Convert ADL ACLs to UC Grants (credential passthrough) #321

Open
Tracked by #1485
nfx opened this issue Sep 28, 2023 · 5 comments
Labels: cloud/azure (issues related to Azure), feat/cli (CLI commands), migrate/access-control (Access Control to things)

Comments

nfx (Collaborator) commented Sep 28, 2023

It is meant for customers who:

  • Use Credential Passthrough with ADLS Gen1 or Gen2
  • Use a metastore that points to tables that rely on Credential Passthrough

The command is expected to be run with a user that can access the Azure AD Graph API and the ADLS or ABFS APIs. Perform an inventory of the Azure storage account ACLs defined for passthrough clusters and prepare the inventory. Extend the save_azure_storage_accounts CLI command to include the output of this inventory.

This may need to be run from an account-admin perspective as well.

Upstream dependencies:

@nfx nfx added enhancement New feature or request feat/account-level cross-workspace installations step/assessment go/uc/upgrade - Assessment Step migrate/external go/uc/upgrade SYNC EXTERNAL TABLES step labels Sep 28, 2023
pohlposition (Contributor) commented Oct 2, 2023

When we were moving to TACL from pass-through for DBSQL, Shant created some code to do this:
go/aclsbootstrap

@nfx nfx added this to UCX Oct 3, 2023
@nfx nfx moved this to Triage in UCX Oct 3, 2023
nfx (Collaborator, Author) commented Oct 3, 2023

@pohlposition do we want to put links to internal repos here? 😉

pohlposition (Contributor) commented

Changed to go link

@pohlposition pohlposition moved this from Triage to Month Backlog in UCX Oct 6, 2023
@nfx nfx added the feat/cli CLI commands label Dec 6, 2023
@nfx nfx moved this from Month Backlog to Triage in UCX Dec 6, 2023
@nfx nfx moved this from Triage to Quarter Backlog in UCX Dec 6, 2023
@nfx nfx changed the title Convert ADL ACLs to UC Grants Convert ADL ACLs to UC Grants (credential passthrough) Feb 5, 2024
@nfx nfx added the cloud/azure issues related to Azure label Feb 5, 2024
@nfx nfx added migrate/access-control Access Control to things and removed feat/account-level cross-workspace installations labels Mar 25, 2024
@pohlposition pohlposition moved this from Quarter Backlog to Month Backlog in UCX Apr 8, 2024
@nfx nfx added credentials and removed migrate/external go/uc/upgrade SYNC EXTERNAL TABLES step credentials enhancement New feature or request step/assessment go/uc/upgrade - Assessment Step labels Apr 15, 2024
@nfx nfx moved this from Month Backlog to Quarter Backlog in UCX Apr 24, 2024
@HariGS-DB HariGS-DB self-assigned this Apr 26, 2024
pohlposition (Contributor) commented

One thing to consider here is that ADLS lets you see all the folders and drill down into them until you hit a folder you don't have access to. This assumes you have access to the storage container.

We should think about replicating this into UC's BROWSE permission

lorenzorubi-db commented

Some customers do not use table ACLs and rely on giving access to ADLS folders directly (and would like to solve the lack of table ACLs when adopting UC).

If they have a structure such as

container@storage_account_url/path/bbdd/table

they can give read or write permissions to principals at either the bbdd (database) or the table level (which would translate to GRANTs on UC objects), and then execute permissions on path (which would be translated to BROWSE at the catalog level in UC, since the idea is to be able to list the objects).

As a generalization, there could be folders with more than 3 levels, where the last 2 should always be table and bbdd with either write or read access, and the upper folders could have execute permissions (which in the same way would translate to GRANTs and BROWSE permissions).
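As an added example (not UCX code, and not code any commenter posted), here is one way to apply the folder-to-object mapping lorenzorubi-db describes, together with the BROWSE point pohlposition raises, to the storage-account ACL inventory nfx's first comment calls for. It assumes the thread's `container@account/path/bbdd/table` notation, a map from table location to `catalog.schema.table` as the metastore would report it, and ADLS Gen2's `type:principal:rwx` ACL string format; the privilege choices (r to SELECT, w to MODIFY, x on folders above the schema to BROWSE, plus USE CATALOG / USE SCHEMA on the parents) and all sample data are this example's own.

```python
# Added example (not UCX's or the commenters' code): folder roles come from the
# metastore's table locations; the privilege mapping (r -> SELECT, w -> MODIFY,
# x above the schema folder -> BROWSE) is this example's assumption.
from dataclasses import dataclass
from posixpath import dirname

@dataclass(frozen=True)
class AclEntry:
    principal: str   # UPN or AAD object id exactly as stored in the ACL entry
    read: bool
    write: bool
    execute: bool

def parse_acl(acl: str) -> list[AclEntry]:
    """Parse 'user::rwx,group::r-x,other::---,user:alice@corp.example:r-x,mask::r-x'.
    Only named user/group entries can become UC grantees; owner, owning group, other::
    and default: entries are dropped, and mask:: is ANDed in as POSIX ACLs require."""
    named, mask = [], "rwx"
    for raw in (e.strip() for e in acl.split(",")):
        if not raw or raw.startswith("default:"):
            continue   # default ACLs only shape future children
        parts = raw.split(":")
        if len(parts) != 3 or len(parts[2]) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, principal, perms = parts
        if kind == "mask":
            mask = perms
        elif kind in ("user", "group") and principal:
            named.append((principal, perms))
    entries = []
    for principal, perms in named:
        eff = "".join(p if p == m else "-" for p, m in zip(perms, mask))  # rwx & r-x = r-x
        entries.append(AclEntry(principal, "r" in eff, "w" in eff, "x" in eff))
    return entries

def classify(path: str, tables: dict[str, str]) -> tuple[str, set[str]]:
    """`tables` maps a folder (container@account/...) to 'catalog.schema.table'.
    Table location -> table; its parent -> schema (bbdd); higher ancestors -> catalog."""
    path = path.rstrip("/")
    if path in tables:
        return "table", {tables[path]}
    schemas = {".".join(f.split(".")[:2]) for loc, f in tables.items() if dirname(loc) == path}
    if schemas:
        return "schema", schemas
    catalogs = {f.split(".")[0] for loc, f in tables.items() if loc.startswith(path + "/")}
    if catalogs:
        return "catalog", catalogs
    return "unmapped", set()

def _q(fqn: str) -> str:   # backtick-quote each part of a dotted UC name
    return ".".join(f"`{p}`" for p in fqn.split("."))

def folder_grants(path: str, acl: str, tables: dict[str, str]) -> list[str]:
    """GRANTs for one folder: r -> SELECT, w -> MODIFY on the table or schema; x on a
    folder above the schema -> BROWSE on the catalog so listing keeps working like ADLS
    drill-down.  USE CATALOG / USE SCHEMA are added because UC needs them on the parents."""
    level, objects = classify(path, tables)
    grants: dict[str, None] = {}   # insertion-ordered set
    for entry in parse_acl(acl):
        grantee = f"`{entry.principal}`"
        for obj in sorted(objects):
            catalog = obj.split(".")[0]
            if level == "catalog":
                if entry.execute:
                    grants[f"GRANT BROWSE ON CATALOG {_q(catalog)} TO {grantee};"] = None
                continue
            privs = [p for p, on in (("SELECT", entry.read), ("MODIFY", entry.write)) if on]
            if not privs:
                continue
            schema = ".".join(obj.split(".")[:2])
            grants[f"GRANT USE CATALOG ON CATALOG {_q(catalog)} TO {grantee};"] = None
            grants[f"GRANT USE SCHEMA ON SCHEMA {_q(schema)} TO {grantee};"] = None
            grants[f"GRANT {', '.join(privs)} ON {level.upper()} {_q(obj)} TO {grantee};"] = None
    return list(grants)

def build_grants(inventory, tables):
    """Whole inventory -> (deduplicated statements, folders that map to no UC object)."""
    statements, unmapped = {}, []
    for path, acl in inventory:
        if classify(path, tables)[0] == "unmapped":
            unmapped.append(path)   # surfaced for manual review, not silently dropped
            continue
        for stmt in folder_grants(path, acl, tables):
            statements[stmt] = None
    return list(statements), unmapped

# Constructed sample data: metastore table locations and storage-account folder ACLs.
TABLES = {
    "lake@adlsprod/data/sales/orders": "main.sales.orders",
    "lake@adlsprod/data/sales/customers": "main.sales.customers",
    "lake@adlsprod/data/finance/ledger": "main.finance.ledger",
}
INVENTORY = [
    ("lake@adlsprod/data", "user::rwx,group::r-x,other::---,group:analysts:--x"),
    ("lake@adlsprod/data/sales", "user::rwx,group::r-x,other::---,group:analysts:r-x,default:group:analysts:r-x"),
    ("lake@adlsprod/data/sales/customers", "user::rwx,group::r-x,other::---,user:bob@corp.example:rwx,mask::r-x"),
    ("lake@adlsprod/data/finance/ledger", "user::rwx,group::r-x,other::---,user:cfo@corp.example:rwx"),
    ("lake@adlsprod/scratch", "user::rwx,group::r-x,other::---,user:bob@corp.example:rwx"),
]
```

Running `build_grants(INVENTORY, TABLES)` on the sample gives `analysts` BROWSE on `main` from the execute bit on `data`, SELECT on schema `main.sales` from `r-x` on the bbdd folder, SELECT only (no MODIFY) for `bob@corp.example` on `customers` because the `mask::r-x` entry caps his `rwx`, and SELECT plus MODIFY for `cfo@corp.example` on `ledger`; `scratch` comes back in the unmapped list. Two things the output deliberately cannot express and a migration should flag by hand: owner, owning-group and `other::` entries have no named principal and so produce no grant, and execute on the table or bbdd folder itself is dropped because the mapping only gives BROWSE at catalog level.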
