1

我正在尝试使用databrickslabs/databricks提供程序使用 Terraform 管理我的 Azure Databricks 用户和组。像这样的东西:

resource "databricks_group" "group" {
  display_name = var.group_name
  force        = true

  allow_cluster_create       = false
  allow_instance_pool_create = false
  databricks_sql_access      = true
  workspace_access           = true
}

resource "databricks_user" "user" {
  user_name    = var.user_mail
  display_name = var.user_name
  force        = true
}

resource "databricks_group_member" "membership" {
  group_id  = databricks_group.group.id
  member_id = databricks_user.user.id
}

这一切都是通过我的 Azure 服务主体部署的,作为更大的代码库的一部分,该代码库还提供了 Databricks 工作区……而且效果很好。

但是,如果我将用户添加到 Databricks 内置组之一(adminsusers),而部署工作,terraform destroy- 再次,作为我的服务主体运行 - 尝试销毁databricks_group_member.membership资源时出现以下错误:

错误:无法删除组成员:PERMISSION_DENIED:请求用户“0a19c919-7b10-499d-acd4-057944582a41”没有编辑系统组的权限。

为什么我的服务主体可以定义组成员身份,但不能删除它?是否有一些特殊的 Databricks 权限我可以授予我的服务主体——当我创建工作区时——这将解决这个问题?否则,我必须手动terraform state rm对资源进行操作才能destroy通过。

4

1 回答 1

1

users is a built-in group that contains all users of the workspace, you can't remove user from it, but you also shouldn't add users explicitly into it. You can remove user, then it will be removed from users as well. If you're afraid about having too broad permissions for all users, you can revoke as much as possible from the users group, and set specific permissions for each group.

Regarding admins group, the example from documentation works just fine - you add user, put it into the admins group:

Terraform will perform the following actions:

  # databricks_group_member.i-am-admin will be created
  + resource "databricks_group_member" "i-am-admin" {
      + group_id  = "5662462700018557"
      + id        = (known after apply)
      + member_id = (known after apply)
    }

  # databricks_user.me will be created
  + resource "databricks_user" "me" {
      + active                     = true
      + allow_cluster_create       = false
      + allow_instance_pool_create = false
      + databricks_sql_access      = false
      + display_name               = (known after apply)
      + id                         = (known after apply)
      + user_name                  = "me@example.com"
      + workspace_access           = false
    }

Plan: 2 to add, 0 to change, 0 to destroy.
databricks_user.me: Creating...
databricks_user.me: Creation complete after 2s [id=3766754836829044]
databricks_group_member.i-am-admin: Creating...
databricks_group_member.i-am-admin: Creation complete after 1s [id=5662462700018557|3766754836829044]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

and when you remove this user from admins group by removing the databricks_group_member resource, it just removed without error, but user will stay a member of users group:

Terraform will perform the following actions:

  # databricks_group_member.i-am-admin will be destroyed
  - resource "databricks_group_member" "i-am-admin" {
      - group_id  = "5662462700018557" -> null
      - id        = "5662462700018557|3766754836829044" -> null
      - member_id = "3766754836829044" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.
databricks_group_member.i-am-admin: Destroying... [id=5662462700018557|3766754836829044]
databricks_group_member.i-am-admin: Destruction complete after 1s

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.
于 2022-02-03T07:44:58.017 回答