Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ISSUE] BROWSE privilege shows up as None in EffectivePrivilege #899

Open
adamcain-nz opened this issue Feb 24, 2025 · 1 comment
Open

[ISSUE] BROWSE privilege shows up as None in EffectivePrivilege #899

adamcain-nz opened this issue Feb 24, 2025 · 1 comment

Comments

@adamcain-nz
Copy link

Description

Howdy bricksters. I notice when I call grants.get_effective() for a UC securable with the BROWSE privilege granted to some user/group, that privilege shows up with privilege=None.

In the logging, I see that UC's get_effective_permissions API (truly, an excellent API, IMHO....) gives the right output:

2025-02-24 15:35:21,982 [databricks.sdk][DEBUG] GET /api/2.1/unity-catalog/effective-permissions/CATALOG/main
< 200 OK
< {
<   "privilege_assignments": [
<     {
<       "principal": "nz-developers",
<       "privileges": [
<         {
<           "privilege": "BROWSE"
<         },
<         {
<           "privilege": "CREATE_SCHEMA"
<         },
<         {
<           "privilege": "CREATE_TABLE"
<         },
<         {
<           "privilege": "SELECT"
<         },
<         "... (2 additional elements)"
<       ]
<     },
<     "... (2 additional elements)"
<   ]
< }

But it looks like the SDK doesn't translate that BROWSE permission properly:

EffectivePermissionsList(
  privilege_assignments=[
    EffectivePrivilegeAssignment(
      principal='nz-developers',
      privileges=[
        EffectivePrivilege(inherited_from_name=None, inherited_from_type=None, privilege=None),
        EffectivePrivilege(inherited_from_name=None, inherited_from_type=None, privilege=<Privilege.CREATE_SCHEMA: 'CREATE_SCHEMA'>),
        EffectivePrivilege(inherited_from_name=None, inherited_from_type=None, privilege=<Privilege.CREATE_TABLE: 'CREATE_TABLE'>),
        EffectivePrivilege(inherited_from_name=None, inherited_from_type=None, privilege=<Privilege.SELECT: 'SELECT'>),
        EffectivePrivilege(inherited_from_name=None, inherited_from_type=None, privilege=<Privilege.USE_CATALOG: 'USE_CATALOG'>),
        EffectivePrivilege(inherited_from_name=None, inherited_from_type=None, privilege=<Privilege.USE_SCHEMA: 'USE_SCHEMA'>)
      ]
    ),

Reproduction

# Configure `main` catalog to have `BROWSE` privilege for some user/group

from pprint import pprint
from databricks.sdk import WorkspaceClient

w = WorkspaceClient(...)
grants = w.grants.get_effective(securable_type=catalog.SecurableType.CATALOG, full_name="main")
pprint(grants)

Expected behavior
I expect all EffectivePrivilege objects to have a non-None value for privilege, such as privilege=<Privilege.SELECT: 'SELECT'>.

Is it a regression?

I don't know. I tried v0.35.0 as well as the latest (v0.44.1) and saw the same misbehavior.

Debug Logs

See above.

Other Information

  • OS: macOS
  • Version: 14.7.3 (Sonoma)

Additional context

None
@adamcain-nz
Copy link
Author

Perhaps related to issue #639 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@adamcain-nz