-
Notifications
You must be signed in to change notification settings - Fork 394
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Fix] Don't use single-node cluster for databricks_sql_permissions
#4141
Open
alexott
wants to merge
1
commit into
main
Choose a base branch
from
fix/issue-4140
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+50
−44
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,14 +3,13 @@ subcategory: "Security" | |
| --- | ||
| # databricks_sql_permissions Resource | ||
|
|
||
| -> Please switch to [databricks_grants](grants.md) with Unity Catalog to manage data access, which provides a better and faster way for managing data security. `databricks_grants` resource *doesn't require a technical cluster to perform operations*. On workspaces with Unity Catalog enabled, you may run into errors such as `Error: cannot create sql permissions: cannot read current grants: For unity catalog, please specify the catalog name explicitly. E.g. SHOW GRANT ``[email protected]`` ON CATALOG main`. This happens if your `default_catalog_name` was set to a UC catalog instead of `hive_metastore`. The workaround is to re-assign the metastore again with the default catalog set to be `hive_metastore`. See [databricks_metastore_assignment](metastore_assignment.md). | ||
| -> Please switch to [databricks_grants](grants.md) with Unity Catalog to manage data access, which provides a better and faster way for managing data security. `databricks_grants` resource *doesn't require a technical cluster to perform operations*. On workspaces with Unity Catalog enabled, you may run into errors such as `Error: cannot create sql permissions: cannot read current grants: For unity catalog, please specify the catalog name explicitly. E.g. SHOW GRANT ``[email protected]`` ON CATALOG main`. This happens if your `default_catalog_name` was set to a UC catalog instead of `hive_metastore`. The workaround is to re-assign the metastore again with the default catalog set to `hive_metastore`. See [databricks_metastore_assignment](metastore_assignment.md). | ||
|
|
||
| This resource manages data object access control lists in Databricks workspaces for things like tables, views, databases, and [more](https://docs.databricks.com/security/access-control/table-acls/object-privileges.html). In order to enable Table Access control, you have to login to the workspace as administrator, go to `Admin Console`, pick `Access Control` tab, click on `Enable` button in `Table Access Control` section, and click `Confirm`. The security guarantees of table access control **will only be effective if cluster access control is also turned on**. Please make sure that no users can create clusters in your workspace and all [databricks_cluster](cluster.md) have approximately the following configuration: | ||
| This resource manages data object access control lists in Databricks workspaces for things like tables, views, databases, and [more](https://docs.databricks.com/security/access-control/table-acls/object-privileges.html). In order to enable Table Access control, you have to login to the workspace as administrator, go to `Admin Console`, pick the `Access Control` tab, click on the `Enable` button in the `Table Access Control` section, and click `Confirm`. The security guarantees of table access control **will only be effective if cluster access control is also turned on**. Please make sure that no users can create clusters in your workspace and all [databricks_cluster](cluster.md) have approximately the following configuration: | ||
|
|
||
| ```hcl | ||
| resource "databricks_cluster" "cluster_with_table_access_control" { | ||
| // ... | ||
|
|
||
| spark_conf = { | ||
| "spark.databricks.acl.dfAclsEnabled" : "true", | ||
| "spark.databricks.repl.allowedLanguages" : "python,sql", | ||
|
|
@@ -34,11 +33,13 @@ The following resource definition will enforce access control on a table by exec | |
| resource "databricks_sql_permissions" "foo_table" { | ||
| table = "foo" | ||
|
|
||
|
|
||
| privilege_assignments { | ||
| principal = "[email protected]" | ||
| privileges = ["SELECT", "MODIFY"] | ||
| } | ||
|
|
||
|
|
||
| privilege_assignments { | ||
| principal = "special group" | ||
| privileges = ["SELECT"] | ||
|
|
@@ -48,7 +49,7 @@ resource "databricks_sql_permissions" "foo_table" { | |
|
|
||
| ## Argument Reference | ||
|
|
||
| * `cluster_id` - (Optional) Id of an existing [databricks_cluster](cluster.md), where the appropriate `GRANT`/`REVOKE` commands are executed. This cluster must have the appropriate data security mode (`USER_ISOLATION` or `LEGACY_TABLE_ACL` specified). If no `cluster_id` is specified, a single-node TACL cluster named `terraform-table-acl` is automatically created. | ||
| * `cluster_id` - (Optional) Id of an existing [databricks_cluster](cluster.md), where the appropriate `GRANT`/`REVOKE` commands are executed. This cluster must have the appropriate data security mode (`USER_ISOLATION` or `LEGACY_TABLE_ACL` specified). If no `cluster_id` is specified, a TACL-enabled cluster with the name `terraform-table-acl` is automatically created. | ||
|
|
||
| ```hcl | ||
| resource "databricks_sql_permissions" "foo_table" { | ||
|
|
@@ -59,12 +60,12 @@ resource "databricks_sql_permissions" "foo_table" { | |
|
|
||
| The following arguments are available to specify the data object you need to enforce access controls on. You must specify only one of those arguments (except for `table` and `view`), otherwise resource creation will fail. | ||
|
|
||
| * `database` - Name of the database. Has default value of `default`. | ||
| * `table` - Name of the table. Can be combined with `database`. | ||
| * `view` - Name of the view. Can be combined with `database`. | ||
| * `database` - Name of the database. Has a default value of `default`. | ||
| * `table` - Name of the table. Can be combined with the `database`. | ||
| * `view` - Name of the view. Can be combined with the `database`. | ||
| * `catalog` - (Boolean) If this access control for the entire catalog. Defaults to `false`. | ||
| * `any_file` - (Boolean) If this access control for reading/writing any file. Defaults to `false`. | ||
| * `anonymous_function` - (Boolean) If this access control for using anonymous function. Defaults to `false`. | ||
| * `anonymous_function` - (Boolean) If this access control for using an anonymous function. Defaults to `false`. | ||
|
|
||
| ### `privilege_assignments` blocks | ||
|
|
||
|
|
@@ -81,15 +82,15 @@ You must specify one or many `privilege_assignments` configuration blocks to dec | |
| * `USAGE` - do not give any abilities, but is an additional requirement to perform any action on a database object. | ||
| * `READ_METADATA` - gives the ability to view an object and its metadata. | ||
| * `CREATE_NAMED_FUNCTION` - gives the ability to create a named UDF in an existing catalog or database. | ||
| * `MODIFY_CLASSPATH` - gives the ability to add files to the Spark class path. | ||
| * `MODIFY_CLASSPATH` - gives the ability to add files to the Spark classpath. | ||
|
|
||
| -> Even though the value `ALL PRIVILEGES` is mentioned in Table ACL documentation, it's not recommended to use it from terraform, as it may result in unnecessary state updates. | ||
| -> Even though the value `ALL PRIVILEGES` is mentioned in Table ACL documentation, it's not recommended to use it from Terraform, as it may result in unnecessary state updates. | ||
|
|
||
| ## Import | ||
|
|
||
| The resource can be imported using a synthetic identifier. Examples of valid synthetic identifiers are: | ||
|
|
||
| * `table/default.foo` - table `foo` in a `default` database. Database is always mandatory. | ||
| * `table/default.foo` - table `foo` in a `default` database. The `database` is always mandatory. | ||
| * `view/bar.foo` - view `foo` in `bar` database. | ||
| * `database/bar` - `bar` database. | ||
| * `catalog/` - entire catalog. `/` suffix is mandatory. | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there an internal ticket which tracks this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to ask the product team about Jira...