mirror of https://github.com/databricks/cli.git
Compare commits
4 Commits
ad2fc1320f
...
07ecd168bd
Author | SHA1 | Date |
---|---|---|
Andrew Nester | 07ecd168bd | |
shreyas-goenka | cc112961ce | |
Andrew Nester | 20f33d6397 | |
Andrew Nester | 8f145e0294 |
|
@ -3,6 +3,7 @@ package permissions
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/databricks/cli/bundle"
|
"github.com/databricks/cli/bundle"
|
||||||
"github.com/databricks/cli/libs/diag"
|
"github.com/databricks/cli/libs/diag"
|
||||||
|
@ -52,16 +53,60 @@ func giveAccessForWorkspaceRoot(ctx context.Context, b *bundle.Bundle) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
w := b.WorkspaceClient().Workspace
|
w := b.WorkspaceClient().Workspace
|
||||||
obj, err := w.GetStatusByPath(ctx, b.Config.Workspace.RootPath)
|
err := setPermissions(ctx, w, b.Config.Workspace.RootPath, permissions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err = w.UpdatePermissions(ctx, workspace.WorkspaceObjectPermissionsRequest{
|
// Adding backslash to the root path
|
||||||
|
rootPath := b.Config.Workspace.RootPath
|
||||||
|
if rootPath[len(rootPath)-1] != '/' {
|
||||||
|
rootPath += "/"
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.HasPrefix(b.Config.Workspace.ArtifactPath, rootPath) {
|
||||||
|
err = setPermissions(ctx, w, b.Config.Workspace.ArtifactPath, permissions)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.HasPrefix(b.Config.Workspace.FilePath, rootPath) {
|
||||||
|
err = setPermissions(ctx, w, b.Config.Workspace.FilePath, permissions)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.HasPrefix(b.Config.Workspace.StatePath, rootPath) {
|
||||||
|
err = setPermissions(ctx, w, b.Config.Workspace.StatePath, permissions)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.HasPrefix(b.Config.Workspace.ResourcePath, rootPath) {
|
||||||
|
err = setPermissions(ctx, w, b.Config.Workspace.ResourcePath, permissions)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func setPermissions(ctx context.Context, w workspace.WorkspaceInterface, path string, permissions []workspace.WorkspaceObjectAccessControlRequest) error {
|
||||||
|
obj, err := w.GetStatusByPath(ctx, path)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.SetPermissions(ctx, workspace.WorkspaceObjectPermissionsRequest{
|
||||||
WorkspaceObjectId: fmt.Sprint(obj.ObjectId),
|
WorkspaceObjectId: fmt.Sprint(obj.ObjectId),
|
||||||
WorkspaceObjectType: "directories",
|
WorkspaceObjectType: "directories",
|
||||||
AccessControlList: permissions,
|
AccessControlList: permissions,
|
||||||
})
|
})
|
||||||
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,11 @@ func TestApplyWorkspaceRootPermissions(t *testing.T) {
|
||||||
b := &bundle.Bundle{
|
b := &bundle.Bundle{
|
||||||
Config: config.Root{
|
Config: config.Root{
|
||||||
Workspace: config.Workspace{
|
Workspace: config.Workspace{
|
||||||
RootPath: "/Users/foo@bar.com",
|
RootPath: "/Users/foo@bar.com",
|
||||||
|
ArtifactPath: "/Users/foo@bar.com/artifacts",
|
||||||
|
FilePath: "/Users/foo@bar.com/files",
|
||||||
|
StatePath: "/Users/foo@bar.com/state",
|
||||||
|
ResourcePath: "/Users/foo@bar.com/resources",
|
||||||
},
|
},
|
||||||
Permissions: []resources.Permission{
|
Permissions: []resources.Permission{
|
||||||
{Level: CAN_MANAGE, UserName: "TestUser"},
|
{Level: CAN_MANAGE, UserName: "TestUser"},
|
||||||
|
@ -59,7 +63,7 @@ func TestApplyWorkspaceRootPermissions(t *testing.T) {
|
||||||
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Users/foo@bar.com").Return(&workspace.ObjectInfo{
|
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Users/foo@bar.com").Return(&workspace.ObjectInfo{
|
||||||
ObjectId: 1234,
|
ObjectId: 1234,
|
||||||
}, nil)
|
}, nil)
|
||||||
workspaceApi.EXPECT().UpdatePermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
|
workspaceApi.EXPECT().SetPermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
|
||||||
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
|
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
|
||||||
{UserName: "TestUser", PermissionLevel: "CAN_MANAGE"},
