forked from databrickslabs/ucx
-
Notifications
You must be signed in to change notification settings - Fork 0
/
test_redash.py
158 lines (132 loc) · 5.73 KB
/
test_redash.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
import json
import logging
from datetime import timedelta
from unittest import skip
import pytest
from databricks.sdk.errors import NotFound
from databricks.sdk.retries import retried
from databricks.sdk.service import iam, sql
from databricks.labs.ucx.workspace_access import redash
from databricks.labs.ucx.workspace_access.base import Permissions
from databricks.labs.ucx.workspace_access.groups import MigratedGroup, MigrationState
from databricks.labs.ucx.workspace_access.redash import RedashPermissionsSupport
from . import apply_tasks, apply_tasks_appliers, apply_tasks_crawlers
logger = logging.getLogger(__name__)
@pytest.mark.parametrize("use_permission_migration_api", [True, False])
@retried(on=[NotFound], timeout=timedelta(minutes=3))
def test_permissions_for_redash(
ws,
make_group,
migrated_group,
make_user,
make_query,
make_query_permissions,
use_permission_migration_api,
):
ws_group_temp = make_group() # simulate temp/backup group
user = make_user()
query = make_query()
make_query_permissions(
object_id=query.id,
permission_level=sql.PermissionLevel.CAN_EDIT,
group_name=migrated_group.name_in_workspace,
user_name=user.display_name,
)
# Note that Redash support replaces all permissions and apply it on the temp/backup group instead of original group.
# We don't rename the original group as part of this test therefore we need to set the temp group explicitly here.
migrated_group.temporary_name = ws_group_temp.display_name
redash_permissions = RedashPermissionsSupport(
ws,
[redash.Listing(ws.queries.list, sql.ObjectTypePlural.QUERIES)],
)
if use_permission_migration_api:
MigrationState([migrated_group]).apply_to_groups_with_different_names(ws)
else:
apply_tasks(redash_permissions, [migrated_group])
query_permissions = redash_permissions.load_as_dict(sql.ObjectTypePlural.QUERIES, query.id)
if not use_permission_migration_api:
# Note that we don't validate the original group permissions here because Redash support apply the permissions
# on the temp/backup group instead of the original group.
# Permission migration API skips this step
assert sql.PermissionLevel.CAN_EDIT == query_permissions[ws_group_temp.display_name]
assert sql.PermissionLevel.CAN_EDIT == query_permissions[migrated_group.name_in_account]
assert sql.PermissionLevel.CAN_EDIT == query_permissions[user.display_name]
# Redash group permissions are cached for up to 10 mins. If a group is renamed, redash permissions api returns
# the old name for some time. Therefore, we need to allow at least 10 mins in the timeout for checking the permissions
# after group rename.
@skip # skipping as it takes 5-10 mins to execute
@retried(on=[NotFound], timeout=timedelta(minutes=5))
def test_permissions_for_redash_after_group_is_renamed(
ws,
make_group,
make_query,
make_query_permissions,
):
"""
Redash permissions are cached for up to 10 mins. See: https://databricks.atlassian.net/browse/ES-992619
Therefore, when a group is renamed, get redash permissions API can return the old group name for some time.
This test validates that Redash Permissions Support is able to apply and validate permissions correctly
after rename operation.
"""
ws_group = make_group()
acc_group = make_group()
query = make_query()
make_query_permissions(
object_id=query.id,
permission_level=sql.PermissionLevel.CAN_EDIT,
group_name=ws_group.display_name,
)
redash_permissions = RedashPermissionsSupport(
ws,
[redash.Listing(ws.queries.list, sql.ObjectTypePlural.QUERIES)],
)
permissions = apply_tasks_crawlers(redash_permissions)
group_to_migrate = MigratedGroup.partial_info(ws_group, acc_group)
def rename_group(group: iam.Group, new_group_name: str) -> iam.Group:
ws.groups.patch(group.id, operations=[iam.Patch(iam.PatchOp.REPLACE, "displayName", new_group_name)])
group.display_name = new_group_name
return group
# simulate creating temp/backup group by renaming the original workspace-local group
ws_group_a_temp_name = "tmp-" + ws_group.display_name
ws_group = rename_group(ws_group, ws_group_a_temp_name)
apply_tasks_appliers(redash_permissions, permissions, MigrationState([group_to_migrate]))
query_permissions = redash_permissions.load_as_dict(sql.ObjectTypePlural.QUERIES, query.id)
assert sql.PermissionLevel.CAN_EDIT == query_permissions[ws_group.display_name]
assert sql.PermissionLevel.CAN_EDIT == query_permissions[acc_group.display_name]
@retried(on=[NotFound], timeout=timedelta(minutes=3))
def test_verify_permissions_for_redash(
ws,
make_group,
make_query,
make_query_permissions,
):
ws_group = make_group()
query = make_query()
make_query_permissions(
object_id=query.id,
permission_level=sql.PermissionLevel.CAN_EDIT,
group_name=ws_group.display_name,
)
redash_permissions = RedashPermissionsSupport(
ws,
[redash.Listing(ws.queries.list, sql.ObjectTypePlural.QUERIES)],
)
item = Permissions(
object_id=query.id,
object_type=sql.ObjectTypePlural.QUERIES.value,
raw=json.dumps(
sql.GetResponse(
object_type=sql.ObjectType.QUERY,
object_id="test",
access_control_list=[
sql.AccessControl(
group_name=ws_group.display_name,
permission_level=sql.PermissionLevel.CAN_EDIT,
)
],
).as_dict()
),
)
task = redash_permissions.get_verify_task(item)
result = task()
assert result