Source code for arize.resource_restrictions.client
"""Client implementation for managing resource restrictions in the Arize platform."""
from __future__ import annotations
import logging
from typing import TYPE_CHECKING
from arize.pre_releases import ReleaseStage, prerelease_endpoint
if TYPE_CHECKING:
from arize._generated.api_client.api_client import ApiClient
from arize.config import SDKConfiguration
from arize.resource_restrictions.types import ResourceRestriction
logger = logging.getLogger(__name__)
[docs]
class ResourceRestrictionsClient:
"""Client for managing Arize resource restrictions.
This class is primarily intended for internal use within the SDK. Users are
highly encouraged to access resource-specific functionality via
:class:`arize.ArizeClient`.
Resource restrictions prevent roles bound at higher hierarchy levels (space,
org, account) from granting access to the restricted resource. Only space
admins or users with the ``PROJECT_RESTRICT`` permission can restrict or
unrestrict a resource.
Currently only ``PROJECT`` resources are supported.
The resource restrictions client is a thin wrapper around the generated REST
API client, using the shared generated API client owned by
:class:`arize.config.SDKConfiguration`.
"""
def __init__(
self, *, sdk_config: SDKConfiguration, generated_client: ApiClient
) -> None:
"""
Args:
sdk_config: Resolved SDK configuration.
generated_client: Shared generated API client instance.
""" # noqa: D205, D212
self._sdk_config = sdk_config
# Import at runtime so it's still lazy and extras-gated by the parent
from arize._generated import api_client as gen
# Use the provided client directly
self._api = gen.ResourceRestrictionsApi(generated_client)
[docs]
@prerelease_endpoint(
key="resource_restrictions.restrict", stage=ReleaseStage.ALPHA
)
def restrict(self, *, resource_id: str) -> ResourceRestriction:
"""Mark a resource as restricted.
Restricting a resource prevents roles bound at higher hierarchy levels
(space, org, account) from granting access. Only space admins or users
with the ``PROJECT_RESTRICT`` permission can perform this action.
This operation is idempotent — restricting an already-restricted resource
returns the existing restriction without error.
Currently only ``PROJECT`` resources are supported.
Args:
resource_id: Global ID of the resource to restrict. Must encode a
project resource ID.
Returns:
The resource restriction object.
Raises:
ApiException: If the API request fails (for example, unsupported
resource type or insufficient permissions).
"""
from arize._generated import api_client as gen
body = gen.ResourceRestrictionCreate(resource_id=resource_id)
return self._api.resource_restrictions_create(body).resource_restriction
[docs]
@prerelease_endpoint(
key="resource_restrictions.unrestrict", stage=ReleaseStage.ALPHA
)
def unrestrict(self, *, resource_id: str) -> None:
"""Remove restriction from a resource.
Removing a restriction means that roles bound at other levels of the
hierarchy (space, org, account) can once again grant access to the
resource.
Args:
resource_id: Global ID of the resource to unrestrict.
Raises:
ApiException: If the API request fails (for example, resource is
not restricted, or insufficient permissions).
"""
return self._api.resource_restrictions_delete(resource_id=resource_id)