Fixed the entitlements application for account-level groups #529
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renardeinside
had a problem deploying
to
account-admin
GitHub Actions
Failure
renardeinside
had a problem deploying
to
account-admin
GitHub Actions
Failure
Codecov Report
@@ Coverage Diff @@
## main #529 +/- ##
==========================================
+ Coverage 80.98% 81.77% +0.78%
==========================================
Files 31 33 +2
Lines 3392 3478 +86
Branches 658 673 +15
==========================================
+ Hits 2747 2844 +97
+ Misses 491 475 -16
- Partials 154 159 +5
|
renardeinside
had a problem deploying
to
account-admin
GitHub Actions
Failure
renardeinside
had a problem deploying
to
account-admin
GitHub Actions
Failure
renardeinside
had a problem deploying
to
account-admin
GitHub Actions
Failure
william-conti
suggested changes
Nov 2, 2023
| pi.inventorize_permissions() | ||
| pi.apply_group_permissions(group_manager.migration_state, destination="backup") | ||
| group_manager.replace_workspace_groups_with_account_groups() | ||
| pi.apply_group_permissions(group_manager.migration_state, destination="account") |
There was a problem hiding this comment.
Migration state must be re-instatiated between each invocations, the same as we do in runtime.py.
The test should look like this then:
def test_scim(ws: WorkspaceClient, make_ucx_group, sql_backend, inventory_schema):
"""
This test does the following:
* create a ws group with roles and entitlements
* migrate this group
* verify that the migrated group has the same roles and entitlements
:return:
"""
ws_group, acc_group = make_ucx_group()
_patch_by_id(ws, ws_group.id, "entitlements", [iam.ComplexValue(value="databricks-sql-access")])
groups_config = GroupsConfig(selected=[ws_group.display_name])
#Task 1 - crawl_permissions
scim_support = ScimSupport(ws)
pi = PermissionManager(sql_backend, inventory_schema, [scim_support])
pi.cleanup()
pi.inventorize_permissions()
# Task 2 - apply_permissions_to_backup_groups
group_manager = GroupManager(ws, groups_config)
group_manager.prepare_groups_in_environment()
pi.apply_group_permissions(group_manager.migration_state, destination="backup")
#Task 3 - apply_permissions_to_account_groups
group_manager = GroupManager(ws, groups_config)
group_manager.prepare_groups_in_environment()
group_manager.replace_workspace_groups_with_account_groups()
#Task 4 - apply_permissions_to_account_groups
migration_state = GroupManager.prepare_apply_permissions_to_account_groups(ws, groups_config.backup_group_prefix)
pi.apply_group_permissions(migration_state, destination="account")
assert iam.ComplexValue(value="databricks-sql-access") in ws.groups.get(acc_group.id).entitlements
Which, in my environment, doesn't pass
|
Keep in mind that we're getting rid of the backup groups very soon: #450 |
|
@nfx could you please tell us what "very soon" means specifically? is it in 2-3 days or we're speaking about longer time periods I would suggest going further with proper fix. |
renardeinside
had a problem deploying
to
account-admin
GitHub Actions
Failure
william-conti
had a problem deploying
to
account-admin
GitHub Actions
Failure
william-conti
had a problem deploying
to
account-admin
GitHub Actions
Failure
william-conti
had a problem deploying
to
account-admin
GitHub Actions
Failure
william-conti
had a problem deploying
to
account-admin
GitHub Actions
Failure
william-conti
force-pushed
the
bugfix/apply-entitlements-to-acc-groups
branch
from
d426d96 to
6dec120
Compare
william-conti
had a problem deploying
to
account-admin
GitHub Actions
Failure
renardeinside
commented
Nov 3, 2023
william-conti
had a problem deploying
to
account-admin
GitHub Actions
Error
william-conti
temporarily deployed
to
account-admin
GitHub Actions
Inactive
william-conti
approved these changes
Nov 3, 2023
github-merge-queue
bot
removed this pull request from the merge queue due to no response for status checks
