terraform-provider-databricks

[FEATURE REQUEST] resource to manage UC tables/views owner

Open ebarault opened this issue 3 years ago • 11 comments

Hi @nfx,

I'd like to suggest a new resource to manage UC tables/views owner. This could look as simple as this:

Example configuration

resource "databricks_table_owner" "pnl_report_owner" {
  table = "main.reporting.pnl"
  owner = "accounting"
}

It would also support the property view in addition to table (mutually exclusive).

Or maybe this could be merged with the databricks_grants resource, with an extra owner property, but then it would imply managing the owner of any object managed by this resource: catalog/schema/table/view.

Rationale

The idea is that inside a company, one would often split the responsibilities regarding data schemas/permissions like this:

  • dataops/devops: create UC catalog and schemas/databases and manage permissions over these using iac tools like terraform
  • developers: create the tables/views using a migration toolkit, running in CICD in a step before deploying the code/job to Databricks
  • dataops/devops: managing the permissions over these tables/views. Several options are available to do this, one of them being iac/terraform

Along with managing permissions over these tables, managing owners of the tables/views also falls under dataops/devops responsibility. One trivial but systematic action is to switch owners from simple users to groups.

Note: This module could also be thought of as generic enough to cover inclusion of other UC objects, such as UDFs.

Happy to discuss these rationales and implementation details

ebarault avatar Apr 27 '22 09:04 ebarault

Probably we'll just use owner field in the table resource

nfx avatar Apr 27 '22 18:04 nfx

Are you thinking of an upsert resource?

  • create table if user provides the required parameters
  • update the owner if user provides only this set of parameters?

resource "databricks_table" "thing" {
  name               = "this"
  schema_name        = "there"
  catalog_name       = "here"
  owner              = "foo"
}

ebarault avatar Apr 28 '22 07:04 ebarault

though, on the other hand, if table schema evolution is controlled outside of terraform, the resource will constantly drift

nfx avatar Apr 28 '22 11:04 nfx

right, so a dedicated resource, or reusing the databricks_grants resource would be more appropriate

ebarault avatar Apr 28 '22 13:04 ebarault

databricks_grants uses a different API, one that does not manage ownership

nfx avatar Apr 28 '22 13:04 nfx

@nfx, @nkvuong this is not quite what I discussed in this issue. What if the tables were not created using terraform and we need to change the owner using terraform? Having to import the tables in terraform is not the way I suggested here.

ebarault avatar Jun 03 '22 16:06 ebarault

@ebarault currently it's easier for us to manage ownership in the resources themselves. databricks_grant might be the place to add it.

nfx avatar Jun 03 '22 16:06 nfx

Closed in #1338

nfx avatar Oct 13 '22 10:10 nfx

hmm @nfx I believe it is not quite the same. The related PR seems to apply to UC securables created via terraform.

What I was referring to is to change the ownership of already existing UC securables

ebarault avatar Oct 13 '22 10:10 ebarault

Thank you for the feature request! Currently, the team operates in a limited capacity, carefully prioritizing, and we cannot provide a timeline to implement this feature. Please make a Pull Request if you'd like to see this feature sooner, and we'll guide you through the journey.

nfx avatar Oct 13 '22 10:10 nfx