search

databricks / databricks-sdk-py

Databricks SDK for Python (Beta)
https://databricks-sdk-py.readthedocs.io/
Apache License 2.0
358 stars 121 forks source link

[ISSUE] groups API uses an outdated endpoint #583

Open jdavidheiser opened 7 months ago

jdavidheiser commented 7 months ago

Description

The SDK is using an outdated preview endpoint for groups management, which does not work with the new public preview feature that allows us to specify group managers who are not workspace admins but who do have access to manage groups.

the SDK uses the URL

/api/2.0/preview/scim/v2/Groups/

while the correct path should be, according to https://docs.databricks.com/api/account/accountgroups/patch

/api/2.0/accounts/{account_id}/scim/v2/Groups for account admins and /api/2.0/account/scim/v2/Groups for workspace admins

Reproduction the following works to update groups:

class GroupsAPI(databricks.sdk.service.iam.GroupsAPI):
    def patch(self,
                id: str,
                *,
                operations = None,
                schemas = None):
        body = {}
        if operations is not None: body['Operations'] = [v.as_dict() for v in operations]
        if schemas is not None: body['schemas'] = [v.value for v in schemas]
        headers = {'Accept': 'application/json', 'Content-Type': 'application/json', }
        # this is the only change, I updated the api endpoint
        self._api.do('PATCH', f'/api/2.0/account/scim/v2/Groups/{id}', body=body, headers=headers)

groups_api = GroupsAPI(workspace_client.api_client)
groups_api.patch(
    id=group_id,
    operations=[        
        databricks.sdk.service.iam.Patch(
            op=databricks.sdk.service.iam.PatchOp.ADD,
            value=json.dumps({
                "members": [
                    {
                        "value": user_id
                    }
                ]
            })
        ),
    ]
)

Expected behavior A clear and concise description of what you expected to happen.

Is it a regression? Did this work in a previous version of the SDK? If so, which versions did you try?

Debug Logs The SDK logs helpful debugging information when debug logging is enabled. Set the log level to debug by adding logging.basicConfig(level=logging.DEBUG) to your program, and include the logs here.

Other Information

Additional context Add any other context about the problem here.

yb-yu commented 7 months ago

I'm experiencing this issue too.

There should be option at override Group api path, or to use API path starts with /api/2.0/account/scim/v2/Groups.

yb-yu commented 3 weeks ago

Is no one interested in this?

I want to allow Group Manager to manage Groups using the Workspace Client with workspace-domain, but currently, this is impossible with the SDK because the API Class enforces the path.

https://docs.databricks.com/en/admin/users-groups/groups.html#manage-account-groups-using-the-api

According to the document above, the Workspace Client should use {workspace-domain}/api/2.0/account/scim/v2/ , and the Account Client should use {account-domain}/api/2.1/accounts/{account_id}/scim/v2/. The Group Manager can only use the former. This is also mentioned at the issue description.

How about adding a path selection feature to AccountGroupsAPI and including it as account_groups in the WorkspaceClient?