databrickslabs / ucx

Automated migrations to Unity Catalog

[BUG]: External Location permissions are overwritten causing failure #2260

Closed P164-slalom closed 2 months ago

P164-slalom commented 2 months ago

Is there an existing issue for this?

Current Behavior

When we execute the table migration workflow, the tables are created as per the mapping CSV. However, when the tables are created in the corresponding external location, the grants are not applied, causing the table permissions to overwrite the external location permissions. This is causing any jobs from other workspaces and service principals that previously had access to the external location to fail.

Expected Behavior

The expectation is to apply the grants to the tables immediately as they are created, and also to make sure the external location permissions are applied to the table grants so the failures do not occur.

Steps To Reproduce

No response

Cloud

Azure

Operating System

Windows

Version

latest via Databricks CLI

Relevant log output

```text
Py4JJavaError: An error occurred while calling o371.sql.
: com.databricks.sql.managedcatalog.acl.UnauthorizedAccessException: PERMISSION_DENIED: Catalog 'prod_master_data' is not accessible in current workspace
    at com.databricks.managedcatalog.TypeConversionUtils$.toUnityCatalogDeniedException(TypeConversionUtils.scala:2246)
    at com.databricks.managedcatalog.TypeConversionUtils$.toCatalyst(TypeConversionUtils.scala:2210)
    at com.databricks.managedcatalog.ManagedCatalogClientImpl.$anonfun$checkPathAccess$1(ManagedCatalogClientImpl.scala:4150)
    at com.databricks.managedcatalog.ManagedCatalogClientImpl.$anonfun$recordAndWrapException$2(ManagedCatalogClientImpl.scala:4629)
```

HariGS-DB commented 2 months ago

@P164-slalom Thanks for raising this issue. Could you please give more details on the issue?

  1. Is table migration creating the tables correctly?
  2. Are table permissions applied correctly? If grants are not applied, what is the error you are getting? Is it possible to share the log file of the job?

dipankarkush-db commented 2 months ago

@HariGS-DB - Table migration is working correctly, as well as the grants. There are some scenarios where the same abfss (ADLS) location is accessed from more than one workspace. When workspace 1 is migrating to UC tables and grants, workspace 2 is losing access to the abfss location, as there is now a UC table on that location and principals from workspace 2 have not been granted permission on those tables yet.

HariGS-DB commented 2 months ago

Conclusion: This is not technically a bug in UCX. The issue is occurring due to the fact that when you create a table on a location, the permissions defined on the external location are ignored. If a user has access to the external location and was able to access it before, but once a table is created the user is not given access to select/modify the table, then the user can read from the external location. This is standard UC behaviour. Customers need to make sure that while migrating tables and ACLs to UC, there shouldn't be any existing principals having access to the underlying location.
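The behaviour described in the conclusion (a table created on a path in an external location makes location-level grants irrelevant for that path, so every principal that relied on READ FILES / WRITE FILES needs a matching grant on the new table) is easy to check for before running the migration workflow. The following is an added example, written by the editor and not code from UCX or from anyone in this thread. It takes the grants currently on the external location (in practice the rows of `SHOW GRANTS ON EXTERNAL LOCATION <name>`) and the table grants the migration plans to apply, and reports the principals that would lose access, plus the GRANT statements that would preserve it. The privilege mapping (READ FILES to SELECT, WRITE FILES to MODIFY, ALL PRIVILEGES to both) is the editor's choice for the example, not a Unity Catalog API; all principal names, the external location, and the schema/table names are constructed (only the catalog name `prod_master_data` comes from the logged error).

```python
"""Pre-migration check: which principals with file access to an external
location would lose access once a UC table is created on that path?

Added example, not UCX code. Sample grants below are constructed and stand in
for the output of `SHOW GRANTS ON EXTERNAL LOCATION ...` and for the table
grants the UCX migration plans to apply in the migrating workspace.
"""
from dataclasses import dataclass

# External-location privileges that confer data access on files under the path,
# mapped to the table privileges that preserve equivalent access once a table
# exists there. Editorial mapping for this example, not a Unity Catalog API.
LOCATION_TO_TABLE_PRIVS = {
    "READ FILES": {"SELECT"},
    "WRITE FILES": {"MODIFY"},
    "ALL PRIVILEGES": {"SELECT", "MODIFY"},
}
# Other location privileges (CREATE EXTERNAL TABLE, MANAGE, BROWSE, ...) grant no
# read/write on the data itself and are deliberately ignored by the check.


@dataclass(frozen=True)
class Grant:
    principal: str   # user, group or service principal application id
    privilege: str   # as printed by SHOW GRANTS or returned by the API


def normalize(privilege: str) -> str:
    """SQL prints 'READ FILES'; the REST API returns 'READ_FILES'. Treat both alike."""
    return privilege.strip().upper().replace("_", " ")


def needed_table_privs(location_grants):
    """Per principal, the table privileges that keep its current file access."""
    needed = {}
    for g in location_grants:
        for priv in LOCATION_TO_TABLE_PRIVS.get(normalize(g.privilege), ()):
            needed.setdefault(g.principal, set()).add(priv)
    return needed


def principals_losing_access(location_grants, planned_table_grants):
    """Return {principal: [missing table privileges]} for principals that can read
    or write files at the location today but would not get an equivalent grant
    on the table created there. An empty dict means the migration is safe for
    every principal that currently uses the path."""
    have = {}
    for g in planned_table_grants:
        have.setdefault(g.principal, set()).add(normalize(g.privilege))
    gaps = {}
    for principal, privs in needed_table_privs(location_grants).items():
        got = have.get(principal, set())
        if "ALL PRIVILEGES" in got:      # ALL PRIVILEGES on the table covers both
            continue
        missing = privs - got
        if missing:
            gaps[principal] = sorted(missing)
    return gaps


def derive_table_grants(location_grants, table_full_name):
    """GRANT statements that carry the location's file access over to the table.
    Meant to run in the same job step as the CREATE TABLE, so no principal sees
    a window in which the table exists but its grants do not."""
    stmts = set()
    for principal, privs in needed_table_privs(location_grants).items():
        for priv in privs:
            stmts.add(f"GRANT {priv} ON TABLE {table_full_name} TO `{principal}`;")
    return sorted(stmts)


# --- constructed sample input ---------------------------------------------------
# Grants on the shared ADLS external location, used by two workspaces.
LOCATION_GRANTS = [
    Grant("ws1_analysts", "READ FILES"),
    Grant("ws2_etl_sp", "READ_FILES"),          # service principal in workspace 2
    Grant("ws2_etl_sp", "WRITE_FILES"),
    Grant("platform_admin", "ALL PRIVILEGES"),
    Grant("ws2_devs", "CREATE EXTERNAL TABLE"),  # no data access, ignored
]
# Table grants the migration in workspace 1 plans to apply (from its ACL mapping).
PLANNED_TABLE_GRANTS = [
    Grant("ws1_analysts", "SELECT"),
]
# Schema and table names are assumed; only the catalog comes from the logged error.
TABLE = "prod_master_data.sales.orders"

if __name__ == "__main__":
    for principal, missing in principals_losing_access(LOCATION_GRANTS, PLANNED_TABLE_GRANTS).items():
        print(f"{principal} would lose access; missing on table: {', '.join(missing)}")
    print("\n".join(derive_table_grants(LOCATION_GRANTS, TABLE)))
```

Two caveats a practitioner would check alongside this: the grants only help a principal that can also reach the table's catalog and schema (USE CATALOG / USE SCHEMA), and the `Catalog 'prod_master_data' is not accessible in current workspace` error in the log is the message Unity Catalog returns when a catalog's workspace binding does not include the calling workspace, which no table-level grant can fix; the catalog has to be bound to the second workspace as well.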