy time, allowing users to define permissions for their own identities in their bundle config.
This would allow configurations like, allowing both alice and bob to collaborate on the same DAB:
This PR is a reincarnation of #1145. The earlier attempt had to be reverted due to metadata loss converting to and from the dynamic configuration representation (reverted here: #1179)
Tests
Unit test and manually