@databricks/sdk-uc-abacpolicies 0.0.0-dev → 0.1.0-dev.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,503 @@
1
+ // Code generated from API definition by Databricks SDK Generator. DO NOT EDIT.
2
+
3
+ import {FieldMask} from '@databricks/sdk-core/wkt';
4
+ import type {FieldMaskSchema} from '@databricks/sdk-core/wkt';
5
+ import {z} from 'zod';
6
+
7
+ export enum PolicyType {
8
+ /** For detecting field not being set to a supported value */
9
+ POLICY_TYPE_UNSPECIFIED = 'POLICY_TYPE_UNSPECIFIED',
10
+ POLICY_TYPE_ROW_FILTER = 'POLICY_TYPE_ROW_FILTER',
11
+ POLICY_TYPE_COLUMN_MASK = 'POLICY_TYPE_COLUMN_MASK',
12
+ }
13
+
14
+ /** The type of Unity Catalog securable. */
15
+ export enum SecurableType {
16
+ CATALOG = 'CATALOG',
17
+ SCHEMA = 'SCHEMA',
18
+ TABLE = 'TABLE',
19
+ STORAGE_CREDENTIAL = 'STORAGE_CREDENTIAL',
20
+ EXTERNAL_LOCATION = 'EXTERNAL_LOCATION',
21
+ FUNCTION = 'FUNCTION',
22
+ SHARE = 'SHARE',
23
+ PROVIDER = 'PROVIDER',
24
+ RECIPIENT = 'RECIPIENT',
25
+ CLEAN_ROOM = 'CLEAN_ROOM',
26
+ METASTORE = 'METASTORE',
27
+ PIPELINE = 'PIPELINE',
28
+ VOLUME = 'VOLUME',
29
+ CONNECTION = 'CONNECTION',
30
+ CREDENTIAL = 'CREDENTIAL',
31
+ EXTERNAL_METADATA = 'EXTERNAL_METADATA',
32
+ /** TODO: [UC-2980] Staging tables aren't full-fleged securables yet. */
33
+ STAGING_TABLE = 'STAGING_TABLE',
34
+ }
35
+
36
+ export interface ColumnMaskOptions {
37
+ /**
38
+ * The fully qualified name of the column mask function.
39
+ * The function is called on each row of the target table.
40
+ * The function's first argument and its return type should match the type of the masked column.
41
+ * Required on create and update.
42
+ */
43
+ functionName?: string | undefined;
44
+ /**
45
+ * The alias of the column to be masked. The alias must refer to one of matched columns.
46
+ * The values of the column is passed to the column mask function as the first argument.
47
+ * Required on create and update.
48
+ */
49
+ onColumn?: string | undefined;
50
+ /**
51
+ * Optional list of column aliases or constant literals to be passed as additional arguments to the column mask function.
52
+ * The type of each column should match the positional argument of the column mask function.
53
+ */
54
+ using?: FunctionArgument[] | undefined;
55
+ }
56
+
57
+ export interface CreatePolicyRequest {
58
+ /** Required. The policy to create. */
59
+ policyInfo?: PolicyInfo | undefined;
60
+ }
61
+
62
+ export interface DeletePolicyRequest {
63
+ /** Required. The type of the securable to delete the policy from. */
64
+ onSecurableType?: string | undefined;
65
+ /** Required. The fully qualified name of the securable to delete the policy from. */
66
+ onSecurableFullname?: string | undefined;
67
+ /** Required. The name of the policy to delete */
68
+ name?: string | undefined;
69
+ }
70
+
71
+ // eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-empty-object-type -- Proto-style nested message name.
