mirror of https://github.com/databricks/cli.git
57 lines
1.6 KiB
Go
57 lines
1.6 KiB
Go
package permissions
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/databricks/cli/bundle"
|
|
"github.com/databricks/cli/libs/diag"
|
|
)
|
|
|
|
type validateSharedRootPermissions struct {
|
|
}
|
|
|
|
func ValidateSharedRootPermissions() bundle.Mutator {
|
|
return &validateSharedRootPermissions{}
|
|
}
|
|
|
|
func (*validateSharedRootPermissions) Name() string {
|
|
return "ValidateSharedRootPermissions"
|
|
}
|
|
|
|
func (*validateSharedRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
|
|
if isWorkspaceSharedRoot(b.Config.Workspace.RootPath) {
|
|
return isUsersGroupPermissionSet(b)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func isWorkspaceSharedRoot(path string) bool {
|
|
return strings.HasPrefix(path, "/Workspace/Shared/")
|
|
}
|
|
|
|
// isUsersGroupPermissionSet checks that top-level permissions set for bundle contain group_name: users with CAN_MANAGE permission.
|
|
func isUsersGroupPermissionSet(b *bundle.Bundle) diag.Diagnostics {
|
|
var diags diag.Diagnostics
|
|
|
|
allUsers := false
|
|
for _, p := range b.Config.Permissions {
|
|
if p.GroupName == "users" && p.Level == CAN_MANAGE {
|
|
allUsers = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !allUsers {
|
|
diags = diags.Append(diag.Diagnostic{
|
|
Severity: diag.Warning,
|
|
Summary: fmt.Sprintf("the bundle root path %s is writable by all workspace users", b.Config.Workspace.RootPath),
|
|
Detail: "The bundle is configured to use /Workspace/Shared, which will give read/write access to all users. If this is intentional, add CAN_MANAGE for 'group_name: users' permission to your bundle configuration. If the deployment should be restricted, move it to a restricted folder such as /Workspace/Users/<username or principal name>.",
|
|
})
|
|
}
|
|
|
|
return diags
|
|
}
|