Users and groups¶

The API exposes key parts of the DSS access control management: users and groups. All these can be created, modified and deleted through the API.

Example use cases
Reference documentation

Example use cases ¶

In all examples, client is a dataikuapi.DSSClient, obtained either using dataikuapi.DSSClient.__init__() or dataiku.api_client()

Listing users ¶

client = DSSClient(host, apiKey)
dss_users = client.list_users()
# dss_users is a list of dict. Each item represents one user
prettyprinter.pprint(dss_users)

outputs

[   {   'activeWebSocketSesssions': 0,
        'codeAllowed': True,
        'displayName': 'Administrator',
        'groups': ['administrators', 'data_scientists'],
        'login': 'admin',
        'objectImgHash': 0,
        'sourceType': 'LOCAL'},
    ...
]

Creating a user ¶

A local user with a password ¶

new_user = client.create_user('test_login', 'test_password', display_name='a test user', groups=['all_powerful_group'])

new_user is a dataikuapi.dss.admin.DSSUser

A user who will login through LDAP ¶

Note that it is not usually required to manually create users who will login through LDAP as they can be automatically provisionned

new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LDAP", groups=['all_powerful_group'], profile="DESIGNER")

A user who will login through SSO ¶

This is only for non-LDAP users that thus will not be automatically provisioned, buut should still be able to log in through SSO.

new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LOCAL_NO_AUTH", groups=['all_powerful_group'], profile="DESIGNER")

Modifying a user’s display name, groups, profile, email, …¶

To modify the settings of a user, get a handle through dataikuapi.DSSClient.get_user(), then use dataikuapi.dss.admin.DSSUser.get_settings()

user = client.get_user("theuserslogin")

settings = user.get_settings()

# Modify the settings in the `get_raw()` dict
settings.get_raw()["displayName"] = "DSS Lover"
settings.get_raw()["email"] = "[email protected]"
settings.get_raw()["userProfile"] = "DESIGNER"
settings.get_raw()["groups"] = "group1,group2,group3" # This completely overrides previous groups

# Save the modifications
settings.save()

Deleting a user ¶

user = client.get_user('test_login')
user.delete()

Modifying user and admin properties ¶

user = client.get_user("test_login")
settings = user.get_settings()
settings.user_properties["myprop"] = "myvalue"
settings_admin_properties["myadminprop"] = "myadminvalue"
settings.save()

Modifying user secrets ¶

user = client.get_user("test_login")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()

Entering a per-user-credential for a connection ¶

user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_connection_credential("myconnection", "username", "password")
settings.save()

Entering a per-user-credential for a plugin preset ¶

user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_plugin_credential("myplugin", "my_paramset_id", "mypreset_id", "param_name", "username", "password")
settings.save()

Impersonating another user ¶

As a DSS administrator, it can be useful to be able to perform API calls on behalf of another user.

user = client.get_user("the_user_to_impersonate")
client_as_user = user.get_client_as()

# All calls done using `client_as_user` will appear as being performed by `the_user_to_impersonate` and will inherit
# its permissions

Modifying user secrets ¶

user = client.get_user("an_user")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()

Listing groups ¶

A list of the groups can by obtained with the list_groups method:

client = DSSClient(host, apiKey)
# dss_groups is a list of dict. Each group contains at least a "name" attribute
dss_groups = client.list_groups()
prettyprinter.pprint(dss_groups)

outputs

[   {   'admin': True,
        'description': 'DSS administrators',
        'name': 'administrators',
        'sourceType': 'LOCAL'},
    {   'admin': False,
        'description': 'Read-write access to projects',
        'name': 'data_scientists',
        'sourceType': 'LOCAL'},
    {   'admin': False,
        'description': 'Read-only access to projects',
        'name': 'readers',
        'sourceType': 'LOCAL'}]

Creating a group ¶

new_group = client.create_group('test_group', description='test group', source_type='LOCAL')

Modifying settings of a group ¶

First, retrieve the group definition with a get_definition call, alter the definition, and set it back into DSS:

group_definition = new_group.get_definition()
group_definition['admin'] = True
group_definition['ldapGroupNames'] = 'group1,group2'
new_group.set_definition(group_definition)table

Deleting a group ¶

group = client.get_group('test_group')
group.delete()

Reference documentation ¶

class dataikuapi.dss.admin.DSSUser(client, login)¶

A handle for a user on the DSS instance. Do not create this directly, use dataikuapi.DSSClient.get_user()

delete()¶: Deletes the user

get_settings()¶: Gets the settings of the user :rtype: DSSUserSettings

get_definition()¶

Deprecated, use get_settings instead

Get the user’s definition (login, type, display name, permissions, …)

Returns: the user’s definition, as a dict

set_definition(definition)¶

Deprecated, use get_settings instead

Set the user’s definition. Note: this call requires an API key with admin rights

You should only set_definition() using an object that you obtained through get_definition(), not create a new dict.