72
+ export interface DeletePolicyRequest_Response {}
73
+
74
+ export interface FunctionArgument {
75
+ /** A positional argument pass to a row filter or column mask function. */
76
+ arg?:
77
+ | {
78
+ $case: 'alias';
79
+ /** The alias of a matched column. */
80
+ alias: string;
81
+ }
82
+ | {
83
+ $case: 'constant';
84
+ /** A constant literal. */
85
+ constant: string;
86
+ }
87
+ | undefined;
88
+ }
89
+
90
+ export interface GetPolicyRequest {
91
+ /** Required. The type of the securable to retrieve the policy for. */
92
+ onSecurableType?: string | undefined;
93
+ /** Required. The fully qualified name of securable to retrieve policy for. */
94
+ onSecurableFullname?: string | undefined;
95
+ /** Required. The name of the policy to retrieve. */
96
+ name?: string | undefined;
97
+ }
98
+
99
+ export interface ListPoliciesRequest {
100
+ /** Required. The type of the securable to list policies for. */
101
+ onSecurableType?: string | undefined;
102
+ /** Required. The fully qualified name of securable to list policies for. */
103
+ onSecurableFullname?: string | undefined;
104
+ /**
105
+ * Optional. Whether to include policies defined on parent securables.
106
+ * By default, the inherited policies are not included.
107
+ */
108
+ includeInherited?: boolean | undefined;
109
+ /**
110
+ * Optional. Maximum number of policies to return on a single page (page length).
111
+ * - When not set or set to 0, the page length is set to a server configured value (recommended);
112
+ * - When set to a value greater than 0, the page length is the minimum of this value and a server configured value;
113
+ */
114
+ maxResults?: number | undefined;
115
+ /** Optional. Opaque pagination token to go to next page based on previous query. */
116
+ pageToken?: string | undefined;
117
+ }
118
+
119
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
120
+ export interface ListPoliciesRequest_Response {
121
+ /** The list of retrieved policies. */
122
+ policies?: PolicyInfo[] | undefined;
123
+ /**
124
+ * Optional opaque token for continuing pagination. `page_token` should be set to this value for
125
+ * the next request to retrieve the next page of results.
126
+ */
127
+ nextPageToken?: string | undefined;
128
+ }
129
+
130
+ export interface MatchColumn {
131
+ /** The condition expression used to match a table column. */
132
+ condition?: string | undefined;
133
+ /** Optional alias of the matched column. */
134
+ alias?: string | undefined;
135
+ }
136
+
137
+ export interface PolicyInfo {
138
+ /** Unique identifier of the policy. This field is output only and is generated by the system. */
139
+ id?: string | undefined;
140
+ /**
141
+ * Type of the securable on which the policy is defined.
142
+ * Only `CATALOG`, `SCHEMA` and `TABLE` are supported at this moment.
143
+ * Required on create.
144
+ */
145
+ onSecurableType?: SecurableType | undefined;
146
+ /**
147
+ * Full name of the securable on which the policy is defined.
148
+ * Required on create.
149
+ */
150
+ onSecurableFullname?: string | undefined;
151
+ /**
152
+ * Name of the policy. Required on create and optional on update.
153
+ * To rename the policy, set `name` to a different value on update.
154
+ */
155
+ name?: string | undefined;
156
+ /** Optional description of the policy. */
157
+ comment?: string | undefined;
158
+ /**
159
+ * List of user or group names that the policy applies to.
160
+ * Required on create and optional on update.
161
+ */
162
+ toPrincipals?: string[] | undefined;
163
+ /** Optional list of user or group names that should be excluded from the policy. */
164
+ exceptPrincipals?: string[] | undefined;
165
+ /**
166
+ * Type of securables that the policy should take effect on.
167
+ * Only `TABLE` is supported at this moment.
168
+ * Required on create and optional on update.
169
+ */
170
+ forSecurableType?: SecurableType | undefined;
171
+ /** Optional condition when the policy should take effect. */
172
+ whenCondition?: string | undefined;
173
+ /** Type of the policy. Required on create. */
174
+ policyType?: PolicyType | undefined;
175
+ /**
176
+ * (--[Create:REQ Update:OPT] Type-specific options for the Policy--)
177
+ * Type-specific options for the policy.
178
+ */
179
+ options?:
180
+ | {
181
+ $case: 'rowFilter';
182
+ /**
183
+ * Options for row filter policies. Valid only if `policy_type` is `POLICY_TYPE_ROW_FILTER`.
184
+ * Required on create and optional on update. When specified on update,
185
+ * the new options will replace the existing options as a whole.
186
+ */
187
+ rowFilter: RowFilterOptions;
188
+ }
189
+ | {
190
+ $case: 'columnMask';
191
+ /**
192
+ * Options for column mask policies. Valid only if `policy_type` is `POLICY_TYPE_COLUMN_MASK`.
