Added MLflow permissions #1013

nfx · 2021-12-30T17:34:56Z

MLflow Experiment usage

Valid permission levels for databricks_mlflow_experiment are: CAN_READ, CAN_EDIT, and CAN_MANAGE.

data "databricks_current_user" "me" {}

resource "databricks_mlflow_experiment" "this" {
  name              = "${data.databricks_current_user.me.home}/Sample"
  artifact_location = "dbfs:/tmp/my-experiment"
  description       = "My MLflow experiment description"
}

resource "databricks_group" "auto" {
  display_name = "Automation"
}

resource "databricks_group" "eng" {
  display_name = "Engineering"
}

resource "databricks_permissions" "experiment_usage" {
  experiment_id = databricks_mlflow_experiment.this.id

  access_control {
    group_name       = "users"
    permission_level = "CAN_READ"
  }

  access_control {
    group_name       = databricks_group.auto.display_name
    permission_level = "CAN_MANAGE"
  }

  access_control {
    group_name       = databricks_group.eng.display_name
    permission_level = "CAN_EDIT"
  }
}

MLflow Model usage

Valid permission levels for databricks_mlflow_model are: CAN_READ, CAN_EDIT, CAN_MANAGE_STAGING_VERSIONS, CAN_MANAGE_PRODUCTION_VERSIONS, and CAN_MANAGE.

resource "databricks_mlflow_model" "this" {
  name = "SomePredictions"
}

resource "databricks_group" "auto" {
  display_name = "Automation"
}

resource "databricks_group" "eng" {
  display_name = "Engineering"
}

resource "databricks_permissions" "model_usage" {
  registered_model_id = databricks_mlflow_model.this.registered_model_id

  access_control {
    group_name       = "users"
    permission_level = "CAN_READ"
  }

  access_control {
    group_name       = databricks_group.auto.display_name
    permission_level = "CAN_MANAGE_PRODUCTION_VERSIONS"
  }

  access_control {
    group_name       = databricks_group.eng.display_name
    permission_level = "CAN_MANAGE_STAGING_VERSIONS"
  }
}

Fixes #1012

## MLflow Experiment usage Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-experiment-permissions-1) for [databricks_mlflow_experiment](mlflow_experiment.md) are: `CAN_READ`, `CAN_EDIT`, and `CAN_MANAGE`. ```hcl data "databricks_current_user" "me" {} resource "databricks_mlflow_experiment" "this" { name = "${data.databricks_current_user.me.home}/Sample" artifact_location = "dbfs:/tmp/my-experiment" description = "My MLflow experiment description" } resource "databricks_group" "auto" { display_name = "Automation" } resource "databricks_group" "eng" { display_name = "Engineering" } resource "databricks_permissions" "experiment_usage" { experiment_id = databricks_mlflow_experiment.this.id access_control { group_name = "users" permission_level = "CAN_READ" } access_control { group_name = databricks_group.auto.display_name permission_level = "CAN_MANAGE" } access_control { group_name = databricks_group.eng.display_name permission_level = "CAN_EDIT" } } ``` ## MLflow Model usage Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`. ```hcl resource "databricks_mlflow_model" "this" { name = "SomePredictions" } resource "databricks_group" "auto" { display_name = "Automation" } resource "databricks_group" "eng" { display_name = "Engineering" } resource "databricks_permissions" "model_usage" { registered_model_id = databricks_mlflow_model.this.registered_model_id access_control { group_name = "users" permission_level = "CAN_READ" } access_control { group_name = databricks_group.auto.display_name permission_level = "CAN_MANAGE_PRODUCTION_VERSIONS" } access_control { group_name = databricks_group.eng.display_name permission_level = "CAN_MANAGE_STAGING_VERSIONS" } } ``` Fixes #1012

codecov · 2021-12-30T17:38:35Z

Codecov Report

Merging #1013 (0b61c8e) into master (edcdc5e) will decrease coverage by 0.00%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #1013      +/-   ##
==========================================
- Coverage   90.65%   90.64%   -0.01%     
==========================================
  Files         106      106              
  Lines        9256     9259       +3     
==========================================
+ Hits         8391     8393       +2     
- Misses        513      514       +1     
  Partials      352      352

Impacted Files	Coverage Δ
mlflow/resource_model.go	`100.00% <100.00%> (ø)`
permissions/resource_permissions.go	`88.28% <100.00%> (+0.16%)`	⬆️
sqlanalytics/resource_widget.go	`86.76% <0.00%> (-0.74%)`	⬇️

* Added support for `databricks_permissions` for `databricks_mlflow_experiment` and `databricks_mlflow_model` ([#1013](#1013)). * Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` ([#821](#821)). * Improved documentation with regards to public subnets in AWS quick start ([#1005](#1005)). * Added `databricks_mount` code genration for [exporter](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/guides/experimental-exporter) tooling ([#1006](#1006)). * Increase dependency check frequency ([#1007](#1007)). * Added experimental resources.