nfx
changed the title
FastLee
pushed a commit
that referenced
this pull request
Nov 8, 2023
Addresses the issues in #488 . **Problem Statement** - Setup: - We have a ws and acc group. - Ws group has an entitlement - Crawler: - During the inventorization, the entitlement is saved into the inventory without any issues into a Permissions object with `object_type="entitlements"` and `object_id="workspace_group_id"` - Appy to backups: - Backup group is created - Entitlements are applied to the backup group - Replace: - Simply replaces the groups - Apply to acc groups (separate task) - **Migration state** becomes lost and there is no link between the workspace group id and the acc group id anymore. - Since there is no linkage in the migration state, the `is_item_relevant` method returns `None`, therefore it won’t apply the proper group entitlements. **Design** Together with @william-conti we've decided that the `migration_state` object needs to be persisted across the `replace` and `apply_to_account` tasks to properly save the state and avoid losing the logical association between ws and acc groups. --------- Co-authored-by: William Conti <william.conti@databricks.com>
nfx
added a commit
that referenced
this pull request
Nov 17, 2023
**Breaking changes** (existing installations need to reinstall UCX and re-run assessment jobs) * Switched local group migration component to rename groups instead of creating backup groups ([#450](#450)). * Mitigate permissions loss in Table ACLs by folding grants belonging to the same principal, object id and object type together ([#512](#512)). **New features** * Added support for the experimental Databricks CLI launcher ([#517](#517)). * Added support for external Hive Metastores including AWS Glue ([#400](#400)). * Added more views to assessment dashboard ([#474](#474)). * Added rate limit for creating backup group to increase stability ([#500](#500)). * Added deduplication for mount point list ([#569](#569)). * Added documentation to describe interaction with external Hive Metastores ([#473](#473)). * Added failure injection for job failure message propagation ([#591](#591)). * Added uniqueness in the new warehouse name to avoid conflicts on installation ([#542](#542)). * Added a global init script to collect Hive Metastore lineage ([#513](#513)). * Added retry set/update permissions when possible and assess the changes in the workspace ([#519](#519)). * Use `~/.ucx/state.json` to store the state of both dashboards and jobs ([#561](#561)). **Bug fixes** * Fixed handling for `OWN` table permissions ([#571](#571)). * Fixed handling of keys with and without values. ([#514](#514)). * Fixed integration test failures related to concurrent group delete ([#584](#584)). * Fixed issue with workspace listing process on None type `object_type` ([#481](#481)). * Fixed missing group entitlement migration bug ([#583](#583)). * Fixed entitlement application for account-level groups ([#529](#529)). * Fixed assessment throwing an error when the owner of an object is empty ([#485](#485)). * Fixed installer to migrate between different configuration file versions ([#596](#596)). * Fixed cluster policy crawler to be aware of deleted policies ([#486](#486)). * Improved error message for not null constraints violated ([#532](#532)). * Improved integration test resiliency ([#597](#597), [#594](#594), [#586](#586)). * Introduced Safer access to workspace objects' properties. ([#530](#530)). * Mitigated permissions loss in Table ACLs by running appliers with single thread ([#518](#518)). * Running apply permission task before assessment should display message ([#487](#487)). * Split integration tests from blocking the merge queue ([#496](#496)). * Support more than one dashboard per step ([#472](#472)). * Update databricks-sdk requirement from ~=0.11.0 to ~=0.12.0 ([#505](#505)). * Update databricks-sdk requirement from ~=0.12.0 to ~=0.13.0 ([#575](#575)).
