package permissions
import (
"context"
"github.com/databricks/cli/bundle/config/resources"
"github.com/databricks/cli/libs/diag"
)
// convertPermissions builds the list of bundle-level permissions that should
// be added to a single resource.
//
// Each entry of bundlePermissions is translated through lm, which maps a
// bundle permission level to the level name used by the resource. Entries are
// dropped in two cases:
//
//   - the bundle level has no entry in lm, meaning the level is not applicable
//     to this resource;
//   - notifyForPermissionOverlap reports that the resource already carries a
//     permission for the same principal.
//
// The second case is decided on principal identity only (see
// isPermissionOverlap): the levels are not compared, so the resource-level
// entry stays in effect whatever level the bundle asked for.
//
// The returned slice is always non-nil, and it contains only the converted
// bundle permissions, not resourcePermissions themselves.
func convertPermissions(
	ctx context.Context,
	bundlePermissions []resources.Permission,
	resourcePermissions []resources.Permission,
	resourceName string,
	lm map[string]string,
) []resources.Permission {
	converted := make([]resources.Permission, 0)

	for _, bp := range bundlePermissions {
		// A level missing from the map is not applicable to this resource;
		// the map lookup runs first so the overlap check is only reached for
		// applicable levels.
		resourceLevel, applicable := lm[bp.Level]
		if !applicable || notifyForPermissionOverlap(ctx, bp, resourcePermissions, resourceName) {
			continue
		}

		entry := resources.Permission{
			Level:                resourceLevel,
			UserName:             bp.UserName,
			GroupName:            bp.GroupName,
			ServicePrincipalName: bp.ServicePrincipalName,
		}
		converted = append(converted, entry)
	}

	return converted
}
// isPermissionOverlap reports whether permission names a principal that
// already appears in resourcePermissions.
//
// A match is an exact, non-empty string equality on GroupName, UserName or
// ServicePrincipalName. The permission level is not part of the comparison,
// so two entries for the same principal overlap even when their levels
// differ. One warning diagnostic is produced per matching field of each
// resource permission; resourceName is only used in the warning text.
//
// The boolean is true when at least one warning was collected, and the
// collected diagnostics are returned alongside it.
func isPermissionOverlap(
	permission resources.Permission,
	resourcePermissions []resources.Permission,
	resourceName string,
) (bool, diag.Diagnostics) {
	var found diag.Diagnostics

	for _, existing := range resourcePermissions {
		// Empty names are never treated as a match: an unset field on both
		// sides must not count as the same principal.
		group := existing.GroupName
		if group != "" && permission.GroupName == group {
			warning := diag.Warningf("'%s' already has permissions set for '%s' group", resourceName, group)
			found = found.Extend(warning)
		}

		user := existing.UserName
		if user != "" && permission.UserName == user {
			warning := diag.Warningf("'%s' already has permissions set for '%s' user name", resourceName, user)
			found = found.Extend(warning)
		}

		servicePrincipal := existing.ServicePrincipalName
		if servicePrincipal != "" && permission.ServicePrincipalName == servicePrincipal {
			warning := diag.Warningf("'%s' already has permissions set for '%s' service principal name", resourceName, servicePrincipal)
			found = found.Extend(warning)
		}
	}

	return len(found) > 0, found
}
// notifyForPermissionOverlap reports whether permission overlaps with an
// entry in resourcePermissions, as decided by isPermissionOverlap.
//
// Despite the name, nothing is emitted yet: the warning diagnostics returned
// by isPermissionOverlap are discarded and ctx is unused. Callers that skip a
// permission on a true result therefore do so without any message reaching
// the user.
func notifyForPermissionOverlap(
	ctx context.Context,
	permission resources.Permission,
	resourcePermissions []resources.Permission,
	resourceName string,
) bool {
	// TODO: When we start to collect all diagnostics at the top level and visualize jointly,
	// use diagnostics returned from isPermissionOverlap to display warnings
	overlaps, _ := isPermissionOverlap(permission, resourcePermissions, resourceName)

	return overlaps
}