Users and groups

The API exposes key parts of the DSS access control management: users and groups. All these can be created, modified and deleted through the API.

Example use cases

In all examples, client is a dataikuapi.DSSClient, obtained either using :methd:`dataikuapi.DSSClient.__init__` or dataiku.api_client()

Listing users

client = DSSClient(host, apiKey)
dss_users = client.list_users()
# dss_users is a list of dict. Each item represents one user
prettyprinter.pprint(dss_users)

outputs

[   {   'activeWebSocketSesssions': 0,
        'codeAllowed': True,
        'displayName': 'Administrator',
        'groups': ['administrators', 'data_scientists'],
        'login': 'admin',
        'objectImgHash': 0,
        'sourceType': 'LOCAL'},
    ...
]

Creating a user

A local user with a password

new_user = client.create_user('test_login', 'test_password', display_name='a test user', groups=['all_powerful_group'])

new_user is a dataikuapi.dss.admin.DSSUser

A user who will login through LDAP

Note that it is not usually required to manually create users who will login through LDAP as they can be automatically provisionned

new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LDAP", groups=['all_powerful_group'], profile="DESIGNER")

A user who will login through SSO

This is only for non-LDAP users that thus will not be automatically provisioned, buut should still be able to log in through SSO.

new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LOCAL_NO_AUTH", groups=['all_powerful_group'], profile="DESIGNER")

Modifying a user’s display name, groups, profile, email, …

To modify the settings of a user, get a handle through dataikuapi.DSSClient.get_user(), then use dataikuapi.dss.admin.DSSUser.get_settings()

user = client.get_user("theuserslogin")

settings = user.get_settings()

# Modify the settings in the `get_raw()` dict
settings.get_raw()["displayName"] = "DSS Lover"
settings.get_raw()["email"] = "[email protected]"
settings.get_raw()["userProfile"] = "DESIGNER"
settings.get_raw()["groups"] = "group1,group2,group3" # This completely overrides previous groups

# Save the modifications
settings.save()

Deleting a user

user = client.get_user('test_login')
user.delete()

Modifying user and admin properties

user = client.get_user("test_login")
settings = user.get_settings()
settings.user_properties["myprop"] = "myvalue"
settings_admin_properties["myadminprop"] = "myadminvalue"
settings.save()

Modifying user secrets

user = client.get_user("test_login")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()

Entering a per-user-credential for a connection

user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_connection_credential("myconnection", "username", "password")
settings.save()

Entering a per-user-credential for a plugin preset

user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_plugin_credential("myplugin", "my_paramset_id", "mypreset_id", "param_name", "username", "password")
settings.save()

Impersonating another user

As a DSS administrator, it can be useful to be able to perform API calls on behalf of another user.

user = client.get_user("the_user_to_impersonate")
client_as_user = user.get_client_as()

# All calls done using `client_as_user` will appear as being performed by `the_user_to_impersonate` and will inherit
# its permissions

Modifying user secrets

user = client.get_user("an_user")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()

Listing groups

A list of the groups can by obtained with the list_groups method:

client = DSSClient(host, apiKey)
# dss_groups is a list of dict. Each group contains at least a "name" attribute
dss_groups = client.list_groups()
prettyprinter.pprint(dss_groups)

outputs

[   {   'admin': True,
        'description': 'DSS administrators',
        'name': 'administrators',
        'sourceType': 'LOCAL'},
    {   'admin': False,
        'description': 'Read-write access to projects',
        'name': 'data_scientists',
        'sourceType': 'LOCAL'},
    {   'admin': False,
        'description': 'Read-only access to projects',
        'name': 'readers',
        'sourceType': 'LOCAL'}]

Creating a group

new_group = client.create_group('test_group', description='test group', source_type='LOCAL')

Modifying settings of a group

First, retrieve the group definition with a get_definition call, alter the definition, and set it back into DSS:

group_definition = new_group.get_definition()
group_definition['admin'] = True
group_definition['ldapGroupNames'] = 'group1,group2'
new_group.set_definition(group_definition)table

Deleting a group

group = client.get_group('test_group')
group.delete()

Reference documentation

class dataikuapi.dss.admin.DSSUser(client, login)

A handle for a user on the DSS instance. Do not create this directly, use dataikuapi.DSSClient.get_user()

delete()

Deletes the user

get_settings()

Gets the settings of the user :rtype: DSSUserSettings

get_definition()

Deprecated, use get_settings instead

Get the user’s definition (login, type, display name, permissions, …)

Returns:the user’s definition, as a dict
set_definition(definition)

Deprecated, use get_settings instead

Set the user’s definition. Note: this call requires an API key with admin rights

You should only set_definition() using an object that you obtained through get_definition(), not create a new dict.