|
{UserName: "TestUser", PermissionLevel: "CAN_MANAGE"},
|
||||||
{GroupName: "TestGroup", PermissionLevel: "CAN_READ"},
|
{GroupName: "TestGroup", PermissionLevel: "CAN_READ"},
|
||||||
|
@ -72,3 +76,116 @@ func TestApplyWorkspaceRootPermissions(t *testing.T) {
|
||||||
diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions())
|
diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions())
|
||||||
require.NoError(t, diags.Error())
|
require.NoError(t, diags.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestApplyWorkspaceRootPermissionsForAllPaths(t *testing.T) {
|
||||||
|
b := &bundle.Bundle{
|
||||||
|
Config: config.Root{
|
||||||
|
Workspace: config.Workspace{
|
||||||
|
RootPath: "/Some/Root/Path",
|
||||||
|
ArtifactPath: "/Users/foo@bar.com/artifacts",
|
||||||
|
FilePath: "/Users/foo@bar.com/files",
|
||||||
|
StatePath: "/Users/foo@bar.com/state",
|
||||||
|
ResourcePath: "/Users/foo@bar.com/resources",
|
||||||
|
},
|
||||||
|
Permissions: []resources.Permission{
|
||||||
|
{Level: CAN_MANAGE, UserName: "TestUser"},
|
||||||
|
{Level: CAN_VIEW, GroupName: "TestGroup"},
|
||||||
|
{Level: CAN_RUN, ServicePrincipalName: "TestServicePrincipal"},
|
||||||
|
},
|
||||||
|
Resources: config.Resources{
|
||||||
|
Jobs: map[string]*resources.Job{
|
||||||
|
"job_1": {JobSettings: &jobs.JobSettings{Name: "job_1"}},
|
||||||
|
"job_2": {JobSettings: &jobs.JobSettings{Name: "job_2"}},
|
||||||
|
},
|
||||||
|
Pipelines: map[string]*resources.Pipeline{
|
||||||
|
"pipeline_1": {PipelineSpec: &pipelines.PipelineSpec{}},
|
||||||
|
"pipeline_2": {PipelineSpec: &pipelines.PipelineSpec{}},
|
||||||
|
},
|
||||||
|
Models: map[string]*resources.MlflowModel{
|
||||||
|
"model_1": {Model: &ml.Model{}},
|
||||||
|
"model_2": {Model: &ml.Model{}},
|
||||||
|
},
|
||||||
|
Experiments: map[string]*resources.MlflowExperiment{
|
||||||
|
"experiment_1": {Experiment: &ml.Experiment{}},
|
||||||
|
"experiment_2": {Experiment: &ml.Experiment{}},
|
||||||
|
},
|
||||||
|
ModelServingEndpoints: map[string]*resources.ModelServingEndpoint{
|
||||||
|
"endpoint_1": {CreateServingEndpoint: &serving.CreateServingEndpoint{}},
|
||||||
|
"endpoint_2": {CreateServingEndpoint: &serving.CreateServingEndpoint{}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
m := mocks.NewMockWorkspaceClient(t)
|
||||||
|
b.SetWorkpaceClient(m.WorkspaceClient)
|
||||||
|
workspaceApi := m.GetMockWorkspaceAPI()
|
||||||
|
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Some/Root/Path").Return(&workspace.ObjectInfo{
|
||||||
|
ObjectId: 1,
|
||||||
|
}, nil)
|
||||||
|
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Users/foo@bar.com/artifacts").Return(&workspace.ObjectInfo{
|
||||||
|
ObjectId: 2,
|
||||||
|
}, nil)
|
||||||
|
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Users/foo@bar.com/files").Return(&workspace.ObjectInfo{
|
||||||
|
ObjectId: 3,
|
||||||
|
}, nil)
|
||||||
|
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Users/foo@bar.com/state").Return(&workspace.ObjectInfo{
|
||||||
|
ObjectId: 4,
|
||||||
|
}, nil)
|
||||||
|
workspaceApi.EXPECT().GetStatusByPath(mock.Anything, "/Users/foo@bar.com/resources").Return(&workspace.ObjectInfo{
|
||||||
|
ObjectId: 5,
|
||||||
|
}, nil)
|
||||||
|
|
||||||
|
workspaceApi.EXPECT().SetPermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
|
||||||
|
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
|
||||||
|
{UserName: "TestUser", PermissionLevel: "CAN_MANAGE"},
|
||||||
|
{GroupName: "TestGroup", PermissionLevel: "CAN_READ"},
|
||||||
|
{ServicePrincipalName: "TestServicePrincipal", PermissionLevel: "CAN_RUN"},
|
||||||
|
},
|
||||||
|
WorkspaceObjectId: "1",
|
||||||
|
WorkspaceObjectType: "directories",
|
||||||
|
}).Return(nil, nil)
|
||||||
|
|
||||||
|
workspaceApi.EXPECT().SetPermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
|
||||||
|
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
|
||||||
|
{UserName: "TestUser", PermissionLevel: "CAN_MANAGE"},
|
||||||
|
{GroupName: "TestGroup", PermissionLevel: "CAN_READ"},
|
||||||
|
