databricks-cli/bundle/permissions/workspace_root.go

package permissions

import (
	"context"
	"fmt"
	"strings"

	"github.com/databricks/cli/bundle"
	"github.com/databricks/cli/libs/diag"
	"github.com/databricks/databricks-sdk-go/service/workspace"
)

type workspaceRootPermissions struct {
}

func ApplyWorkspaceRootPermissions() bundle.Mutator {
	return &workspaceRootPermissions{}
}

// Apply implements bundle.Mutator.
func (*workspaceRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {

	diags := checkWorkspaceRootPermissions(b)
	if len(diags) > 0 {
		return diags
	}

	err := giveAccessForWorkspaceRoot(ctx, b)
	if err != nil {
		return diag.FromErr(err)
	}

	return nil
}

func (*workspaceRootPermissions) Name() string {
	return "ApplyWorkspaceRootPermissions"
}

func giveAccessForWorkspaceRoot(ctx context.Context, b *bundle.Bundle) error {
	permissions := make([]workspace.WorkspaceObjectAccessControlRequest, 0)

	for _, p := range b.Config.Permissions {
		level, err := getWorkspaceObjectPermissionLevel(p.Level)
		if err != nil {
			return err
		}

		permissions = append(permissions, workspace.WorkspaceObjectAccessControlRequest{
			GroupName:            p.GroupName,
			UserName:             p.UserName,
			ServicePrincipalName: p.ServicePrincipalName,
			PermissionLevel:      level,
		})
	}

	if len(permissions) == 0 {
		return nil
	}

	w := b.WorkspaceClient().Workspace
	obj, err := w.GetStatusByPath(ctx, b.Config.Workspace.RootPath)
	if err != nil {
		return err
	}

	_, err = w.UpdatePermissions(ctx, workspace.WorkspaceObjectPermissionsRequest{
		WorkspaceObjectId:   fmt.Sprint(obj.ObjectId),
		WorkspaceObjectType: "directories",
		AccessControlList:   permissions,
	})
	return err
}

func getWorkspaceObjectPermissionLevel(bundlePermission string) (workspace.WorkspaceObjectPermissionLevel, error) {
	switch bundlePermission {
	case CAN_MANAGE:
		return workspace.WorkspaceObjectPermissionLevelCanManage, nil
	case CAN_RUN:
		return workspace.WorkspaceObjectPermissionLevelCanRun, nil
	case CAN_VIEW:
		return workspace.WorkspaceObjectPermissionLevelCanRead, nil
	default:
		return "", fmt.Errorf("unsupported bundle permission level %s", bundlePermission)
	}
}

// checkWorkspaceRootPermissions checks that if permissions are set for the workspace root, and workspace root starts with /Workspace/Shared, then permissions should be set for group: users
func checkWorkspaceRootPermissions(b *bundle.Bundle) diag.Diagnostics {
	var diags diag.Diagnostics

	if !strings.HasPrefix(b.Config.Workspace.RootPath, "/Workspace/Shared/") {
		return nil
	}

	allUsers := false
	for _, p := range b.Config.Permissions {
		if p.GroupName == "users" && p.Level == CAN_MANAGE {
			allUsers = true
		}
	}

	if !allUsers {
		diags = diags.Append(diag.Diagnostic{
			Severity: diag.Warning,
			Summary:  fmt.Sprintf("the bundle root path %s is writable by all workspace users", b.Config.Workspace.RootPath),
			Detail:   "bundle is configured to /Workspace/Shared, which will give read/write access to all users. If all users should have access, add CAN_MANAGE for 'group_name: users' permission to your bundle configuration. If the deployment should be restricted, move it to a restricted folder such as /Users/<username or principal name>",
		})
	}

	return diags
}
Added support for top-level permissions (#928) ## Changes Now it's possible to define top level `permissions` section in bundle configuration and permissions defined there will be applied to all resources defined in the bundle. Supported top-level permission levels: CAN_MANAGE, CAN_VIEW, CAN_RUN. Permissions are applied to: Jobs, DLT Pipelines, ML Models, ML Experiments and Model Service Endpoints ``` bundle: name: permissions workspace: host: *** permissions: - level: CAN_VIEW group_name: test-group - level: CAN_MANAGE user_name: user@company.com - level: CAN_RUN service_principal_name: 123456-abcdef ``` ## Tests Added corresponding unit tests + ran `bundle validate` and `bundle deploy` manually 2023-11-13 11:29:40 +00:00			`package permissions`

