steve/databricks-cli
steve
/
databricks-cli
mirror of https://github.com/databricks/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added a warning when incorrect permissions used for /Workspace/Shared bundle root

This commit is contained in:
Andrew Nester 2024-10-10 13:52:13 +02:00
parent c92c67afc9
commit df7f9b4395
No known key found for this signature in database
GPG Key ID: 12BC628A44B7DA57
2 changed files with 101 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
bundle/permissions/workspace_root.go
View File

@ -3,6 +3,7 @@ package permissions
import ( import (
"context" "context"
"fmt" "fmt"
"strings"
"github.com/databricks/cli/bundle" "github.com/databricks/cli/bundle"
"github.com/databricks/cli/libs/diag" "github.com/databricks/cli/libs/diag"
@ -18,6 +19,12 @@ func ApplyWorkspaceRootPermissions() bundle.Mutator {
// Apply implements bundle.Mutator. // Apply implements bundle.Mutator.
func (*workspaceRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics { func (*workspaceRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
diags := checkWorkspaceRootPermissions(b)
if len(diags) > 0 {
return diags
}
err := giveAccessForWorkspaceRoot(ctx, b) err := giveAccessForWorkspaceRoot(ctx, b)
if err != nil { if err != nil {
return diag.FromErr(err) return diag.FromErr(err)
@ -77,3 +84,32 @@ func getWorkspaceObjectPermissionLevel(bundlePermission string) (workspace.Works
return "", fmt.Errorf("unsupported bundle permission level %s", bundlePermission) return "", fmt.Errorf("unsupported bundle permission level %s", bundlePermission)
} }
} }
// checkWorkspaceRootPermissions checks that if permissions are set for the workspace root, and workspace root starts with /Workspace/Shared, then permissions should be set for group: users
func checkWorkspaceRootPermissions(b *bundle.Bundle) diag.Diagnostics {
var diags diag.Diagnostics
if len(b.Config.Permissions) == 0 {
return nil
}
if !strings.HasPrefix(b.Config.Workspace.RootPath, "/Workspace/Shared") {
return nil
}
allUsers := false
for _, p := range b.Config.Permissions {
if p.GroupName == "users" && p.Level == CAN_MANAGE {
allUsers = true
}
}
if !allUsers {
diags = diags.Append(diag.Diagnostic{
Severity: diag.Warning,
Summary: "workspace_root_permissions",
Detail: "bundle is configured to /Workspace/Shared, which will give read/write access to all users. If all users should have access, add CAN_MANAGE for 'group_name: users' permission to your bundle configuration. If the deployment should be restricted, move it to a restricted folder such as /Users/<username or principal name>",
})
}
return diags
}

66
bundle/permissions/workspace_root_test.go
View File

@ -7,6 +7,7 @@ import (
"github.com/databricks/cli/bundle" "github.com/databricks/cli/bundle"
"github.com/databricks/cli/bundle/config" "github.com/databricks/cli/bundle/config"
"github.com/databricks/cli/bundle/config/resources" "github.com/databricks/cli/bundle/config/resources"
"github.com/databricks/cli/libs/diag"
"github.com/databricks/databricks-sdk-go/experimental/mocks" "github.com/databricks/databricks-sdk-go/experimental/mocks"
"github.com/databricks/databricks-sdk-go/service/jobs" "github.com/databricks/databricks-sdk-go/service/jobs"
"github.com/databricks/databricks-sdk-go/service/ml" "github.com/databricks/databricks-sdk-go/service/ml"
@ -70,5 +71,68 @@ func TestApplyWorkspaceRootPermissions(t *testing.T) {
}).Return(nil, nil) }).Return(nil, nil)
diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions()) diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions())
require.NoError(t, diags.Error()) require.Empty(t, diags)
}
func TestApplyWorkspaceRootPermissionsForShared(t *testing.T) {
b := &bundle.Bundle{
Config: config.Root{
Workspace: config.Workspace{
RootPath: "/Workspace/Shared/foo/bar",
},
Permissions: []resources.Permission{
{Level: CAN_MANAGE, GroupName: "users"},
},
Resources: config.Resources{
Jobs: map[string]*resources.Job{
"job_1": {JobSettings: &jobs.JobSettings{Name: "job_1"}},
"job_2": {JobSettings: &jobs.JobSettings{Name: "job_2"}},
},
},
},
}
m := mocks.NewMockWorkspaceClient(t)
b.SetWorkpaceClient(m.WorkspaceClient)
workspaceApi := m.GetMockWorkspaceAPI()
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Shared/foo/bar").Return(&workspace.ObjectInfo{
ObjectId: 1234,
}, nil)
workspaceApi.EXPECT().UpdatePermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
{GroupName: "users", PermissionLevel: "CAN_MANAGE"},
},
WorkspaceObjectId: "1234",
WorkspaceObjectType: "directories",
}).Return(nil, nil)
diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions())
require.Empty(t, diags)
}
func TestApplyWorkspaceRootPermissionsForSharedError(t *testing.T) {
b := &bundle.Bundle{
Config: config.Root{
Workspace: config.Workspace{
RootPath: "/Workspace/Shared/foo/bar",
},
Permissions: []resources.Permission{
{Level: CAN_MANAGE, UserName: "foo@bar.com"},
},
Resources: config.Resources{
Jobs: map[string]*resources.Job{
"job_1": {JobSettings: &jobs.JobSettings{Name: "job_1"}},
"job_2": {JobSettings: &jobs.JobSettings{Name: "job_2"}},
},
},
},
}
m := mocks.NewMockWorkspaceClient(t)
b.SetWorkpaceClient(m.WorkspaceClient)
diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions())
require.Len(t, diags, 1)
require.Equal(t, "workspace_root_permissions", diags[0].Summary)
require.Equal(t, diag.Warning, diags[0].Severity)
} }