Users and groups¶
The API exposes key parts of the DSS access control management: users and groups. All these can be created, modified and deleted through the API.
- Example use cases
- Listing users
- Creating a user
- Modifying a user’s display name, groups, profile, email, …
- Deleting a user
- Modifying user and admin properties
- Modifying user secrets
- Entering a per-user-credential for a connection
- Entering a per-user-credential for a plugin preset
- Impersonating another user
- Modifying user secrets
- Listing groups
- Creating a group
- Modifying settings of a group
- Deleting a group
- Reference documentation
Example use cases¶
In all examples, client is a dataikuapi.DSSClient
, obtained either using dataikuapi.DSSClient.__init__()
or dataiku.api_client()
Listing users¶
client = DSSClient(host, apiKey)
dss_users = client.list_users()
# dss_users is a list of dict. Each item represents one user
prettyprinter.pprint(dss_users)
outputs
[ { 'activeWebSocketSesssions': 0,
'codeAllowed': True,
'displayName': 'Administrator',
'groups': ['administrators', 'data_scientists'],
'login': 'admin',
'objectImgHash': 0,
'sourceType': 'LOCAL'},
...
]
Creating a user¶
A local user with a password¶
new_user = client.create_user('test_login', 'test_password', display_name='a test user', groups=['all_powerful_group'])
new_user is a dataikuapi.dss.admin.DSSUser
A user who will login through LDAP¶
Note that it is not usually required to manually create users who will login through LDAP as they can be automatically provisionned
new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LDAP", groups=['all_powerful_group'], profile="DESIGNER")
A user who will login through SSO¶
This is only for non-LDAP users that thus will not be automatically provisioned, buut should still be able to log in through SSO.
new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LOCAL_NO_AUTH", groups=['all_powerful_group'], profile="DESIGNER")
Modifying a user’s display name, groups, profile, email, …¶
To modify the settings of a user, get a handle through dataikuapi.DSSClient.get_user()
, then use dataikuapi.dss.admin.DSSUser.get_settings()
user = client.get_user("theuserslogin")
settings = user.get_settings()
# Modify the settings in the `get_raw()` dict
settings.get_raw()["displayName"] = "DSS Lover"
settings.get_raw()["email"] = "[email protected]"
settings.get_raw()["userProfile"] = "DESIGNER"
settings.get_raw()["groups"] = "group1,group2,group3" # This completely overrides previous groups
# Save the modifications
settings.save()
Deleting a user¶
user = client.get_user('test_login')
user.delete()
Modifying user and admin properties¶
user = client.get_user("test_login")
settings = user.get_settings()
settings.user_properties["myprop"] = "myvalue"
settings_admin_properties["myadminprop"] = "myadminvalue"
settings.save()
Modifying user secrets¶
user = client.get_user("test_login")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()
Entering a per-user-credential for a connection¶
user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_connection_credential("myconnection", "username", "password")
settings.save()
Entering a per-user-credential for a plugin preset¶
user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_plugin_credential("myplugin", "my_paramset_id", "mypreset_id", "param_name", "username", "password")
settings.save()
Impersonating another user¶
As a DSS administrator, it can be useful to be able to perform API calls on behalf of another user.
user = client.get_user("the_user_to_impersonate")
client_as_user = user.get_client_as()
# All calls done using `client_as_user` will appear as being performed by `the_user_to_impersonate` and will inherit
# its permissions
Modifying user secrets¶
user = client.get_user("an_user")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()
Listing groups¶
A list of the groups can by obtained with the list_groups method:
client = DSSClient(host, apiKey)
# dss_groups is a list of dict. Each group contains at least a "name" attribute
dss_groups = client.list_groups()
prettyprinter.pprint(dss_groups)
outputs
[ { 'admin': True,
'description': 'DSS administrators',
'name': 'administrators',
'sourceType': 'LOCAL'},
{ 'admin': False,
'description': 'Read-write access to projects',
'name': 'data_scientists',
'sourceType': 'LOCAL'},
{ 'admin': False,
'description': 'Read-only access to projects',
'name': 'readers',
'sourceType': 'LOCAL'}]
Creating a group¶
new_group = client.create_group('test_group', description='test group', source_type='LOCAL')
Modifying settings of a group¶
First, retrieve the group definition with a get_definition call, alter the definition, and set it back into DSS:
group_definition = new_group.get_definition()
group_definition['admin'] = True
group_definition['ldapGroupNames'] = 'group1,group2'
new_group.set_definition(group_definition)table
Deleting a group¶
group = client.get_group('test_group')
group.delete()
Reference documentation¶
-
class
dataikuapi.dss.admin.