Merged
nfx
added a commit
that referenced
this pull request
Nov 17, 2023
**Breaking changes** (existing installations need to reinstall UCX and re-run assessment jobs) * Switched local group migration component to rename groups instead of creating backup groups ([#450](#450)). * Mitigate permissions loss in Table ACLs by folding grants belonging to the same principal, object id and object type together ([#512](#512)). **New features** * Added support for the experimental Databricks CLI launcher ([#517](#517)). * Added support for external Hive Metastores including AWS Glue ([#400](#400)). * Added more views to assessment dashboard ([#474](#474)). * Added rate limit for creating backup group to increase stability ([#500](#500)). * Added deduplication for mount point list ([#569](#569)). * Added documentation to describe interaction with external Hive Metastores ([#473](#473)). * Added failure injection for job failure message propagation ([#591](#591)). * Added uniqueness in the new warehouse name to avoid conflicts on installation ([#542](#542)). * Added a global init script to collect Hive Metastore lineage ([#513](#513)). * Added retry set/update permissions when possible and assess the changes in the workspace ([#519](#519)). * Use `~/.ucx/state.json` to store the state of both dashboards and jobs ([#561](#561)). **Bug fixes** * Fixed handling for `OWN` table permissions ([#571](#571)). * Fixed handling of keys with and without values. ([#514](#514)). * Fixed integration test failures related to concurrent group delete ([#584](#584)). * Fixed issue with workspace listing process on None type `object_type` ([#481](#481)). * Fixed missing group entitlement migration bug ([#583](#583)). * Fixed entitlement application for account-level groups ([#529](#529)). * Fixed assessment throwing an error when the owner of an object is empty ([#485](#485)). * Fixed installer to migrate between different configuration file versions ([#596](#596)). * Fixed cluster policy crawler to be aware of deleted policies ([#486](#486)). * Improved error message for not null constraints violated ([#532](#532)). * Improved integration test resiliency ([#597](#597), [#594](#594), [#586](#586)). * Introduced Safer access to workspace objects' properties. ([#530](#530)). * Mitigated permissions loss in Table ACLs by running appliers with single thread ([#518](#518)). * Running apply permission task before assessment should display message ([#487](#487)). * Split integration tests from blocking the merge queue ([#496](#496)). * Support more than one dashboard per step ([#472](#472)). * Update databricks-sdk requirement from ~=0.11.0 to ~=0.12.0 ([#505](#505)). * Update databricks-sdk requirement from ~=0.12.0 to ~=0.13.0 ([#575](#575)).
pritishpai
pushed a commit
that referenced
this pull request
Nov 21, 2023
**Breaking changes** (existing installations need to reinstall UCX and re-run assessment jobs) * Switched local group migration component to rename groups instead of creating backup groups ([#450](#450)). * Mitigate permissions loss in Table ACLs by folding grants belonging to the same principal, object id and object type together ([#512](#512)). **New features** * Added support for the experimental Databricks CLI launcher ([#517](#517)). * Added support for external Hive Metastores including AWS Glue ([#400](#400)). * Added more views to assessment dashboard ([#474](#474)). * Added rate limit for creating backup group to increase stability ([#500](#500)). * Added deduplication for mount point list ([#569](#569)). * Added documentation to describe interaction with external Hive Metastores ([#473](#473)). * Added failure injection for job failure message propagation ([#591](#591)). * Added uniqueness in the new warehouse name to avoid conflicts on installation ([#542](#542)). * Added a global init script to collect Hive Metastore lineage ([#513](#513)). * Added retry set/update permissions when possible and assess the changes in the workspace ([#519](#519)). * Use `~/.ucx/state.json` to store the state of both dashboards and jobs ([#561](#561)). **Bug fixes** * Fixed handling for `OWN` table permissions ([#571](#571)). * Fixed handling of keys with and without values. ([#514](#514)). * Fixed integration test failures related to concurrent group delete ([#584](#584)). * Fixed issue with workspace listing process on None type `object_type` ([#481](#481)). * Fixed missing group entitlement migration bug ([#583](#583)). * Fixed entitlement application for account-level groups ([#529](#529)). * Fixed assessment throwing an error when the owner of an object is empty ([#485](#485)). * Fixed installer to migrate between different configuration file versions ([#596](#596)). * Fixed cluster policy crawler to be aware of deleted policies ([#486](#486)). * Improved error message for not null constraints violated ([#532](#532)). * Improved integration test resiliency ([#597](#597), [#594](#594), [#586](#586)). * Introduced Safer access to workspace objects' properties. ([#530](#530)). * Mitigated permissions loss in Table ACLs by running appliers with single thread ([#518](#518)). * Running apply permission task before assessment should display message ([#487](#487)). * Split integration tests from blocking the merge queue ([#496](#496)). * Support more than one dashboard per step ([#472](#472)). * Update databricks-sdk requirement from ~=0.11.0 to ~=0.12.0 ([#505](#505)). * Update databricks-sdk requirement from ~=0.12.0 to ~=0.13.0 ([#575](#575)).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses the issues in #488 .
Problem Statement
object_type="entitlements"andobject_id="workspace_group_id"is_item_relevantmethod returnsNone, therefore it won’t apply the proper group entitlements.Design
Together with @william-conti we've decided that the
migration_stateobject needs to be persisted across thereplaceandapply_to_accounttasks to properly save the state and avoid losing the logical association between ws and acc groups.