2023-11-13 11:29:40 +00:00
|
|
|
package permissions
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2024-12-09 15:26:41 +00:00
|
|
|
"fmt"
|
|
|
|
|
"slices"
|
2023-11-13 11:29:40 +00:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/databricks/cli/bundle"
|
|
|
|
|
"github.com/databricks/cli/bundle/config"
|
|
|
|
|
"github.com/databricks/cli/bundle/config/resources"
|
2024-05-17 10:10:17 +00:00
|
|
|
"github.com/databricks/databricks-sdk-go/service/jobs"
|
2024-12-09 15:26:41 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2023-11-13 11:29:40 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestApplyBundlePermissions(t *testing.T) {
|
|
|
|
|
b := &bundle.Bundle{
|
|
|
|
|
Config: config.Root{
|
|
|
|
|
Workspace: config.Workspace{
|
|
|
|
|
RootPath: "/Users/foo@bar.com",
|
|
|
|
|
},
|
|
|
|
|
Permissions: []resources.Permission{
|
|
|
|
|
{Level: CAN_MANAGE, UserName: "TestUser"},
|
|
|
|
|
{Level: CAN_VIEW, GroupName: "TestGroup"},
|
|
|
|
|
{Level: CAN_RUN, ServicePrincipalName: "TestServicePrincipal"},
|
|
|
|
|
},
|
|
|
|
|
Resources: config.Resources{
|
|
|
|
|
Jobs: map[string]*resources.Job{
|
2024-05-17 10:10:17 +00:00
|
|
|
"job_1": {
|
|
|
|
|
JobSettings: &jobs.JobSettings{
|
|
|
|
|
Name: "job_1",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"job_2": {
|
|
|
|
|
JobSettings: &jobs.JobSettings{
|
|
|
|
|
Name: "job_2",
|
|
|
|
|
},
|
|
|
|
|
},
|
2023-11-13 11:29:40 +00:00
|
|
|
},
|
|
|
|
|
Pipelines: map[string]*resources.Pipeline{
|
2023-12-22 14:45:53 +00:00
|
|
|
"pipeline_1": {},
|
|
|
|
|
"pipeline_2": {},
|
2023-11-13 11:29:40 +00:00
|
|
|
},
|
|
|
|
|
Models: map[string]*resources.MlflowModel{
|
2023-12-22 14:45:53 +00:00
|
|
|
"model_1": {},
|
|
|
|
|
"model_2": {},
|
2023-11-13 11:29:40 +00:00
|
|
|
},
|
|
|
|
|
Experiments: map[string]*resources.MlflowExperiment{
|
2023-12-22 14:45:53 +00:00
|
|
|
"experiment_1": {},
|
|
|
|
|
"experiment_2": {},
|
2023-11-13 11:29:40 +00:00
|
|
|
},
|
|
|
|
|
ModelServingEndpoints: map[string]*resources.ModelServingEndpoint{
|
2023-12-22 14:45:53 +00:00
|
|
|
"endpoint_1": {},
|
|
|
|
|
"endpoint_2": {},
|
2023-11-13 11:29:40 +00:00
|
|
|
},
|
2024-12-09 15:26:41 +00:00
|
|
|
Dashboards: map[string]*resources.Dashboard{
|
|
|
|
|
"dashboard_1": {},
|
|
|
|
|
"dashboard_2": {},
|
|
|
|
|
},
|
2025-01-13 16:43:48 +00:00
|
|
|
Apps: map[string]*resources.App{
|
|
|
|
|
"app_1": {},
|
|
|
|
|
"app_2": {},
|
|
|
|
|
},
|
2023-11-13 11:29:40 +00:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-25 14:18:47 +00:00
|
|
|
diags := bundle.Apply(context.Background(), b, ApplyBundlePermissions())
|
|
|
|
|
require.NoError(t, diags.Error())
|
2023-11-13 11:29:40 +00:00
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Jobs["job_1"].Permissions, 3)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_1"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_1"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_1"].Permissions, resources.Permission{Level: "CAN_MANAGE_RUN", ServicePrincipalName: "TestServicePrincipal"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Jobs["job_2"].Permissions, 3)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_2"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_2"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_2"].Permissions, resources.Permission{Level: "CAN_MANAGE_RUN", ServicePrincipalName: "TestServicePrincipal"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Pipelines["pipeline_1"].Permissions, 3)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Pipelines["pipeline_1"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Pipelines["pipeline_1"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Pipelines["pipeline_1"].Permissions, resources.Permission{Level: "CAN_RUN", ServicePrincipalName: "TestServicePrincipal"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Pipelines["pipeline_2"].Permissions, 3)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Pipelines["pipeline_2"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Pipelines["pipeline_2"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Pipelines["pipeline_2"].Permissions, resources.Permission{Level: "CAN_RUN", ServicePrincipalName: "TestServicePrincipal"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Models["model_1"].Permissions, 2)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Models["model_1"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Models["model_1"].Permissions, resources.Permission{Level: "CAN_READ", GroupName: "TestGroup"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Models["model_2"].Permissions, 2)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Models["model_2"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Models["model_2"].Permissions, resources.Permission{Level: "CAN_READ", GroupName: "TestGroup"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Experiments["experiment_1"].Permissions, 2)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Experiments["experiment_1"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Experiments["experiment_1"].Permissions, resources.Permission{Level: "CAN_READ", GroupName: "TestGroup"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Experiments["experiment_2"].Permissions, 2)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Experiments["experiment_2"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Experiments["experiment_2"].Permissions, resources.Permission{Level: "CAN_READ", GroupName: "TestGroup"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.ModelServingEndpoints["endpoint_1"].Permissions, 3)