## MLflow Experiment usage Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-experiment-permissions-1) for [databricks_mlflow_experiment](mlflow_experiment.md) are: `CAN_READ`, `CAN_EDIT`, and `CAN_MANAGE`. ```hcl data "databricks_current_user" "me" {} resource "databricks_mlflow_experiment" "this" { name = "${data.databricks_current_user.me.home}/Sample" artifact_location = "dbfs:/tmp/my-experiment" description = "My MLflow experiment description" } resource "databricks_group" "auto" { display_name = "Automation" } resource "databricks_group" "eng" { display_name = "Engineering" } resource "databricks_permissions" "experiment_usage" { experiment_id = databricks_mlflow_experiment.this.id access_control { group_name = "users" permission_level = "CAN_READ" } access_control { group_name = databricks_group.auto.display_name permission_level = "CAN_MANAGE" } access_control { group_name = databricks_group.eng.display_name permission_level = "CAN_EDIT" } } ``` ## MLflow Model usage Valid [permission levels](https://docs.databricks.com/security/access-control/workspace-acl.html#mlflow-model-permissions-1) for [databricks_mlflow_model](mlflow_model.md) are: `CAN_READ`, `CAN_EDIT`, `CAN_MANAGE_STAGING_VERSIONS`, `CAN_MANAGE_PRODUCTION_VERSIONS`, and `CAN_MANAGE`. ```hcl resource "databricks_mlflow_model" "this" { name = "SomePredictions" } resource "databricks_group" "auto" { display_name = "Automation" } resource "databricks_group" "eng" { display_name = "Engineering" } resource "databricks_permissions" "model_usage" { registered_model_id = databricks_mlflow_model.this.registered_model_id access_control { group_name = "users" permission_level = "CAN_READ" } access_control { group_name = databricks_group.auto.display_name permission_level = "CAN_MANAGE_PRODUCTION_VERSIONS" } access_control { group_name = databricks_group.eng.display_name permission_level = "CAN_MANAGE_STAGING_VERSIONS" } } ``` Fixes databricks#1012

* Added support for `databricks_permissions` for `databricks_mlflow_experiment` and `databricks_mlflow_model` ([databricks#1013](databricks#1013)). * Added `Using XXX auth` explanation to HTTP 403 errors, which should help troubleshooting misconfigured authentication or provider aliasing. Example error message now looks like: *cannot create group: /2.0/preview/scim/v2/Groups is only accessible by admins. Using databricks-cli auth: host=https://XXX.cloud.databricks.com/, token=`***REDACTED***`, profile=demo.* All sensitive configuration parameters (`token`, `password`, and `azure_client_secret`) are redacted and replaced with `***REDACTED***` ([databricks#821](databricks#821)). * Improved documentation with regards to public subnets in AWS quick start ([databricks#1005](databricks#1005)). * Added `databricks_mount` code genration for [exporter](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/guides/experimental-exporter) tooling ([databricks#1006](databricks#1006)). * Increase dependency check frequency ([databricks#1007](databricks#1007)). * Added experimental resources.

nfx added this to the v0.4.3 milestone Dec 30, 2021

nfx added 2 commits December 30, 2021 18:35

rebase and changelog

0b61c8e

nfx force-pushed the mlflow-permissions branch from 1cf89f1 to 0b61c8e Compare December 30, 2021 17:37

nfx merged commit 6fbe7ff into master Dec 30, 2021

nfx deleted the mlflow-permissions branch December 30, 2021 17:43

nfx mentioned this pull request Dec 30, 2021

Release v0.4.3 #1015

Merged

94 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added MLflow permissions #1013

Added MLflow permissions #1013

nfx commented Dec 30, 2021

codecov bot commented Dec 30, 2021 •

edited

Loading

Added MLflow permissions #1013

Added MLflow permissions #1013

Conversation

nfx commented Dec 30, 2021

MLflow Experiment usage

MLflow Model usage

codecov bot commented Dec 30, 2021 • edited Loading

Codecov Report

codecov bot commented Dec 30, 2021 •

edited

Loading