Exclude entitlements from CurrentWorkspaceID Me probe (#1681)

This PR makes `WorkspaceClient.CurrentWorkspaceID` ask the SCIM server
to skip the `entitlements` attribute on the underlying `Me` call.

## Why

`CurrentWorkspaceID` issues a `GET /api/2.0/preview/scim/v2/Me` request
and reads the `X-Databricks-Org-Id` response header to identify the
workspace. The body of the response is discarded.

By default, however, the SCIM server computes the `User.Entitlements`
field for `/Me` responses - and that computation scans every entitlement
grant in the workspace, regardless of which user is calling. On
workspaces with a lot of accumulated grants, that's a meaningful amount
of server work for a value the SDK never looks at.

This change passes `?excludedAttributes=entitlements` on the request so
the server can skip the scan entirely. The endpoint already honors that
query parameter today.

## What changed

One option appended to the existing `Do` call:

```go
httpclient.WithRequestData(map[string]string{"excludedAttributes": "entitlements"})
```

And a doc-comment line on `CurrentWorkspaceID` explaining the why.

## Tests

New `TestCurrentWorkspaceIDExcludesEntitlements` stands up an `httptest`
server, captures `r.URL.RawQuery`, and asserts it's
`excludedAttributes=entitlements`. The two existing
`TestCurrentWorkspaceID*` tests in this file already match on
`r.URL.Path`, so they still pass.

---------

Co-authored-by: Omer Lachish <rauchy@users.noreply.github.com>

Author: rauchy

NEXT_CHANGELOG.md

@@ -12,6 +12,10 @@
 
 ### Internal Changes
 
+* Pass `excludedAttributes=entitlements` on the SCIM `/Me` request made by `WorkspaceClient.CurrentWorkspaceID` ([#1681](https://github.com/databricks/databricks-sdk-go/pull/1681)).
+
+  `CurrentWorkspaceID` only reads the `X-Databricks-Org-Id` response header and discards the body, so it has no use for the `User.Entitlements` field. Skipping that attribute avoids an expensive `getEffectivePermissions` scan on the SCIM backend, which has caused incidents on workspaces with large grant counts.
+
 ### API Changes
 * Add `Revert` method for [w.Lakeview](https://pkg.go.dev/github.com/databricks/databricks-sdk-go/service/dashboards#LakeviewAPI) workspace-level service.
 * Add `ParentPath` field for [dashboards.GenieUpdateSpaceRequest](https://pkg.go.dev/github.com/databricks/databricks-sdk-go/service/dashboards#GenieUpdateSpaceRequest).

workspace_functions.go

@@ -19,6 +19,7 @@ func (w *WorkspaceClient) CurrentWorkspaceID(ctx context.Context) (int64, error)
 	var workspaceIdStr string
 	opts := []httpclient.DoOption{
 		httpclient.WithResponseHeader("X-Databricks-Org-Id", &workspaceIdStr),
+		httpclient.WithRequestData(map[string]string{"excludedAttributes": "entitlements"}),
 	}
 	if w.Config != nil && w.Config.WorkspaceID != "" {
 		opts = append(opts, httpclient.WithRequestHeader("X-Databricks-Org-Id", w.Config.WorkspaceID))

workspace_functions_test.go

@@ -42,6 +42,30 @@ func TestCurrentWorkspaceIDSendsOrgIdHeaderWhenConfigHasWorkspaceID(t *testing.T
 	assert.Equal(t, "7474644166319138", gotOrgIdHeader)
 }
 
+func TestCurrentWorkspaceIDExcludesEntitlements(t *testing.T) {
+	var gotRawQuery string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/api/2.0/preview/scim/v2/Me" {
+			gotRawQuery = r.URL.RawQuery
+			w.Header().Set("X-Databricks-Org-Id", "7474644166319138")
+			w.Write([]byte(`{}`))
+			return
+		}
+		http.NotFound(w, r)
+	}))
+	defer server.Close()
+
+	w, err := NewWorkspaceClient(&Config{
+		Host:  server.URL,
+		Token: "token",
+	})
+	require.NoError(t, err)
+
+	_, err = w.CurrentWorkspaceID(t.Context())
+	require.NoError(t, err)
+	assert.Equal(t, "excludedAttributes=entitlements", gotRawQuery)
+}
+
 func TestCurrentWorkspaceIDOmitsOrgIdHeaderWhenConfigMissingWorkspaceID(t *testing.T) {
 	// On legacy workspace hosts the host itself identifies the workspace, so
 	// no routing header is needed. When Config.WorkspaceID is empty we send