databricks-cli/bundle/permissions/utils.go

package permissions

import (
	"context"

	"github.com/databricks/cli/bundle/config/resources"
	"github.com/databricks/cli/libs/diag"
)

func convert(
	ctx context.Context,
	bundlePermissions []resources.Permission,
	resourcePermissions []resources.Permission,
	resourceName string,
	lm map[string]string,
) []resources.Permission {
	permissions := make([]resources.Permission, 0)
	for _, p := range bundlePermissions {
		level, ok := lm[p.Level]
		// If there is no bundle permission level defined in the map, it means
		// it's not applicable for the resource, therefore skipping
		if !ok {
			continue
		}

		if notifyForPermissionOverlap(ctx, p, resourcePermissions, resourceName) {
			continue
		}

		permissions = append(permissions, resources.Permission{
			Level:                level,
			UserName:             p.UserName,
			GroupName:            p.GroupName,
			ServicePrincipalName: p.ServicePrincipalName,
		})
	}

	return permissions
}

func isPermissionOverlap(
	permission resources.Permission,
	resourcePermissions []resources.Permission,
	resourceName string,
) (bool, diag.Diagnostics) {
	var diagnostics diag.Diagnostics
	for _, rp := range resourcePermissions {
		if rp.GroupName != "" && rp.GroupName == permission.GroupName {
			diagnostics = diagnostics.Extend(
				diag.Warningf("'%s' already has permissions set for '%s' group", resourceName, rp.GroupName),
			)
		}

		if rp.UserName != "" && rp.UserName == permission.UserName {
			diagnostics = diagnostics.Extend(
				diag.Warningf("'%s' already has permissions set for '%s' user name", resourceName, rp.UserName),
			)
		}

		if rp.ServicePrincipalName != "" && rp.ServicePrincipalName == permission.ServicePrincipalName {
			diagnostics = diagnostics.Extend(
				diag.Warningf("'%s' already has permissions set for '%s' service principal name", resourceName, rp.ServicePrincipalName),
			)
		}
	}

	return len(diagnostics) > 0, diagnostics
}

func notifyForPermissionOverlap(
	ctx context.Context,
	permission resources.Permission,
	resourcePermissions []resources.Permission,
	resourceName string,
) bool {
	isOverlap, _ := isPermissionOverlap(permission, resourcePermissions, resourceName)
	// TODO: When we start to collect all diagnostics at the top level and visualize jointly,
	// use diagnostics returned from isPermissionOverlap to display warnings

	return isOverlap
}
Added support for top-level permissions (#928) ## Changes Now it's possible to define top level `permissions` section in bundle configuration and permissions defined there will be applied to all resources defined in the bundle. Supported top-level permission levels: CAN_MANAGE, CAN_VIEW, CAN_RUN. Permissions are applied to: Jobs, DLT Pipelines, ML Models, ML Experiments and Model Service Endpoints ``` bundle: name: permissions workspace: host: *** permissions: - level: CAN_VIEW group_name: test-group - level: CAN_MANAGE user_name: user@company.com - level: CAN_RUN service_principal_name: 123456-abcdef ``` ## Tests Added corresponding unit tests + ran `bundle validate` and `bundle deploy` manually 2023-11-13 11:29:40 +00:00			`package permissions`

			`import (`
			`"context"`

			`"github.com/databricks/cli/bundle/config/resources"`
			`"github.com/databricks/cli/libs/diag"`
			`)`

			`func convert(`
			`ctx context.Context,`
			`bundlePermissions []resources.Permission,`
			`resourcePermissions []resources.Permission,`
			`resourceName string,`
			`lm map[string]string,`
			`) []resources.Permission {`
			`permissions := make([]resources.Permission, 0)`
			`for _, p := range bundlePermissions {`
			`level, ok := lm[p.Level]`
			`// If there is no bundle permission level defined in the map, it means`
			`// it's not applicable for the resource, therefore skipping`
			`if !ok {`
			`continue`
			`}`

			`if notifyForPermissionOverlap(ctx, p, resourcePermissions, resourceName) {`
			`continue`
			`}`

			`permissions = append(permissions, resources.Permission{`
			`Level: level,`
			`UserName: p.UserName,`
			`GroupName: p.GroupName,`
			`ServicePrincipalName: p.ServicePrincipalName,`
			`})`
			`}`

			`return permissions`
			`}`

			`func isPermissionOverlap(`
			`permission resources.Permission,`
			`resourcePermissions []resources.Permission,`
			`resourceName string,`
			`) (bool, diag.Diagnostics) {`
			`var diagnostics diag.Diagnostics`
			`for _, rp := range resourcePermissions {`
			`if rp.GroupName != "" && rp.GroupName == permission.GroupName {`
			`diagnostics = diagnostics.Extend(`
			`diag.Warningf("'%s' already has permissions set for '%s' group", resourceName, rp.GroupName),`
			`)`
			`}`

			`if rp.UserName != "" && rp.UserName == permission.UserName {`
			`diagnostics = diagnostics.Extend(`
			`diag.Warningf("'%s' already has permissions set for '%s' user name", resourceName, rp.UserName),`
			`)`
			`}`

			`if rp.ServicePrincipalName != "" && rp.ServicePrincipalName == permission.ServicePrincipalName {`
			`diagnostics = diagnostics.Extend(`
			`diag.Warningf("'%s' already has permissions set for '%s' service principal name", resourceName, rp.ServicePrincipalName),`
			`)`
			`}`
			`}`

			`return len(diagnostics) > 0, diagnostics`
			`}`

			`func notifyForPermissionOverlap(`
			`ctx context.Context,`
			`permission resources.Permission,`
			`resourcePermissions []resources.Permission,`
			`resourceName string,`
			`) bool {`
			`isOverlap, _ := isPermissionOverlap(permission, resourcePermissions, resourceName)`
			`// TODO: When we start to collect all diagnostics at the top level and visualize jointly,`
			`// use diagnostics returned from isPermissionOverlap to display warnings`

			`return isOverlap`
			`}`