{ServicePrincipalName: "TestServicePrincipal", PermissionLevel: "CAN_RUN"},
|
||||||
|
},
|
||||||
|
WorkspaceObjectId: "2",
|
||||||
|
WorkspaceObjectType: "directories",
|
||||||
|
}).Return(nil, nil)
|
||||||
|
|
||||||
|
workspaceApi.EXPECT().SetPermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
|
||||||
|
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
|
||||||
|
{UserName: "TestUser", PermissionLevel: "CAN_MANAGE"},
|
||||||
|
{GroupName: "TestGroup", PermissionLevel: "CAN_READ"},
|
||||||
|
{ServicePrincipalName: "TestServicePrincipal", PermissionLevel: "CAN_RUN"},
|
||||||
|
},
|
||||||
|
WorkspaceObjectId: "3",
|
||||||
|
WorkspaceObjectType: "directories",
|
||||||
|
}).Return(nil, nil)
|
||||||
|
|
||||||
|
workspaceApi.EXPECT().SetPermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
|
||||||
|
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
|
||||||
|
{UserName: "TestUser", PermissionLevel: "CAN_MANAGE"},
|
||||||
|
{GroupName: "TestGroup", PermissionLevel: "CAN_READ"},
|
||||||
|
{ServicePrincipalName: "TestServicePrincipal", PermissionLevel: "CAN_RUN"},
|
||||||
|
},
|
||||||
|
WorkspaceObjectId: "4",
|
||||||
|
WorkspaceObjectType: "directories",
|
||||||
|
}).Return(nil, nil)
|
||||||
|
|
||||||
|
workspaceApi.EXPECT().SetPermissions(mock.Anything, workspace.WorkspaceObjectPermissionsRequest{
|
||||||
|
AccessControlList: []workspace.WorkspaceObjectAccessControlRequest{
|
||||||
|
{UserName: "TestUser", PermissionLevel: "CAN_MANAGE"},
|
||||||
|
{GroupName: "TestGroup", PermissionLevel: "CAN_READ"},
|
||||||
|
{ServicePrincipalName: "TestServicePrincipal", PermissionLevel: "CAN_RUN"},
|
||||||
|
},
|
||||||
|
WorkspaceObjectId: "5",
|
||||||
|
WorkspaceObjectType: "directories",
|
||||||
|
}).Return(nil, nil)
|
||||||
|
|
||||||
|
diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions())
|
||||||
|
require.NoError(t, diags.Error())
|
||||||
|
}
|
||||||
|
|
|
@ -112,8 +112,8 @@ func TestAccFsMkdirWhenFileExistsAtPath(t *testing.T) {
|
||||||
// assert mkdir fails
|
// assert mkdir fails
|
||||||
_, _, err = RequireErrorRun(t, "fs", "mkdir", path.Join(tmpDir, "hello"))
|
_, _, err = RequireErrorRun(t, "fs", "mkdir", path.Join(tmpDir, "hello"))
|
||||||
|
|
||||||
// Different cloud providers return different errors.
|
// Different cloud providers or cloud configurations return different errors.
|
||||||
regex := regexp.MustCompile(`(^|: )Path is a file: .*$|(^|: )Cannot create directory .* because .* is an existing file\.$|(^|: )mkdirs\(hadoopPath: .*, permission: rwxrwxrwx\): failed$`)
|
regex := regexp.MustCompile(`(^|: )Path is a file: .*$|(^|: )Cannot create directory .* because .* is an existing file\.$|(^|: )mkdirs\(hadoopPath: .*, permission: rwxrwxrwx\): failed$|(^|: )"The specified path already exists.".*$`)
|
||||||
assert.Regexp(t, regex, err.Error())
|
assert.Regexp(t, regex, err.Error())
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
|
@ -20,6 +20,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/databricks/cli/cmd/root"
|
"github.com/databricks/cli/cmd/root"
|
||||||
|
"github.com/databricks/cli/internal/acc"
|
||||||
"github.com/databricks/cli/libs/flags"
|
"github.com/databricks/cli/libs/flags"
|
||||||
|
|
||||||
"github.com/databricks/cli/cmd"
|
"github.com/databricks/cli/cmd"
|
||||||
|
@ -591,13 +592,10 @@ func setupWsfsExtensionsFiler(t *testing.T) (filer.Filer, string) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func setupDbfsFiler(t *testing.T) (filer.Filer, string) {
|
func setupDbfsFiler(t *testing.T) (filer.Filer, string) {
|
||||||
t.Log(GetEnvOrSkipTest(t, "CLOUD_ENV"))
|
_, wt := acc.WorkspaceTest(t)
|
||||||
|
|
||||||
w, err := databricks.NewWorkspaceClient()
|
tmpDir := TemporaryDbfsDir(t, wt.W)
|
||||||
require.NoError(t, err)
|
f, err := filer.NewDbfsClient(wt.W, tmpDir)
|
||||||
|
|
||||||
tmpDir := TemporaryDbfsDir(t, w)
|
|
||||||
f, err := filer.NewDbfsClient(w, tmpDir)
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
return f, path.Join("dbfs:/", tmpDir)
|
return f, path.Join("dbfs:/", tmpDir)
|
||||||
|
|
Loading…
Reference in New Issue