policyweaver.plugins.databricks

policyweaver.plugins.databricks.api

class policyweaver.plugins.databricks.api.DatabricksAPIClient

Bases: object

Databricks API Client for fetching account and workspace policies. This client uses the Databricks SDK to interact with the Databricks account and workspace and retrieve users, service principals, groups, catalogs, schemas, tables, and privileges. This class is designed to be used within the Policy Weaver framework to gather and map policies from Databricks workspaces and accounts.

__get_account() → Account

Fetches the account details including users, service principals, and groups.

Returns:

Account: An Account object containing the account ID, users, service principals, and groups.

static get_members(group_id, dbx_groups)
get_workspace_policy_map(source: Source) → tuple[Account, Workspace]

Fetches the workspace policy map for a given source.

Args:

source (Source): The source object containing the workspace URL, account ID, and API token.

Returns:

Tuple[Account, Workspace]: A tuple containing the Account and Workspace objects.

Raises:

NotFound: If the catalog specified in the source is not found in the workspace.

policyweaver.plugins.databricks.client

class policyweaver.plugins.databricks.client.DatabricksPolicyWeaver(config: DatabricksSourceMap)

Bases: PolicyWeaverCore

Databricks Policy Weaver for Unity Catalog. This class extends the PolicyWeaverCore to implement the mapping of policies from Databricks Unity Catalog to the Policy Weaver framework.

__build_role_policy(principal: str, iam_type: IamType, permissions: List[PrivilegeItem], column_security: bool, row_security: bool) → RolePolicy

Builds a RolePolicy object from the provided principal and iam_type and catalog items.

Args:

principal (str): The principal (user or group) for the role policy.
iam_type (IamType): The IAM type (user, group, service principal) for the role policy.
cat_items (List[CatalogItem]): The catalog items associated with the role policy.

Returns:

RolePolicy: A RolePolicy object representing the role and its associated permissions.

__config_validation(config: DatabricksSourceMap) → None

Validates the configuration for the DatabricksPolicyWeaver. This method checks if the configuration is of type DatabricksSourceMap and if all required fields are present.

Args:

config (DatabricksSourceMap): The configuration object to validate.

Raises:

ValueError: If the configuration is not of type DatabricksSourceMap or if any required fields are missing.

__init_environment(config: DatabricksSourceMap) → None
dbx_account_users_group = 'account users'
dbx_all_permissions = ['ALL_PRIVILEGES']
dbx_catalog_read_prereqs = ['USE_CATALOG', 'ALL_PRIVILEGES']
dbx_read_permissions = ['SELECT', 'ALL_PRIVILEGES']
dbx_schema_read_prereqs = ['USE_SCHEMA', 'ALL_PRIVILEGES']
map_policy(policy_mapping: str = 'table_based') → PolicyExport

Maps the policies from the Databricks Unity Catalog to the Policy Weaver framework. This method collects privileges from the workspace catalog, schemas, and tables, applies the access model, and builds the export policies.

Returns:

PolicyExport: An object containing the source, type, and policies mapped from the Databricks Unity Catalog.

Raises:

ValueError: If the source is not of type DatabricksSourceMap.
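
Added example (not code from the policyweaver project): a fail-closed read check built on the privilege lists above, showing why a table-level SELECT without USE_CATALOG and USE_SCHEMA on the parents should not be exported as read access. `ReadCheck`, `check_read`, `ineffective_selects` and the sample grants are hypothetical; cascading only ALL_PRIVILEGES downward is an assumption about how the `*_all_cascade` flags of DependencyMap combine.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Privilege lists copied from the DatabricksPolicyWeaver attributes on this page.
DBX_ALL_PERMISSIONS = ["ALL_PRIVILEGES"]
DBX_CATALOG_READ_PREREQS = ["USE_CATALOG", "ALL_PRIVILEGES"]
DBX_SCHEMA_READ_PREREQS = ["USE_SCHEMA", "ALL_PRIVILEGES"]
DBX_READ_PERMISSIONS = ["SELECT", "ALL_PRIVILEGES"]

Grant = Tuple[str, str, List[str]]  # (securable, principal, privileges)

# Constructed sample grants, not taken from any real workspace.
SAMPLE_GRANTS: List[Grant] = [
    ("sales", "alice@example.com", ["USE_CATALOG"]),
    ("sales.eu", "alice@example.com", ["USE_SCHEMA"]),
    ("sales.eu.orders", "alice@example.com", ["SELECT"]),
    ("sales.eu.orders", "bob@example.com", ["SELECT"]),    # no prerequisites at all
    ("sales", "carol@example.com", ["ALL_PRIVILEGES"]),    # cascades to schema and table
    ("sales", "dave@example.com", ["USE_CATALOG"]),
    ("sales.eu", "dave@example.com", ["ALL_PRIVILEGES"]),  # cascades to table
    ("sales", "erin@example.com", ["USE_CATALOG"]),
    ("sales.eu.orders", "erin@example.com", ["MODIFY", "SELECT"]),  # USE_SCHEMA missing
]


@dataclass
class ReadCheck:
    """Hypothetical result type; flag names mirror the DependencyMap fields."""
    key: str
    catalog_all_cascade: bool = False
    catalog_prerequisites: bool = False
    schema_all_cascade: bool = False
    schema_prerequisites: bool = False
    read_permissions: bool = False

    @property
    def effective_read(self) -> bool:
        # Fail closed: every level must be satisfied before read is reported.
        return (self.catalog_prerequisites
                and self.schema_prerequisites
                and self.read_permissions)


def _has_any(granted: Set[str], wanted: List[str]) -> bool:
    return any(p in wanted for p in granted)


def check_read(principal: str, table_fqn: str, grants: List[Grant]) -> ReadCheck:
    """Evaluate one principal against one 'catalog.schema.table' name."""
    # Raises ValueError unless the name has exactly three dot-separated parts.
    catalog, schema, table = table_fqn.lower().split(".")
    by_securable: Dict[str, Set[str]] = {}
    for securable, who, privileges in grants:
        if who == principal:
            by_securable.setdefault(securable.lower(), set()).update(privileges)

    cat = by_securable.get(catalog, set())
    sch = by_securable.get(f"{catalog}.{schema}", set())
    tbl = by_securable.get(f"{catalog}.{schema}.{table}", set())

    check = ReadCheck(key=f"{catalog}.{schema}.{table}")
    check.catalog_all_cascade = _has_any(cat, DBX_ALL_PERMISSIONS)
    check.schema_all_cascade = _has_any(sch, DBX_ALL_PERMISSIONS)
    check.catalog_prerequisites = _has_any(cat, DBX_CATALOG_READ_PREREQS)
    check.schema_prerequisites = (check.catalog_all_cascade
                                  or _has_any(sch, DBX_SCHEMA_READ_PREREQS))
    check.read_permissions = (check.catalog_all_cascade
                              or check.schema_all_cascade
                              or _has_any(tbl, DBX_READ_PERMISSIONS))
    return check


def ineffective_selects(table_fqn: str, grants: List[Grant]) -> List[str]:
    """Principals holding a read grant that the parent levels do not back up."""
    flagged = []
    for principal in sorted({who for _, who, _ in grants}):
        check = check_read(principal, table_fqn, grants)
        if check.read_permissions and not check.effective_read:
            flagged.append(principal)
    return flagged


if __name__ == "__main__":
    for who in sorted({g[1] for g in SAMPLE_GRANTS}):
        print(who, check_read(who, "Sales.EU.Orders", SAMPLE_GRANTS).effective_read)
    print("review:", ineffective_selects("Sales.EU.Orders", SAMPLE_GRANTS))
```

The principals returned by `ineffective_selects` are the ones to review before a policy sync, since copying their SELECT grant alone would give them more access than they have at the source.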

policyweaver.plugins.databricks.model

class policyweaver.plugins.databricks.model.Account(*, id: str | None = None, name: str | None = None, acount_id: Catalog | None = None, users: List[DatabricksUser] | None = None, groups: List[DatabricksGroup] | None = None, service_principals: List[DatabricksServicePrincipal] | None = None)

Bases: BaseObject

Represents a Databricks account. This class extends BaseObject to include the account catalog and identities associated with the account.

Attributes:

acount_id (Optional[Catalog]): The catalog associated with the account, which contains schemas and tables.
users (Optional[List[DatabricksUser]]): A list of users in the account.
groups (Optional[List[DatabricksGroup]]): A list of groups in the account.
service_principals (Optional[List[DatabricksServicePrincipal]]): A list of service principals in the account.

_abc_impl = <_abc._abc_data object>
acount_id: Catalog | None
groups: List[DatabricksGroup] | None
lookup_group_by_name(name: str) → DatabricksUser

Looks up a group by its name in the account.

Args:

name (str): The name of the group to look up.

Returns:

DatabricksUser: The group object if found, otherwise None.

lookup_service_principal_by_id(id: str) → DatabricksServicePrincipal

Looks up a service principal by its application ID in the account.

Args:

id (str): The application ID of the service principal to look up.

Returns:

DatabricksServicePrincipal: The service principal object if found, otherwise None.

lookup_user_by_email(email: str) → DatabricksUser

Looks up a user by their email address in the account.

Args:

email (str): The email address of the user to look up.

Returns:

DatabricksUser: The user object if found, otherwise None.

model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

service_principals: List[DatabricksServicePrincipal] | None
users: List[DatabricksUser] | None
class policyweaver.plugins.databricks.model.BaseObject(*, id: str | None = None, name: str | None = None)

Bases: CommonBaseModel

Base class for objects in the Databricks model. This class provides a common structure for objects that can have an ID and a name.

Attributes:

id (Optional[str]): The unique identifier for the object.
name (Optional[str]): The name of the object.

_abc_impl = <_abc._abc_data object>
id: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

name: str | None
class policyweaver.plugins.databricks.model.Catalog(*, id: str | None = None, name: str | None = None, privileges: List[Privilege] | None = None, schemas: List[Schema] | None = None, column_masks: List[DatabricksColumnMask] | None = None, tables_with_masks: List[TableObject] | None = None, row_filters: List[DatabricksRowFilter] | None = None, tables_with_rls: List[TableObject] | None = None)

Bases: PrivilegedObject

Represents a catalog in the Databricks workspace. This class extends PrivilegedObject to include schemas within the catalog.

Attributes:

schemas (Optional[List[Schema]]): A list of schemas within the catalog.

This allows the catalog to define its structure and the schemas that it contains.

_abc_impl = <_abc._abc_data object>
column_masks: List[DatabricksColumnMask] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

row_filters: List[DatabricksRowFilter] | None
schemas: List[Schema] | None
tables_with_masks: List[TableObject] | None
tables_with_rls: List[TableObject] | None
class policyweaver.plugins.databricks.model.ColumnMaskExtraction(*, group_name: str | None = None, mask_pattern: str | None = None, column_mask_type: ColumnMaskType | None = None)

Bases: CommonBaseModel

Represents the extraction of a column mask from a SQL definition. This class is used to capture the details of a column mask, including the group name and mask pattern.

Attributes:

group_name (Optional[str]): The name of the group associated with the column mask.
mask_pattern (Optional[str]): The pattern used for masking the column.
column_mask_type (Optional[ColumnMaskType]): The type of the column mask (e.g., UNMASK_FOR_GROUP, MASK_FOR_GROUP).

_abc_impl = <_abc._abc_data object>
column_mask_type: ColumnMaskType | None
group_name: str | None
mask_pattern: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class policyweaver.plugins.databricks.model.DatabricksColumnMask(*, name: str | None = None, routine_definition: str | None = None, catalog_name: str | None = None, schema_name: str | None = None, table_name: str | None = None, column_name: str | None = None, mask_type: ColumnMaskType | None = None, group_name: str | None = None, mask_pattern: str | None = None)

Bases: CommonBaseModel

Represents a column mask that can be applied to data in the Databricks workspace. This class extends CommonBaseModel to include the routine definition of the mask.

Attributes:

name (Optional[str]): The name of the column mask.
routine_definition (Optional[str]): The SQL definition of the column mask routine.
column_name (Optional[str]): The name of the column to which the mask applies.

_abc_impl = <_abc._abc_data object>
catalog_name: str | None
column_name: str | None
group_name: str | None
mask_pattern: str | None
mask_type: ColumnMaskType | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

name: str | None
routine_definition: str | None
schema_name: str | None
table_name: str | None
class policyweaver.plugins.databricks.model.DatabricksGroup(*, id: str | None = None, name: str | None = None, members: List[DatabricksGroupMember] | None = None, external_id: str | None = None)

Bases: BaseObject

Represents a group in the Databricks workspace. This class extends BaseObject to include members of the group.

Attributes:

id (Optional[str]): The unique identifier for the group.
name (Optional[str]): The name of the group.
members (Optional[List[DatabricksGroupMember]]): A list of members in the group, which can include users, service principals, or other groups.

_abc_impl = <_abc._abc_data object>
external_id: str | None
members: List[DatabricksGroupMember] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class policyweaver.plugins.databricks.model.DatabricksGroupMember(*, id: str | None = None, name: str | None = None, type: IamType | None = None, external_id: str | None = None)

Bases: BaseObject

Represents a member of a Databricks group. This class extends BaseObject to include the type of the member.

Attributes:

id (Optional[str]): The unique identifier for the member.
name (Optional[str]): The name of the member.
type (Optional[IamType]): The type of the member (USER, SERVICE_PRINCIPAL, or GROUP).

_abc_impl = <_abc._abc_data object>
external_id: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

type: IamType | None
class policyweaver.plugins.databricks.model.DatabricksRowFilter(*, name: str | None = None, routine_definition: str | None = None, catalog_name: str | None = None, schema_name: str | None = None, table_name: str | None = None, details: RowFilterDetails | None = None)

Bases: CommonBaseModel

Represents a row filter that can be applied to data in the Databricks workspace. This class extends CommonBaseModel to include the routine definition of the filter.

Attributes:

name (Optional[str]): The name of the row filter.
routine_definition (Optional[str]): The SQL definition of the row filter routine.

_abc_impl = <_abc._abc_data object>
catalog_name: str | None
details: RowFilterDetails | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

name: str | None
routine_definition: str | None
schema_name: str | None
table_name: str | None
class policyweaver.plugins.databricks.model.DatabricksServicePrincipal(*, id: str | None = None, name: str | None = None, application_id: str | None = None, external_id: str | None = None)

Bases: BaseObject

Represents a service principal in the Databricks workspace. This class extends BaseObject to include additional attributes specific to service principals.

Attributes:

id (Optional[str]): The unique identifier for the service principal.
name (Optional[str]): The name of the service principal.
application_id (Optional[str]): The application ID of the service principal.
external_id (Optional[str]): An external identifier for the service principal, if applicable.

_abc_impl = <_abc._abc_data object>
application_id: str | None
external_id: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class policyweaver.plugins.databricks.model.DatabricksSourceConfig(*, workspace_url: str | None = None, account_id: str | None = None, account_api_token: str | None = None)

Bases: CommonBaseModel

Represents the configuration for a Databricks source. This class includes the workspace URL, account ID, and account API token.

Attributes:

workspace_url (Optional[str]): The URL of the Databricks workspace.
account_id (Optional[str]): The unique identifier for the Databricks account.
account_api_token (Optional[str]): The API token for accessing the Databricks account.

_abc_impl = <_abc._abc_data object>
account_api_token: str | None
account_id: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

workspace_url: str | None
class policyweaver.plugins.databricks.model.DatabricksSourceMap(*, application_name: str | None = 'POLICY_WEAVER', correlation_id: str | None = None, type: PolicyWeaverConnectorType | None = None, source: Source | None = None, fabric: FabricConfig | None = None, constraints: ConstraintsConfig | None = None, service_principal: ServicePrincipalConfig | None = None, mapped_items: List[SourceMapItem] | None = None, keyvault: KeyVaultConfig | None = None, databricks: DatabricksSourceConfig | None = None)

Bases: SourceMap

_abc_impl = <_abc._abc_data object>
databricks: DatabricksSourceConfig | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

model_post_init(context: Any, /) → None

This function is meant to behave like a BaseModel method to initialise private attributes.

It takes context as an argument since that’s what pydantic-core passes when calling it.

Args:

self: The BaseModel instance.
context: The context.

class policyweaver.plugins.databricks.model.DatabricksUser(*, id: str | None = None, name: str | None = None, email: str | None = None, external_id: str | None = None)

Bases: BaseObject

Represents a user in the Databricks workspace. This class extends BaseObject to include additional attributes specific to users.

Attributes:

id (Optional[str]): The unique identifier for the user.
name (Optional[str]): The name of the user.
email (Optional[str]): The email address of the user.
external_id (Optional[str]): An external identifier for the user, if applicable.

_abc_impl = <_abc._abc_data object>
email: str | None
external_id: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class policyweaver.plugins.databricks.model.DependencyMap(*, catalog: str | None = None, schema: str | None = None, table: str | None = None, privileges: List[str] | None = [], catalog_all_cascade: bool | None = False, catalog_prerequisites: bool | None = False, schema_all_cascade: bool | None = False, schema_prerequisites: bool | None = False, read_permissions: bool | None = False)

Bases: CommonBaseModel

Represents a map of dependencies for a specific privilege. This is used to track the dependencies of privileges in a structured way.

Attributes:

catalog (Optional[str]): The name of the catalog.
catalog_schema (Optional[str]): The schema within the catalog.
table (Optional[str]): The name of the table.
privileges (Optional[List[str]]): A list of privileges associated with this dependency.
catalog_prerequisites (Optional[bool]): Indicates if catalog prerequisites are required.
schema_prerequisites (Optional[bool]): Indicates if schema prerequisites are required.
read_permissions (Optional[bool]): Indicates if read permissions are required.

The key property returns a unique key for the dependency map based on its attributes.

_abc_impl = <_abc._abc_data object>
catalog: str | None
catalog_all_cascade: bool | None
catalog_prerequisites: bool | None
catalog_schema: str | None
property key: str

Returns a unique key for the dependency map based on its attributes. The key is a string representation of the catalog, schema, and table, formatted as ‘catalog.schema.table’, with all components in lowercase.

model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

privileges: List[str] | None
read_permissions: bool | None
schema_all_cascade: bool | None
schema_prerequisites: bool | None
table: str | None
class policyweaver.plugins.databricks.model.Function(*, id: str | None = None, name: str | None = None, privileges: List[Privilege] | None = None, sql: str | None = None, function_type: str | None = None)

Bases: PrivilegedObject

Represents a function that can be applied to data in the Databricks workspace. This class extends PrivilegedObject to include the SQL definition of the function.

Attributes:

sql (Optional[str]): The SQL definition of the function.
function_type (Optional[str]): The type of the function (e.g., SCALAR, TABLE).

This allows the function to be defined in SQL and applied to data as needed.

_abc_impl = <_abc._abc_data object>
function_type: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

sql: str | None
class policyweaver.plugins.databricks.model.FunctionMap(*, id: str | None = None, name: str | None = None, column: List[str] | None = None)

Bases: BaseObject

Represents a mapping of a function to specific columns in a table. This class is used to define how a function applies to certain columns in a table.

Attributes:

function (Optional[str]): The name of the function being applied.
columns (Optional[List[str]]): A list of column names to which the function applies.

This allows the function to be applied selectively to specific columns in a table.

_abc_impl = <_abc._abc_data object>
columns: List[str] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

class policyweaver.plugins.databricks.model.Privilege(*, principal: str | None = None, privileges: List[str] | None = None)

Bases: CommonBaseModel

Represents a privilege granted to a principal. This is used to define the access rights of a principal within the Databricks workspace.

Attributes:

principal (Optional[str]): The identifier of the principal (user, service principal, or group).
privileges (Optional[List[str]]): A list of privileges granted to the principal.

The get_principal_type method determines the type of the principal based on its identifier.

_abc_impl = <_abc._abc_data object>
get_principal_type() → IamType

Determines the type of the principal based on its identifier.

Returns:

IamType: The type of the principal (USER, SERVICE_PRINCIPAL, or GROUP).

model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

principal: str | None
privileges: List[str] | None
class policyweaver.plugins.databricks.model.PrivilegeItem(*, catalog: str | None = None, schema: str | None = None, table: str | None = None, role: str | None = None, type: str | None = None, permission: str | None = None, grant: str | None = None)

Bases: CommonBaseModel

Represents a specific privilege item.

Attributes:

catalog (Optional[str]): The name of the catalog.
catalog_schema (Optional[str]): The name of the schema.
table (Optional[str]): The name of the table.
role (Optional[str]): The role associated with the privilege.
type (Optional[str]): The type of the privilege.
permission (Optional[str]): The permission level (e.g., read, write).
grant (Optional[str]): The grant option for the privilege.

_abc_impl = <_abc._abc_data object>
catalog: str | None
catalog_schema: str | None
grant: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

permission: str | None
role: str | None
table: str | None
type: str | None
class policyweaver.plugins.databricks.model.PrivilegeSnapshot(*, principal: str | None = None, type: IamType | None = None, maps: Dict[str, DependencyMap] | None = {}, group_membership: List[str] | None = [], members: List[str] | None = [])

Bases: CommonBaseModel

Represents a snapshot of privileges for a specific principal. This is used to capture the state of privileges at a specific point in time.

Attributes:

principal (Optional[str]): The identifier of the principal (user, service principal, or group).
type (Optional[IamType]): The type of the principal (user, service principal, or group).
maps (Optional[Dict[str, DependencyMap]]): A dictionary mapping privilege names to their corresponding DependencyMap objects, which describe the dependencies of each privilege.
group_membership (Optional[List[str]]): A list of group names that the principal is a member of.
members (Optional[List[str]]): A list of member identifiers (user, service principal, or group) associated with the principal.

_abc_impl = <_abc._abc_data object>
group_membership: List[str] | None
maps: Dict[str, DependencyMap] | None
members: List[str] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

principal: str | None
type: IamType | None
class policyweaver.plugins.databricks.model.PrivilegedObject(*, id: str | None = None, name: str | None = None, privileges: List[Privilege] | None = None)

Bases: BaseObject

Represents an object that has privileges associated with it. This class extends BaseObject to include privileges that can be granted to principals.

Attributes:

privileges (Optional[List[Privilege]]): A list of privileges associated with the object.

This allows the object to define what access rights are granted to different principals.

_abc_impl = <_abc._abc_data object>
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

privileges: List[Privilege] | None
class policyweaver.plugins.databricks.model.RowFilterDetailGroup(*, group_name: str | None = None, return_value: str | None = None)

Bases: CommonBaseModel

Represents a group within a row filter, including its name and return value.

Attributes:

group_name (Optional[str]): The name of the group associated with the row filter.
return_value (Optional[str]): The value returned by the row filter for this group.

_abc_impl = <_abc._abc_data object>
group_name: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

return_value: str | None
class policyweaver.plugins.databricks.model.RowFilterDetails(*, groups: List[RowFilterDetailGroup] | None = None, row_filter_type: RowFilterType | None = None, default_value: str | None = None)

Bases: CommonBaseModel

Represents the extraction of a row filter from a SQL definition. This class is used to capture the details of a row filter, including the group name and condition for others.

Attributes:

group_name (Optional[str]): The name of the group associated with the row filter.
row_filter_type (Optional[RowFilterType]): The type of the row filter (e.g., EXPLICIT_GROUP_MEMBERSHIP).
default_value (Optional[str]): The default value returned by the row filter when no group matches.

_abc_impl = <_abc._abc_data object>
default_value: str | None
groups: List[RowFilterDetailGroup] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

row_filter_type: RowFilterType | None
class policyweaver.plugins.databricks.model.RowFilterFunctionInfo(*, fullname: str | None = None, name: str | None = None, full_data_type: str | None = None, routine_definition: str | None = None)

Bases: CommonBaseModel

_abc_impl = <_abc._abc_data object>
full_data_type: str | None
fullname: str | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

name: str | None
routine_definition: str | None
class policyweaver.plugins.databricks.model.Schema(*, id: str | None = None, name: str | None = None, privileges: List[Privilege] | None = None, table: List[Table] | None = None, mask_functions: List[Function] | None = None)

Bases: PrivilegedObject

Represents a schema within a catalog in the Databricks workspace. This class extends PrivilegedObject to include tables and mask functions associated with the schema.

Attributes:

catalog (Optional[str]): The name of the catalog that contains the schema.
tables (Optional[List[Table]]): A list of tables within the schema.
mask_functions (Optional[List[Function]]): A list of functions that define masking behavior for data in the schema.

This allows the schema to define its structure and the functions that can be applied to its data.

_abc_impl = <_abc._abc_data object>
mask_functions: List[Function] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

tables: List[Table] | None
class policyweaver.plugins.databricks.model.Table(*, id: str | None = None, name: str | None = None, privileges: List[Privilege] | None = None, column_masks: List[DatabricksColumnMask] | None = None, row_filter: DatabricksRowFilter | None = None)

Bases: PrivilegedObject

Represents a table in the Databricks workspace. This class extends PrivilegedObject to include additional attributes specific to tables.

Attributes:

catalog (Optional[str]): The name of the catalog that contains the table.
schema (Optional[str]): The schema within the catalog that contains the table.
column_masks (Optional[List[FunctionMap]]): A list of function maps that define how functions apply to specific columns in the table.
row_filter (Optional[FunctionMap]): A function map that defines a filter to be applied to the rows of the table.

This allows the table to define its structure and how functions can be applied to its data.

_abc_impl = <_abc._abc_data object>
column_masks: List[DatabricksColumnMask] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

row_filter: DatabricksRowFilter | None
class policyweaver.plugins.databricks.model.TableObject(*, catalog_name: str | None = None, schema_name: str | None = None, table_name: str | None = None, privileges: List[Privilege] | None = None, columns: List[str] | None = None)

Bases: CommonBaseModel

_abc_impl = <_abc._abc_data object>
catalog_name: str | None
columns: List[str] | None
model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

privileges: List[Privilege] | None
schema_name: str | None
table_name: str | None
class policyweaver.plugins.databricks.model.Workspace(*, id: str | None = None, name: str | None = None, catalog: Catalog | None = None, users: List[DatabricksUser] | None = None, groups: List[DatabricksGroup] | None = None, service_principals: List[DatabricksServicePrincipal] | None = None)

Bases: BaseObject

Represents a Databricks workspace. This class extends BaseObject to include the catalog and identities associated with the workspace. Attributes:

id (Optional[str]): The unique identifier for the workspace.

name (Optional[str]): The name of the workspace.

catalog (Optional[Catalog]): The catalog associated with the workspace, which contains schemas and tables.

users (Optional[List[DatabricksUser]]): A list of users in the workspace.

groups (Optional[List[DatabricksGroup]]): A list of groups in the workspace.

service_principals (Optional[List[DatabricksServicePrincipal]]): A list of service principals in the workspace.

This allows the workspace to define its structure and the identities that have access to it.

_abc_impl = <_abc._abc_data object>
catalog: Catalog | None
get_user_groups(object_id: str) List[str]

Returns a list of group names that the user with the given object ID is a member of. This method recursively flattens group memberships to ensure that all nested group memberships are included. Args:

object_id (str): The unique identifier of the user for whom to retrieve group memberships.

Returns:

List[str]: A list of group names that the user is a member of, including nested group memberships.
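
The nested-membership flattening described for get_user_groups, as an added example (not Policy Weaver's own code): the Group dataclass, its member_ids field, the user_groups function and the sample data are hypothetical stand-ins. It walks membership upward from the user and tracks visited groups, so cyclic or diamond-shaped nesting terminates and each group is reported once.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Group:
    """Hypothetical stand-in for a workspace group (not the Policy Weaver model)."""
    id: str
    name: str
    member_ids: List[str] = field(default_factory=list)  # user ids or nested group ids


def user_groups(object_id: str, groups: List[Group]) -> List[str]:
    """Return sorted names of every group containing object_id, directly or via nesting."""
    # Reverse index: member id -> groups that list it as a direct member.
    parents: Dict[str, List[Group]] = {}
    for g in groups:
        for member in g.member_ids:
            parents.setdefault(member, []).append(g)

    seen: Set[str] = set()   # group ids already expanded (guards against cycles)
    names: Set[str] = set()
    stack = [object_id]
    while stack:
        current = stack.pop()
        for g in parents.get(current, []):
            if g.id in seen:
                continue
            seen.add(g.id)
            names.add(g.name)
            stack.append(g.id)  # the group itself may be nested in other groups
    return sorted(names)


# Constructed sample data: a three-level chain, a two-group cycle, an empty group.
SAMPLE_GROUPS = [
    Group("g1", "analysts", ["u1", "u2"]),
    Group("g2", "finance-readers", ["g1"]),
    Group("g3", "pii-readers", ["g2", "u3"]),
    Group("g4", "loop-a", ["g5", "u4"]),
    Group("g5", "loop-b", ["g4"]),
    Group("g6", "empty", []),
]

if __name__ == "__main__":
    for uid in ("u1", "u3", "u4", "u9"):
        print(uid, user_groups(uid, SAMPLE_GROUPS))
```

In the sample, u1 reaches pii-readers only through two levels of nesting, which is the effective access a direct-membership check would omit when policies are mapped.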

get_workspace_identities(include_groups: bool = False, include_entra_groups: bool = False) List[str]

Returns a list of identities associated with the workspace. This includes user emails, service principal application IDs, and optionally group names. Args:

include_groups (bool): If True, include group names in the list of identities.

Returns:

List[str]: A list of identities associated with the workspace.

groups: List[DatabricksGroup] | None
lookup_group_by_name(name: str) DatabricksGroup

Looks up a group by its name in the workspace. Args:

name (str): The name of the group to look up.

Returns:

DatabricksGroup: The group object if found, otherwise None.

lookup_object_id(principal: str, type: IamType) str

Looks up the object ID for a given principal based on its type. Args:

principal (str): The identifier of the principal (email for user, application ID for service principal, or group name).

type (IamType): The type of the principal (USER, SERVICE_PRINCIPAL, or GROUP).

Returns:

str: The object ID of the principal if found, otherwise None.

lookup_service_principal_by_id(id: str) DatabricksServicePrincipal

Looks up a service principal by its application ID in the workspace. Args:

id (str): The application ID of the service principal to look up.

Returns:

DatabricksServicePrincipal: The service principal object if found, otherwise None.

lookup_user_by_email(email: str) DatabricksUser

Looks up a user by their email address in the workspace. Args:

email (str): The email address of the user to look up.

Returns:

DatabricksUser: The user object if found, otherwise None.

lookup_user_by_id(id: str) DatabricksUser

Looks up a user by their unique identifier in the workspace. Args:

id (str): The unique identifier of the user to look up.

Returns:

DatabricksUser: The user object if found, otherwise None.

model_config: ClassVar[ConfigDict] = {'arbitrary_types_allowed': True, 'exclude_none': True, 'exclude_unset': True, 'populate_by_name': True, 'use_enum_values': True, 'validate_by_alias': True, 'validate_by_name': True}

Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

service_principals: List[DatabricksServicePrincipal] | None
users: List[DatabricksUser] | None