I want to connect Superset to a Databricks for querying the tables. Superset uses SQLAlchemy to connect to databases which requires a PAT (Personal Access Token) to access.
It is possible to connect and run queries when I use the PAT I generated on my account through Databricks web UI? But I do not want to use my personal token in a production env. Even so, I was not able to find how to generate a PAT like token for a Service Principal.
The working SQLAlchemy URI is looks like this:
databricks+pyhive://token:XXXXXXXXXX#aaa-111111111111.1.azuredatabricks.net:443/default?http_path=sql%2Fprotocolv1%qqq%wwwwwwwwwww1%eeeeeeee-1111111-foobar00
After checking the Azure docs, there are two ways on how to run queries between Databricks and another service:
Create a PAT for a Service Principal to be associated with Superset.
Create a user AD account for Superset.
For the first and preferred method, I was able to advance, but I was not able to generate the Service Principal's PAT:
I was able to register an app on Azure's AD.
So I got the tenant ID, client ID and create a secret for the registered app.
With this info, I was able to curl Azure and receive a JWT token for that app.
But all the tokens referred in the docs are JTW's OAUTH2 tokens, which does not seems to work with SQLAlchemy URI.
I know it's possible to generate a PAT for a Service Principal since there is a mention on how to read, update and delete a Service Principal's PAT on the documentation. But it has no information on how to create a PAT for a Service Principal.
I prefer to avoid using the second method (creating an AD user for Superset) since I am not allowed to create/manage users for the AD.
In summary, I have a working SQLAlchemy URI, but I want to use a generated token, associated with a Service Principal, instead of using my PAT. But I can't find how to generate that token (I only found documentation on how to generate OAUTH2 tokens).
You can create PAT for service principal as following (examples are taken from docs, do export DATABRICKS_HOST="https://hostname" before executing):
Add service principal into the Databricks workspace using SCIM API (doc):
curl -X POST '$DATABRICKS_HOST/api/2.0/preview/scim/v2/ServicePrincipals' \
--header 'Content-Type: application/scim+json' \
--header 'Authorization: Bearer <personal-access-token>' \
--data-raw '{
"schemas":[
"urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
],
"applicationId":"<application-id>",
"displayName": "test-sp",
"entitlements":[
{
"value":"allow-cluster-create"
}
]
}'
Get AAD Token for service principal (doc, another option is to use az-cli):
export DATABRICKS_TOKEN=$(curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<client-id>&resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d&client_secret=<application-secret>' \
https://login.microsoftonline.com/<tenant-id>/oauth2/token|jq -r .accessToken)
Generate token using the AAD Token (doc):
curl -s -n -X POST "$DATABRICKS_HOST/api/2.0/token/create" --data-raw '{
"lifetime_seconds": 100,
"comment": "token for superset"
}' -H "Authorization: Bearer $DATABRICKS_TOKEN"
I am having problems with CouchDB 3.1.0 on Windows. I have installed it, during the installation created a admin user (admin:admin) and then created a user as the documentation states:
$ curl -X PUT http://admin:admin#localhost:5984/_users/org.couchdb.user:jan \
> -H "Accept: application/json" \
> -H "Content-Type: application/json" \
> -d '{"name": "jan", "password": "apple", "roles": [], "type": "user"}'
{"ok":true,"id":"org.couchdb.user:jan","rev":"1-fd5a90118f51fb895d594f2fdfa9b12f"}
Fine. Now let me get the user doc:
$ curl -X GET http://jan:apple#localhost:5984/_users/org.couchdb.user:jan
{"error":"forbidden","reason":"You are not allowed to access this db."}
What am I doing wrong? What did I miss?
It did work in CouchDB 2.3, surely.
Thanks.
The documentation for CouchDB 3.x is unfortunately out of date. As of today, the Authentication Database section in the security documentation states:
Users may only access (GET /_users/org.couchdb.user:Jan) or modify
(PUT /_users/org.couchdb.user:Jan) documents that they own
However, it does not state that users by default do not have access to any documents in the _users database.
In order to allow access, one must first change the users_db_security_editable flag to true in the settings, and then clear the members -> roles list in the _users security object. This list has _admin in it by default. Alternatively, you could add a role to your users and add that role to the members -> roles instead.
