
Enhancement of DSS Python API for Comprehensive Permission Management

Hello,

A number of our data scientists, working in shared code environments, have told me about a limitation in the permission management module, especially when dealing with access rights on file paths.

And after verification, the current function located in "dataiku/dataiku-dss-12.5.1/python/dataiku/code_env_resources/permissions.py", shown below, responsible for granting permissions, seems to only allow the addition of rights. The regular expression permission_add_regex exclusively checks for the addition of rights as indicated by the "(+)" operator, such as in the example "g+rwx" to grant full rights to a group.

 

import os
import re
import subprocess


def grant_permissions(path, dirs_permission="u+rwx,go+rx", files_permission="u+rw,go+r", force=False):
    """
    Recursively grant permissions to directories and files in a given path, in a UIF setup.
    :param str path: relative or absolute path
    :param str dirs_permission: permission to add to directories, in symbolic chmod notation (e.g. u+rwx,go+rx)
    :param str files_permission: permission to add to files, in symbolic chmod notation (e.g. u+rw,go+r)
    :param bool force: if True, apply even if UIF is disabled (e.g. running in an API node)
    :return: True if successful, None if not in a UIF setup and check is not bypassed
    """

    if not force and os.environ.get("DKU_IMPERSONATION_ENABLED", "0") == "0":
        return

    _check_permission(dirs_permission)
    _check_permission(files_permission)

    for root, dirs, files in os.walk(path):
        for directory in dirs:
            subprocess.check_call(['chmod', dirs_permission, os.path.join(root, directory)])
        for file in files:
            subprocess.check_call(['chmod', files_permission, os.path.join(root, file)])

    return True


permission_add_regex = re.compile(r"^([augo]+\+[rwx]+,?)+$")


def _check_permission(permission):
    """
    Check if a permission string corresponds to a chmod addition in symbolic notation (e.g. u+rwx,go+rx)
    """
    if permission_add_regex.match(permission) is None:
        raise ValueError("'{}' does not correspond to a chmod addition in symbolic notation".format(permission))

 

Here's a practical issue demonstrated with a call to the current function:

 

grant_permissions(path=path,dirs_permission='u+rwx,go+rwx',files_permission='u+rw,go+rw',force = True)

 

In this case, the user bestows complete write access to all sub-folders and files under the specified path.

Consequence:

The primary issue arises after these permissions are assigned, as there is currently no function available that would permit the revocation or adjustment of access rights in our existing version of Dataiku DSS 12.5 On Premise.

In summary, we need the DSS Python API to:

  1. Include a function for revoking permissions - specifically allowing the removal of rights on file paths and directories.

As part of establishing a dedicated Dataiku project for monitoring, management, and alerting purposes, we require that the instructions for modifying permissions are atomic and transactional to ensure both the precision and reversibility of the applied rights.

Thank you for your time
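An added sketch of the behaviour requested above (not part of the original post and not DSS code): a validator that accepts both `+` and `-` clauses, and a recursive change that records each entry's previous mode so it can be put back. The names `apply_symbolic`, `change_permissions` and `restore_permissions` are hypothetical, and the sketch assumes only the `u/g/o/a` and `r/w/x` letters that the existing regex accepts.

```python
import os
import re
import stat

# Hypothetical helpers written for this example; not part of the dataiku package.
SYMBOLIC = re.compile(r"[augo]+[+-][rwx]+(,[augo]+[+-][rwx]+)*")
CLAUSE = re.compile(r"([augo]+)([+-])([rwx]+)")
PERM = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}


def apply_symbolic(mode, permission):
    """Return mode with the '+' clauses added and the '-' clauses removed."""
    if SYMBOLIC.fullmatch(permission) is None:
        raise ValueError("'{}' is not a symbolic chmod addition/removal".format(permission))
    for who, op, perms in CLAUSE.findall(permission):
        mask = 0
        for w in ("ugo" if "a" in who else who):
            for p in perms:
                mask |= PERM[p] << SHIFT[w]
        mode = (mode | mask) if op == "+" else (mode & ~mask)
    return mode


def restore_permissions(snapshot):
    """Put back the recorded modes, parents before children."""
    for full, old in reversed(list(snapshot.items())):
        os.chmod(full, old)


def change_permissions(path, dirs_permission, files_permission):
    """Apply the change below path; return {entry: previous mode} for restore_permissions."""
    apply_symbolic(0, dirs_permission)   # validate both strings before touching anything
    apply_symbolic(0, files_permission)
    snapshot = {}
    try:
        for root, dirs, files in os.walk(path, topdown=False):  # contents before their directory
            for name in dirs + files:
                full = os.path.join(root, name)
                if os.path.islink(full):
                    continue  # os.chmod follows symlinks; leave link targets alone
                old = stat.S_IMODE(os.lstat(full).st_mode)
                perm = dirs_permission if name in dirs else files_permission
                os.chmod(full, apply_symbolic(old, perm))
                snapshot[full] = old
    except Exception:
        restore_permissions(snapshot)  # undo entries already changed, then report the failure
        raise
    return snapshot
```

The rollback is best effort rather than atomic: other processes can observe the intermediate modes while the walk is in progress.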

1 Comment

Why do you need to grant permissions on code_env_resources?