The fields that may be changed in a user definition are:

  • email
  • displayName
  • groups
  • userProfile
  • password
Parameters:definition (dict) – the definition for the user, as a dict
get_client_as()

Gets a dataikuapi.DSSClient that has the permissions of this user.

This allows administrators to impersonate actions on behalf of other users, in order to perform actions on their behalf

class dataikuapi.dss.admin.DSSUserSettings(client, login, settings)

Settings for a DSS user

admin_properties

The user properties (not editable by the user) for this user. Do not set this property, modify the dict in place

:rtype dict

enabled

Whether this user is enabled :rtype boolean

save()

Saves the settings

add_secret(name, value)

Adds a user secret. If there was already a secret with the same name, it is replaced

get_raw()
Returns:the raw settings of the user, as a dict. Modifications made to the returned object

are reflected when saving :rtype: dict

remove_connection_credential(connection)

Removes per-user-credentials for a connection

remove_plugin_credential(plugin_id, param_set_id, preset_id, param_name)

Removes per-user-credentials for a plugin preset

remove_secret(name)

Removes a user secret based on its name

set_basic_connection_credential(connection, user, password)

Sets per-user-credentials for a connection that takes a user/password pair

set_basic_plugin_credential(plugin_id, param_set_id, preset_id, param_name, user, password)

Sets per-user-credentials for a plugin preset that takes a user/password pair

set_oauth2_plugin_credential(plugin_id, param_set_id, preset_id, param_name, refresh_token)

Sets per-user-credentials for a plugin preset that takes a OAuth refresh token

user_properties

The user properties (editable by the user) for this user. Do not set this property, modify the dict in place

:rtype dict

class dataikuapi.dss.admin.DSSOwnUser(client)

A handle to interact with your own user Do not create this directly, use dataikuapi.DSSClient.get_own_user()

get_settings()

Get your own settings

Return type:DSSOwnUserSettings
class dataikuapi.dss.admin.DSSOwnUserSettings(client, settings)

Settings for the current DSS user

save()

Saves the settings

add_secret(name, value)

Adds a user secret. If there was already a secret with the same name, it is replaced

get_raw()
Returns:the raw settings of the user, as a dict. Modifications made to the returned object

are reflected when saving :rtype: dict

remove_connection_credential(connection)

Removes per-user-credentials for a connection

remove_plugin_credential(plugin_id, param_set_id, preset_id, param_name)

Removes per-user-credentials for a plugin preset

remove_secret(name)

Removes a user secret based on its name

set_basic_connection_credential(connection, user, password)

Sets per-user-credentials for a connection that takes a user/password pair

set_basic_plugin_credential(plugin_id, param_set_id, preset_id, param_name, user, password)

Sets per-user-credentials for a plugin preset that takes a user/password pair

set_oauth2_plugin_credential(plugin_id, param_set_id, preset_id, param_name, refresh_token)

Sets per-user-credentials for a plugin preset that takes a OAuth refresh token

user_properties

The user properties (editable by the user) for this user. Do not set this property, modify the dict in place

:rtype dict

class dataikuapi.dss.admin.DSSGroup(client, name)

A group on the DSS instance. Do not create this directly, use dataikuapi.DSSClient.get_group()

delete()

Deletes the group

get_definition()

Get the group’s definition (name, description, admin abilities, type, ldap name mapping)

Returns:the group’s definition, as a dict
set_definition(definition)

Set the group’s definition.

You should only set_definition() using an object that you obtained through get_definition(), not create a new dict.

Args:
definition: the definition for the group, as a dict