Note that this will allow users read and write access to their user document.
There is an open Github issue to amend the documentation.
Other sources:
https://github.com/apache/couchdb/issues/2881
https://github.com/apache/couchdb/issues/2730
I'm trying to make a GitHub App that can view the private repositories and members of my organization that it's installed on. It has read access to "checks, members and metadata" on the installed apps page of the organization.
I can use the request curl -i -H "Authorization: token {token}" -H "Accept: application/vnd.github.machine-man-preview+json" https://api.github.com/installation/repositories to list the repositories and that seems to work, although I don't have private repositories on it right now to verify, but it does list the public ones.
However I can't seem to find an endpoint that lists the organization's private members for the installation, which is what I'm authenticated as. https://api.github.com/orgs/{org}/members shows just the public members of my organization, and if I try /members/{private member} I get a 302, which means my app is not a member of the organization. What am I doing wrong?
The access will be granted to user who is registered with the specific organization and similarly the application needs to have scope to access.
Refer scope in Organization Settings->Developer Settings-> Personal Access Tokens
Please find the reference below which are tested GITHUB APIs, please change the endpoint urls as per below suggestions.
Note: replace <> with your appropriate email, org details accordingly.
For accessing all the members(public & private):
curl -u "<user email address>" https://api.github.com/orgs/<organization name>/members
For accessing all the repos(public & private):
curl -u "<user email address>" https://api.github.com/orgs/<organization name>/repos?type=all
How can I get contributions.json of myself in a Gitlab CI pipeline with private contributions if "show private contributions" is off in the settings?
https://gitlab.com/users/GITLAB_USERNAME/calendar.json shows both public and private contributions if the logged in user is GITLAB_USERNAME.
https://gitlab.com/users/GITLAB_USERNAME/calendar.json shows only public contributions if the logged in user is not GITLAB_USERNAME and "show private contributions" is off for GITLAB_USERNAME.
I can do this with curl --cookie "_gitlab_session=..." https://gitlab.com/users/GITLAB_USERNAME/calendar.json where I have obtained the cookie by logging in through the web interface. The session cookie expires after 1 week by default.
I want an automated way to do this through a CI pipeline without simulating a log in and storing my password as a variable (insecure, and if I change my password, I need to update all of them).
I have tried using CI_JOB_TOKEN for authentication (like I do with API: curl --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" "https://gitlab.com/api/v4/projects"), but only the public contributions are showing up.
You can't do it using calendar.json endpoint. You need to use events api.
You can collect all your events using personal token and events api curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.com/api/v4/users/:id/events
User id can be found using: https://gitlab.com/api/v4/users?username=YOUR_USERNAME
Instead of job token use personal access token to get access to gitlab api.
To filter out your results use parameters according to your needs. There is a lot more data than when gathering from https://gitlab.com/users/GITLAB_USERNAME/calendar.json url so you would need to process it.
NOTE:
https://gitlab.com/users/GITLAB_USERNAME/calendar.json is not api url but gitlab endpoint so gitlab token won't work for it.
I want to use Groovy, HttpBuilder and REST API to access our company's onsidte GitHub appliance.
The GitHub developer's site: https://developer.github.com/v3/, shows this URL: https://api.github.com. So if my company's GitHub URL is: http://github.mycompany.com, what is my REST API endpoint URL? e.g. if I want to list all users, what's the correct URL?
When I access this URL: https://github.mycompany.com/api/v3, it gives me an error:
github.mycompany.com refused to connect.
ERR_CONNECTION_REFUSED
According to "API Enterprise 2.5":
All API endpoints—except Management Console API endpoints—are prefixed with the following URL:
https://hostname/api/v3/
But you need to authenticate:
Authentication
Your Enterprise installation's API endpoints accept the same authentication methods as the GitHub.com API. Specifically, you can authenticate yourself with OAuth tokens (which can be created using the Authorizations API) or basic authentication.
Every Enterprise API endpoint is only accessible to GitHub Enterprise site administrators, with the exception of the Management Console API, which is only accessible via the Management Console password.
