From 4bd5abc7ee8e863f607582ee91a7c09edaf4a76e Mon Sep 17 00:00:00 2001 From: Omer Lachish Date: Fri, 15 May 2026 07:39:44 +0000 Subject: [PATCH 1/2] exclude entitlements from CurrentWorkspaceID Me probe CurrentWorkspaceID issues `GET /api/2.0/preview/scim/v2/Me` to read the X-Databricks-Org-Id response header. The Me endpoint computes User.Entitlements by default - a scan whose cost scales with the total number of entitlement grants in the workspace - and CurrentWorkspaceID never reads the body at all. Ask the server to skip the attribute. --- workspace_functions.go | 1 + workspace_functions_test.go | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/workspace_functions.go b/workspace_functions.go index 675e29830..7e0fbb5a6 100644 --- a/workspace_functions.go +++ b/workspace_functions.go @@ -19,6 +19,7 @@ func (w *WorkspaceClient) CurrentWorkspaceID(ctx context.Context) (int64, error) var workspaceIdStr string opts := []httpclient.DoOption{ httpclient.WithResponseHeader("X-Databricks-Org-Id", &workspaceIdStr), + httpclient.WithRequestData(map[string]string{"excludedAttributes": "entitlements"}), } if w.Config != nil && w.Config.WorkspaceID != "" { opts = append(opts, httpclient.WithRequestHeader("X-Databricks-Org-Id", w.Config.WorkspaceID)) diff --git a/workspace_functions_test.go b/workspace_functions_test.go index f580cf165..eccf7106a 100644 --- a/workspace_functions_test.go +++ b/workspace_functions_test.go @@ -42,6 +42,30 @@ func TestCurrentWorkspaceIDSendsOrgIdHeaderWhenConfigHasWorkspaceID(t *testing.T assert.Equal(t, "7474644166319138", gotOrgIdHeader) } +func TestCurrentWorkspaceIDExcludesEntitlements(t *testing.T) { + var gotRawQuery string + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.URL.Path == "/api/2.0/preview/scim/v2/Me" { + gotRawQuery = r.URL.RawQuery + w.Header().Set("X-Databricks-Org-Id", "7474644166319138") + w.Write([]byte(`{}`)) + return + } + http.NotFound(w, r) + })) + defer server.Close() + + w, err := NewWorkspaceClient(&Config{ + Host: server.URL, + Token: "token", + }) + require.NoError(t, err) + + _, err = w.CurrentWorkspaceID(t.Context()) + require.NoError(t, err) + assert.Equal(t, "excludedAttributes=entitlements", gotRawQuery) +} + func TestCurrentWorkspaceIDOmitsOrgIdHeaderWhenConfigMissingWorkspaceID(t *testing.T) { // On legacy workspace hosts the host itself identifies the workspace, so // no routing header is needed. When Config.WorkspaceID is empty we send From ce52818d422101f52078aa3e7df2201b1365d413 Mon Sep 17 00:00:00 2001 From: Omer Lachish Date: Fri, 22 May 2026 08:51:36 +0000 Subject: [PATCH 2/2] add NEXT_CHANGELOG.md entry --- NEXT_CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md index 95f79f472..6a5654bfe 100644 --- a/NEXT_CHANGELOG.md +++ b/NEXT_CHANGELOG.md @@ -12,4 +12,8 @@ ### Internal Changes +* Pass `excludedAttributes=entitlements` on the SCIM `/Me` request made by `WorkspaceClient.CurrentWorkspaceID` ([#1681](https://github.com/databricks/databricks-sdk-go/pull/1681)). + + `CurrentWorkspaceID` only reads the `X-Databricks-Org-Id` response header and discards the body, so it has no use for the `User.Entitlements` field. Skipping that attribute avoids an expensive `getEffectivePermissions` scan on the SCIM backend, which has caused incidents on workspaces with large grant counts. + ### API Changes