[FEATURE REQUEST] resource to manage UC tables/views owner

[ebarault]

Hi @nfx,

I'd like to suggest a new resource to manage UC tables/views owner, this could look like as simple as this:

Example configuration

resource "databricks_table_owner" "pnl_report_owner" {
  table = "main.reporting.pnl"
  owner = "accounting"
}

It would also support the property view in addition to table (mutually exclusive).

Or maybe this could be merged with the databricks_grants resource, with an extra owner property, but then it would imply managing the owner of any object managed by this resource : catalog/schema/table/view

Rationale

The idea is that inside a company, one would often split the responsibilities regarding data schemas/permissions like this:

• dataops/devops: create UC catalog and schemas/databases and manage permissions over these using iac tools like terraform
• developers: create the tables/views using a migration toolkit, running in CICD in a step before deploying the code/job to Databricks
• dataops/devops: managing the permissions over these tables/views. Several options are available to do this, one of them being iac/terraform

Along with managing permissions over these tables, managing owners of the tables/views also falls under dataops/devops responsibility. One trivial but systematic action is to switch owners from simple users to a groups.

Note: This module could also be thought generic enough to cover inclusion of other UC objects, such as UDFs.

Happy to discuss these rationales and implementation details

[nfx]

Probably we'll just use owner field in the table resource

[ebarault]

Are you thinking to an upsert resource ?

• create table if user provides the required parameters
• update the owner if user provides only this set of parameters ?

resource "databricks_table" "thing" {
  name               = "this"
  schema_name        = "there"
  catalog_name       = "here"
  owner              = "foo"

[nfx]

though, on the other hand, if table schema evolution is controlled outside of terraform, the resource will constantly drift

[ebarault]

right, so a dedicated resource, or reusing the databricks_grants resource would be more appropriate

[nfx]

databricks_grants uses different api, that is not managing ownership

[ebarault]

@nfx , @nkvuong this is not quite what i discussed in this issue.
what if the tables were not created using terraform and we need to change the owner using terraform ?
having to import the tables in terraform is not the way I suggested here

[nfx]

@ebarault currently it's easier for us to manage ownership in the resources themselves. databricks_grant might be the place to add it.

[nfx]

Closed in #1338

[ebarault]

hmm @nfx I believe it is not quite the same.
The related PR seems to apply to UC securables created via terraform.

What I was refering to is to change the ownership of already existing UC securables

[nfx]

Thank you for the feature request! Currently, the team operates in a limited capacity, carefully prioritizing, and we cannot provide a timeline to implement this feature. Please make a Pull Request if you'd like to see this feature sooner, and we'll guide you through the journey.

[ebarault]

hi @nfx ! catching up here, is this still an ongoing issue ? or was it solve in the meantime ?