
<div style="text-align: center; line-height: 0; padding-top: 9px;">
  <img src="https://databricks.com/wp-content/uploads/2018/03/db-academy-rgb-1200px.png" alt="Databricks Learning" style="width: 600px">
</div>

## Automating Identity Management

In this demo, we will explore how to automate identity management using the Databricks SDK for Python. We will learn how to manage users, service principals, and groups programmaticaly within a Databricks workspace. Through the Account Client component of the Databricks SDK library, we will demonstrate key tasks such as creating and querying users, service principals, and groups, as well as managing group membership. Additionally, we will cover how to assign administrative roles and delete resources, ensuring efficient resource management within your Databricks environment.

### Classroom Setup

In [None]:
%run ./Includes/Classroom-Setup-01

## Overview
Databricks provides comprehensive funcionality through its Python SDK, enabling seamless interaction with various Databricks resources. In this demo, we will focus on using the Account Client library of the Databricks SDK for Python to programmaticaly manage users, service principals, and groups within a Databricks account.

There are a number of ways to leverage the Databricks SDK with the Account Client:
- Utilize the SDK to directly invoke methods for managing users, groups, and service principals without needing to manually construct HTTP requests.
- Automate resource management by integrating the Account Client library into Python scripts, streamlining operations such as onboarding users or configuring service principals.
- Incorporate the SDK into larger automation frameworks, leveraging its intuitive API design to manage Databricks resources efficiently.

Regardless of which approach you take to utilize the Account Client library of the Databricks SDK, you need the following from the account console:
- The account ID of a user with account admin privileges.
- The client ID and client secret token generated for a service principal with account privileges.

Depending on the operation, you may need to provide additional parameters of payloads to fulfill the request, such as user details or group configurations.

### Creating a Service Principal with Admin Privileges

In [None]:
DA.get_credentials_for_SDK()

### Configuring account client object with Databricks SDK

In [None]:
import os
from databricks.sdk import WorkspaceClient

a = AccountClient(
    host=os.getenv("DATABRICKS_HOST"),
    account_id=os.getenv("DATABRICKS_ACCOUNT_ID"),
    client_id=os.getenv("DATABRICKS_CLIENT_ID"),
    client_secret=os.getenv("DATABRICKS_CLIENT_SECRET"),
    debug_truncate_bytes=1024,
    debug_headers=False
)

### Queryng Users

In [None]:
import json # Pretty printing

# List of users in the account
try:
    user_details = {} # Nested dictionary to store user details
    users = a.users.list() # Fetch current batch of users
    
    for idx, user in enumerate(users, start=1):
        # Process each user's id, userName and displayName
        user_id = user.id
        user_name = user.user_name
        display_name = user.display_name
        
        # Add the group details to dictionary
        user_details["User_"+str(idx)] = {
            "ID: ": user_id,
            "User Name: ": user_name,
            "Display Name": display_name
        }
        
    # Pretty print the nested dictionary of users
    print("Users Organized in Nested Dictionary:")
    print(json.dumps(user_details, indent=4), end="\n\n") # Pretty print with 4-space indentation
    
    print("All users processed.")
except Exception as e:
    print("Error occurred while processing users: ", str{e})

### Creating a user

In [None]:
import json # Importing json for pretty printing

# Create a user in the account
my_name = "testuser2@maildrop.cc"
my_display_name = "Test User 2"

try:
    # Create the user - Test 2
    user = a.users.create(
        user_name=my_name, # The user's username (email or ID)
        display_name=my_display_name, # The user's display name
    )
    
    # Create a dictionary to store new user details
    new_user_details = {
        "ID: ": user.id,
        "User Name: ": user.user_name,
        "Display Name": user.display_name
    }
    
    # Pretty print the new user dictionary
    print("User created successfully:")
    print(json.dumps(new_user_details, indent=4)) # Pretty print with 4-space indentation
except Exception as e:
    print("Error occurred while creating user: ", str(e))

### Querying service principals

In [None]:
import json # Importing json for pretty printing

# List of service principals in the account
try:
    sp_details = {} # Nested dictionary to store service principal details
    service_principals = a.service_principals.list() # Fetch current batch of service principals
    
    for idx, sp in enumerate(service_principals, start=1):
        # Process each service principal's id, appId and displayName
        sp_id = sp.id
        sp_name = sp.display_name
        application_id = sp.application_id
        roles = sp.roles
        
        # Add the service principal details to the dictionary
        sp_details["SP_"+str(idx)] = {
            "ID": sp_id,
            "Display Name": sp_name,
            "Application ID": application_id,
            "Roles: ": [cv.value for cv in roles] if roles else [] # Convert roles to a list of strings
        }
        
    # Pretty print the nested dictionary of service principals
    print("Service Principals Organized in Nested Dictionary:")
    print(json.dumps(sp_details, indent=4), end="\n\n") # Pretty print with 4-space indentation
    print("All service principals processed.")
except Exception as e:
    print("Error occurred while processing service principals: ", str(e))