193
+ * Required on create and optional on update. When specified on update,
194
+ * the new options will replace the existing options as a whole.
195
+ */
196
+ columnMask: ColumnMaskOptions;
197
+ }
198
+ | undefined;
199
+ /**
200
+ * Optional list of condition expressions used to match table columns.
201
+ * Only valid when `for_securable_type` is `TABLE`.
202
+ * When specified, the policy only applies to tables whose columns satisfy all match conditions.
203
+ */
204
+ matchColumns?: MatchColumn[] | undefined;
205
+ /** Time at which the policy was created, in epoch milliseconds. Output only. */
206
+ createdAt?: bigint | undefined;
207
+ /** Username of the user who created the policy. Output only. */
208
+ createdBy?: string | undefined;
209
+ /** Time at which the policy was last modified, in epoch milliseconds. Output only. */
210
+ updatedAt?: bigint | undefined;
211
+ /** Username of the user who last modified the policy. Output only. */
212
+ updatedBy?: string | undefined;
213
+ }
214
+
215
+ export interface RowFilterOptions {
216
+ /**
217
+ * The fully qualified name of the row filter function.
218
+ * The function is called on each row of the target table. It should return a boolean value
219
+ * indicating whether the row should be visible to the user.
220
+ * Required on create and update.
221
+ */
222
+ functionName?: string | undefined;
223
+ /**
224
+ * Optional list of column aliases or constant literals to be passed as arguments to the row filter function.
225
+ * The type of each column should match the positional argument of the row filter function.
226
+ */
227
+ using?: FunctionArgument[] | undefined;
228
+ }
229
+
230
+ export interface UpdatePolicyRequest {
231
+ /** Required. The type of the securable to update the policy for. */
232
+ onSecurableType?: string | undefined;
233
+ /** Required. The fully qualified name of the securable to update the policy for. */
234
+ onSecurableFullname?: string | undefined;
235
+ /** Required. The name of the policy to update. */
236
+ name?: string | undefined;
237
+ /**
238
+ * Optional fields to update. This is the request body for updating a policy.
239
+ * Use `update_mask` field to specify which fields in the request is to be updated.
240
+ * - If `update_mask` is empty or "*", all specified fields will be updated.
241
+ * - If `update_mask` is specified, only the fields specified in the `update_mask` will be updated.
242
+ * If a field is specified in `update_mask` and not set in the request, the field will be cleared.
243
+ * Users can use the update mask to explicitly unset optional fields such as
244
+ * `exception_principals` and `when_condition`.
245
+ */
246
+ policyInfo?: PolicyInfo | undefined;
247
+ /**
248
+ * Optional. The update mask field for specifying user intentions on which
249
+ * fields to update in the request.
250
+ */
251
+ updateMask?: FieldMask<PolicyInfo> | undefined;
252
+ }
253
+
254
+ export const unmarshalColumnMaskOptionsSchema: z.ZodType<ColumnMaskOptions> = z
255
+ .object({
256
+ function_name: z.string().optional(),
257
+ on_column: z.string().optional(),
258
+ using: z.array(z.lazy(() => unmarshalFunctionArgumentSchema)).optional(),
259
+ })
260
+ .transform(d => ({
261
+ functionName: d.function_name,
262
+ onColumn: d.on_column,
263
+ using: d.using,
264
+ }));
265
+
266
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
267
+ export const unmarshalDeletePolicyRequest_ResponseSchema: z.ZodType<DeletePolicyRequest_Response> =
268
+ z.object({});
269
+
270
+ export const unmarshalFunctionArgumentSchema: z.ZodType<FunctionArgument> = z
271
+ .object({
272
+ alias: z.string().optional(),
273
+ constant: z.string().optional(),
274
+ })
275
+ .transform(d => ({
276
+ arg:
277
+ d.alias !== undefined
278
+ ? {$case: 'alias' as const, alias: d.alias}
279
+ : d.constant !== undefined
280
+ ? {$case: 'constant' as const, constant: d.constant}
281
+ : undefined,
282
+ }));
283
+
284
+ // eslint-disable-next-line @typescript-eslint/naming-convention -- Proto-style nested message name.
