feat: expose user publish preflight endpoint via workflow client (HYP-829) #950
Closed
rupeshatlan wants to merge 1 commit into
…-829)

Adds client.workflow.user_publish_preflight(user_id, connection_qualified_name) to the v9 sync and async workflow clients, wrapping Heracles' POST /workflows/preflight/user-publish-check.

The endpoint verifies the workflow creator's account is enabled and that they may publish (ENTITY_CREATE/UPDATE/DELETE) to the target connection; all checks — including the Keycloak impersonation — run server-side in Heracles, so callers only need their own service-account token (the endpoint is restricted to service-account callers).

Follows the house pattern: API constant in pyatlan/client/constants.py, shared prepare/process logic in pyatlan/client/common/workflow.py, thin methods in pyatlan_v9 sync + aio clients. Unit tests cover the shared prepare_request/process_response logic.

Consumer: atlanhq/application-sdk run_publish_preflight Temporal activity (first activity of every extract workflow) — per review feedback on atlanhq/application-sdk#1966 that new Heracles endpoints be exposed via pyatlan rather than called with raw httpx.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Closing for now per HYP-829 final decision: the SDK will not call this endpoint — the Automation Engine calls Heracles directly (own client stack). Can be reopened if a pyatlan consumer appears.
Summary

Adds client.workflow.user_publish_preflight(user_id, connection_qualified_name) to the v9 sync and async workflow clients, wrapping Heracles' POST /workflows/preflight/user-publish-check.

The endpoint verifies the workflow creator's account is enabled and that they may publish (ENTITY_CREATE/UPDATE/DELETE) to the target connection. All checks — including the Keycloak impersonation/token-exchange — run server-side in Heracles, so callers only need their own service-account token; the endpoint is restricted to service-account-* callers on the Heracles side (x-endpoint-type: service-account).

Why

Per @cmgrote's review on atlanhq/application-sdk#1966 ("New Heracles endpoints should be exposed via pyatlan, and then the existing pyatlan bits used for the actual interactions"): the application-sdk's run_publish_preflight Temporal activity — the first activity of every extract workflow (HYP-829) — currently calls this endpoint with raw httpx. With this wrapper the SDK switches to the pyatlan client and inherits its auth handling, observability headers, retries, and pooling.

Deliberately not done client-side via client.impersonate.user + /evaluates: that would require distributing impersonate-any-user credentials (CLIENT_ID/CLIENT_SECRET) to every connector app, including customer-deployed SDR runtimes. Keeping impersonation server-side in Heracles is the security boundary this design preserves (discussion: HYP-829).

Changes (house pattern, +111/-0)

- pyatlan/client/constants.py: USER_PUBLISH_PREFLIGHT API constant (EndPoint.HERACLES)
- pyatlan/client/common/workflow.py: WorkflowUserPublishPreflight shared prepare/process
- pyatlan/client/common/__init__.py
- pyatlan_v9/client/workflow.py: user_publish_preflight()
- pyatlan_v9/client/aio/workflow.py: user_publish_preflight()
- tests/unit/test_workflow_client.py

Related

Notes for reviewers

- pyatlan_v9); happy to mirror onto the legacy v1 WorkflowClient if wanted.
- dict ({passed, failed_checks, message}); can switch to a typed response model if preferred.

🤖 Generated with Claude Code
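The shared prepare/process split the description refers to, sketched as an added example that is not code from this pull request or from pyatlan: one class holds request building and response handling, and thin sync and async callers reuse it. The class name, the `post` transport, the payload keys and the fail-closed handling of malformed responses are assumptions; only the parameter names and the {passed, failed_checks, message} shape come from the page.

```python
from __future__ import annotations
from typing import Any, Awaitable, Callable


class PreflightSketch:
    """Shared prepare/process logic used by both the sync and async callers."""

    @staticmethod
    def prepare_request(user_id: str, connection_qualified_name: str) -> dict[str, str]:
        # Assumption: payload keys mirror the method parameters named on the page.
        payload = {"user_id": user_id, "connection_qualified_name": connection_qualified_name}
        for key, value in payload.items():
            if not isinstance(value, str) or not value.strip():
                raise ValueError(f"{key} must be a non-empty string")
        return payload

    @staticmethod
    def process_response(raw: Any) -> dict[str, Any]:
        # Fail closed: anything other than a well-formed pass is a failure.
        if not isinstance(raw, dict):
            return {"passed": False, "failed_checks": ["malformed_response"],
                    "message": "preflight response was not a JSON object"}
        failed = raw.get("failed_checks") or []
        if not isinstance(failed, list):
            failed = ["malformed_response"]
        # Only a literal boolean True with no failed checks counts as a pass.
        passed = raw.get("passed") is True and not failed
        return {"passed": passed, "failed_checks": [str(c) for c in failed],
                "message": str(raw.get("message") or "")}


def user_publish_preflight(post: Callable[[dict], Any], user_id: str, cqn: str) -> dict[str, Any]:
    # `post` is a hypothetical transport that sends the payload and returns parsed JSON.
    return PreflightSketch.process_response(post(PreflightSketch.prepare_request(user_id, cqn)))


async def user_publish_preflight_async(post: Callable[[dict], Awaitable[Any]],
                                       user_id: str, cqn: str) -> dict[str, Any]:
    return PreflightSketch.process_response(await post(PreflightSketch.prepare_request(user_id, cqn)))


if __name__ == "__main__":
    # Constructed sample values; "user_disabled" is an illustrative check name.
    deny = lambda payload: {"passed": False, "failed_checks": ["user_disabled"],
                            "message": "account disabled"}
    print(user_publish_preflight(deny, "u-123", "default/snowflake/1700000000"))
```
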