Users and groups#

The API exposes key parts of the DSS access control management: users and groups. All these can be created, modified and deleted through the API.

Example use cases#

In all examples, client is a dataikuapi.dssclient.DSSClient, obtained either using dataikuapi.DSSClient() or api_client()

Listing users#

client = DSSClient(host, apiKey)
dss_users = client.list_users()
# dss_users is a list of dict. Each item represents one user
prettyprinter.pprint(dss_users)

outputs:

[   {   'activeWebSocketSesssions': 0,
        'codeAllowed': True,
        'displayName': 'Administrator',
        'groups': ['administrators', 'data_scientists'],
        'login': 'admin',
        'objectImgHash': 0,
        'sourceType': 'LOCAL'},
    ...
]

Listing connected users#

You can programmatically retrieve the list of connected users on a Dataiku instance, for example to check if you can safely turn off/restart the instance. This is possible by using the list_users() method of the Dataiku public API. That method returns a value for activeWebSocketSessionswhich indicates the number of sessions that a user is logged into at the moment. Anything other than 0 indicates that a user is connected to the instance.

import dataiku

client = dataiku.api_client()
user_list = []
dss_users = client.list_users()
for user in dss_users:
    if user.get("activeWebSocketSesssions",None):
        user_list.append(user["displayName"])
print(user_list)

Creating a user#

A local user with a password#

new_user = client.create_user('test_login', 'test_password', display_name='a test user', groups=['all_powerful_group'])

new_user is a dataikuapi.dss.admin.DSSUser

A user who will login through LDAP#

Note that it is not usually required to manually create users who will login through LDAP as they can be automatically provisionned

new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LDAP", groups=['all_powerful_group'], profile="DESIGNER")

A user who will login through SSO#

This is only for non-LDAP users that thus will not be automatically provisioned, buut should still be able to log in through SSO.

new_user = client.create_user('test_login', password=None, display_name='a test user', source_type="LOCAL_NO_AUTH", groups=['all_powerful_group'], profile="DESIGNER")

Modifying a user’s display name, groups, profile, email, …#

To modify the settings of a user, get a handle through get_user(), then use get_settings()

user = client.get_user("theuserslogin")

settings = user.get_settings()

# Modify the settings in the `get_raw()` dict
settings.get_raw()["displayName"] = "DSS Lover"
settings.get_raw()["email"] = "my.new.email@stuff.com"
settings.get_raw()["userProfile"] = "DESIGNER"
settings.get_raw()["groups"] = ["group1", "group2", "group3"] # This completely overrides previous groups

# Save the modifications
settings.save()

Deleting a user#

user = client.get_user('test_login')
user.delete()

Modifying user and admin properties#

user = client.get_user("test_login")
settings = user.get_settings()
settings.user_properties["myprop"] = "myvalue"
settings.admin_properties["myadminprop"] = "myadminvalue"
settings.save()

Modifying user secrets#

user = client.get_user("test_login")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()

Entering a per-user-credential for a connection#

user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_connection_credential("myconnection", "username", "password")
settings.save()

Entering a per-user-credential for a plugin preset#

user = client.get_user('test_login')
settings = user.get_settings()
settings.set_basic_plugin_credential("myplugin", "my_paramset_id", "mypreset_id", "param_name", "username", "password")
settings.save()

Impersonating another user#

As a DSS administrator, it can be useful to be able to perform API calls on behalf of another user.

user = client.get_user("the_user_to_impersonate")
client_as_user = user.get_client_as()

# All calls done using `client_as_user` will appear as being performed by `the_user_to_impersonate` and will inherit
# its permissions

Modifying user secrets#

user = client.get_user("an_user")
settings = user.get_settings()
settings.add_secret("secretname", "secretvalue")
settings.save()

Listing groups#

A list of the groups can by obtained with the list_groups() method:

client = DSSClient(host, apiKey)
# dss_groups is a list of dict. Each group contains at least a "name" attribute
dss_groups = client.list_groups()
prettyprinter.pprint(dss_groups)

outputs

[   {   'admin': True,
        'description': 'DSS administrators',
        'name': 'administrators',
        'sourceType': 'LOCAL'},
    {   'admin': False,
        'description': 'Read-write access to projects',
        'name': 'data_scientists',
        'sourceType': 'LOCAL'},
    {   'admin': False,
        'description': 'Read-only access to projects',
        'name': 'readers',
        'sourceType': 'LOCAL'}]

Creating a group#

new_group = client.create_group('test_group', description='test group', source_type='LOCAL')

Modifying settings of a group#

First, retrieve the group definition with a get_definition() call, alter the definition, and set it back into DSS:

group_definition = new_group.get_definition()
group_definition['admin'] = True
group_definition['ldapGroupNames'] = ['group1', 'group2']
new_group.set_definition(group_definition)

Deleting a group#

group = client.get_group('test_group')
group.delete()

Reference documentation#

dataikuapi.dss.admin.DSSUser(client, login)

A handle for a user on the DSS instance.

dataikuapi.dss.admin.DSSUserSettings(client, ...)

Settings for a DSS user.

dataikuapi.dss.admin.DSSOwnUser(client)

A handle to interact with your own user

dataikuapi.dss.admin.DSSOwnUserSettings(...)

Settings for the current DSS user.

dataikuapi.dss.admin.DSSUserActivity(client, ...)

Activity for a DSS user.

dataikuapi.dss.admin.DSSGroup(client, name)

A group on the DSS instance.

dataikuapi.dss.admin.DSSAuthorizationMatrix(...)

The authorization matrix of all groups and enabled users of the DSS instance.