285
+ export const unmarshalListPoliciesRequest_ResponseSchema: z.ZodType<ListPoliciesRequest_Response> =
286
+ z
287
+ .object({
288
+ policies: z.array(z.lazy(() => unmarshalPolicyInfoSchema)).optional(),
289
+ next_page_token: z.string().optional(),
290
+ })
291
+ .transform(d => ({
292
+ policies: d.policies,
293
+ nextPageToken: d.next_page_token,
294
+ }));
295
+
296
+ export const unmarshalMatchColumnSchema: z.ZodType<MatchColumn> = z
297
+ .object({
298
+ condition: z.string().optional(),
299
+ alias: z.string().optional(),
300
+ })
301
+ .transform(d => ({
302
+ condition: d.condition,
303
+ alias: d.alias,
304
+ }));
305
+
306
+ export const unmarshalPolicyInfoSchema: z.ZodType<PolicyInfo> = z
307
+ .object({
308
+ id: z.string().optional(),
309
+ on_securable_type: z.enum(SecurableType).optional(),
310
+ on_securable_fullname: z.string().optional(),
311
+ name: z.string().optional(),
312
+ comment: z.string().optional(),
313
+ to_principals: z.array(z.string()).optional(),
314
+ except_principals: z.array(z.string()).optional(),
315
+ for_securable_type: z.enum(SecurableType).optional(),
316
+ when_condition: z.string().optional(),
317
+ policy_type: z.enum(PolicyType).optional(),
318
+ row_filter: z.lazy(() => unmarshalRowFilterOptionsSchema).optional(),
319
+ column_mask: z.lazy(() => unmarshalColumnMaskOptionsSchema).optional(),
320
+ match_columns: z.array(z.lazy(() => unmarshalMatchColumnSchema)).optional(),
321
+ created_at: z
322
+ .union([z.number(), z.bigint()])
323
+ .transform(v => BigInt(v))
324
+ .optional(),
325
+ created_by: z.string().optional(),
326
+ updated_at: z
327
+ .union([z.number(), z.bigint()])
328
+ .transform(v => BigInt(v))
329
+ .optional(),
330
+ updated_by: z.string().optional(),
331
+ })
332
+ .transform(d => ({
333
+ id: d.id,
334
+ onSecurableType: d.on_securable_type,
335
+ onSecurableFullname: d.on_securable_fullname,
336
+ name: d.name,
337
+ comment: d.comment,
338
+ toPrincipals: d.to_principals,
339
+ exceptPrincipals: d.except_principals,
340
+ forSecurableType: d.for_securable_type,
341
+ whenCondition: d.when_condition,
342
+ policyType: d.policy_type,
343
+ options:
344
+ d.row_filter !== undefined
345
+ ? {$case: 'rowFilter' as const, rowFilter: d.row_filter}
346
+ : d.column_mask !== undefined
347
+ ? {$case: 'columnMask' as const, columnMask: d.column_mask}
348
+ : undefined,
349
+ matchColumns: d.match_columns,
350
+ createdAt: d.created_at,
351
+ createdBy: d.created_by,
352
+ updatedAt: d.updated_at,
353
+ updatedBy: d.updated_by,
354
+ }));
355
+
356
+ export const unmarshalRowFilterOptionsSchema: z.ZodType<RowFilterOptions> = z
357
+ .object({
358
+ function_name: z.string().optional(),
359
+ using: z.array(z.lazy(() => unmarshalFunctionArgumentSchema)).optional(),
360
+ })
361
+ .transform(d => ({
362
+ functionName: d.function_name,
363
+ using: d.using,
364
+ }));
365
+
366
+ export const marshalColumnMaskOptionsSchema: z.ZodType = z
367
+ .object({
368
+ functionName: z.string().optional(),
369
+ onColumn: z.string().optional(),
370
+ using: z.array(z.lazy(() => marshalFunctionArgumentSchema)).optional(),
371
+ })
372
+ .transform(d => ({
373
+ function_name: d.functionName,
374
+ on_column: d.onColumn,
375
+ using: d.using,
376
+ }));
377
+
378
+ export const marshalFunctionArgumentSchema: z.ZodType = z
379
+ .object({
380
+ arg: z
381
+ .discriminatedUnion('$case', [
