w.token_management: Token management¶
- class databricks.sdk.service.settings.TokenManagementAPI¶
Enables administrators to get all tokens and delete tokens for other users. Admins can either get every token, get a specific token by ID, or get all tokens for a particular user.
- create_obo_token(application_id: str [, autoscope_enabled: Optional[bool], comment: Optional[str], lifetime_seconds: Optional[int], scopes: Optional[List[str]]]) CreateOboTokenResponse¶
Usage:
import time from databricks.sdk import WorkspaceClient from databricks.sdk.service import iam w = WorkspaceClient() groups = w.groups.group_display_name_to_id_map(iam.ListGroupsRequest()) spn = w.service_principals.create( display_name=f"sdk-{time.time_ns()}", groups=[iam.ComplexValue(value=groups["admins"])], ) obo = w.token_management.create_obo_token(application_id=spn.application_id, lifetime_seconds=60) # cleanup w.service_principals.delete(id=spn.id) w.token_management.delete(token_id=obo.token_info.token_id)
Creates a token on behalf of a service principal.
- Parameters:
application_id – str Application ID of the service principal.
autoscope_enabled – bool (optional) Whether to enable autoscoping for this token.
comment – str (optional) Comment that describes the purpose of the token.
lifetime_seconds – int (optional) The number of seconds before the token expires.
scopes – List[str] (optional)
- Returns:
- delete(token_id: str)¶
Deletes a token, specified by its ID.
- Parameters:
token_id – str The ID of the token to revoke.
- get(token_id: str) GetTokenResponse¶
Usage:
import time from databricks.sdk import WorkspaceClient from databricks.sdk.service import iam w = WorkspaceClient() groups = w.groups.group_display_name_to_id_map(iam.ListGroupsRequest()) spn = w.service_principals.create( display_name=f"sdk-{time.time_ns()}", groups=[iam.ComplexValue(value=groups["admins"])], ) obo = w.token_management.create_obo_token(application_id=spn.application_id, lifetime_seconds=60) by_id = w.token_management.get(token_id=obo.token_info.token_id) # cleanup w.service_principals.delete(id=spn.id) w.token_management.delete(token_id=obo.token_info.token_id)
Gets information about a token, specified by its ID.
- Parameters:
token_id – str The ID of the token to get.
- Returns:
- get_permission_levels() GetTokenPermissionLevelsResponse¶
Gets the permission levels that a user can have on an object.
- Returns:
- get_permissions() TokenPermissions¶
Gets the permissions of all tokens. Tokens can inherit permissions from their root object.
- Returns:
- list([, created_by_id: Optional[int], created_by_username: Optional[str]]) Iterator[TokenInfo]¶
Usage:
from databricks.sdk import WorkspaceClient from databricks.sdk.service import settings w = WorkspaceClient() all = w.token_management.list(settings.ListTokenManagementRequest())
Lists all tokens associated with the specified workspace or user.
- Parameters:
created_by_id – int (optional) User ID of the user that created the token.
created_by_username – str (optional) Username of the user that created the token.
- Returns:
Iterator over
TokenInfo
- set_permissions([, access_control_list: Optional[List[TokenAccessControlRequest]]]) TokenPermissions¶
Sets permissions on an object, replacing existing permissions if they exist. Deletes all direct permissions if none are specified. Objects can inherit permissions from their root object.
- Parameters:
access_control_list – List[
TokenAccessControlRequest] (optional)- Returns:
- update_permissions([, access_control_list: Optional[List[TokenAccessControlRequest]]]) TokenPermissions¶
Updates the permissions on all tokens. Tokens can inherit permissions from their root object.
- Parameters:
access_control_list – List[
TokenAccessControlRequest] (optional)- Returns:
- update_token_management(token_id: str, token: TokenInfo, update_mask: FieldMask) TokenInfo¶
Updates a token, specified by its ID.
- Parameters:
token_id – str ID of the token.
token –
TokenInfoupdate_mask –
FieldMask A list of field name under token, For example, {“update_mask”: “comment,scopes”}
The field mask must be a single string, with multiple fields separated by commas (no spaces). The field path is relative to the resource object, using a dot (
.) to navigate sub-fields (e.g.,author.given_name). Specification of elements in sequence or map fields is not allowed, as only the entire collection field can be specified. Field names must exactly match the resource field names.A field mask of
*indicates full replacement. It’s recommended to always explicitly list the fields being updated and avoid using*wildcards, as it can lead to unintended results if the API changes in the future.
- Returns: