Skip to content

ensures default views are owned by group, so anyone can drop/replace them#240

Closed
tomjemmett wants to merge 5 commits intomainfrom
fix_default_view_owners
Closed

ensures default views are owned by group, so anyone can drop/replace them#240
tomjemmett wants to merge 5 commits intomainfrom
fix_default_view_owners

Conversation

@tomjemmett
Copy link
Copy Markdown
Member

@tomjemmett tomjemmett commented Mar 31, 2026

No description provided.

@tomjemmett tomjemmett requested a review from a team as a code owner March 31, 2026 12:50
Copilot AI review requested due to automatic review settings March 31, 2026 12:50
@tomjemmett tomjemmett added bug Something isn't working priority: must labels Mar 31, 2026
@tomjemmett tomjemmett self-assigned this Mar 31, 2026
@tomjemmett tomjemmett requested a review from yiwen-h March 31, 2026 12:50
Copilot AI reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the default view-creation scripts to ensure the created/replaced views are reassigned to a shared owning group (so group members can manage/drop/replace them consistently).

Changes:

  • Update create(...) to accept an object_owner_group and run ALTER VIEW ... OWNER TO ... after view creation.
  • Update CLIs (main()) to use get_spark() and fetch object_owner_group from Databricks secrets via DBUtils.
  • Fix/correct main() docstrings for the affected default view scripts.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File Description
src/nhp/data/default/apc.py Adds ownership reassignment for both APC views; main() now pulls group from secrets and uses get_spark().
src/nhp/data/default/ecds.py Adds ownership reassignment for the ECDS view; main() now pulls group from secrets and uses get_spark().
src/nhp/data/default/opa.py Adds ownership reassignment for the OPA view; main() now pulls group from secrets and uses get_spark().

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/nhp/data/default/apc.py Outdated
Comment thread src/nhp/data/default/apc.py Outdated
Comment thread src/nhp/data/default/apc.py Outdated
Comment thread src/nhp/data/default/ecds.py Outdated
Comment thread src/nhp/data/default/opa.py Outdated
@tomjemmett
Copy link
Copy Markdown
Member Author

tomjemmett commented Mar 31, 2026

@copilot can you re-review and check that prior noted issues are handled now? I've added some steps to prevent sql injection

Copy link
Copy Markdown

Copilot AI commented Mar 31, 2026

@copilot can you re-review and check that prior noted issues are handled now? I've added some steps to prevent sql injection

Re-reviewed the changes. Here's the status of the prior noted issues:

SQL injection (comments on apc.py:34-39, 41-46, ecds.py:25-30, opa.py:25-30): ✅ Addressed by the safe_ident() helper (strict ^[A-Za-z0-9_\.]+$ regex for table/view names) and .replace("", "``")` backtick-escaping for the owner group name.

Missing secret error handling (comment on apc.py:13): was still unhandled. Fixed in fee7080 — added a get_object_owner_group() helper in _default_view.py that wraps dbutils.secrets.get() with a try/except, raising a clear RuntimeError with actionable guidance if the secret is missing or inaccessible. All three entry-point files now use this helper.

@tomjemmett
fixes bug with how we created safe identifiers
4a4b2ae 
was converting a multi-part object name like a.b.c into `a.b.c`, rather than `a`.`b`.`c`.

I think it's fine to just leave the identifier as is, other than the small amount of validation to ensure it is a valid identifier
@tomjemmett
Copy link
Copy Markdown
Member Author

tomjemmett commented Apr 9, 2026

closing this, approach doesn't work as the views when owned by the group can't read the data

@tomjemmett tomjemmett closed this Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@yiwen-h yiwen-h Awaiting requested review from yiwen-h

Assignees

@tomjemmett tomjemmett

Labels

bug Something isn't working priority: must

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tomjemmett