Source code for arize.resource_restrictions.client
"""Client implementation for managing resource restrictions in the Arize platform."""
from __future__ import annotations
import logging
from typing import TYPE_CHECKING
from arize.constants.config import DEFAULT_LIST_LIMIT
from arize.pre_releases import ReleaseStage, prerelease_endpoint
if TYPE_CHECKING:
from arize._generated.api_client.api_client import ApiClient
from arize.config import SDKConfiguration
from arize.resource_restrictions.types import (
ResourceRestriction,
ResourceRestrictionListResponse,
ResourceRestrictionType,
)
logger = logging.getLogger(__name__)
[docs]
class ResourceRestrictionsClient:
"""Client for managing Arize resource restrictions.
This class is primarily intended for internal use within the SDK. Users are
highly encouraged to access resource-specific functionality via
:class:`arize.ArizeClient`.
Resource restrictions prevent roles bound at higher hierarchy levels (space,
org, account) from granting access to the restricted resource. Only space
admins or users with the ``PROJECT_RESTRICT`` permission can restrict or
unrestrict a resource.
Currently only ``PROJECT`` resources are supported.
The resource restrictions client is a thin wrapper around the generated REST
API client, using the shared generated API client owned by
:class:`arize.config.SDKConfiguration`.
"""
def __init__(
self, *, sdk_config: SDKConfiguration, generated_client: ApiClient
) -> None:
"""
Args:
sdk_config: Resolved SDK configuration.
generated_client: Shared generated API client instance.
""" # noqa: D205, D212
self._sdk_config = sdk_config
# Import at runtime so it's still lazy and extras-gated by the parent
from arize._generated import api_client as gen
# Use the provided client directly
self._api = gen.ResourceRestrictionsApi(generated_client)
[docs]
@prerelease_endpoint(
key="resource_restrictions.list", stage=ReleaseStage.ALPHA
)
def list(
self,
*,
resource_type: ResourceRestrictionType | None = None,
limit: int = DEFAULT_LIST_LIMIT,
cursor: str | None = None,
) -> ResourceRestrictionListResponse:
"""List resource restrictions the caller is permitted to manage.
Only restrictions the caller can manage are returned — i.e. an
account/org admin, a holder of the ``PROJECT_RESTRICT`` permission in the
resource's space, or a holder of ``PROJECT_RESTRICT`` granted directly on
the resource.
Results are paginated. Because entries are authorization-filtered after a
page is read, a page may contain fewer items than ``limit`` (or be empty)
while ``pagination.has_more`` is still ``True``. Keep paging until
``pagination.has_more`` is ``False`` — do not stop on an empty page.
Currently only ``PROJECT`` resources are supported.
Args:
resource_type: Optional filter restricting results to a single
resource type. When omitted, restrictions of all supported
resource types are returned (currently only ``PROJECT``).
limit: Maximum number of restrictions to return per page. The server
enforces an upper bound.
cursor: Opaque pagination cursor returned from a previous response
(``pagination.next_cursor``). Treat it as an unreadable token; do
not attempt to parse or construct it.
Returns:
A response object with the resource restrictions and pagination
information.
Raises:
ApiException: If the API request fails (for example, invalid input
or insufficient permissions).
"""
return self._api.resource_restrictions_list(
resource_type=resource_type,
limit=limit,
cursor=cursor,
)
[docs]
@prerelease_endpoint(
key="resource_restrictions.restrict", stage=ReleaseStage.ALPHA
)
def restrict(self, *, resource_id: str) -> ResourceRestriction:
"""Mark a resource as restricted.
Restricting a resource prevents roles bound at higher hierarchy levels
(space, org, account) from granting access. Only space admins or users
with the ``PROJECT_RESTRICT`` permission can perform this action.
This operation is idempotent — restricting an already-restricted resource
returns the existing restriction without error.
Currently only ``PROJECT`` resources are supported.
Args:
resource_id: Global ID of the resource to restrict. Must encode a
project resource ID.
Returns:
The resource restriction object.
Raises:
ApiException: If the API request fails (for example, unsupported
resource type or insufficient permissions).
"""
from arize._generated import api_client as gen
body = gen.ResourceRestrictionCreate(resource_id=resource_id)
return self._api.resource_restrictions_create(body).resource_restriction
[docs]
@prerelease_endpoint(
key="resource_restrictions.unrestrict", stage=ReleaseStage.ALPHA
)
def unrestrict(self, *, resource_id: str) -> None:
"""Remove restriction from a resource.
Removing a restriction means that roles bound at other levels of the
hierarchy (space, org, account) can once again grant access to the
resource.
Args:
resource_id: Global ID of the resource to unrestrict.
Raises:
ApiException: If the API request fails (for example, resource is
not restricted, or insufficient permissions).
"""
return self._api.resource_restrictions_delete(resource_id=resource_id)