
Add serving endpoint permissions management (get and update ACLs) #416

Open
jralfonsog wants to merge 4 commits into databricks-solutions:main from jralfonsog:feat/serving-permissions

Conversation

@jralfonsog

Summary

  • Get permissions: get_serving_endpoint_permissions() retrieves the full ACL for a serving endpoint, including inherited permissions (e.g. admins group)
  • Update permissions: update_serving_endpoint_permissions() grants or modifies permissions using PATCH (additive merge) — existing permissions not in the list are left unchanged
  • Name-to-ID resolution: Permissions API requires endpoint ID (hex string), not name. Both tools auto-resolve via get(name).id

Permission levels

| Level | Description |
| --- | --- |
| CAN_VIEW | View endpoint metadata (model names, versions, config) |
| CAN_QUERY | Query the endpoint + view metadata |
| CAN_MANAGE | Full control: view, edit, query, delete, manage permissions |

Principal types

Supports user_name (email), group_name, and service_principal_name.

Changes

| Layer | File | What changed |
| --- | --- | --- |
| Core | serving/endpoints.py | +get_serving_endpoint_permissions(), +update_serving_endpoint_permissions(), +_resolve_endpoint_id() helper |
| Core | serving/__init__.py | Export new functions |
| MCP | tools/serving.py | +2 @mcp.tool(timeout=30) wrappers |
| Tests | tests/unit/test_serving_permissions.py | 6 unit tests: get (user/group/SP/empty/not-found), update (success/not-found) |

Design decisions

  • PATCH over PUT: update_permissions uses the SDK's PATCH method (additive merge) instead of PUT (full replace) to avoid accidentally removing existing permissions
  • Structured output: Raw SDK ACL entries are flattened into {principal, principal_type, permission_level, inherited} dicts for LLM readability
  • Typed exceptions: Uses ResourceDoesNotExist/NotFound for clean error messages

Test plan

  • 6 unit tests pass (get + update, all principal types, not-found)
  • Ruff lint + format pass (line-length=120, py311)
  • Integration tested get_permissions against aws-fe workspace — returned 2 ACL entries (user + inherited admins group)
  • Not-found returns clean error via typed SDK exceptions
  • Skipped live update_permissions test to avoid modifying shared endpoint ACLs

This pull request was AI-assisted by Isaac
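The three behaviours the description relies on (name-to-ID resolution before calling the Permissions API, flattening ACL entries into `{principal, principal_type, permission_level, inherited}` dicts, and the PATCH-merge versus PUT-replace distinction) are worth seeing side by side. The block below is an added example written for this page, not the PR's code and not the Databricks SDK: it models the Permissions API with a constructed in-memory `FakeWorkspace` so it runs offline, and the endpoint name, hex ID, principals and the `NotFound` class are all made-up stand-ins. Against a real workspace the equivalent SDK calls are `serving_endpoints.update_permissions` (PATCH) and `serving_endpoints.set_permissions` (PUT), both keyed by endpoint ID.

```python
"""Added example (not the PR's code): models the ACL handling the PR
describes with a constructed in-memory workspace, so it runs offline."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Permission levels and principal field names as listed in the PR description.
LEVELS = ("CAN_VIEW", "CAN_QUERY", "CAN_MANAGE")
PRINCIPAL_TYPES = ("user_name", "group_name", "service_principal_name")
HEX_ID = re.compile(r"[0-9a-f]+")  # the Permissions API wants the hex ID, not the name


class NotFound(Exception):
    """Constructed stand-in for the SDK's ResourceDoesNotExist / NotFound."""


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry (constructed stand-in for the SDK's access-control object)."""
    principal_type: str
    principal: str
    permission_level: str
    inherited: bool = False


def validate_grant(principal_type: str, permission_level: str) -> None:
    """Reject unknown principal types or levels before they reach the API."""
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"unknown principal type {principal_type!r}")
    if permission_level not in LEVELS:
        raise ValueError(f"unknown permission level {permission_level!r}")


class FakeWorkspace:
    """Hypothetical in-memory workspace: endpoint name -> hex ID, ID -> ACL."""

    def __init__(self) -> None:
        self._ids: dict[str, str] = {}
        self._acls: dict[str, list[AclEntry]] = {}

    def create(self, name: str, endpoint_id: str, acl: list[AclEntry]) -> None:
        if not HEX_ID.fullmatch(endpoint_id):
            raise ValueError("endpoint IDs are hex strings")
        self._ids[name] = endpoint_id
        self._acls[endpoint_id] = list(acl)

    def resolve_id(self, name: str) -> str:
        """Mirrors the PR's name-to-ID step (get(name).id): fail cleanly when missing."""
        try:
            return self._ids[name]
        except KeyError:
            raise NotFound(f"serving endpoint {name!r} not found") from None

    def get_acl(self, endpoint_id: str) -> list[AclEntry]:
        if endpoint_id not in self._acls:
            raise NotFound(f"no serving endpoint with id {endpoint_id}")
        return list(self._acls[endpoint_id])

    def patch_acl(self, endpoint_id: str, grants: list[tuple[str, str, str]]) -> list[AclEntry]:
        """PATCH semantics: additive merge. A grant replaces only the direct entry
        for its own principal; every other entry, inherited or not, is kept."""
        acl = self.get_acl(endpoint_id)
        for ptype, principal, level in grants:
            validate_grant(ptype, level)
            acl = [e for e in acl if e.inherited or (e.principal_type, e.principal) != (ptype, principal)]
            acl.append(AclEntry(ptype, principal, level))
        self._acls[endpoint_id] = acl
        return acl

    def put_acl(self, endpoint_id: str, grants: list[tuple[str, str, str]]) -> list[AclEntry]:
        """PUT semantics: full replace of direct entries. Inherited entries (the
        admins group) survive, but every direct grant not restated is dropped."""
        acl = [e for e in self.get_acl(endpoint_id) if e.inherited]
        for ptype, principal, level in grants:
            validate_grant(ptype, level)
            acl.append(AclEntry(ptype, principal, level))
        self._acls[endpoint_id] = acl
        return acl


def flatten(acl: list[AclEntry]) -> list[dict]:
    """The structured output shape from the PR, sorted so results are stable."""
    rows = [{"principal": e.principal, "principal_type": e.principal_type,
             "permission_level": e.permission_level, "inherited": e.inherited} for e in acl]
    return sorted(rows, key=lambda r: (r["principal_type"], r["principal"]))


def seed() -> FakeWorkspace:
    """Constructed sample: a direct owner plus the inherited admins group."""
    ws = FakeWorkspace()
    ws.create("fraud-model", "abc123def4567890", [
        AclEntry("user_name", "alice@example.com", "CAN_MANAGE"),
        AclEntry("group_name", "admins", "CAN_MANAGE", inherited=True),
    ])
    return ws


def grant(ws: FakeWorkspace, name: str, ptype: str, principal: str, level: str,
          *, use_patch: bool = True) -> list[dict]:
    """Resolve name -> ID, apply one grant with PATCH (default) or PUT, return the flattened ACL."""
    endpoint_id = ws.resolve_id(name)
    apply = ws.patch_acl if use_patch else ws.put_acl
    return flatten(apply(endpoint_id, [(ptype, principal, level)]))


if __name__ == "__main__":
    bob = ("user_name", "bob@example.com", "CAN_QUERY")
    print("PATCH keeps alice:", grant(seed(), "fraud-model", *bob))
    print("PUT drops alice:  ", grant(seed(), "fraud-model", *bob, use_patch=False))
```

Running it shows the failure mode the PR's PATCH-over-PUT decision avoids: the same single grant leaves three entries under PATCH but only two under PUT, with the direct CAN_MANAGE for the original owner silently gone while the inherited admins entry remains either way.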

Supports reading ACLs and granting/modifying permissions for users,
groups, and service principals. Uses PATCH (additive merge) for
safety over PUT (full replace).

Co-authored-by: Isaac
- Docstrings: opening """ on its own line
- Returns sections: bullet list format for dict keys

Co-authored-by: Isaac