2023-11-13 11:29:40 +00:00
|
|
|
package permissions
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/databricks/cli/bundle"
|
2024-10-30 17:34:11 +00:00
|
|
|
"github.com/databricks/cli/bundle/libraries"
|
2024-10-29 12:06:38 +00:00
|
|
|
"github.com/databricks/cli/bundle/paths"
|
2024-03-25 14:18:47 +00:00
|
|
|
"github.com/databricks/cli/libs/diag"
|
2023-11-13 11:29:40 +00:00
|
|
|
"github.com/databricks/databricks-sdk-go/service/workspace"
|
2024-10-29 12:06:38 +00:00
|
|
|
"golang.org/x/sync/errgroup"
|
2023-11-13 11:29:40 +00:00
|
|
|
)
|
|
|
|
|
2024-12-12 09:28:42 +00:00
|
|
|
type workspaceRootPermissions struct{}
|
2023-11-13 11:29:40 +00:00
|
|
|
|
|
|
|
func ApplyWorkspaceRootPermissions() bundle.Mutator {
|
|
|
|
return &workspaceRootPermissions{}
|
|
|
|
}
|
|
|
|
|
2024-10-18 15:37:16 +00:00
|
|
|
func (*workspaceRootPermissions) Name() string {
|
|
|
|
return "ApplyWorkspaceRootPermissions"
|
|
|
|
}
|
|
|
|
|
2023-11-13 11:29:40 +00:00
|
|
|
// Apply implements bundle.Mutator.
|
2024-03-25 14:18:47 +00:00
|
|
|
func (*workspaceRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
|
2023-11-13 11:29:40 +00:00
|
|
|
err := giveAccessForWorkspaceRoot(ctx, b)
|
|
|
|
if err != nil {
|
2024-03-25 14:18:47 +00:00
|
|
|
return diag.FromErr(err)
|
2023-11-13 11:29:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func giveAccessForWorkspaceRoot(ctx context.Context, b *bundle.Bundle) error {
|
|
|
|
permissions := make([]workspace.WorkspaceObjectAccessControlRequest, 0)
|
|
|
|
|
|
|
|
for _, p := range b.Config.Permissions {
|
2024-10-24 12:36:17 +00:00
|
|
|
level, err := GetWorkspaceObjectPermissionLevel(p.Level)
|
2023-11-13 11:29:40 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
permissions = append(permissions, workspace.WorkspaceObjectAccessControlRequest{
|
|
|
|
GroupName: p.GroupName,
|
|
|
|
UserName: p.UserName,
|
|
|
|
ServicePrincipalName: p.ServicePrincipalName,
|
|
|
|
PermissionLevel: level,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(permissions) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
w := b.WorkspaceClient().Workspace
|
2024-10-29 12:06:38 +00:00
|
|
|
bundlePaths := paths.CollectUniqueWorkspacePathPrefixes(b.Config.Workspace)
|
|
|
|
|
|
|
|
g, ctx := errgroup.WithContext(ctx)
|
|
|
|
for _, p := range bundlePaths {
|
|
|
|
g.Go(func() error {
|
|
|
|
return setPermissions(ctx, w, p, permissions)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
return g.Wait()
|
|
|
|
}
|
|
|
|
|
|
|
|
func setPermissions(ctx context.Context, w workspace.WorkspaceInterface, path string, permissions []workspace.WorkspaceObjectAccessControlRequest) error {
|
2024-10-30 17:34:11 +00:00
|
|
|
// If the folder is shared, then we don't need to set permissions since it's always set for all users and it's checked in mutators before.
|
|
|
|
if libraries.IsWorkspaceSharedPath(path) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-10-29 12:06:38 +00:00
|
|
|
obj, err := w.GetStatusByPath(ctx, path)
|
2023-11-13 11:29:40 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2024-10-29 12:06:38 +00:00
|
|
|
_, err = w.SetPermissions(ctx, workspace.WorkspaceObjectPermissionsRequest{
|
2023-11-13 11:29:40 +00:00
|
|
|
WorkspaceObjectId: fmt.Sprint(obj.ObjectId),
|
|
|
|
WorkspaceObjectType: "directories",
|
|
|
|
AccessControlList: permissions,
|
|
|
|
})
|
2024-10-29 12:06:38 +00:00
|
|
|
|
2023-11-13 11:29:40 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2024-10-24 12:36:17 +00:00
|
|
|
func GetWorkspaceObjectPermissionLevel(bundlePermission string) (workspace.WorkspaceObjectPermissionLevel, error) {
|
2023-11-13 11:29:40 +00:00
|
|
|
switch bundlePermission {
|
|
|
|
case CAN_MANAGE:
|
|
|
|
return workspace.WorkspaceObjectPermissionLevelCanManage, nil
|
|
|
|
case CAN_RUN:
|
|
|
|
return workspace.WorkspaceObjectPermissionLevelCanRun, nil
|
|
|
|
case CAN_VIEW:
|
|
|
|
return workspace.WorkspaceObjectPermissionLevelCanRead, nil
|
|
|
|
default:
|
|
|
|
return "", fmt.Errorf("unsupported bundle permission level %s", bundlePermission)
|
|
|
|
}
|
|
|
|
}
|