package permissions import ( "context" "fmt" "slices" "strings" "github.com/databricks/cli/bundle" "github.com/databricks/cli/bundle/config/resources" "github.com/databricks/cli/libs/diag" "github.com/databricks/cli/libs/dyn" "github.com/databricks/cli/libs/dyn/convert" ) const CAN_MANAGE = "CAN_MANAGE" const CAN_VIEW = "CAN_VIEW" const CAN_RUN = "CAN_RUN" var unsupportedResources = []string{"clusters", "volumes", "schemas", "quality_monitors", "registered_models"} var allowedLevels = []string{CAN_MANAGE, CAN_VIEW, CAN_RUN} var levelsMap = map[string](map[string]string){ "jobs": { CAN_MANAGE: "CAN_MANAGE", CAN_VIEW: "CAN_VIEW", CAN_RUN: "CAN_MANAGE_RUN", }, "pipelines": { CAN_MANAGE: "CAN_MANAGE", CAN_VIEW: "CAN_VIEW", CAN_RUN: "CAN_RUN", }, "experiments": { CAN_MANAGE: "CAN_MANAGE", CAN_VIEW: "CAN_READ", }, "models": { CAN_MANAGE: "CAN_MANAGE", CAN_VIEW: "CAN_READ", }, "model_serving_endpoints": { CAN_MANAGE: "CAN_MANAGE", CAN_VIEW: "CAN_VIEW", CAN_RUN: "CAN_QUERY", }, "dashboards": { CAN_MANAGE: "CAN_MANAGE", CAN_VIEW: "CAN_READ", }, } type bundlePermissions struct{} func ApplyBundlePermissions() bundle.Mutator { return &bundlePermissions{} } func (m *bundlePermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics { err := validate(b) if err != nil { return diag.FromErr(err) } patterns := make(map[string]dyn.Pattern, 0) for key := range levelsMap { patterns[key] = dyn.NewPattern( dyn.Key("resources"), dyn.Key(key), dyn.AnyKey(), ) } err = b.Config.Mutate(func(v dyn.Value) (dyn.Value, error) { for key, pattern := range patterns { v, err = dyn.MapByPattern(v, pattern, func(p dyn.Path, v dyn.Value) (dyn.Value, error) { var permissions []resources.Permission pv, err := dyn.Get(v, "permissions") // If the permissions field is not found, we set to an empty array if err != nil { pv = dyn.V([]dyn.Value{}) } err = convert.ToTyped(&permissions, pv) if err != nil { return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err) } permissions = append(permissions, convertPermissions( ctx, b.Config.Permissions, permissions, key, levelsMap[key], )...) pv, err = convert.FromTyped(permissions, dyn.NilValue) if err != nil { return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err) } return dyn.Set(v, "permissions", pv) }) if err != nil { return dyn.InvalidValue, err } } return v, nil }) if err != nil { return diag.FromErr(err) } return nil } func validate(b *bundle.Bundle) error { for _, p := range b.Config.Permissions { if !slices.Contains(allowedLevels, p.Level) { return fmt.Errorf("invalid permission level: %s, allowed values: [%s]", p.Level, strings.Join(allowedLevels, ", ")) } } return nil } func (m *bundlePermissions) Name() string { return "ApplyBundlePermissions" }