direct: grants: Fix "Duplicate privileges" error and drift on duplicates (#4801)

## Changes

- Fix grants implementation to correctly handle the case when
ALL_PRIVILEGES is passed. Previously it would send ALL_PRIVILEGES both
in Add and Remove sections and that would result in 400 /
INVALID_PARAMETER_VALUE/ Duplicate privileges to add and delete for
principal.
- Deduplicate privileges and principals in general. Previously we would
send it as is, the backend will deduplicate, causing drift in the plan.

## Tests
New acceptance (cloud+local) tests for the above cases. Updated
testservers to error like the cloud.

Author: denik

NEXT_CHANGELOG.md

@@ -8,6 +8,8 @@
 
 ### Bundles
 * engine/direct: Fix drift in grants resource due to privilege reordering ([#4794](https://github.com/databricks/cli/pull/4794))
+* engine/direct: Fix 400 error when deploying grants with ALL_PRIVILEGES ([#4801](https://github.com/databricks/cli/pull/4801))
+* Deduplicate grant entries with duplicate principals or privileges during initialization ([#4801](https://github.com/databricks/cli/pull/4801))
 
 ### Dependency updates
 

acceptance/bundle/resources/grants/schemas/all_privileges/databricks.yml.tmpl

@@ -0,0 +1,12 @@
+bundle:
+  name: schema-dup-grants-$UNIQUE_NAME
+
+resources:
+  schemas:
+    apps_schema:
+      name: schema_dup_grants_$UNIQUE_NAME
+      catalog_name: main
+      grants:
+        - principal: deco-test-user@databricks.com
+          privileges:
+            - ALL_PRIVILEGES

acceptance/bundle/resources/grants/schemas/all_privileges/out.requests.direct.txt

@@ -0,0 +1,14 @@
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "ALL_PRIVILEGES"
+        ],
+        "principal": "deco-test-user@databricks.com"
+      }
+    ]
+  }
+}

acceptance/bundle/resources/grants/schemas/all_privileges/out.requests.terraform.txt

@@ -0,0 +1,26 @@
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "PATCH",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]",
+  "body": {
+    "changes": [
+      {
+        "add": [
+          "ALL_PRIVILEGES"
+        ],
+        "principal": "deco-test-user@databricks.com"
+      }
+    ]
+  }
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}
+{
+  "method": "GET",
+  "path": "/api/2.1/unity-catalog/permissions/schema/main.schema_dup_grants_[UNIQUE_NAME]"
+}

acceptance/bundle/resources/grants/schemas/all_privileges/out.test.toml

@@ -0,0 +1,16 @@
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/schema-dup-grants-[UNIQUE_NAME]/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] bundle destroy --auto-approve
+The following resources will be deleted:
+  delete resources.schemas.apps_schema
+
+This action will result in the deletion of the following UC schemas. Any underlying data may be lost:
+  delete resources.schemas.apps_schema
+
+All files and directories at the following location will be deleted: /Workspace/Users/[USERNAME]/.bundle/schema-dup-grants-[UNIQUE_NAME]/default
+
+Deleting files...
+Destroy complete!

acceptance/bundle/resources/grants/schemas/all_privileges/output.txt

@@ -0,0 +1,12 @@
+envsubst < databricks.yml.tmpl > databricks.yml
+
+cleanup() {
+    trace $CLI bundle destroy --auto-approve
+    rm -f out.requests.txt
+}
+trap cleanup EXIT
+
+# The direct engine puts ALL_PRIVILEGES in both the Add and Remove lists in the PATCH request,
+# which the backend rejects with "Duplicate privileges to add and delete".
+$CLI bundle deploy
+print_requests.py --get //permissions --keep > out.requests.$DATABRICKS_BUNDLE_ENGINE.txt

acceptance/bundle/resources/grants/schemas/all_privileges/script

@@ -0,0 +1 @@
+RecordRequests = true

acceptance/bundle/resources/grants/schemas/all_privileges/test.toml

@@ -0,0 +1,15 @@
+bundle:
+  name: schema-dup-grants-$UNIQUE_NAME
+
+resources:
+  schemas:
+    apps_schema:
+      name: schema_dup_grants_$UNIQUE_NAME
+      catalog_name: main
+      grants:
+        - principal: deco-test-user@databricks.com
+          privileges:
+            - CREATE_TABLE
+        - principal: deco-test-user@databricks.com
+          privileges:
+            - CREATE_TABLE

acceptance/bundle/resources/grants/schemas/duplicate_principals/databricks.yml.tmpl

@@ -0,0 +1,44 @@
+{
+  "plan_version": 2,
+  "cli_version": "[DEV_VERSION]",
+  "lineage": "[UUID]",
+  "serial": 1,
+  "plan": {
+    "resources.schemas.apps_schema": {
+      "action": "skip",
+      "remote_state": {
+        "browse_only": false,
+        "catalog_name": "main",
+        "catalog_type": "MANAGED_CATALOG",
+        "created_at": [UNIX_TIME_MILLIS][0],
+        "created_by": "[USERNAME]",
+        "full_name": "main.schema_dup_grants_[UNIQUE_NAME]",
+        "name": "schema_dup_grants_[UNIQUE_NAME]",
+        "owner": "[USERNAME]",
+        "updated_at": [UNIX_TIME_MILLIS][0],
+        "updated_by": "[USERNAME]"
+      }
+    },
+    "resources.schemas.apps_schema.grants": {
+      "depends_on": [
+        {
+          "node": "resources.schemas.apps_schema",
+          "label": "${resources.schemas.apps_schema.id}"
+        }
+      ],
+      "action": "skip",
+      "remote_state": {
+        "securable_type": "schema",
+        "full_name": "main.schema_dup_grants_[UNIQUE_NAME]",
+        "__embed__": [
+          {
+            "principal": "deco-test-user@databricks.com",
+            "privileges": [
+              "CREATE_TABLE"
+            ]
+          }
+        ]
+      }
+    }
+  }
+}