Decouple PermissionsManager from GroupMigrationToolkit (#407)

nfx · web-flow · commit 6dc620b22a42 · 2023-10-07T17:27:01.000+02:00
diff --git a/src/databricks/labs/ucx/runtime.py b/src/databricks/labs/ucx/runtime.py
@@ -11,7 +11,8 @@
 from databricks.labs.ucx.hive_metastore import GrantsCrawler, TablesCrawler
 from databricks.labs.ucx.hive_metastore.data_objects import ExternalLocationCrawler
 from databricks.labs.ucx.hive_metastore.mounts import Mounts
-from databricks.labs.ucx.workspace_access import GroupMigrationToolkit
+from databricks.labs.ucx.workspace_access.groups import GroupManager
+from databricks.labs.ucx.workspace_access.manager import PermissionManager
 
 logger = logging.getLogger(__name__)
 
@@ -132,9 +133,16 @@ def crawl_permissions(cfg: WorkspaceConfig):
     custom access configurations, and any specialized policies governing resource access. The results of this
     meticulous scan are methodically stored within the `$inventory.permissions` table, which serves as a central
     repository for preserving and managing these crucial access control details."""
-    toolkit = GroupMigrationToolkit(cfg)
-    toolkit.cleanup_inventory_table()
-    toolkit.inventorize_permissions()
+    ws = WorkspaceClient(config=cfg.to_databricks_config())
+    permission_manager = PermissionManager.factory(
+        ws,
+        RuntimeBackend(),
+        cfg.inventory_database,
+        num_threads=cfg.num_threads,
+        workspace_start_path=cfg.workspace_start_path,
+    )
+    permission_manager.cleanup()
+    permission_manager.inventorize_permissions()
 
 
 @task(
@@ -188,21 +196,32 @@ def migrate_permissions(cfg: WorkspaceConfig):
     organization.
 
     See [interactive tutorial here](https://app.getreprise.com/launch/myM3VNn/)."""
-    toolkit = GroupMigrationToolkit(cfg)
-    toolkit.prepare_environment()
-    if toolkit.has_groups():
-        toolkit.apply_permissions_to_backup_groups()
-        toolkit.replace_workspace_groups_with_account_groups()
-        toolkit.apply_permissions_to_account_groups()
-    else:
+    ws = WorkspaceClient(config=cfg.to_databricks_config())
+    group_manager = GroupManager(ws, cfg.groups)
+    group_manager.prepare_groups_in_environment()
+    if not group_manager.has_groups():
         logger.info("Skipping group migration as no groups were found.")
+        return
+
+    permission_manager = PermissionManager.factory(
+        ws,
+        RuntimeBackend(),
+        cfg.inventory_database,
+        num_threads=cfg.num_threads,
+        workspace_start_path=cfg.workspace_start_path,
+    )
+
+    permission_manager.apply_group_permissions(group_manager.migration_groups_provider, destination="backup")
+    group_manager.replace_workspace_groups_with_account_groups()
+    permission_manager.apply_group_permissions(group_manager.migration_groups_provider, destination="account")
 
 
 @task("migrate-groups-cleanup", depends_on=[migrate_permissions])
 def delete_backup_groups(cfg: WorkspaceConfig):
     """Removes workspace-level backup groups"""
-    toolkit = GroupMigrationToolkit(cfg)
-    toolkit.delete_backup_groups()
+    ws = WorkspaceClient(config=cfg.to_databricks_config())
+    group_manager = GroupManager(ws, cfg.groups)
+    group_manager.delete_backup_groups()
 
 
 @task("destroy-schema")
diff --git a/src/databricks/labs/ucx/workspace_access/manager.py b/src/databricks/labs/ucx/workspace_access/manager.py
@@ -1,10 +1,15 @@
 import logging
+import os
 from collections.abc import Callable, Iterator
 from itertools import groupby
 from typing import Literal
 
+from databricks.sdk import WorkspaceClient
+from databricks.sdk.service import sql
+
 from databricks.labs.ucx.framework.crawlers import CrawlerBase, SqlBackend
 from databricks.labs.ucx.framework.parallel import Threads
+from databricks.labs.ucx.workspace_access import generic, redash, scim, secrets
 from databricks.labs.ucx.workspace_access.base import Applier, Crawler, Permissions
 from databricks.labs.ucx.workspace_access.groups import GroupMigrationState
 
@@ -19,6 +24,74 @@ def __init__(
         self._crawlers = crawlers
         self._appliers = appliers
 
