|
23 | 23 | GetWorkspaceWarehouseConfigResponseSecurityPolicy,
|
24 | 24 | )
|
25 | 25 |
|
26 |
| -from databricks.labs.ucx.assessment.aws import AWSPolicyAction, AWSResources, AWSRole |
| 26 | +from databricks.labs.ucx.assessment.aws import AWSPolicyAction, AWSResources, AWSRole, AWSUCRoleCandidate |
27 | 27 | from databricks.labs.ucx.aws.access import AWSResourcePermissions
|
28 | 28 | from databricks.labs.ucx.aws.credentials import IamRoleCreation
|
29 | 29 | from databricks.labs.ucx.aws.locations import AWSExternalLocationsMigration
|
@@ -103,7 +103,12 @@ def installation_no_roles():
|
103 | 103 | @pytest.fixture
|
104 | 104 | def backend():
|
105 | 105 | rows = {
|
106 |
| - "external_locations": [["s3://BUCKET1/FOLDER1", 1], ["s3://BUCKET2/FOLDER2", 1], ["s3://BUCKETX/FOLDERX", 1]] |
| 106 | + "external_locations": [ |
| 107 | + ["s3://BUCKET1/FOLDER1", 1], |
| 108 | + ["s3://BUCKET2/FOLDER2", 1], |
| 109 | + ["s3://BUCKET4", 2], |
| 110 | + ["s3://BUCKETX/FOLDERX", 1], |
| 111 | + ] |
107 | 112 | }
|
108 | 113 | return MockBackend(rows=rows, fails_on_first={})
|
109 | 114 |
|
@@ -201,6 +206,25 @@ def test_create_external_locations_skip_existing(mock_ws, backend, locations):
|
201 | 206 | principal_acl.apply_location_acl.assert_called()
|
202 | 207 |
|
203 | 208 |
|
| 209 | +def test_uc_roles_create_all_roles(mock_ws, backend, locations): |
| 210 | + install = MockInstallation({"uc_roles_access.csv": []}) |
| 211 | + mock_ws.storage_credentials.list.return_value = [] |
| 212 | + mock_ws.external_locations.list.return_value = [] |
| 213 | + aws = AWSResources("profile", lambda cmd: (0, '{"Role": {"Arn": "arn:aws:iam::12345:role/role1"}}', "")) |
| 214 | + aws_resource_permissions = AWSResourcePermissions(install, mock_ws, aws, locations) |
| 215 | + |
| 216 | + roles = aws_resource_permissions.list_uc_roles(single_role=False) |
| 217 | + expected_roles = [ |
| 218 | + AWSUCRoleCandidate(role_name='UC_ROLE_BUCKET4', policy_name='UC_POLICY', resource_paths=['s3://BUCKET4']), |
| 219 | + AWSUCRoleCandidate(role_name='UC_ROLE_BUCKET1', policy_name='UC_POLICY', resource_paths=['s3://BUCKET1']), |
| 220 | + AWSUCRoleCandidate(role_name='UC_ROLE_BUCKETX', policy_name='UC_POLICY', resource_paths=['s3://BUCKETX']), |
| 221 | + AWSUCRoleCandidate(role_name='UC_ROLE_BUCKET2', policy_name='UC_POLICY', resource_paths=['s3://BUCKET2']), |
| 222 | + ] |
| 223 | + assert len(roles) == len(expected_roles) |
| 224 | + for role in expected_roles: |
| 225 | + assert role in roles |
| 226 | + |
| 227 | + |
204 | 228 | def test_create_uber_principal_existing_role_in_policy(mock_ws, mock_installation, backend, locations):
|
205 | 229 | instance_profile_arn = "arn:aws:iam::12345:instance-profile/role1"
|
206 | 230 | cluster_policy = Policy(
|
@@ -228,7 +252,7 @@ def test_create_uber_principal_existing_role_in_policy(mock_ws, mock_installatio
|
228 | 252 | aws.put_role_policy.assert_called_with(
|
229 | 253 | 'UCX_MIGRATION_ROLE_ucx',
|
230 | 254 | 'UCX_MIGRATION_POLICY_ucx',
|
231 |
| - {'s3://BUCKET1/FOLDER1', 's3://BUCKET2/FOLDER2', 's3://BUCKETX/FOLDERX'}, |
| 255 | + {'s3://BUCKET1/FOLDER1', 's3://BUCKET2/FOLDER2', 's3://BUCKET4', 's3://BUCKETX/FOLDERX'}, |
232 | 256 | None,
|
233 | 257 | None,
|
234 | 258 | )
|
@@ -416,7 +440,7 @@ def test_create_uc_role_single(mock_ws, installation_single_role, backend, locat
|
416 | 440 | call(
|
417 | 441 | 'UC_ROLE_123123',
|
418 | 442 | 'UC_POLICY',
|
419 |
| - {'s3://BUCKET1', 's3://BUCKET1/*', 's3://BUCKET2', 's3://BUCKET2/*'}, |
| 443 | + {'s3://BUCKET2/*', 's3://BUCKET4/*', 's3://BUCKET2', 's3://BUCKET4', 's3://BUCKET1', 's3://BUCKET1/*'}, |
420 | 444 | None,
|
421 | 445 | None,
|
422 | 446 | )
|
@@ -452,8 +476,6 @@ def test_create_uc_role_multiple_raises_error(mock_ws, installation_single_role,
|
452 | 476 | aws.list_all_uc_roles.return_value = []
|
453 | 477 | with pytest.raises(PermissionDenied):
|
454 | 478 | role_creation.run(MockPrompts({"Above *": "yes"}), single_role=False)
|
455 |
| - assert call('UC_ROLE_BUCKET1') in aws.create_uc_role.call_args_list |
456 |
| - assert call('UC_ROLE_BUCKET2') in aws.create_uc_role.call_args_list |
457 | 479 | aws.delete_role.assert_called_once()
|
458 | 480 |
|
459 | 481 |
|
|