			`import (`
			`"context"`
			`"fmt"`
Added a warning when incorrect permissions used for /Workspace/Shared bundle root 2024-10-10 11:52:13 +00:00			`"strings"`
Added support for top-level permissions (#928) ## Changes Now it's possible to define top level `permissions` section in bundle configuration and permissions defined there will be applied to all resources defined in the bundle. Supported top-level permission levels: CAN_MANAGE, CAN_VIEW, CAN_RUN. Permissions are applied to: Jobs, DLT Pipelines, ML Models, ML Experiments and Model Service Endpoints ``` bundle: name: permissions workspace: host: *** permissions: - level: CAN_VIEW group_name: test-group - level: CAN_MANAGE user_name: user@company.com - level: CAN_RUN service_principal_name: 123456-abcdef ``` ## Tests Added corresponding unit tests + ran `bundle validate` and `bundle deploy` manually 2023-11-13 11:29:40 +00:00
			`"github.com/databricks/cli/bundle"`
Return `diag.Diagnostics` from mutators (#1305) ## Changes This diagnostics type allows us to capture multiple warnings as well as errors in the return value. This is a preparation for returning additional warnings from mutators in case we detect non-fatal problems. * All return statements that previously returned an error now return `diag.FromErr` * All return statements that previously returned `fmt.Errorf` now return `diag.Errorf` * All `err != nil` checks now use `diags.HasError()` or `diags.Error()` ## Tests * Existing tests pass. * I confirmed no call site under `./bundle` or `./cmd/bundle` uses `errors.Is` on the return value from mutators. This is relevant because we cannot wrap errors with `%w` when calling `diag.Errorf` (like `fmt.Errorf`; context in https://github.com/golang/go/issues/47641). 2024-03-25 14:18:47 +00:00			`"github.com/databricks/cli/libs/diag"`
Added support for top-level permissions (#928) ## Changes Now it's possible to define top level `permissions` section in bundle configuration and permissions defined there will be applied to all resources defined in the bundle. Supported top-level permission levels: CAN_MANAGE, CAN_VIEW, CAN_RUN. Permissions are applied to: Jobs, DLT Pipelines, ML Models, ML Experiments and Model Service Endpoints ``` bundle: name: permissions workspace: host: *** permissions: - level: CAN_VIEW group_name: test-group - level: CAN_MANAGE user_name: user@company.com - level: CAN_RUN service_principal_name: 123456-abcdef ``` ## Tests Added corresponding unit tests + ran `bundle validate` and `bundle deploy` manually 2023-11-13 11:29:40 +00:00			`"github.com/databricks/databricks-sdk-go/service/workspace"`
			`)`

			`type workspaceRootPermissions struct {`
			`}`

			`func ApplyWorkspaceRootPermissions() bundle.Mutator {`
			`return &workspaceRootPermissions{}`
			`}`

			`// Apply implements bundle.Mutator.`
Return `diag.Diagnostics` from mutators (#1305) ## Changes This diagnostics type allows us to capture multiple warnings as well as errors in the return value. This is a preparation for returning additional warnings from mutators in case we detect non-fatal problems. * All return statements that previously returned an error now return `diag.FromErr` * All return statements that previously returned `fmt.Errorf` now return `diag.Errorf` * All `err != nil` checks now use `diags.HasError()` or `diags.Error()` ## Tests * Existing tests pass. * I confirmed no call site under `./bundle` or `./cmd/bundle` uses `errors.Is` on the return value from mutators. This is relevant because we cannot wrap errors with `%w` when calling `diag.Errorf` (like `fmt.Errorf`; context in https://github.com/golang/go/issues/47641). 2024-03-25 14:18:47 +00:00			`func (workspaceRootPermissions) Apply(ctx context.Context, b bundle.Bundle) diag.Diagnostics {`
Added a warning when incorrect permissions used for /Workspace/Shared bundle root 2024-10-10 11:52:13 +00:00
			`diags := checkWorkspaceRootPermissions(b)`
			`if len(diags) > 0 {`
			`return diags`
			`}`

Added support for top-level permissions (#928) ## Changes Now it's possible to define top level `permissions` section in bundle configuration and permissions defined there will be applied to all resources defined in the bundle. Supported top-level permission levels: CAN_MANAGE, CAN_VIEW, CAN_RUN. Permissions are applied to: Jobs, DLT Pipelines, ML Models, ML Experiments and Model Service Endpoints ``` bundle: name: permissions workspace: host: *** permissions: - level: CAN_VIEW group_name: test-group - level: CAN_MANAGE user_name: user@company.com - level: CAN_RUN service_principal_name: 123456-abcdef ``` ## Tests Added corresponding unit tests + ran `bundle validate` and `bundle deploy` manually 2023-11-13 11:29:40 +00:00			`err := giveAccessForWorkspaceRoot(ctx, b)`
			`if err != nil {`
Return `diag.Diagnostics` from mutators (#1305) ## Changes This diagnostics type allows us to capture multiple warnings as well as errors in the return value. This is a preparation for returning additional warnings from mutators in case we detect non-fatal problems. * All return statements that previously returned an error now return `diag.FromErr` * All return statements that previously returned `fmt.Errorf` now return `diag.Errorf` * All `err != nil` checks now use `diags.HasError()` or `diags.Error()` ## Tests * Existing tests pass. * I confirmed no call site under `./bundle` or `./cmd/bundle` uses `errors.Is` on the return value from mutators. This is relevant because we cannot wrap errors with `%w` when calling `diag.Errorf` (like `fmt.Errorf`; context in https://github.com/golang/go/issues/47641). 2024-03-25 14:18:47 +00:00			`return diag.FromErr(err)`
Added support for top-level permissions (#928) ## Changes Now it's possible to define top level `permissions` section in bundle configuration and permissions defined there will be applied to all resources defined in the bundle. Supported top-level permission levels: CAN_MANAGE, CAN_VIEW, CAN_RUN. Permissions are applied to: Jobs, DLT Pipelines, ML Models, ML Experiments and Model Service Endpoints ``` bundle: name: permissions workspace: host: *** permissions: - level: CAN_VIEW group_name: test-group - level: CAN_MANAGE user_name: user@company.com - level: CAN_RUN service_principal_name: 123456-abcdef ``` ## Tests Added corresponding unit tests + ran `bundle validate` and `bundle deploy` manually 2023-11-13 11:29:40 +00:00			`}`

