diff --git a/backend/dataall/modules/dataset_sharing/services/share_managers/lf_share_manager.py b/backend/dataall/modules/dataset_sharing/services/share_managers/lf_share_manager.py
index 455788dc5..902952dbf 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_managers/lf_share_manager.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_managers/lf_share_manager.py
@@ -214,25 +214,6 @@ def grant_principals_database_permissions_to_shared_database(self): ) return True
- def grant_principals_permissions_to_source_table(self, table: DatasetTable):
- """
- Grants 'DESCRIBE' 'SELECT' Lake Formation permissions to target account to the original table in source account
- :param table: DatasetTable
- :return: True if it is successful
- """
- # HAD TO REMOVE QUICKSIGHT BECAUSE IT IS NOT SUPPORTED! Blocker
- principals = [p for p in self.principals if "arn:aws:quicksight" not in p]
- self.lf_client_in_source.grant_permissions_to_table(
- principals=principals,
- database_name=table.GlueDatabaseName,
- table_name=table.GlueTableName,
- catalog_id=self.source_environment.AwsAccountId,
- permissions=['DESCRIBE', 'SELECT']
- )
- time.sleep(2)
- return True
- - def grant_target_account_permissions_to_source_table(self, table: DatasetTable): """ Grants 'DESCRIBE' 'SELECT' Lake Formation permissions to target account to the original table in source account
@@ -384,27 +365,6 @@ def revoke_external_account_access_on_source_account(self, table: DatasetTable) ) return True
- def revoke_principals_access_on_source_account(self, table: DatasetTable) -> [dict]:
- """
- Revokes 'DESCRIBE' 'SELECT' Lake Formation permissions to target account to the original table in source account
- If the table is not shared with any other team in the environment,
- it deletes resource_shares on RAM associated to revoked table
- :param table: DatasetTable
- :return: True if it is successful
- """
- # HAD TO REMOVE QUICKSIGHT BECAUSE IT IS NOT SUPPORTED! Blocker
- principals = [p for p in self.principals if "arn:aws:quicksight" not in p]
- - self.lf_client_in_source.revoke_permissions_from_table_with_columns(
- principals=principals,
- database_name=table.GlueDatabaseName,
- table_name=table.GlueTableName,
- catalog_id=self.source_environment.AwsAccountId,
- permissions=['DESCRIBE', 'SELECT'],
- permissions_with_grant_options=['DESCRIBE', 'SELECT']
- )
- return True - def handle_share_failure( self, table: DatasetTable,
diff --git a/backend/dataall/modules/dataset_sharing/services/share_processors/lakeformation_process_share.py b/backend/dataall/modules/dataset_sharing/services/share_processors/lakeformation_process_share.py
index 95d65dbc3..3d6221da2 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_processors/lakeformation_process_share.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_processors/lakeformation_process_share.py
@@ -94,10 +94,7 @@ def process_approved_shares(self) -> bool: log.info(f'Processing cross-account permissions for table {table.GlueTableName}...') # TODO: old shares, add if exists, use LFV3 self.revoke_iam_allowed_principals_from_table(table)
- if self.is_new_share:
- self.grant_principals_permissions_to_source_table(table)
- else:
- self.grant_target_account_permissions_to_source_table(table)
+ self.grant_target_account_permissions_to_source_table(table) ( retry_share_table, failed_invitations,
@@ -120,8 +117,8 @@ def process_approved_shares(self) -> bool: source_table=table ) self.check_if_exists_and_create_resource_link_table_in_shared_database(table)
- if self.cross_account and not self.is_new_share:
- self.grant_principals_permissions_to_table_in_target(table)
+ if self.cross_account:
+ self.grant_principals_permissions_to_table_in_target(table) # TODO WITH LFV3 we might be able to remove this self.grant_principals_permissions_to_resource_link_table(table) new_state = shared_item_SM.run_transition(ShareItemActions.Success.value)
@@ -185,8 +182,7 @@ def process_revoked_shares(self) -> bool: if resource_link_table_exists: log.info(f'Revoking access to resource link table for: {table.GlueTableName} ') self.revoke_principals_permissions_to_resource_link_table(table)
- if not self.is_new_share:
- self.revoke_principals_permissions_to_table_in_target(table, other_table_shares_in_env)
+ self.revoke_principals_permissions_to_table_in_target(table, other_table_shares_in_env) if (self.is_new_share and not other_table_shares_in_env) or not self.is_new_share: log.info(f'Deleting resource link table for: {table.GlueTableName} ')
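Review bot: In the `@@ -185,8 +182,7 @@` hunk of `process_revoked_shares`, the now-unconditional `self.revoke_principals_permissions_to_table_in_target(table, other_table_shares_in_env)` presumably has to run even when the resource link table is already gone, and the collapsed layout does not show whether the line sits inside `if resource_link_table_exists:` or at the outer level; if it is nested, a revoked share whose resource link was removed earlier keeps its target-side table grants, so please confirm the indentation. The `if (self.is_new_share and not other_table_shares_in_env) or not self.is_new_share:` that follows is, after this commit, the only `is_new_share` branch left in the function and is equivalent to `if not (self.is_new_share and other_table_shares_in_env):`; a short comment stating why a new-style share keeps its resource link while other teams in the environment still share the table would stop the distinction from being dropped by the next cleanup. In the first hunk of `process_approved_shares`, the `# TODO: old shares, add if exists, use LFV3` comment now precedes a single unconditional grant and should say whether it still refers to anything. Both functions start and end outside these hunks.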
@@ -195,10 +191,7 @@ def process_revoked_shares(self) -> bool: if not other_table_shares_in_env: log.info(f'Revoking access from target account to table: {table.GlueTableName} ')
- if self.is_new_share:
- self.revoke_principals_access_on_source_account(table)
- else:
- self.revoke_external_account_access_on_source_account(table)
+ self.revoke_external_account_access_on_source_account(table) new_state = revoked_item_SM.run_transition(ShareItemActions.Success.value) revoked_item_SM.update_state_single_item(self.session, share_item, new_state)
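Review bot: The revocation path now only calls `self.revoke_external_account_access_on_source_account(table)`, whereas shares approved under the removed `is_new_share` branch received `DESCRIBE`/`SELECT` directly for each principal in `self.principals` on the source table (the deleted `grant_principals_permissions_to_source_table` in lf_share_manager.py), and the matching `revoke_principals_access_on_source_account` is deleted in the same commit; if any such share exists in a deployed environment, those principal-level grants survive revocation because nothing left in this path removes them. Either keep a transitional revoke of principal-level grants on the source table until existing shares have been migrated, or state in the commit message that the removed branch was never exercised outside development so the gap is known to be empty. The `else:` removal itself is fine, since `revoke_external_account_access_on_source_account` was already the non-new-share behaviour. `process_revoked_shares` begins outside this hunk.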