Handle a special use-case of user home directory permissions #3586
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #3586 +/- ##
==========================================
- Coverage 81.60% 81.56% -0.05%
==========================================
Files 196 196
Lines 19744 19758 +14
==========================================
+ Hits 16112 16115 +3
- Misses 2672 2680 +8
- Partials 960 963 +3
We also need to test how it will behave if we try to change permissions for user/SP from manage to lower, like CAN_READ...
@@ -215,6 +215,16 @@ func (a PermissionsAPI) Delete(objectID string) error { | |||
accl.AccessControlList = append(accl.AccessControlList, change) | |||
} | |||
} | |||
|
|||
// handle special case when we add extra permission to a user home dir | |||
if v, ok := d.GetOk("directory_path"); ok { |
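Review bot: the special case on the last added line is entered only when `directory_path` is set, so a resource that refers to the same home directory by object ID skips this branch and keeps the old delete behaviour. Resolve the path from the ID before this check, or state the limitation in the comment above the `if`.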
We need to think how we will handle this for the case when we specify object ID instead of directory path...
Yeah, that's a tricky one my brain refused to wrap itself around at 3am.. Directory ID won't match user_name of course, but fetching a user record based on a user name seemed like an overkill. Open for any hints here.
Now that I think about it.. Even if I fetch the user record, user id won't match directory id, so there's no real way for me to correlate.. Maybe fetch directory object based on id and get its path? If that's even an option...
yes, it's possible to get the directory path by object ID
This particular use-case is only intended for a single corner-case permission: user
I'm clarifying with the team who is responsible for workspace-level permissions
@@ -215,6 +215,16 @@ func (a PermissionsAPI) Delete(objectID string) error { | |||
accl.AccessControlList = append(accl.AccessControlList, change) | |||
} | |||
} | |||
|
|||
// handle special case when we add extra permission to a user home dir | |||
if v, ok := d.GetOk("directory_path"); ok { |
I think that we'll need to expand tests to cover this stuff.
@@ -215,6 +215,16 @@ func (a PermissionsAPI) Delete(objectID string) error { | |||
accl.AccessControlList = append(accl.AccessControlList, change) | |||
} | |||
} | |||
|
|||
// handle special case when we add extra permission to a user home dir | |||
if v, ok := d.GetOk("directory_path"); ok { |
We may need to disallow changes only for the current user - then we'll need to add a check like if me == accessControl.UserName || me == accessControl.ServicePrincipalName { like below. We also need to handle the case of home directory of the service principal, not only ordinary users.
I got confirmation from the dev team:
c02fbc4 to 531fd13
@alexott So, to summarize what I need to do to get this merged:
Correct?
yes, it looks like. @mgyucht I think it makes sense to discuss in the next office hours
The logic looks good to me overall, I had a concern on checking CAN_MANAGE with first index of the list.
permissions/resource_permissions.go
|
||
// handle special case when we add extra permission to a user home dir | ||
if v, ok := d.GetOk("directory_path"); ok { | ||
if v.(string) == fmt.Sprintf("/Users/%s", acl.UserName) && acl.AllPermissions[0].PermissionLevel == "CAN_MANAGE" { |
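Review bot: `acl.AllPermissions[0]` in the inner `if` indexes the list without a length check and looks only at the first entry, so an empty list panics and a CAN_MANAGE entry at any other index is missed. Loop over `acl.AllPermissions` and match any entry whose `PermissionLevel` is "CAN_MANAGE". The path comparison also uses only `acl.UserName`, so an entry with an empty user name is compared against "/Users/" and a service principal's home directory never matches.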
Why do we only compare with the first index of the list? Just to confirm, is it necessary that CAN_MANAGE will always be at 0 index?
@tanmay-db That is... a great question, considering that this PR has been hanging here for a while - I'm not sure... I'm unfortunately not that knee-deep in databricks provider code, would you mind suggesting an alternative?
@alexott and I discussed this and we think going ahead with checking all the items in the list would be safer.
Just to check, after this, extending this to SPN and adding tests would be left before we can merge this, right?
@tanmay-db Something like this?
Just to check, after this, extending this to SPN and adding tests would be left before we can merge this, right?
Expanding to SPN homedir you mean? Yeah, I'll need to work on that too, although I have no idea what the format of SPN's home dir is... is it /Users/<spn_id>? If so, which ID is it, Azure Object ID, Azure app ID or Databricks internal ID? :)
As for tests... I'll do my best, but would really appreciate some help, I'm incredibly new to your codebase :)
it's SPN's Application ID (UUID)
@favoretti, yes, to optimise a little, we can add break in the loop when we find the permission level to CAN_MANAGE.
Changes
In a special case when one would want to add rights for extra users to either view or edit things in one's home directory - the user's own CAN_MANAGE permission is implicit. One can specify it explicitly in the resource, however, during deletion that CAN_MANAGE permission can not be removed, resulting in a failed run that can't be fixed without deleting resource from the state (which leaves other permissions hanging). Hence here's an attempt to ignore or implicitly add it.
This works when permission is supplied with directory_path that matches the user_name, however, this also doesn't work when we specify user_id... Therefore as WIP for now..
Tests
make test run locally
docs/ folder
internal/acceptance
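An added example, not code from this pull request or from the provider: one way to write the check the review thread converges on, scanning every entry of the permission list and treating a service principal's home directory like a user's. The struct types and the functions `isImplicitHomeManage` and `revocable` are hypothetical stand-ins, and the `/Users/<application ID>` form for service principals is an assumption taken from the reply in the thread.

```go
package main

import "fmt"

// Stand-in types using the field names quoted in this thread (not the provider's structs).
type Permission struct{ PermissionLevel string }

type AccessControl struct {
	UserName, ServicePrincipalName string
	AllPermissions                 []Permission
}

// isImplicitHomeManage reports whether acl is the owner's own CAN_MANAGE entry
// on the home directory at path. Assumes an SP's home is /Users/<application ID>.
func isImplicitHomeManage(path string, acl AccessControl) bool {
	owner := acl.UserName
	if owner == "" {
		owner = acl.ServicePrincipalName
	}
	if owner == "" || path != "/Users/"+owner {
		return false
	}
	for _, p := range acl.AllPermissions { // any index; an empty list is safe
		if p.PermissionLevel == "CAN_MANAGE" {
			return true
		}
	}
	return false
}

// revocable keeps only the entries a delete can actually remove.
func revocable(path string, acls []AccessControl) []AccessControl {
	var out []AccessControl
	for _, acl := range acls {
		if !isImplicitHomeManage(path, acl) {
			out = append(out, acl)
		}
	}
	return out
}

func main() {
	acls := []AccessControl{ // constructed sample data
		{UserName: "alice@example.com", AllPermissions: []Permission{{"CAN_READ"}, {"CAN_MANAGE"}}},
		{UserName: "bob@example.com", AllPermissions: []Permission{{"CAN_READ"}}},
	}
	fmt.Println(len(revocable("/Users/alice@example.com", acls)), "entry left to revoke")
}
```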