Convert ADL ACLs to UC Grants (credential passthrough)
It is meant for customers who:
- Use Credential Passthrough with ADLS Gen1 or Gen2
- Use a metastore that points to tables that rely on Credential Passthrough
The command is expected to be run with a user that can access the Azure AD Graph API and the ADLS or ABFS APIs. Perform an inventory of the Azure storage account ACLs defined for passthrough clusters and prepare the inventory. Extend the save_azure_storage_accounts CLI command to include the output of this inventory.
This may be necessary to run from an account-admin perspective as well.
Upstream dependencies:
- https://github.com/databrickslabs/ucx/issues/670
When we were moving to TACL from pass-through for DBSQL, Shant created some code to do this: go/aclsbootstrap
@pohlposition do we want to put links to internal repos here? 😉
Changed to go link
One thing to consider here is that ADLS lets you see all the folders and drill down into them until you hit a folder you don't have access to. This assumes you have access to the storage container.
We should think about replicating this into UC's BROWSE permission
Some customers do not use table ACLs and rely on giving access to ADLS folders directly (and would like to solve the lack of table ACLs when adopting UC).
If they have a structure such as
container@storage_account_url/path/bbdd/table
they can give read or write permissions to principals at either the bbdd or the table level (which would translate to GRANTs for UC objects), and then execute permissions on path (which would be translated as a BROWSE at the catalog level in UC, since the idea is to be able to list the objects).
As a generalization, there could be folders with more than 3 levels, where the last 2 should always be table and bbdd with either write or read access, and the upper folders could have execute permissions (which in the same way would translate to GRANTs and BROWSE permissions).
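The folder-to-grant mapping described in the comment above, written out as an added example (not ucx code): read on a table or bbdd folder becomes SELECT, write becomes MODIFY, and execute on an upper folder becomes BROWSE on the catalog. The ACL inventory, the set of known table locations and the catalog name `main` are constructed assumptions; folders that are not a known table, its bbdd or an ancestor are skipped.

```python
from collections import OrderedDict

# Constructed sample inventory: (folder path inside the container, principal, "rwx" mask).
SAMPLE_ACLS = [
    ("data/raw", "analysts", "--x"),               # upper folder: list only
    ("data/raw/sales", "analysts", "r-x"),         # bbdd (schema) level: read
    ("data/raw/sales/orders", "etl", "rwx"),       # table level: read + write
    ("data/raw/sales/orders", "analysts", "r--"),  # table level: read
    ("data/raw/sales/secret", "etl", "r--"),       # not a known table: skipped
]
# Constructed list of table locations, as the metastore inventory would provide them.
KNOWN_TABLES = {"data/raw/sales/orders", "data/raw/hr/employees"}


def _level(path, known_tables):
    """Classify a folder as 'table', 'schema' (bbdd), 'upper' (ancestor) or None."""
    if path in known_tables:
        return "table"
    if any(t.rsplit("/", 1)[0] == path for t in known_tables):
        return "schema"
    if any(t.startswith(path + "/") for t in known_tables):
        return "upper"
    return None


def acls_to_grants(acls, known_tables, catalog):
    """Return UC GRANT statements as an ordered, de-duplicated list of strings."""
    grants = OrderedDict()
    for path, principal, mask in acls:
        level = _level(path, known_tables)
        if level is None:
            continue
        parts = path.split("/")
        if level == "upper":
            # Execute on an ancestor folder only lets the principal list objects:
            # that maps to BROWSE on the catalog, not to any data privilege.
            if "x" in mask:
                grants[f"GRANT BROWSE ON CATALOG {catalog} TO `{principal}`"] = None
            continue
        if level == "table":
            target = f"TABLE {catalog}.{parts[-2]}.{parts[-1]}"
        else:
            target = f"SCHEMA {catalog}.{parts[-1]}"
        # Read -> SELECT, write -> MODIFY; a write-only ACL yields only MODIFY.
        for priv, flag in (("SELECT", "r"), ("MODIFY", "w")):
            if flag in mask:
                grants[f"GRANT {priv} ON {target} TO `{principal}`"] = None
    return list(grants)
```

A principal still needs USE CATALOG and USE SCHEMA in UC to actually query the objects; the example only covers the privileges the comment maps.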