The fields that may be changed in a user definition are:

email

displayName

groups

userProfile

password

Parameters: definition (dict) – the definition for the user, as a dict

get_client_as()¶

Gets a dataikuapi.DSSClient that has the permissions of this user.

This allows administrators to impersonate actions on behalf of other users, in order to perform actions on their behalf

class dataikuapi.dss.admin.DSSUserSettings(client, login, settings)¶

Settings for a DSS user

property admin_properties¶

The user properties (not editable by the user) for this user. Do not set this property, modify the dict in place

:rtype dict

property enabled¶: Whether this user is enabled :rtype boolean

save()¶: Saves the settings

add_secret(name, value)¶: Adds a user secret. If there was already a secret with the same name, it is replaced

get_raw()¶

Returns: the raw settings of the user, as a dict. Modifications made to the returned object

are reflected when saving :rtype: dict

remove_connection_credential(connection)¶: Removes per-user-credentials for a connection

remove_plugin_credential(plugin_id, param_set_id, preset_id, param_name)¶: Removes per-user-credentials for a plugin preset

remove_secret(name)¶: Removes a user secret based on its name

set_basic_connection_credential(connection, user, password)¶: Sets per-user-credentials for a connection that takes a user/password pair

set_basic_plugin_credential(plugin_id, param_set_id, preset_id, param_name, user, password)¶: Sets per-user-credentials for a plugin preset that takes a user/password pair

set_oauth2_plugin_credential(plugin_id, param_set_id, preset_id, param_name, refresh_token)¶: Sets per-user-credentials for a plugin preset that takes a OAuth refresh token

property user_properties¶

The user properties (editable by the user) for this user. Do not set this property, modify the dict in place

:rtype dict

class dataikuapi.dss.admin.DSSOwnUser(client)¶

A handle to interact with your own user Do not create this directly, use dataikuapi.DSSClient.get_own_user()

get_settings()¶

Get your own settings

Return type: DSSOwnUserSettings

class dataikuapi.dss.admin.DSSOwnUserSettings(client, settings)¶

Settings for the current DSS user

save()¶: Saves the settings

add_secret(name, value)¶: Adds a user secret. If there was already a secret with the same name, it is replaced

get_raw()¶

Returns: the raw settings of the user, as a dict. Modifications made to the returned object

are reflected when saving :rtype: dict

remove_connection_credential(connection)¶: Removes per-user-credentials for a connection

remove_plugin_credential(plugin_id, param_set_id, preset_id, param_name)¶: Removes per-user-credentials for a plugin preset

remove_secret(name)¶: Removes a user secret based on its name

set_basic_connection_credential(connection, user, password)¶: Sets per-user-credentials for a connection that takes a user/password pair

set_basic_plugin_credential(plugin_id, param_set_id, preset_id, param_name, user, password)¶: Sets per-user-credentials for a plugin preset that takes a user/password pair

set_oauth2_plugin_credential(plugin_id, param_set_id, preset_id, param_name, refresh_token)¶: Sets per-user-credentials for a plugin preset that takes a OAuth refresh token

property user_properties¶

The user properties (editable by the user) for this user. Do not set this property, modify the dict in place

:rtype dict

class dataikuapi.dss.admin.DSSGroup(client, name)¶

A group on the DSS instance. Do not create this directly, use dataikuapi.DSSClient.get_group()

delete()¶: Deletes the group

get_definition()¶

Get the group’s definition (name, description, admin abilities, type, ldap name mapping)

Returns: the group’s definition, as a dict

set_definition(definition)¶

Set the group’s definition.

You should only set_definition() using an object that you obtained through get_definition(), not create a new dict.

Args:: definition: the definition for the group, as a dict