|
|
|
|
|
require.Contains(t, b.Config.Resources.ModelServingEndpoints["endpoint_1"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.ModelServingEndpoints["endpoint_1"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.ModelServingEndpoints["endpoint_1"].Permissions, resources.Permission{Level: "CAN_QUERY", ServicePrincipalName: "TestServicePrincipal"})
|
|
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.ModelServingEndpoints["endpoint_2"].Permissions, 3)
|
|
|
|
|
require.Contains(t, b.Config.Resources.ModelServingEndpoints["endpoint_2"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.ModelServingEndpoints["endpoint_2"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.ModelServingEndpoints["endpoint_2"].Permissions, resources.Permission{Level: "CAN_QUERY", ServicePrincipalName: "TestServicePrincipal"})
|
2024-12-09 15:26:41 +00:00
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Dashboards["dashboard_1"].Permissions, 2)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Dashboards["dashboard_1"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Dashboards["dashboard_1"].Permissions, resources.Permission{Level: "CAN_READ", GroupName: "TestGroup"})
|
2025-01-13 16:43:48 +00:00
|
|
|
|
|
|
|
|
require.Len(t, b.Config.Resources.Apps["app_1"].Permissions, 2)
|
|
|
|
|
require.Contains(t, b.Config.Resources.Apps["app_1"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Apps["app_1"].Permissions, resources.Permission{Level: "CAN_USE", GroupName: "TestGroup"})
|
2023-11-13 11:29:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestWarningOnOverlapPermission(t *testing.T) {
|
|
|
|
|
b := &bundle.Bundle{
|
|
|
|
|
Config: config.Root{
|
|
|
|
|
Workspace: config.Workspace{
|
|
|
|
|
RootPath: "/Users/foo@bar.com",
|
|
|
|
|
},
|
|
|
|
|
Permissions: []resources.Permission{
|
|
|
|
|
{Level: CAN_MANAGE, UserName: "TestUser"},
|
|
|
|
|
{Level: CAN_VIEW, GroupName: "TestGroup"},
|
|
|
|
|
},
|
|
|
|
|
Resources: config.Resources{
|
|
|
|
|
Jobs: map[string]*resources.Job{
|
|
|
|
|
"job_1": {
|
2024-05-17 10:10:17 +00:00
|
|
|
JobSettings: &jobs.JobSettings{
|
|
|
|
|
Name: "job_1",
|
|
|
|
|
},
|
2023-11-13 11:29:40 +00:00
|
|
|
Permissions: []resources.Permission{
|
|
|
|
|
{Level: CAN_VIEW, UserName: "TestUser"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"job_2": {
|
2024-05-17 10:10:17 +00:00
|
|
|
JobSettings: &jobs.JobSettings{
|
|
|
|
|
Name: "job_2",
|
|
|
|
|
},
|
2023-11-13 11:29:40 +00:00
|
|
|
Permissions: []resources.Permission{
|
|
|
|
|
{Level: CAN_VIEW, UserName: "TestUser2"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-25 14:18:47 +00:00
|
|
|
diags := bundle.Apply(context.Background(), b, ApplyBundlePermissions())
|
|
|
|
|
require.NoError(t, diags.Error())
|
2023-11-13 11:29:40 +00:00
|
|
|
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_1"].Permissions, resources.Permission{Level: "CAN_VIEW", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_1"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_2"].Permissions, resources.Permission{Level: "CAN_VIEW", UserName: "TestUser2"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_2"].Permissions, resources.Permission{Level: "CAN_MANAGE", UserName: "TestUser"})
|
|
|
|
|
require.Contains(t, b.Config.Resources.Jobs["job_2"].Permissions, resources.Permission{Level: "CAN_VIEW", GroupName: "TestGroup"})
|
2024-12-09 15:26:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestAllResourcesExplicitlyDefinedForPermissionsSupport(t *testing.T) {
|
|
|
|
|
r := config.Resources{}
|
2023-11-13 11:29:40 +00:00
|
|
|
|
2024-12-09 15:26:41 +00:00
|
|
|
for _, resource := range unsupportedResources {
|
|
|
|
|
_, ok := levelsMap[resource]
|
2025-01-02 11:03:41 +00:00
|
|
|
assert.False(t, ok, "Resource %s is defined in both levelsMap and unsupportedResources", resource)
|
2024-12-09 15:26:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, resource := range r.AllResources() {
|
|
|
|
|
_, ok := levelsMap[resource.Description.PluralName]
|
|
|
|
|
if !slices.Contains(unsupportedResources, resource.Description.PluralName) && !ok {
|
|
|
|
|
assert.Fail(t, fmt.Sprintf("Resource %s is not explicitly defined in levelsMap or unsupportedResources", resource.Description.PluralName))
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-11-13 11:29:40 +00:00
|
|
|
}
|
