databricks-cli/bundle/permissions/mutator.go

134 lines
2.9 KiB
Go

package permissions
import (
"context"
"fmt"
"slices"
"strings"
"github.com/databricks/cli/bundle"
"github.com/databricks/cli/bundle/config/resources"
"github.com/databricks/cli/libs/diag"
"github.com/databricks/cli/libs/dyn"
"github.com/databricks/cli/libs/dyn/convert"
)
const CAN_MANAGE = "CAN_MANAGE"
const CAN_VIEW = "CAN_VIEW"
const CAN_RUN = "CAN_RUN"
var unsupportedResources = []string{"clusters", "volumes", "schemas", "quality_monitors", "registered_models"}
var allowedLevels = []string{CAN_MANAGE, CAN_VIEW, CAN_RUN}
var levelsMap = map[string](map[string]string){
"jobs": {
CAN_MANAGE: "CAN_MANAGE",
CAN_VIEW: "CAN_VIEW",
CAN_RUN: "CAN_MANAGE_RUN",
},
"pipelines": {
CAN_MANAGE: "CAN_MANAGE",
CAN_VIEW: "CAN_VIEW",
CAN_RUN: "CAN_RUN",
},
"experiments": {
CAN_MANAGE: "CAN_MANAGE",
CAN_VIEW: "CAN_READ",
},
"models": {
CAN_MANAGE: "CAN_MANAGE",
CAN_VIEW: "CAN_READ",
},
"model_serving_endpoints": {
CAN_MANAGE: "CAN_MANAGE",
CAN_VIEW: "CAN_VIEW",
CAN_RUN: "CAN_QUERY",
},
"dashboards": {
CAN_MANAGE: "CAN_MANAGE",
CAN_VIEW: "CAN_READ",
},
}
type bundlePermissions struct{}
func ApplyBundlePermissions() bundle.Mutator {
return &bundlePermissions{}
}
func (m *bundlePermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
err := validate(b)
if err != nil {
return diag.FromErr(err)
}
patterns := make(map[string]dyn.Pattern, 0)
for key := range levelsMap {
patterns[key] = dyn.NewPattern(
dyn.Key("resources"),
dyn.Key(key),
dyn.AnyKey(),
)
}
err = b.Config.Mutate(func(v dyn.Value) (dyn.Value, error) {
for key, pattern := range patterns {
v, err = dyn.MapByPattern(v, pattern, func(p dyn.Path, v dyn.Value) (dyn.Value, error) {
var permissions []resources.Permission
pv, err := dyn.Get(v, "permissions")
// If the permissions field is not found, we set to an empty array
if err != nil {
pv = dyn.V([]dyn.Value{})
}
err = convert.ToTyped(&permissions, pv)
if err != nil {
return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err)
}
permissions = append(permissions, convertPermissions(
ctx,
b.Config.Permissions,
permissions,
key,
levelsMap[key],
)...)
pv, err = convert.FromTyped(permissions, dyn.NilValue)
if err != nil {
return dyn.InvalidValue, fmt.Errorf("failed to convert permissions: %w", err)
}
return dyn.Set(v, "permissions", pv)
})
if err != nil {
return dyn.InvalidValue, err
}
}
return v, nil
})
if err != nil {
return diag.FromErr(err)
}
return nil
}
func validate(b *bundle.Bundle) error {
for _, p := range b.Config.Permissions {
if !slices.Contains(allowedLevels, p.Level) {
return fmt.Errorf("invalid permission level: %s, allowed values: [%s]", p.Level, strings.Join(allowedLevels, ", "))
}
}
return nil
}
func (m *bundlePermissions) Name() string {
return "ApplyBundlePermissions"
}