Public/Set-DatabricksPermission.ps1

<#
 
.SYNOPSIS
    Add permissions to objects
 
.DESCRIPTION
    Grants a permission level on a Databricks job, cluster, instance pool or secret scope to a user, group or service principal.
 
.PARAMETER BearerToken
    Your Databricks Bearer token to authenticate to your workspace (see User Settings in Databricks WebUI)
 
.PARAMETER Region
    Azure Region - must match the URL of your Databricks workspace, example northeurope
 
.PARAMETER Principal
    The name of the "user","group","service_principal" that will be added to the object.
     
.PARAMETER PrincipalType
    Which type of principal you want to add to the object.
    Valid values for this parameter are:
    "user_name" || "group_name" || "service_principal_name"
 
.PARAMETER PermissionLevel
    See Get-DatabricksPermissionLevels
    For Secret Scopes this value must be READ, WRITE or MANAGE
 
.PARAMETER DatabricksObjectType
    The kind of object to secure. Valid values: job, cluster, instance-pool or secretScope
 
.PARAMETER DatabricksObjectId
    The JobId, ClusterId or Instance-poolId of the object, or the name of the secret scope
 
.EXAMPLE
    C:\PS> Set-DatabricksPermission -BearerToken $BearerToken -Region $Region -Principal "MyTestGroup" -PrincipalType 'group_name' -PermissionLevel 'CAN_MANAGE' -DatabricksObjectType 'Cluster' -DatabricksObjectId "tubby-1234"
 
    This adds the permission CAN_MANAGE to a cluster for all users in the MyTestGroup group (PrincipalType defaults to 'user_name', so it must be set explicitly for a group)
 
.NOTES
    Author: Simon D'Morias / Data Thirst Ltd
 
#>

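Function Set-DatabricksPermission
{
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$false)][string]$BearerToken,
        [parameter(Mandatory=$false)][string]$Region,
        [parameter(Mandatory=$true)][string]$Principal,
        [parameter(Mandatory=$false)][ValidateSet('user_name','group_name','service_principal_name')][string]$PrincipalType = 'user_name',
        [Parameter(Mandatory=$true)][string]$PermissionLevel,
        [Parameter(Mandatory=$true)][ValidateSet('job','cluster','instance-pool', 'secretScope')][string]$DatabricksObjectType,
        [Parameter(Mandatory=$true)][string]$DatabricksObjectId
    )

    # Authentication headers (including the bearer token) come from the shared GetHeaders
    # helper. The token is never placed in the request body, so the Write-Verbose calls
    # below only expose the principal, object and permission level.
    $Headers = GetHeaders $PSBoundParameters

    # Initialised up front so the function returns $null (instead of failing under
    # Set-StrictMode) when the secret-scope branch swallows an "already exists" error.
    $Response = $null

    # For the permissions endpoint the object id becomes a URL path segment; escape it so a
    # value containing '/', '?' or '#' cannot change the request path or add a query string.
    $EscapedObjectId = [System.Uri]::EscapeDataString($DatabricksObjectId)

    if ($DatabricksObjectType -eq "secretScope"){
        # Secret scope ACLs use a dedicated endpoint; the scope name travels in the body,
        # not in the path, so it is sent unescaped.
        $URI = "$global:DatabricksURI/api/2.0/secrets/acls/put"
        $Body = @{scope=$DatabricksObjectId; principal=$Principal; permission=$PermissionLevel} | ConvertTo-Json -Depth 10
        try{
            Write-Verbose $Body
            $Response = Invoke-RestMethod -Method POST -Body $Body -Uri $URI -Headers $Headers
        }
        catch{
            # ErrorDetails.Message is only populated when the service returned a response body.
            # On a transport failure it is $null and the original code raised a NullReference
            # error from .Contains(), hiding the real cause; fall back to the exception text.
            $err = $_.ErrorDetails.Message
            if ([string]::IsNullOrEmpty($err)) {
                $err = $_.Exception.Message
            }
            if ($err.Contains('exists'))
            {
                # An ACL for this principal already exists: treated as success (kept for
                # backward compatibility), reported only on the verbose stream.
                Write-Verbose $err
            }
            else
            {
                throw $err
            }
        }
        return $Response
    }
    else {
        $BasePath = "$global:DatabricksURI/api/2.0/preview"
        # The permissions endpoint uses the plural resource name (jobs, clusters, instance-pools).
        # NOTE(review): ValidateSet is case-insensitive and the value is used as typed, so
        # -DatabricksObjectType 'Cluster' yields '/permissions/Clusters/'; confirm the service
        # accepts mixed case or normalise with .ToLower() here.
        $URI = "$BasePath/permissions/${DatabricksObjectType}s/$EscapedObjectId"

        # Map the principal type to the exact (lower-case) key name the API expects. ValidateSet
        # guarantees one arm matches, even when the caller used different casing.
        switch ($PrincipalType)
        {
            "user_name"              { $PrincipalKey = "user_name" }
            "group_name"             { $PrincipalKey = "group_name" }
            "service_principal_name" { $PrincipalKey = "service_principal_name" }
        }

        # access_control_list is always a one-element array; the outer hashtable keeps
        # ConvertTo-Json from unwrapping it.
        $acl = @(@{$PrincipalKey = $Principal; "permission_level" = $PermissionLevel})
        $Body = @{"access_control_list"= $acl} | ConvertTo-Json -Depth 10

        Write-Verbose $Body
        $Response = Invoke-RestMethod -Method PATCH -Body $Body -Uri $URI -Headers $Headers
    }

    return $Response
}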