Use TACL cluster in test_all_grant_types and wait for ANONYMOUS FILE grant
#3800
+113
−81
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JCZuurmond
added
migrate/access-control
JCZuurmond
had a problem deploying
to
account-admin
GitHub Actions
Failure
|
❌ 107/112 passed, 5 failed, 8 skipped, 8h31m22s total ❌ test_all_grant_types: TimeoutError: Timed out after 0:03:00 (20m12.287s)❌ test_all_grants_for_other_objects: AssertionError: assert {'MODIFY', 'SELECT'} == set() (11m31.159s)❌ test_grant_findings: AttributeError: 'list' object has no attribute 'object_type' (24m26.62s)❌ test_table_migration_job_refreshes_migration_status[regular-migrate-tables]: databricks.sdk.errors.platform.BadRequest: org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:javax.jdo.JDODataStoreException: Exception thrown flushing changes to datastore (11m18.892s)❌ test_permission_for_files_anonymous_func_migration_api: TimeoutError: Timed out after 0:02:00 (11m27.256s)Running from acceptance #8469 |
pritishpai
force-pushed
the
fix/grants-integration-tests
branch
from
cfaceb2 to
a7c762e
Compare
pritishpai
had a problem deploying
to
account-admin
GitHub Actions
Failure
JCZuurmond
force-pushed
the
fix/grants-integration-tests
branch
from
a7c762e to
e405ef6
Compare
JCZuurmond
had a problem deploying
to
account-admin
GitHub Actions
Failure
JCZuurmond
commented
Mar 4, 2025
There was a problem hiding this comment.
@pritishpai : Handing over this PR to you. We looked into the issue yesterday and saw it might be an issue specific to our workspace.
I added some comments with my thoughts.
| assert tables_crawler._catalog == udf._catalog | ||
| assert tables_crawler._schema == udf._schema | ||
| super().__init__(tables_crawler._sql_backend, tables_crawler._catalog, tables_crawler._schema, "grants", Grant) | ||
| def __init__( |
There was a problem hiding this comment.
I decoupled the grantscrawler from the tables crawler for two reasons:
- IMO it is confusing because AFAIK this is the only crawler which does it. It also bears the question: why not tightly couple it with the UDFs crawler?
- The
GrantsCrawleris expected to run against a differentSqlBackendin the assessment workflow, namely the TACL cluster.
| @@ -25,7 +35,7 @@ def _deployed_schema(runtime_ctx) -> None: | |||
|
|
|||
|
|
|||
| @retried(on=[NotFound, TimeoutError], timeout=dt.timedelta(minutes=3)) | |||
| def test_all_grant_types(runtime_ctx: MockRuntimeContext, _deployed_schema: None): | |||
| def test_all_grant_types(runtime_ctx: MockRuntimeContext, sql_backend_tacl: SqlBackend, _deployed_schema: None): | |||
There was a problem hiding this comment.
I am mimicking the assessment workflow here:
TablesCrawlerandUdfsCrawlerrun against the "regular" backendGrantsCrawlerrun against the "tacl" backend
| wait_for_grants(contains_select_on_any_file, any_file=True) | ||
| # Only verifying the SELECT permission on ANY FILE and ANONYMOUS FUNCTION as those take a while to propagate. | ||
| wait_for_grants(grants_contain_select_action, any_file=True) | ||
| wait_for_grants(grants_contain_select_action, anonymous_function=True) |
There was a problem hiding this comment.
This fails with the following error:
DatabricksServiceHttpClientException: TEMPORARILY_UNAVAILABLE: The service at /api/2.0/sql-acl/get-permissions is taking too long to process your request. Please try again later or try a faster operation. [TraceId: 00-afa5633f98d2b7cbc47937e9233436b5-c5249ad122b4daa2-00]
This endpoint API docs suggest to use the new API endpoint. However, the choice for API endpoint is not up to us as it we use SHOW GRANTS ... - not the API endpoints directly. (Note we might implicitly chose the endpoint with the runtime.)
@gueniai : Could you ask the endpoint team on guidance here?
There was a problem hiding this comment.
I tried manually last night and I could make the /api/2.0/sql-acl/get-permissions via a python api call. If the endpoint team can give us the revoke permissions or anything that can help us clear the dangling permissions it would help us a lot.
pritishpai
force-pushed
the
fix/grants-integration-tests
branch
from
e405ef6 to
9e44daa
Compare
pritishpai
had a problem deploying
to
account-admin
GitHub Actions
Failure
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
Use TACL cluster in
test_all_grant_typesand wait forANONYMOUS FILEgrant to improve stability of test.Linked issues
Resolves #3798
Related to #3765
Tests
test_all_grant_types&test_grant_findings