databricks-sdk-py icon indicating copy to clipboard operation
databricks-sdk-py copied to clipboard

Published 20 hours ago verified publisher icon databricks

[ISSUE] groups API uses an outdated endpoint

Open jdavidheiser opened this issue 11 months ago • 1 comments

Description

The SDK is using an outdated preview endpoint for groups management, which does not work with the new public preview feature that allows us to specify group managers who are not workspace admins but who do have access to manage groups.

the SDK uses the URL

/api/2.0/preview/scim/v2/Groups/

while the correct path should be, according to https://docs.databricks.com/api/account/accountgroups/patch

/api/2.0/accounts/{account_id}/scim/v2/Groups for account admins and /api/2.0/account/scim/v2/Groups for workspace admins

Reproduction the following works to update groups:

class GroupsAPI(databricks.sdk.service.iam.GroupsAPI):
    def patch(self,
                id: str,
                *,
                operations = None,
                schemas = None):
        body = {}
        if operations is not None: body['Operations'] = [v.as_dict() for v in operations]
        if schemas is not None: body['schemas'] = [v.value for v in schemas]
        headers = {'Accept': 'application/json', 'Content-Type': 'application/json', }
        # this is the only change, I updated the api endpoint
        self._api.do('PATCH', f'/api/2.0/account/scim/v2/Groups/{id}', body=body, headers=headers)

groups_api = GroupsAPI(workspace_client.api_client)
groups_api.patch(
    id=group_id,
    operations=[        
        databricks.sdk.service.iam.Patch(
            op=databricks.sdk.service.iam.PatchOp.ADD,
            value=json.dumps({
                "members": [
                    {
                        "value": user_id
                    }
                ]
            })
        ),
    ]
)

Expected behavior A clear and concise description of what you expected to happen.

Is it a regression? Did this work in a previous version of the SDK? If so, which versions did you try?

Debug Logs The SDK logs helpful debugging information when debug logging is enabled. Set the log level to debug by adding logging.basicConfig(level=logging.DEBUG) to your program, and include the logs here.

Other Information

  • OS: [e.g. macOS]
  • Version: [e.g. 0.1.0]

Additional context Add any other context about the problem here.

jdavidheiser avatar Mar 13 '24 18:03 jdavidheiser

I'm experiencing this issue too.

There should be option at override Group api path, or to use API path starts with /api/2.0/account/scim/v2/Groups.

yb-yu avatar Mar 18 '24 02:03 yb-yu

Is no one interested in this?

I want to allow Group Manager to manage Groups using the Workspace Client with workspace-domain, but currently, this is impossible with the SDK because the API Class enforces the path.

https://docs.databricks.com/en/admin/users-groups/groups.html#manage-account-groups-using-the-api

According to the document above, the Workspace Client should use {workspace-domain}/api/2.0/account/scim/v2/ , and the Account Client should use {account-domain}/api/2.1/accounts/{account_id}/scim/v2/. The Group Manager can only use the former. This is also mentioned at the issue description.

How about adding a path selection feature to AccountGroupsAPI and including it as account_groups in the WorkspaceClient?

yb-yu avatar Oct 07 '24 04:10 yb-yu