382
+ z.object({$case: z.literal('alias'), alias: z.string()}),
383
+ z.object({$case: z.literal('constant'), constant: z.string()}),
384
+ ])
385
+ .optional(),
386
+ })
387
+ .transform(d => ({
388
+ ...(d.arg?.$case === 'alias' && {alias: d.arg.alias}),
389
+ ...(d.arg?.$case === 'constant' && {constant: d.arg.constant}),
390
+ }));
391
+
392
+ export const marshalMatchColumnSchema: z.ZodType = z
393
+ .object({
394
+ condition: z.string().optional(),
395
+ alias: z.string().optional(),
396
+ })
397
+ .transform(d => ({
398
+ condition: d.condition,
399
+ alias: d.alias,
400
+ }));
401
+
402
+ export const marshalPolicyInfoSchema: z.ZodType = z
403
+ .object({
404
+ id: z.string().optional(),
405
+ onSecurableType: z.enum(SecurableType).optional(),
406
+ onSecurableFullname: z.string().optional(),
407
+ name: z.string().optional(),
408
+ comment: z.string().optional(),
409
+ toPrincipals: z.array(z.string()).optional(),
410
+ exceptPrincipals: z.array(z.string()).optional(),
411
+ forSecurableType: z.enum(SecurableType).optional(),
412
+ whenCondition: z.string().optional(),
413
+ policyType: z.enum(PolicyType).optional(),
414
+ options: z
415
+ .discriminatedUnion('$case', [
416
+ z.object({
417
+ $case: z.literal('rowFilter'),
418
+ rowFilter: z.lazy(() => marshalRowFilterOptionsSchema),
419
+ }),
420
+ z.object({
421
+ $case: z.literal('columnMask'),
422
+ columnMask: z.lazy(() => marshalColumnMaskOptionsSchema),
423
+ }),
424
+ ])
425
+ .optional(),
426
+ matchColumns: z.array(z.lazy(() => marshalMatchColumnSchema)).optional(),
427
+ createdAt: z.bigint().optional(),
428
+ createdBy: z.string().optional(),
429
+ updatedAt: z.bigint().optional(),
430
+ updatedBy: z.string().optional(),
431
+ })
432
+ .transform(d => ({
433
+ id: d.id,
434
+ on_securable_type: d.onSecurableType,
435
+ on_securable_fullname: d.onSecurableFullname,
436
+ name: d.name,
437
+ comment: d.comment,
438
+ to_principals: d.toPrincipals,
439
+ except_principals: d.exceptPrincipals,
440
+ for_securable_type: d.forSecurableType,
441
+ when_condition: d.whenCondition,
442
+ policy_type: d.policyType,
443
+ ...(d.options?.$case === 'rowFilter' && {row_filter: d.options.rowFilter}),
444
+ ...(d.options?.$case === 'columnMask' && {
445
+ column_mask: d.options.columnMask,
446
+ }),
447
+ match_columns: d.matchColumns,
448
+ created_at: d.createdAt,
449
+ created_by: d.createdBy,
450
+ updated_at: d.updatedAt,
451
+ updated_by: d.updatedBy,
452
+ }));
453
+
454
+ export const marshalRowFilterOptionsSchema: z.ZodType = z
455
+ .object({
456
+ functionName: z.string().optional(),
457
+ using: z.array(z.lazy(() => marshalFunctionArgumentSchema)).optional(),
458
+ })
459
+ .transform(d => ({
460
+ function_name: d.functionName,
461
+ using: d.using,
462
+ }));
463
+
464
+ const columnMaskOptionsFieldMaskSchema: FieldMaskSchema = {
465
+ functionName: {wire: 'function_name'},
466
+ onColumn: {wire: 'on_column'},
467
+ using: {wire: 'using'},
468
+ };
469
+
470
+ const policyInfoFieldMaskSchema: FieldMaskSchema = {
471
+ columnMask: {
472
+ wire: 'column_mask',
473
+ children: () => columnMaskOptionsFieldMaskSchema,
474
+ },
475
+ comment: {wire: 'comment'},
476
+ createdAt: {wire: 'created_at'},
477
+ createdBy: {wire: 'created_by'},
478
+ exceptPrincipals: {wire: 'except_principals'},
479
+ forSecurableType: {wire: 'for_securable_type'},
480
+ id: {wire: 'id'},
481