DSSUser
(client, login)¶ A handle for a user on the DSS instance. Do not create this directly, use
dataikuapi.DSSClient.get_user()
-
delete
()¶ Deletes the user
-
get_settings
()¶ Gets the settings of the user :rtype:
DSSUserSettings
-
get_definition
()¶ Deprecated, use get_settings instead
Get the user’s definition (login, type, display name, permissions, …)
Returns: the user’s definition, as a dict
-
set_definition
(definition)¶ Deprecated, use get_settings instead
Set the user’s definition. Note: this call requires an API key with admin rights
You should only
set_definition()
using an object that you obtained throughget_definition()
, not create a new dict.The fields that may be changed in a user definition are:
- displayName
- groups
- userProfile
- password
Parameters: definition (dict) – the definition for the user, as a dict
-
get_client_as
()¶ Gets a
dataikuapi.DSSClient
that has the permissions of this user.This allows administrators to impersonate actions on behalf of other users, in order to perform actions on their behalf
-
-
class
dataikuapi.dss.admin.
DSSUserSettings
(client, login, settings)¶ Settings for a DSS user
-
admin_properties
¶ The user properties (not editable by the user) for this user. Do not set this property, modify the dict in place
:rtype dict
-
enabled
¶ Whether this user is enabled :rtype boolean
-
save
()¶ Saves the settings
-
add_secret
(name, value)¶ Adds a user secret. If there was already a secret with the same name, it is replaced
-
get_raw
()¶ Returns: the raw settings of the user, as a dict. Modifications made to the returned object are reflected when saving :rtype: dict
-
remove_connection_credential
(connection)¶ Removes per-user-credentials for a connection
-
remove_plugin_credential
(plugin_id, param_set_id, preset_id, param_name)¶ Removes per-user-credentials for a plugin preset
-
remove_secret
(name)¶ Removes a user secret based on its name
-
set_basic_connection_credential
(connection, user, password)¶ Sets per-user-credentials for a connection that takes a user/password pair
-
set_basic_plugin_credential
(plugin_id, param_set_id, preset_id, param_name, user, password)¶ Sets per-user-credentials for a plugin preset that takes a user/password pair
-
set_oauth2_plugin_credential
(plugin_id, param_set_id, preset_id, param_name, refresh_token)¶ Sets per-user-credentials for a plugin preset that takes a OAuth refresh token
-
user_properties
¶ The user properties (editable by the user) for this user. Do not set this property, modify the dict in place
:rtype dict
-
-
class
dataikuapi.dss.admin.
DSSOwnUser
(client)¶ A handle to interact with your own user Do not create this directly, use
dataikuapi.DSSClient.get_own_user()
-
get_settings
()¶ Get your own settings
Return type: DSSOwnUserSettings
-
-
class
dataikuapi.dss.admin.
DSSOwnUserSettings
(client, settings)¶ Settings for the current DSS user
-
save
()¶ Saves the settings
-
add_secret
(name, value)¶ Adds a user secret. If there was already a secret with the same name, it is replaced
-
get_raw
()¶ Returns: the raw settings of the user, as a dict. Modifications made to the returned object are reflected when saving :rtype: dict
-
remove_connection_credential
(connection)¶ Removes per-user-credentials for a connection
-
remove_plugin_credential
(plugin_id, param_set_id, preset_id, param_name)¶ Removes per-user-credentials for a plugin preset
-
remove_secret
(name)¶ Removes a user secret based on its name
-
set_basic_connection_credential
(connection, user, password)¶ Sets per-user-credentials for a connection that takes a user/password pair
-
set_basic_plugin_credential
(plugin_id, param_set_id, preset_id, param_name, user, password)¶ Sets per-user-credentials for a plugin preset that takes a user/password pair
-
set_oauth2_plugin_credential
(plugin_id, param_set_id, preset_id, param_name, refresh_token)¶ Sets per-user-credentials for a plugin preset that takes a OAuth refresh token
-
user_properties
¶ The user properties (editable by the user) for this user. Do not set this property, modify the dict in place
:rtype dict
-
-
class
dataikuapi.dss.admin.
DSSGroup
(client, name)¶ A group on the DSS instance. Do not create this directly, use
dataikuapi.DSSClient.get_group()
-
delete
()¶ Deletes the group
-
get_definition
()¶ Get the group’s definition (name, description, admin abilities, type, ldap name mapping)
Returns: the group’s definition, as a dict
-
set_definition
(definition)¶ Set the group’s definition.
You should only
set_definition()
using an object that you obtained throughget_definition()
, not create a new dict.- Args:
- definition: the definition for the group, as a dict
-