### Crating a service principal

In [None]:
import json # Importing json for pretty printing
from databricks.sdk import AccountClient

# Initialize the Databricks Account Client
account_client = AccountClient()

# Define service principal details
service_principal_display_name = "test_sp_2"

# List of service principals in the account
try:
    # Create the service principal using the Account Client
    service_principal = account_client.service_principals.create(
        display_name=service_principal_display_name, # The service principal's display name
    )
    
    # Create a dictionary to store new service principal details
    new_sp_details = {
        "ID: ": service_principal.id,
        "Display Name: ": service_principal.display_name
    }
        
    # Pretty print the nested dictionary of service principals
    print("Service Principals created successfully:")
    print(json.dumps(new_sp_details, indent=4)) # Pretty print with 4-space indentation
except Exception as e:
    print("Error occurred while processing service principals: ", str(e))

### Groups - Querying groups

In [None]:
import json # Importing json for pretty printing

# List of service principals in the account
try:
    group_details = {} # Nested dictionary to store service principal details
    groups = a.groups.list() # Fetch current batch of service principals
    
    for idx, group in enumerate(groups, start=1):
        # Process each group's id, displayName and source of creation
        group_id = group.id
        group_name = group.display_name
        
        # Add the service principal details to the dictionary
        group_details["Group_"+str(idx)] = {
            "ID": group_id,
            "Display Name": group_name
        }
        
    # Pretty print the nested dictionary of service principals
    print("Groups Organized in Nested Dictionary:")
    print(json.dumps(group_details, indent=4), end="\n\n") # Pretty print with 4-space indentation
    print("All service principals processed.")
except Exception as e:
    print("Error occurred while processing service principals: ", str(e))

### Creating a group

In [None]:
import json # Importing json for pretty printing

# Define group details
group_display_name = "analysts_test_2"

try:
    # Create the group
    group = a.groups.create(
        display_name=group_display_name, # The group's display name
    )
    
    # Create a dictionary to store new group details
    new_group_details = {
        "ID: ": group.id,
        "Display Name: ": group.display_name
    }
        
    # Pretty print the nested dictionary of service principals
    print("Group created successfully:")
    print(json.dumps(new_sp_details, indent=4)) # Pretty print with 4-space indentation
except Exception as e:
    print("Error occurred while processing service principals: ", str(e))

### Assigning Members to a Group

In [None]:
import json # Importing json for pretty printing
from databricks.sdk.service.iam import Patch, PatchOp, PatchSchema

# Configuration
group_name = "analysts_test_2"
user_name = "testuser2@maildrop.cc"
service_principal_name = "test_sp_2"

try:
    # Step 1: Fecth the group details by name
    groups = a.groups.list() # Fetch current batch of groups
    group_id = None
    for group in groups:
        if group.display_name == group_name:
            group_id = group.id
            break
        
    if not group_id:
        raise ValueError(f"Group '{group_name}' does not exist. Please create it first.")
    
    # Step 2: Fecth the user and service principal details
    users = a.users.list() # Fetch current batch of users
    user_id = next((user.id for user in users if user.user_name == user_name), None)
    if not user_id:
        raise ValueError(f"User '{user_name}' does not exist.")
    
    service_principals = a.service_principals.list() # Fetch current batch of service principals
    service_principal_id = next(
        (sp.id for sp in service_principals if sp.display_name == service_principal_name), None
    )
    if not service_principal_id:
        raise ValueError(f"Service Principal '{service_principal_name}' does not exist.")
    
    # Step 3: Add user and service principal to the group
    a.groups.patch(
        id=group_id,
        operations=[Patch(
            op=PatchOp.ADD,
            value={"Members": [{
                "value": user_id,
            },{
                "value": service_principal_id,
            }]},
        )],
        schemas = [PatchSchema.URN_IETF_PARAMS_SCIM_API_MESSAGES_2_0_PATCH_OP],
    )
    
    # Step 4: Display confirmation
    assigned_details = {
        "Group Name": group_name,
        "User Added": {
            "User Name: ": user_name,
            "User ID: ": user_id
        },
        "Service Principal Added": {
            "Service Principal Name: ": service_principal_name,
            "Service Principal ID: ": service_principal_id
        }
    }
    
    # Pretty print the nested dictionary of service principals
    print("Service Principals created successfully:")
    print(json.dumps(assigned_details, indent=4)) # Pretty print with 4-space indentation
except Exception as e:
    print("Error occurred while processing service principals: ", str(e))

### Querying group members

In [None]:
import json # Importing json for pretty printing

# Configuration
group_name = "analysts_test_2"

try:
    # Step 1: Fecth the group details by name
    groups = a.groups.list() # Fetch current batch of service principals
    group_id = None
    
    for group in groups:
        if group.display_name == group_name:
            group_id = group.id
            break
    
    if not group_id:
        raise ValueError(f"Group '{group_name}' does not exist. Please create it first.")
    
