2023-11-13 11:29:40 +00:00
|
|
|
package permissions
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"slices"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/databricks/cli/bundle"
|
2024-12-09 15:26:41 +00:00
|
|
|
"github.com/databricks/cli/bundle/config/resources"
|
2024-03-25 14:18:47 +00:00
|
|
|
"github.com/databricks/cli/libs/diag"
|
2024-12-09 15:26:41 +00:00
|
|
|
"github.com/databricks/cli/libs/dyn"
|
|
|
|
|
"github.com/databricks/cli/libs/dyn/convert"
|
2023-11-13 11:29:40 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
CAN_MANAGE = "CAN_MANAGE"
|
|
|
|
|
CAN_VIEW = "CAN_VIEW"
|
|
|
|
|
CAN_RUN = "CAN_RUN"
|
2024-12-12 09:28:42 +00:00
|
|
|
)
|
2023-11-13 11:29:40 +00:00
|
|
|
|
2024-12-09 15:26:41 +00:00
|
|
|
var unsupportedResources = []string{"clusters", "volumes", "schemas", "quality_monitors", "registered_models"}
|
|
|
|
|
|
2023-11-13 11:29:40 +00:00
|
|
|
var (
|
|
|
|
|
allowedLevels = []string{CAN_MANAGE, CAN_VIEW, CAN_RUN}
|
|
|
|
|
levelsMap = map[string](map[string]string){
|
|
|
|
|
"jobs": {
|
|
|
|
|
CAN_MANAGE: "CAN_MANAGE",
|
|
|
|
|
CAN_VIEW: "CAN_VIEW",
|
|
|
|
|
CAN_RUN: "CAN_MANAGE_RUN",
|
|
|
|
|
},
|
|
|
|
|
"pipelines": {
|
|
|
|
|
CAN_MANAGE: "CAN_MANAGE",
|
|
|
|
|
CAN_VIEW: "CAN_VIEW",
|
|
|
|
|
CAN_RUN: "CAN_RUN",
|
|
|
|
|
},
|
2024-12-09 15:26:41 +00:00
|
|
|
"experiments": {
|
2023-11-13 11:29:40 +00:00
|
|
|
CAN_MANAGE: "CAN_MANAGE",
|
|
|
|
|
CAN_VIEW: "CAN_READ",
|
|
|
|
|
},
|
2024-12-09 15:26:41 +00:00
|
|
|
"models": {
|
2023-11-13 11:29:40 +00:00
|
|
|
CAN_MANAGE: "CAN_MANAGE",
|
|
|
|
|
CAN_VIEW: "CAN_READ",
|
|
|
|
|
},
|
|
|
|
|
"model_serving_endpoints": {
|
|
|
|
|
CAN_MANAGE: "CAN_MANAGE",
|
|
|
|
|
CAN_VIEW: "CAN_VIEW",
|
|
|
|
|
CAN_RUN: "CAN_QUERY",
|
|
|
|
|
},
|
2024-10-29 09:11:08 +00:00
|
|
|
"dashboards": {
|
|
|
|
|
CAN_MANAGE: "CAN_MANAGE",
|
|
|
|
|
CAN_VIEW: "CAN_READ",
|
|
|
|
|
},
|
2025-01-13 16:43:48 +00:00
|
|
|
"apps": {
|
|
|
|
|
CAN_MANAGE: "CAN_MANAGE",
|
|
|
|
|
CAN_VIEW: "CAN_USE",
|
|
|
|
|
},
|
2023-11-13 11:29:40 +00:00
|
|
|
}
|
2024-12-12 09:28:42 +00:00
|
|
|
)
|
2023-11-13 11:29:40 +00:00
|
|
|
|
|
|
|
|
type bundlePermissions struct{}
|
|
|
|
|
|
|
|
|
|
func ApplyBundlePermissions() bundle.Mutator {
|
|
|
|
|
return &bundlePermissions{}
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-25 14:18:47 +00:00
|
|
|
func (m *bundlePermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
|
2023-11-13 11:29:40 +00:00
|
|
|
err := validate(b)
|
|
|
|
|
if err != nil {
|
2024-03-25 14:18:47 +00:00
|
|
|
return diag.FromErr(err)
|
2023-11-13 11:29:40 +00:00
|
|
|
}
|
|
|
|
|
|
2024-12-09 15:26:41 +00:00
|
|
|
patterns := make(map[string]dyn.Pattern, 0)
|
|
|
|
|
for key := range levelsMap {
|
|
|
|
|
patterns[key] = dyn.NewPattern(
|
|
|
|
|
dyn.Key("resources"),
|
|
|
|
|
dyn.Key(key),
|
|
|
|
|
dyn.AnyKey(),
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = b.Config.Mutate(func(v dyn.Value) (dyn.Value, error) {
|
|
|
|
|
for key, pattern := range patterns {
|
|
|
|
|
v, err = dyn.MapByPattern(v, pattern, func(p dyn.Path, v dyn.Value) (dyn.Value, error) {
|
|
|
|
|
var permissions []resources.Permission
|
|
|
|
|
pv, err := dyn.Get(v, "permissions")
|
|
|
|
|
// If the permissions field is not found, we set to an empty array
|
|
|
|
|
if err != nil {
|
|
|
|
|
pv = dyn.V([]dyn.Value{})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = convert.ToTyped(&permissions, pv)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
permissions = append(permissions, convertPermissions(
|
|
|
|
|
ctx,
|
|
|
|
|
b.Config.Permissions,
|
|
|
|
|
permissions,
|
|
|
|
|
key,
|
|
|
|
|
levelsMap[key],
|
|
|
|
|
)...)
|
|
|
|
|
|
|
|
|
|
pv, err = convert.FromTyped(permissions, dyn.NilValue)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return dyn.Set(v, "permissions", pv)
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return dyn.InvalidValue, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return v, nil
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return diag.FromErr(err)
|
|
|
|
|
}
|
2023-11-13 11:29:40 +00:00
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func validate(b *bundle.Bundle) error {
|
|
|
|
|
for _, p := range b.Config.Permissions {
|
|
|
|
|
if !slices.Contains(allowedLevels, p.Level) {
|
|
|
|
|
return fmt.Errorf("invalid permission level: %s, allowed values: [%s]", p.Level, strings.Join(allowedLevels, ", "))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *bundlePermissions) Name() string {
|
|
|
|
|
return "ApplyBundlePermissions"
|
|
|
|
|
}
|
