terraform-provider-databricks icon indicating copy to clipboard operation
terraform-provider-databricks copied to clipboard

Published 20 hours ago verified publisher icon databricks

Handle a special use-case of user home directory permissions

Open favoretti opened this issue 1 year ago • 6 comments

Changes

In a special case when one would want to add rights for extra users to either view or edit things in one's home directory - the user's own CAN_MANAGE permission is implicit.

One can specify it explicitly in the resource, however, during deletion that CAN_MANAGE permission can not be removed, resulting in a failed run that can't be fixed without deleting resource from the state (which leaves other permissions hanging).

Hence here's an attempt to ignore or implicitly add it.

This works when permission is supplied with directory_path that matches the user_name, however, this also doesn't work when we specify user_id...

Therefore as WIP for now..

Tests

  • [x] make test run locally
  • [ ] relevant change in docs/ folder
  • [ ] covered with integration tests in internal/acceptance
  • [ ] relevant acceptance tests are passing
  • [ ] using Go SDK

favoretti avatar May 16 '24 23:05 favoretti

Codecov Report

Attention: Patch coverage is 31.25000% with 11 lines in your changes missing coverage. Please review.

Project coverage is 81.56%. Comparing base (2a9379a) to head (531fd13).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #3586      +/-   ##
==========================================
- Coverage   81.60%   81.56%   -0.05%     
==========================================
  Files         196      196              
  Lines       19744    19758      +14     
==========================================
+ Hits        16112    16115       +3     
- Misses       2672     2680       +8     
- Partials      960      963       +3
Files Coverage Δ
permissions/resource_permissions.go 87.41% <31.25%> (-3.40%) :arrow_down:

codecov-commenter avatar May 17 '24 06:05 codecov-commenter

We also need to test how it will behave if we'll try to change permissions for user/SP from manage to lower, like, CAN_READ...

This particular use-case is only intended for a single corner-case permission: user X to /Users/X, so just this particular user's home dir. That case of CAN_MANAGE is implicit, you can't lower it I believe.

favoretti avatar May 17 '24 11:05 favoretti

I'm clarifying with the team who is responsible for workspace-level permissions

alexott avatar Jun 14 '24 15:06 alexott

I got confirmation from the dev team:

Currently, the DirectoryPermissionsHandler prevents users from changing the CAN_MANAGE permissions of a user on its own home folder.

alexott avatar Jun 14 '24 18:06 alexott

@alexott So, to summarize what I need to do to get this merged:

  1. Add SPN home directories to the use-case
  2. Handle object_id next to currently implemented directory_path
  3. Write tests

Correct?

favoretti avatar Jun 17 '24 12:06 favoretti

yes, it looks like. @mgyucht I think it makes sense to discuss in the next office hours

alexott avatar Jun 17 '24 12:06 alexott

Please ensure that the NEXT_CHANGELOG.md file is updated with any relevant changes. If this is not necessary for your PR, please include the following in your PR description: NO_CHANGELOG=true and rerun the job.

github-actions[bot] avatar May 14 '25 09:05 github-actions[bot]

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger: go/deco-tests-run/terraform

Inputs:

  • PR number: 3586
  • Commit SHA: b049a8248ffa6314d655e4b3034e77f63db543b4

Checks will be approved automatically on success.

github-actions[bot] avatar May 14 '25 09:05 github-actions[bot]