fix: refine and downscope UC grants for volume (#651)
jayengee authored Oct 14, 2024
1 parent 6b4d601 commit 617cb81
Showing 1 changed file with 13 additions and 23 deletions.
36 changes: 13 additions & 23 deletions databricks-s3-volume/grants.tf
Expand Up @@ -13,7 +13,7 @@ resource "databricks_grant" "catalog_r" {

catalog = local.catalog_name
principal = each.value
privileges = ["USE_CATALOG", "USE_SCHEMA", "SELECT", "BROWSE"]
privileges = ["USE_CATALOG", "BROWSE"]
}

resource "databricks_grant" "catalog_rw" {
Expand All @@ -23,20 +23,10 @@ resource "databricks_grant" "catalog_rw" {
catalog = local.catalog_name
principal = each.value
privileges = [
"APPLY_TAG",
"CREATE_CONNECTION",
"CREATE_SCHEMA",
"USE_CATALOG",
"CREATE_FUNCTION",
"CREATE_TABLE",
"EXECUTE",
"MODIFY",
"REFRESH",
"SELECT",
"READ_VOLUME",
"WRITE_VOLUME",
"USE_SCHEMA",
"BROWSE",
"APPLY_TAG",
"CREATE_SCHEMA",
]
}

Expand All @@ -47,7 +37,7 @@ resource "databricks_grant" "schema_r" {

schema = "${local.catalog_name}.${local.schema_name}"
principal = each.value
privileges = ["USE_SCHEMA", "SELECT", "READ_VOLUME"]
privileges = ["USE_SCHEMA"]
}

resource "databricks_grant" "schema_rw" {
Expand All @@ -57,17 +47,12 @@ resource "databricks_grant" "schema_rw" {
schema = "${local.catalog_name}.${local.schema_name}"
principal = each.value
privileges = [
"USE_SCHEMA",
"APPLY_TAG",
"CREATE_FUNCTION",
"CREATE_TABLE",
"CREATE_VOLUME",
"USE_SCHEMA",
"EXECUTE",
"MODIFY",
"REFRESH",
"SELECT",
"READ_VOLUME",
"WRITE_VOLUME"
"CREATE_MATERIALIZED_VIEW",
]
}

Expand All @@ -76,12 +61,17 @@ resource "databricks_grant" "volume_r" {
for_each = toset(var.volume_r_grant_principals)
volume = databricks_volume.volume.id
principal = each.value
privileges = ["READ_VOLUME"]
privileges = ["READ_VOLUME", "READ_FILES"]
}

resource "databricks_grant" "volume_rw" {
for_each = toset(var.volume_rw_grant_principals)
volume = databricks_volume.volume.id
principal = each.value
privileges = ["READ_VOLUME", "WRITE_VOLUME"]
privileges = [
"READ_VOLUME",
"READ_FILES",
"WRITE_VOLUME",
"WRITE_FILES",
]
}
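Review bot: The new `volume_r` and `volume_rw` privilege lists add `READ_FILES` and `WRITE_FILES` next to `READ_VOLUME`/`WRITE_VOLUME`; as far as I know those two are external-location privileges in Unity Catalog rather than volume privileges, so confirm the provider accepts them on a `databricks_volume` target before relying on this change, since a rejected privilege would fail the apply for every principal in the set. The rendered page has lost its +/- markers, so which side each line sits on is inferred from the trailing commas and the 13/23 diffstat. Because the downscope drops SELECT and READ_VOLUME from `catalog_r` and `schema_r`, a principal that appears only in `var.volume_rw_grant_principals` still needs USE_CATALOG and USE_SCHEMA on the parents for the volume grant to be usable; a header comment such as `# Volume principals must also be listed in catalog_r/schema_r: UC requires USE_CATALOG and USE_SCHEMA on the parent objects.` would make that contract explicit. A one-line comment above each tier stating what it is meant to allow, e.g. `# rw here grants object creation in the schema, not read/modify of the data` above `schema_rw`, would keep the lists from growing back in later edits.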
