Add FGAC policy governance to Unity Catalog skill #98
Open
SREERAMTHOOM wants to merge 33 commits into databricks-solutions:main from
Conversation
calreynolds (Collaborator) requested changes, Feb 12, 2026
Hey Sreeram! Thanks for the PR 👍
Can you remove the .claude skills you contributed and the FGAC_README.md in the main folder? Otherwise looks good.
New `uc-abac-governance` skill with 4 reference files covering governed tags, masking UDFs, column mask/row filter policies, SQL generation patterns, Python SDK (`w.policies.*`) CRUD examples, 12 MCP tools reference, and human-in-the-loop governance workflow. Adds SDK example `6-abac-policies.py`. Updates `install_skills.sh` and `databricks-python-sdk/SKILL.md`. Content derived from companion UCABAC repo (drift detection excluded).
Implement 9 ABAC policy functions (list, get, create, update, delete, get_table_policies, get_masking_functions, check_policy_quota, preview_policy_changes) using Databricks Python SDK v0.85.0 policies API. Add 24 integration tests with programmatic governed tag creation/cleanup via Tag Policies API. Update UC __init__.py exports, conftest fixtures (cleanup_policies, cleanup_governed_tags), and MCP tools reference docs.
…mes, ACLs, FGAC
Add new UC ACL reference file (10-uc-acls.md) covering GRANT/REVOKE, ownership, privilege hierarchy, SDK patterns, and common role-based access patterns. Restructure SKILL.md with clear category separations and per-category quick starts, reference tables, and best practices.
…roup check
- Add HMAC-SHA256 approval token: preview_policy_changes() returns a cryptographic token binding params + timestamp; create/update/delete reject calls without a valid, unexpired token
- Add admin group check: mutating operations verify the caller belongs to a configurable admin group (default: admins) via current_user API
- Update MCP tool wrapper to pass approval_token through to mutations
- Add TestApprovalTokenEnforcement and TestAdminGroupCheck test classes
- Update existing CRUD tests to use preview-then-execute token flow
- Update conftest cleanup fixture to use SDK directly (bypass guardrails)
- Update conftest warehouse fixture to auto-start stopped serverless warehouses
- Update skill docs (both mirrors) with guardrails section and new signatures
- Add FGAC_GUARDRAILS.md with architecture diagrams and workflow documentation
Add udf_catalog/udf_schema params to MCP tool for discovering masking UDFs in a different catalog/schema than the policy scope. Update core function docstrings and skill docs with cross-catalog examples.
Covers SQL generation (column mask, row filter, masking UDF, cross-catalog), Python SDK (create policy, list policies, row filter), MCP workflows (human-in-the-loop, cross-catalog discovery), and error handling (invalid SQL like SHOW POLICIES).
FGAC SDK examples are now covered by the databricks-unity-catalog skill in 9-fgac-sdk-and-tools.md.
…ts and SDK docs
- Delete old uc-fgac-governance skill from both .claude/skills/ and databricks-skills/
- Delete DEV_CHANGELOG.md and PLAN_UC_FGAC_SKILLS.md (no longer needed)
- Add 7 FGAC routing test cases to _routing/ground_truth.yaml
- Register fgac_policies tool in MCP server
- Update databricks-python-sdk SKILL.md with correct SDK types and all scope levels
- Add COMMIT_REVIEW.md to .gitignore
…oc, gitignore .claude/
- Remove FGAC section from databricks-python-sdk SKILL.md (covered by databricks-unity-catalog skill)
- Delete FGAC_GUARDRAILS.md (guardrails documented in 9-fgac-sdk-and-tools.md)
- Add .claude/ to .gitignore (local skill installs)
Consolidates all FGAC feature details into a single root-level readme: governed tags, tag assignments, masking UDFs, policy management, Python SDK reference, MCP tools, and the full human-in-the-loop governance workflow with approval token internals and threat model.
- Update databricks-unity-catalog skill description to include access controls and FGAC policy governance in CLAUDE.md and setup.sh
- Remove model-serving from CLAUDE.md skill list
- Add 10-uc-acls.md to unity-catalog skill extra files in install_skills.sh
These files should not be in the repo - .claude/skills are local and FGAC_README.md is not needed at the root level.
d4e9784 to c6f4154
SREERAMTHOOM (Author, Collaborator)
Changed per suggestion and refreshed the PR along with the lint checks.
Accidentally removed in earlier commit. Unrelated to FGAC changes.
… tests
Reviewer noted the combined test could pass for the wrong reason. Now tests token validation and admin group check independently.
Reorder create/update/delete_fgac_policy to validate token and params before calling _check_admin_group(). Updated tests to match new validation order.
Generate a unique HMAC secret per process via os.urandom(32).hex() when FGAC_APPROVAL_SECRET env var is not set. Prevents token forgery in the default configuration.
Token only lives within a single MCP process — no need for a configurable secret. Simplifies setup and eliminates any risk of a leaked/guessable default.
The token ensures preview-mutation parameter integrity, but actual human-in-the-loop confirmation depends on the MCP client behavior (e.g., Claude Code prompts between tool calls). Added clear notes in module docstring and skill documentation.
Implement 5 new functions for the FGAC analysis workflow:
- get_column_tags_api: query column-level tags via information_schema
- get_schema_info / get_catalog_info: retrieve UC metadata
- list_table_policies_in_schema: enumerate tables with their policies
- analyze_fgac_coverage: cross-reference tags, policies, and UDFs to identify coverage gaps and suggest policy creation

Wire up MCP dispatcher actions, export from __init__.py, document return schemas in skill docs, and add integration tests.
- Add Optional[] to all None-defaulted params in MCP dispatcher
- Add tests for expired tokens and cross-action replay attacks
- Fix GCP-specific docs URL to AWS-specific
Add 4 ground truth test cases for UC ACL operations: read-only access, data engineer access, revoke/show grants, and SDK grant/revoke patterns. Add 3 routing test cases to route ACL prompts to the databricks-unity-catalog skill.
- Add distinct error messages for each token validation failure mode
- Remove redundant _validate_identifier calls in create/update/delete
- Document why get_table_policies uses raw REST API (SDK lacks effective_masks)
- Move routing_multi_004 to single-skill section as routing_fgac_007
- Extract TAG_PROPAGATION_DELAY_SECONDS constant and module-level tag helpers
- Remove unused cleanup_governed_tags fixture from conftest
- Use PermissionsChange/Privilege/SecurableType in SDK grant examples
- Add 8 ground truth test cases (tags, drop, governed tags, quotas, etc.)
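Added example (my own code, not the project's): the preview-then-execute approval token that the HMAC-SHA256, per-process-secret, expiry/cross-action-replay and distinct-error-message commits above describe. Preview issues a token over the action name, the parameters and a timestamp; every mutation verifies it with a constant-time MAC check and fails with a separate message for each mode (malformed, bad signature, wrong action, parameter mismatch, expired). The function names, the token layout and the 10-minute lifetime are assumptions; the PR does not show its implementation.

```python
"""Added example, not the project's code: an HMAC-SHA256 approval token that
binds a preview to the single mutation it authorizes.

Assumptions (not in the PR): the function names, the token layout
`<urlsafe-base64 JSON payload>.<hex HMAC>`, and the 10-minute TTL.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Any, Dict, Optional

# Secret comes from FGAC_APPROVAL_SECRET (env var named in the PR) or is generated
# fresh per process, so an unset configuration never falls back to a guessable constant.
_SECRET = (os.environ.get("FGAC_APPROVAL_SECRET") or os.urandom(32).hex()).encode()
TOKEN_TTL_SECONDS = 600  # assumed; the PR does not state the lifetime


class ApprovalError(Exception):
    """One distinct message per failure mode so callers can tell them apart."""


def _canonical(action: str, params: Dict[str, Any], issued_at: int) -> bytes:
    # Fixed key order and separators: identical inputs must serialize identically.
    return json.dumps({"action": action, "params": params, "iat": issued_at},
                      sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: bytes) -> str:
    return hmac.new(_SECRET, payload, hashlib.sha256).hexdigest()


def issue_approval_token(action: str, params: Dict[str, Any],
                         now: Optional[int] = None) -> str:
    """What the preview step returns; the caller must echo it to the mutation."""
    issued_at = int(time.time()) if now is None else now
    payload = _canonical(action, params, issued_at)
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_approval_token(token: str, action: str, params: Dict[str, Any],
                          now: Optional[int] = None) -> int:
    """Validate before any mutation; returns the issue timestamp on success."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        claims = json.loads(payload)
        issued_at = int(claims["iat"])
    except (ValueError, TypeError, KeyError) as exc:
        raise ApprovalError("malformed approval token") from exc
    # Constant-time MAC check first: everything below trusts the claims.
    if not hmac.compare_digest(_sign(payload), mac):
        raise ApprovalError("approval token signature invalid")
    # A token issued for one action (e.g. create) must not authorize another (delete).
    if claims.get("action") != action:
        raise ApprovalError(
            f"approval token was issued for {claims.get('action')!r}, not {action!r}")
    # The previewed parameters must be exactly the ones being executed.
    if claims.get("params") != params:
        raise ApprovalError("approval token parameters do not match this request")
    age = now - issued_at
    if age < 0 or age > TOKEN_TTL_SECONDS:
        raise ApprovalError("approval token expired")
    return issued_at


def delete_policy_with_approval(name: str, approval_token: str,
                                now: Optional[int] = None) -> str:
    """Illustrative mutation guard (hypothetical name); the real call would hit the policies API."""
    verify_approval_token(approval_token, "delete_policy", {"name": name}, now=now)
    return f"deleted {name}"


if __name__ == "__main__":
    tok = issue_approval_token("delete_policy", {"name": "mask_ssn"})
    print(delete_policy_with_approval("mask_ssn", tok))
```

Because the secret is regenerated on every start, a token can only be redeemed by the process that issued it, which matches the single-MCP-process lifetime noted above. The token proves parameter integrity between preview and execution; as the commits also note, whether a human actually saw the preview depends on the MCP client prompting between tool calls.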
Add DDL/DCL keywords (ALTER, DROP, GRANT, REVOKE, etc.) to SQL validation in executor and universal scorer. Add UC governance routing triggers. Fix admin group test to reliably trigger PermissionError and accept SDK-prefixed policy_type values.
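Added example (not the project's executor code) of the read-only SQL gate the commit above describes: a small scanner strips comments, splits on semicolons that are outside quoted strings and backtick identifiers, and rejects any statement whose leading keyword is DDL/DCL (or DML), as well as any multi-statement input, before the executor sees it. The PR names only ALTER, DROP, GRANT and REVOKE; the rest of the keyword set, the allowed-list and the function names are assumptions.

```python
"""Added example, not the project's code: reject DDL/DCL before executing SQL.
Keyword sets and function names are assumptions beyond ALTER/DROP/GRANT/REVOKE."""
import re
from typing import List, Tuple

BLOCKED_KEYWORDS = frozenset({
    "ALTER", "CREATE", "DROP", "TRUNCATE", "MSCK",   # DDL
    "GRANT", "REVOKE", "DENY",                        # DCL
    "INSERT", "UPDATE", "DELETE", "MERGE",            # DML (assumed blocked already)
})
ALLOWED_LEADING = frozenset({"SELECT", "WITH", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"})


def split_statements(sql: str) -> List[str]:
    """Split on ';' outside '...', "..." and `...`, dropping -- and /* */ comments.

    Comments are removed here rather than by a regex up front so that a '--'
    inside a string literal is not mistaken for a comment.
    """
    out, buf, quote, i, n = [], [], None, 0, len(sql)
    while i < n:
        ch = sql[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < n:          # keep escaped char, e.g. 'it\'s'
                buf.append(sql[i + 1])
                i += 2
                continue
            if ch == quote:
                quote = None
        elif sql.startswith("--", i):              # line comment: skip to newline
            nl = sql.find("\n", i)
            i = n if nl < 0 else nl
            continue
        elif sql.startswith("/*", i):              # block comment: skip to '*/'
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            buf.append(" ")
            continue
        elif ch in ("'", '"', "`"):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            out.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    out.append("".join(buf))
    return [s.strip() for s in out if s.strip()]


def validate_read_only(sql: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only a single read-style statement passes."""
    stmts = split_statements(sql)
    if not stmts:
        return False, "empty statement"
    if len(stmts) > 1:
        return False, "multiple statements are not allowed"
    # Allow a leading '(' for forms such as (SELECT ...) UNION (SELECT ...).
    first = re.match(r"[A-Za-z_]+", stmts[0].lstrip("( \t\r\n"))
    if not first:
        return False, "statement does not start with a keyword"
    kw = first.group(0).upper()
    if kw in BLOCKED_KEYWORDS:
        return False, f"{kw} statements are blocked (DDL/DCL/DML)"
    if kw not in ALLOWED_LEADING:
        return False, f"unsupported statement type {kw}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the PR.
    for q in ("SELECT * FROM t -- DROP TABLE t",
              "SELECT 1; DROP TABLE t",
              "GRANT SELECT ON TABLE t TO `u`"):
        print(q, "->", validate_read_only(q))
```

Checking only the leading keyword is deliberate: a DDL keyword appearing inside a string literal or comment is harmless, while a second statement after a semicolon is the case a naive substring check misses.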
SREERAMTHOOM (Author, Collaborator)
Refreshed the PR with changes based on the feedback.
Add check_policy_quota to skill docs. Add FGAC tools section to MCP server README with architecture diagram update. Update root, tools-core, and unity-catalog skill READMEs to reference FGAC governance.
Summary
Test plan
test_fgac_policies.py)