+    @classmethod
+    def factory(
+        cls,
+        ws: WorkspaceClient,
+        sql_backend: SqlBackend,
+        inventory_database: str,
+        *,
+        num_threads: int | None = None,
+        workspace_start_path: str = "/",
+    ) -> "PermissionManager":
+        if num_threads is None:
+            num_threads = os.cpu_count() * 2
+        generic_acl_listing = [
+            generic.listing_wrapper(ws.clusters.list, "cluster_id", "clusters"),
+            generic.listing_wrapper(ws.cluster_policies.list, "policy_id", "cluster-policies"),
+            generic.listing_wrapper(ws.instance_pools.list, "instance_pool_id", "instance-pools"),
+            generic.listing_wrapper(ws.warehouses.list, "id", "sql/warehouses"),
+            generic.listing_wrapper(ws.jobs.list, "job_id", "jobs"),
+            generic.listing_wrapper(ws.pipelines.list_pipelines, "pipeline_id", "pipelines"),
+            generic.listing_wrapper(generic.experiments_listing(ws), "experiment_id", "experiments"),
+            generic.listing_wrapper(generic.models_listing(ws), "id", "registered-models"),
+            generic.workspace_listing(ws, num_threads=num_threads, start_path=workspace_start_path),
+            generic.authorization_listing(),
+        ]
+        redash_acl_listing = [
+            redash.redash_listing_wrapper(ws.alerts.list, sql.ObjectTypePlural.ALERTS),
+            redash.redash_listing_wrapper(ws.dashboards.list, sql.ObjectTypePlural.DASHBOARDS),
+            redash.redash_listing_wrapper(ws.queries.list, sql.ObjectTypePlural.QUERIES),
+        ]
+        generic_support = generic.GenericPermissionsSupport(ws, generic_acl_listing)
+        sql_support = redash.SqlPermissionsSupport(ws, redash_acl_listing)
+        secrets_support = secrets.SecretScopesSupport(ws)
+        scim_support = scim.ScimSupport(ws)
+        return cls(
+            sql_backend,
+            inventory_database,
+            [generic_support, sql_support, secrets_support, scim_support],
+            cls._object_type_appliers(generic_support, sql_support, secrets_support, scim_support),
+        )
+
+    @staticmethod
+    def _object_type_appliers(generic_support, sql_support, secrets_support, scim_support):
+        return {
+            # SCIM-based API
+            "entitlements": scim_support,
+            "roles": scim_support,
+            # Generic Permissions API
+            "authorization": generic_support,
+            "clusters": generic_support,
+            "cluster-policies": generic_support,
+            "instance-pools": generic_support,
+            "sql/warehouses": generic_support,
+            "jobs": generic_support,
+            "pipelines": generic_support,
+            "experiments": generic_support,
+            "registered-models": generic_support,
+            "notebooks": generic_support,
+            "files": generic_support,
+            "directories": generic_support,
+            "repos": generic_support,
+            # Redash equivalent of Generic Permissions API
+            "alerts": sql_support,
+            "queries": sql_support,
+            "dashboards": sql_support,
+            # Secret Scope ACL API
+            "secrets": secrets_support,
+        }
+
     def inventorize_permissions(self):
         logger.debug("Crawling permissions")
         crawler_tasks = list(self._get_crawler_tasks())
diff --git a/src/databricks/labs/ucx/workspace_access/migration.py b/src/databricks/labs/ucx/workspace_access/migration.py
@@ -28,6 +28,7 @@
 from databricks.labs.ucx.workspace_access.verification import VerificationManager
 
 
+# TODO: fully remove this obsolete class later
 class GroupMigrationToolkit:
     def __init__(self, config: WorkspaceConfig, *, warehouse_id=None):
         self._configure_logger(config.log_level)
@@ -65,6 +66,8 @@ def __init__(self, config: WorkspaceConfig, *, warehouse_id=None):
             self._object_type_appliers(generic_support, sql_support, secrets_support, scim_support),
         )
         self._group_manager = GroupManager(ws, config.groups)
+        # TODO: remove VerificationManager in scope of https://github.com/databrickslabs/ucx/issues/36,
+        # where we probably should add verify() abstract method to every Applier
         self._verification_manager = VerificationManager(ws, secrets_support)
 
     @staticmethod
diff --git a/tests/unit/workspace_access/test_manager.py b/tests/unit/workspace_access/test_manager.py
@@ -170,3 +170,9 @@ def test_unregistered_support():
     )
     pm = PermissionManager(b, "test", [], {})
     pm.apply_group_permissions(migration_state=MagicMock(), destination="backup")
+
+
+def test_factory(mocker):
+    ws = mocker.Mock()
+    b = MockBackend()
+    PermissionManager.factory(ws, b, "test")