			`return nil`
			`}`

			`func (*workspaceRootPermissions) Name() string {`
			`return "ApplyWorkspaceRootPermissions"`
			`}`

			`func giveAccessForWorkspaceRoot(ctx context.Context, b *bundle.Bundle) error {`
			`permissions := make([]workspace.WorkspaceObjectAccessControlRequest, 0)`

			`for _, p := range b.Config.Permissions {`
			`level, err := getWorkspaceObjectPermissionLevel(p.Level)`
			`if err != nil {`
			`return err`
			`}`

			`permissions = append(permissions, workspace.WorkspaceObjectAccessControlRequest{`
			`GroupName: p.GroupName,`
			`UserName: p.UserName,`
			`ServicePrincipalName: p.ServicePrincipalName,`
			`PermissionLevel: level,`
			`})`
			`}`

			`if len(permissions) == 0 {`
			`return nil`
			`}`

			`w := b.WorkspaceClient().Workspace`
			`obj, err := w.GetStatusByPath(ctx, b.Config.Workspace.RootPath)`
			`if err != nil {`
			`return err`
			`}`

			`_, err = w.UpdatePermissions(ctx, workspace.WorkspaceObjectPermissionsRequest{`
			`WorkspaceObjectId: fmt.Sprint(obj.ObjectId),`
			`WorkspaceObjectType: "directories",`
			`AccessControlList: permissions,`
			`})`
			`return err`
			`}`

			`func getWorkspaceObjectPermissionLevel(bundlePermission string) (workspace.WorkspaceObjectPermissionLevel, error) {`
			`switch bundlePermission {`
			`case CAN_MANAGE:`
			`return workspace.WorkspaceObjectPermissionLevelCanManage, nil`
			`case CAN_RUN:`
			`return workspace.WorkspaceObjectPermissionLevelCanRun, nil`
			`case CAN_VIEW:`
			`return workspace.WorkspaceObjectPermissionLevelCanRead, nil`
			`default:`
			`return "", fmt.Errorf("unsupported bundle permission level %s", bundlePermission)`
			`}`
			`}`
Added a warning when incorrect permissions used for /Workspace/Shared bundle root 2024-10-10 11:52:13 +00:00
			`// checkWorkspaceRootPermissions checks that if permissions are set for the workspace root, and workspace root starts with /Workspace/Shared, then permissions should be set for group: users`
			`func checkWorkspaceRootPermissions(b *bundle.Bundle) diag.Diagnostics {`
			`var diags diag.Diagnostics`

Update bundle/permissions/workspace_root.go Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com> 2024-10-10 13:18:40 +00:00			`if !strings.HasPrefix(b.Config.Workspace.RootPath, "/Workspace/Shared/") {`
Added a warning when incorrect permissions used for /Workspace/Shared bundle root 2024-10-10 11:52:13 +00:00			`return nil`
			`}`

			`allUsers := false`
			`for _, p := range b.Config.Permissions {`
			`if p.GroupName == "users" && p.Level == CAN_MANAGE {`
			`allUsers = true`
			`}`
			`}`

			`if !allUsers {`
			`diags = diags.Append(diag.Diagnostic{`
			`Severity: diag.Warning,`
fixes 2024-10-10 13:21:50 +00:00			`Summary: fmt.Sprintf("the bundle root path %s is writable by all workspace users", b.Config.Workspace.RootPath),`
Added a warning when incorrect permissions used for /Workspace/Shared bundle root 2024-10-10 11:52:13 +00:00			`Detail: "bundle is configured to /Workspace/Shared, which will give read/write access to all users. If all users should have access, add CAN_MANAGE for 'group_name: users' permission to your bundle configuration. If the deployment should be restricted, move it to a restricted folder such as /Users/<username or principal name>",`
			`})`
			`}`

			`return diags`
			`}`