    # Step 2: Fetch the group's members
    group = a.groups.get(id=group_id) # Fetch the group details
    members = group.members # Get the members of the group
    
    # Step 3: Display group members
    member_details = {
        "Group Name": group_name,
        "Members": []
    }
    
    for member in members:
        member_type = "User" if hasattr(member, "user_name") else "Service Principal"
        member_details["Members"].append({
            "Member Name": member.display,
            "Member Type": member_type # Convert enum to string
        })
        
    # Pretty print the nested dictionary of service principals
    print("Group Member Details:")
    print(json.dumps(member_details, indent=4)) # Pretty print with 4-space indentation
    print("All groups processed.")
except Exception as e:
    print("Error occurred while processing grops members: ", str(e))

### Removing Members from a Group

In [None]:
import json # Importing json for pretty printing

# Configuration
group_name = "analysts_test_2"
user_name = "testuser2@maildrop.cc"
service_principal_name = "test_sp_2"

try:
    # Step 1: Fecth the group details by name
    groups = a.groups.list() # Fetch current batch of service principals
    group_id = None
    for group in groups:
        if group.display_name == group_name:
            group_id = group.id
            break
    
    if not group_id:
        raise ValueError(f"Group '{group_name}' does not exist. Please create it first.")
    
    # Step 2: Fetch the user and service principal details
    users = a.users.list() # Fetch the group details
    user_id = next((user.id for user in users if user.user_name == user_name), None) # Get the members of the group
    if not user_id:
        raise ValueError(f"User '{user_name}' does not exist.")
    
    service_principals = a.service_principals.list() # Fetch current batch of service principals
    service_principal_id = next(
        (sp.id for sp in service_principals if sp.display_name == service_principal_name), None
    )
    if not service_principal_id:
        raise ValueError(f"Service Principal '{service_principal_name}' does not exist.")
    
    # Step 3: Remove the user and service principal from the group
    a.groups.patch(
        id=group_id,
        operations=[Patch(
            op=PatchOp.REMOVE,
            path="members", 
            value=[{
                "value": user_id,
            },{
                "value": service_principal_id,
            }],
        )],
        schemas = [PatchSchema.URN_IETF_PARAMS_SCIM_API_MESSAGES_2_0_PATCH_OP],
    )
        
    # Step 4: Fetch the group details again to get the remaining members
    group = a.groups.get(id=group_id) # Fetch the group details
    members = group.members # Get the members of the group
    
    # Organize group member details
    member_details = {
        "Group Name": group_name,
        "Members": []
    }
    for member in members:
        member_type = "User" if hasattr(member, "user_name") else "Service Principal"
        member_details["Members"].append({
            "Member Name": member.display,
            "Member Type": member_type # Convert enum to string
        })
        
    # Pretty print the nested dictionary of service principals
    print("Group Member Details:")
    print(json.dumps(member_details, indent=4)) # Pretty print with 4-space indentation
    print("All groups processed.")
except Exception as e:
    print("Error occurred while processing grops members: ", str(e))

### Cleanup - Deleting Group

In [None]:
# Configuration
group_name = "analysts_test_2"

try:
    # Step 1: Fecth the group details by name
    groups = a.groups.list() # Fetch current batch of service principals
    group_id = next(
        (group.id for group in groups if group.display_name == group_name), None
    )
    if not group_id:
        raise ValueError(f"Group '{group_name}' does not exist. Please create it first.")
    
    # Step 2: Delete the group
    a.groups.delete(id=group_id) # Delete the group
    print(f"Group '{group_name}' deleted successfully.")
except Exception as e:
    print("Error occurred while processing groups: ", str(e))

### Deleting Service Principal

In [None]:
# Configuration
service_principal_name = "test_sp_2"

try:
    # Step 1: Fecth the service principal details by name
    service_principals = a.service_principals.list() # Fetch current batch of service principals
    service_principal_id = next(
        (sp.id for sp in service_principals if sp.display_name == service_principal_name), None
    )
    if not service_principal_id:
        raise ValueError(f"Service Principal '{service_principal_name}' does not exist.")
    
    # Step 2: Delete the service principal
    a.service_principals.delete(id=service_principal_id) # Delete the service principal
    print(f"Service Principal '{service_principal_name}' deleted successfully.")
except Exception as e:
    print("Error occurred while processing service principals: ", str(e))

### Deleting User

In [None]:
# Configuration
user_name = "testuser2@maildrop.cc"

try:
    # Step 1: Fecth the user details by name
    users = a.users.list() # Fetch current batch of users
    user_id = next((user.id for user in users if user.user_name == user_name), None)
    if not user_id:
        raise ValueError(f"User '{user_name}' does not exist.")
    
    # Step 2: Delete the user
    a.users.delete(id=user_id) # Delete the user
    print(f"User '{user_name}' deleted successfully.")
except Exception as e:
    print("Error occurred while processing users: ", str(e))

### Conclusion