TLTR; These are the endpoints
+----+------------------------------------------+--------------------------------+
| | Enterprise | GitHub |
+----+------------------------------------------+--------------------------------+
| v3 | https://[YOUR_HOST]/api/v3 | https://api.github.com |
| v4 | https://[YOUR_HOST]/api/graphql | https://api.github.com/graphql |
+----+------------------------------------------+--------------------------------+
Examples
Here you have some examples in case you want to try them. You'll need to create an ACCESS_TOKEN
Enterprise
curl -H "Authorization: bearer [ACCESS_TOKEN]" https://[YOUR_HOST]/api/v3/organizations
curl -H "authorization: bearer [ACCESS_TOKEN]" https://[YOUR_HOST]/api/graphql -d "{\"query\": \"query { viewer { login } }\"}"
GitHub
curl -H "Authorization: bearer [ACCESS_TOKEN]" https://api.github.com/organizations
curl -H "authorization: bearer [ACCESS_TOKEN]" https://api.github.com/graphql -d "{\"query\": \"query { viewer { login } }\"}"
If you are not using https, it's "http://github.mycompany.com/api/v3/".
You're getting that message because the request is not authenticated.
First you have to figure out what kind of auth your server accepts and then incorporate that into the header or the (query string) of your request.
For example, this is how I get a list (using the header approach) of organizations I can access:
`url -k -H "Authorization: token xxxxxx...xxx" \ https://git.acme.com/api/v3/organizations`
Note that xxxxx...xxx is a place holder for a personal access token I created with read-only access to my repos. The docs refer to this as OAUTH_TOKEN. You can opt for inserting the token as a query string. In neither case do you have to enter a user name because the server figures that out from the token.
if you need https://github.com/google/shaka-player it would be
https://api.github.com/repos/google/shaka-player
more info at https://api.github.com/
"current_user_url": "https://api.github.com/user",
"current_user_authorizations_html_url": https://github.com/settings/connections/applications{/client_id}",
"authorizations_url": "https://api.github.com/authorizations",
"code_search_url": "https://api.github.com/search/code?q={query}{&page,per_page,sort,order}",
"commit_search_url": "https://api.github.com/search/commits?q={query}{&page,per_page,sort,order}",
"emails_url": "https://api.github.com/user/emails",
"emojis_url": "https://api.github.com/emojis",
"events_url": "https://api.github.com/events",
"feeds_url": "https://api.github.com/feeds",
"followers_url": "https://api.github.com/user/followers",
"following_url": "https://api.github.com/user/following{/target}",
"gists_url": "https://api.github.com/gists{/gist_id}",
"hub_url": "https://api.github.com/hub",
"issue_search_url": "https://api.github.com/search/issues?q={query}{&page,per_page,sort,order}",
"issues_url": "https://api.github.com/issues",
"keys_url": "https://api.github.com/user/keys",
"label_search_url": "https://api.github.com/search/labels?q={query}&repository_id={repository_id}{&page,per_page}",
"notifications_url": "https://api.github.com/notifications",
"organization_url": "https://api.github.com/orgs/{org}",
"organization_repositories_url": "https://api.github.com/orgs/{org}/repos{?type,page,per_page,sort}",
"organization_teams_url": "https://api.github.com/orgs/{org}/teams",
"public_gists_url": "https://api.github.com/gists/public",
"rate_limit_url": "https://api.github.com/rate_limit",
"repository_url": "https://api.github.com/repos/{owner}/{repo}",
"repository_search_url": "https://api.github.com/search/repositories?q={query}{&page,per_page,sort,order}",
"current_user_repositories_url": "https://api.github.com/user/repos{?type,page,per_page,sort}",
"starred_url": "https://api.github.com/user/starred{/owner}{/repo}",
"starred_gists_url": "https://api.github.com/gists/starred",
"topic_search_url": "https://api.github.com/search/topics?q={query}{&page,per_page}",
"user_url": "https://api.github.com/users/{user}",
"user_organizations_url": "https://api.github.com/user/orgs",
"user_repositories_url": "https://api.github.com/users/{user}/repos{?type,page,per_page,sort}",
"user_search_url": "https://api.github.com/search/users?q={query}{&page,per_page,sort,order}"