+ matchColumns: {wire: 'match_columns'},
482
+ name: {wire: 'name'},
483
+ onSecurableFullname: {wire: 'on_securable_fullname'},
484
+ onSecurableType: {wire: 'on_securable_type'},
485
+ policyType: {wire: 'policy_type'},
486
+ rowFilter: {
487
+ wire: 'row_filter',
488
+ children: () => rowFilterOptionsFieldMaskSchema,
489
+ },
490
+ toPrincipals: {wire: 'to_principals'},
491
+ updatedAt: {wire: 'updated_at'},
492
+ updatedBy: {wire: 'updated_by'},
493
+ whenCondition: {wire: 'when_condition'},
494
+ };
495
+
496
+ export function policyInfoFieldMask(...paths: string[]): FieldMask<PolicyInfo> {
497
+ return FieldMask.build<PolicyInfo>(paths, policyInfoFieldMaskSchema);
498
+ }
499
+
500
+ const rowFilterOptionsFieldMaskSchema: FieldMaskSchema = {
501
+ functionName: {wire: 'function_name'},
502
+ using: {wire: 'using'},
503
+ };
@@ -0,0 +1,73 @@
1
+ // Code generated from API definition by Databricks SDK Generator. DO NOT EDIT.
2
+
3
+ import type {Credentials} from '@databricks/sdk-auth';
4
+ import {defaultCredentials} from '@databricks/sdk-auth/credentials';
5
+ import type {
6
+ HttpClient,
7
+ HttpRequest,
8
+ HttpResponse,
9
+ } from '@databricks/sdk-core/http';
10
+ import {newFetchHttpClient} from '@databricks/sdk-core/http';
11
+ import type {ClientOptions} from '@databricks/sdk-options/client';
12
+
13
+ /** Creates a new HTTP client with the given options. */
14
+ export function newHttpClient(options?: ClientOptions): HttpClient {
15
+ const opts = options ?? {};
16
+
17
+ // If an HTTP client is provided, use it as-is. Throw if other options are
18
+ // also set, since they would be silently ignored.
19
+ if (opts.httpClient !== undefined) {
20
+ if (opts.credentials !== undefined || opts.timeout !== undefined) {
21
+ throw new Error(
22
+ 'httpClient cannot be combined with credentials or timeout'
23
+ );
24
+ }
25
+ return opts.httpClient;
26
+ }
27
+
28
+ const credentials = opts.credentials ?? defaultCredentials();
29
+
30
+ const base = newFetchHttpClient();
31
+ let client: HttpClient = new AuthHttpClient(base, credentials);
32
+
33
+ if (opts.timeout !== undefined) {
34
+ client = new TimeoutHttpClient(client, opts.timeout);
35
+ }
36
+
37
+ return client;
38
+ }
39
+
40
+ /** Wraps an HttpClient and adds authentication headers to requests. */
41
+ class AuthHttpClient implements HttpClient {
42
+ constructor(
43
+ private readonly base: HttpClient,
44
+ private readonly credentials: Credentials
45
+ ) {}
46
+
47
+ async send(request: HttpRequest): Promise<HttpResponse> {
48
+ const authHeaders = await this.credentials.authHeaders();
49
+ // Do not modify the original request.
50
+ const headers = new Headers(request.headers);
51
+ for (const h of authHeaders) {
52
+ headers.set(h.key, h.value);
53
+ }
54
+ return this.base.send({...request, headers});
55
+ }
56
+ }
57
+
58
+ /** Wraps an HttpClient and applies a default timeout to requests. */
59
+ class TimeoutHttpClient implements HttpClient {
60
+ constructor(
61
+ private readonly base: HttpClient,
62
+ private readonly timeout: number
63
+ ) {}
64
+
65
+ async send(request: HttpRequest): Promise<HttpResponse> {
66
+ const timeoutSignal = AbortSignal.timeout(this.timeout);
67
+ const signal =
68
+ request.signal !== undefined
69
+ ? AbortSignal.any([request.signal, timeoutSignal])
70
+ : timeoutSignal;
71
+ return this.base.send({...request, signal});
72
+ }
73
+ }