Create Databricks access connector #1376

JCZuurmond · 2024-04-12T07:12:38Z

Changes

Create access connector-managed identity

Linked issues

Resolves #888

Functionality

added relevant user documentation
added new CLI command
modified existing command: databricks labs ucx ...
added a new workflow
modified existing workflow: ...
added a new table
modified existing table: ...

Tests

manually tested
added unit tests
added integration tests
verified on staging environment (screenshot attached)

nfx

You have to create a user managed identity first

tests/integration/azure/conftest.py

tests/integration/azure/test_resources.py

src/databricks/labs/ucx/azure/resources.py

nfx · 2024-04-12T07:35:54Z

Perhaps the user assigned identity is not necessary - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/databricks_access_connector

To be used for manual testing

src/databricks/labs/ucx/azure/resources.py

…rmissionMapping

JCZuurmond

Will be split into smaller PR, see comment

JCZuurmond · 2024-04-16T12:30:37Z

src/databricks/labs/ucx/azure/access.py

@@ -21,16 +24,23 @@
 @dataclass
 class StoragePermissionMapping:


@nfx : The change to this data class blew up the PR.

I will separate the PR to make it easier to comprehend and review.

I would like your input on if we can circumvent this change. Specifically the role_name, which is required to track the storage permission, so that we can set the appropriate permission level for the access connectors. The StoragePermissionMapping contains the Databricks privilege, however, this does not map to the Azure storage permissions. -> We could neglect the "Storage Blob Data Owner", give "Storage Blob Data Contributor" as highest permission as the access connectors should not be used to do POSIX access control

JCZuurmond · 2024-04-16T12:35:58Z

First merge: #1417

JCZuurmond added 16 commits April 11, 2024 16:03

Add AccessConnector dataclass

18618c0

Move azure resources into seprate fixture

b70eb1a

Move azure resources fixture into conftest

2b7b411

Add AccessConnectorClient to resources

db9a6c4

Add test resources

e987e90

Add whiteline

6065333

Add whiteline

9b06464

Parse accessconnector response

91b595c

Add subscription id and resource group name parsing

12a6643

Implement create access connector

b35bdec

Add api_version to delete method

018fbc1

Implement delete access connector

8214bf0

Add TODO about create access connector

82dde54

Refactor AccessConnector to remove name

69ab93a

Make AccessConnector.type static

4533725

Move tests to unit tests

4043bcb

nfx requested changes Apr 12, 2024

View reviewed changes

JCZuurmond added 9 commits April 12, 2024 09:44

Merge access connector with existing test setup

7962e74

Add tags to access conenctor

6c9acde

Fix create access connector

ff5200f

Broaden access connector regex

97ee478

Add todo about list with resource group

43687a6

Add pagination

f907a44

Add skipped integration test

bd9dbc9

To be used for manual testing

Add tags when creating access connector

1e299a4

Refactor method to create or update

ac71445

JCZuurmond commented Apr 12, 2024

View reviewed changes

src/databricks/labs/ucx/azure/resources.py Outdated Show resolved Hide resolved

JCZuurmond force-pushed the feature/handle-access-connector-managed-identity branch from 52592b5 to 420d6eb Compare April 12, 2024 09:38

Change back credentials and conftest

fc8b98e

JCZuurmond requested a review from qziyuan April 15, 2024 18:27

JCZuurmond added 25 commits April 16, 2024 08:42

Rename ServicePrincipal migration methods

f67cfd5

Return access connectors

c7dbd4d

Fix wrongly named argument

5b5fddc

Mock resources for access connector creation

2058462

Move logging around execution result to run method

04ccf42

Create storage credentials for access connectors

ed14bd9

Add role name to StoragePermissionMapping

5eaea51

Move prompts into run

4819369

Move service principal migration info out of migrate service principals

9fb85bc

Expect service principal migration info in create access connectors

e09dcc2

Add storage account to StoragePermissionMapping

66e4bde

Build mapping with storage account permission

59b7117

Add hierarchy to levels

64d7812

Make role name an argument for creating an access connector

b2a7150

Expect storage account permissions mapping

177424d

Build storage account permission mapping

862ad77

Pass role name up when creating access connectors

548f999

Add note about validating storage credential

e285d84

Format

9ce86f0

Return empty list

2a75fc0

Add missing type hints

f49a34f

Shorten service_principal_migration_info

ff607d4

Fix missing StoragePermissionMapping args

e42b375

Shorten variable names

651eff2

Update test to include the storage account and role name in StoragePe…

2c0507d

…rmissionMapping

JCZuurmond commented Apr 16, 2024

View reviewed changes

JCZuurmond closed this Apr 16, 2024

nfx deleted the feature/handle-access-connector-managed-identity branch April 26, 2024 15:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Create Databricks access connector #1376

Create Databricks access connector #1376

JCZuurmond commented Apr 12, 2024 •

edited

Loading

nfx left a comment

nfx commented Apr 12, 2024

JCZuurmond left a comment

JCZuurmond Apr 16, 2024

JCZuurmond commented Apr 16, 2024

		@@ -21,16 +24,23 @@
		@dataclass
		class StoragePermissionMapping:

Create Databricks access connector #1376

Create Databricks access connector #1376

Conversation

JCZuurmond commented Apr 12, 2024 • edited Loading

Changes

Linked issues

Functionality

Tests

nfx left a comment

Choose a reason for hiding this comment

nfx commented Apr 12, 2024

JCZuurmond left a comment

Choose a reason for hiding this comment

JCZuurmond Apr 16, 2024

Choose a reason for hiding this comment

JCZuurmond commented Apr 16, 2024

JCZuurmond commented Apr 12, 2024 •

edited

Loading