Encode tag key as a single path segment in tag-policy and tag-assignment APIs#1713
Closed
lizhenxiang-db wants to merge 1 commit into
Closed
Encode tag key as a single path segment in tag-policy and tag-assignment APIs#1713lizhenxiang-db wants to merge 1 commit into
lizhenxiang-db wants to merge 1 commit into
Conversation
lizhenxiang-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
…ent APIs Governed tag keys may be hierarchical and contain "/" (e.g. "a/b"). The generated clients interpolate the key straight into the request path, so a raw "/" is treated as a path separator and the request resolves to no matching endpoint (404 / ENDPOINT_NOT_FOUND). Get, Delete, and Update are affected. Add hand-written overrides that url.PathEscape the tag-key path parameter before delegating to the generated impl; the server decodes it back to the original key. Covers: - tags.TagPoliciesAPI: Get/Delete/UpdateTagPolicy - tags.WorkspaceEntityTagAssignmentsAPI: Get/Delete/UpdateTagAssignment - catalog.EntityTagAssignmentsAPI: Get/Delete/Update Only the tag-key path parameter is encoded; entity_type/entity_id/entity_name are left untouched. The Create methods are intentionally not overridden -- they send the key in the JSON body, where "/" is valid and must be stored verbatim. Co-authored-by: Isaac Signed-off-by: Lizhen Xiang <lizhen.xiang@databricks.com>
lizhenxiang-db
force-pushed
the
tag-policy-encode-path-key
branch
from
dba604c to
a336c9b
Compare
lizhenxiang-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
|
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
lizhenxiang-db
changed the title
renaudhartert-db
approved these changes
Jun 11, 2026
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Contributor
|
For context, the failing checks here are not caused by the change: this PR is opened from a personal fork, and fork PRs do not receive GitHub Actions OIDC tokens, so |
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Contributor
|
Merged via #1716 (identical commits, squashed into main as part of the merge queue). Closing this one since fork PRs cannot pass the OIDC-gated required checks. Thanks for the fix @lizhenxiang-db. |
alexott
pushed a commit
to alexott/databricks-sdk-go
that referenced
this pull request
Jun 17, 2026
…ent APIs (databricks#1716) > [!NOTE] > Supersedes databricks#1713 with identical commits, authored by @lizhenxiang-db. That PR was opened from a personal fork, and fork PRs do not receive GitHub Actions OIDC tokens, so the required `tests` checks fail at JFrog authentication before running anything and the PR can never enter the merge queue. This PR carries the same branch pushed to `origin` so CI can run. ## Summary Percent-encode the governed tag key when it travels as a URL *path* parameter across the tag-policy and entity-tag-assignment APIs, so keys containing `/` route to the correct endpoint. ## Why Governed tag keys may be hierarchical and contain `/` (e.g. `a/b`). The generated clients interpolate the key straight into the request path (e.g. `fmt.Sprintf("/api/2.1/tag-policies/%v", request.TagKey)`), so a raw `/` is treated as a path separator and the request resolves to no matching endpoint (`404` / `ENDPOINT_NOT_FOUND`). `Get`, `Delete`, and `Update` are affected. A concrete consequence: the Terraform provider cannot refresh a `databricks_tag_policy` whose key contains `/`: every plan reads it as missing and tries to recreate it, which then fails because the policy already exists. `Create` does not have this problem: it sends the key in the JSON request body, where `/` is valid and must be stored verbatim. ## What changed ### Interface changes None. Method signatures are unchanged; only the encoding of the existing request path differs. ### Behavioral changes The tag-key path parameter is now `url.PathEscape`d (`/` becomes `%2F`) before the request is sent, in: - **`tags.TagPoliciesAPI`**: `GetTagPolicy`, `DeleteTagPolicy`, `UpdateTagPolicy` - **`tags.WorkspaceEntityTagAssignmentsAPI`**: `GetTagAssignment`, `DeleteTagAssignment`, `UpdateTagAssignment` - **`catalog.EntityTagAssignmentsAPI`**: `Get`, `Delete`, `Update` The server decodes the key back to its original value, so behavior is unchanged for keys without special characters and fixed for keys that contain them. Only the tag-key parameter is encoded; `entity_type` / `entity_id` / `entity_name` are left untouched. The `Create` methods are intentionally not overridden (they send the key in the body). ### Internal changes - `service/tags/ext_impl.go`: hand-written overrides for `TagPoliciesAPI` and `WorkspaceEntityTagAssignmentsAPI`. - `service/catalog/ext_entity_tag_assignments.go`: hand-written overrides for `EntityTagAssignmentsAPI`. - `NEXT_CHANGELOG.md`: Bug Fixes entry. ## How is this tested? `qa.HTTPFixtures` unit tests in `service/tags/ext_impl_test.go` and `service/catalog/ext_entity_tag_assignments_test.go` assert the request path is encoded (`/` becomes `%2F`) for the tag-policy and both entity-tag-assignment APIs. The full `make test` suite (1439 tests) and `make lint` pass locally on this branch merged with latest `main`. Signed-off-by: Lizhen Xiang <lizhen.xiang@databricks.com> Co-authored-by: Lizhen Xiang <lizhen.xiang@databricks.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Percent-encode the governed tag key when it travels as a URL path parameter across the tag-policy and entity-tag-assignment APIs, so keys containing
/route to the correct endpoint.Why
Governed tag keys may be hierarchical and contain
/(e.g.a/b). The generated clients interpolate the key straight into the request path (e.g.fmt.Sprintf("/api/2.1/tag-policies/%v", request.TagKey)), so a raw/is treated as a path separator and the request resolves to no matching endpoint (404/ENDPOINT_NOT_FOUND).Get,Delete, andUpdateare affected.A concrete consequence: the Terraform provider cannot refresh a
databricks_tag_policywhose key contains/— every plan reads it as missing and tries to recreate it, which then fails because the policy already exists.Createdoes not have this problem: it sends the key in the JSON request body, where/is valid and must be stored verbatim.What changed
Interface changes
None. Method signatures are unchanged; only the encoding of the existing request path differs.
Behavioral changes
The tag-key path parameter is now
url.PathEscaped (/→%2F) before the request is sent, in:tags.TagPoliciesAPI—GetTagPolicy,DeleteTagPolicy,UpdateTagPolicytags.WorkspaceEntityTagAssignmentsAPI—GetTagAssignment,DeleteTagAssignment,UpdateTagAssignmentcatalog.EntityTagAssignmentsAPI—Get,Delete,UpdateThe server decodes the key back to its original value, so behavior is unchanged for keys without special characters and fixed for keys that contain them. Only the tag-key parameter is encoded —
entity_type/entity_id/entity_nameare left untouched. TheCreatemethods are intentionally not overridden (they send the key in the body).Internal changes
service/tags/ext_impl.go— hand-written overrides forTagPoliciesAPIandWorkspaceEntityTagAssignmentsAPI.service/catalog/ext_entity_tag_assignments.go— hand-written overrides forEntityTagAssignmentsAPI.NEXT_CHANGELOG.md— Bug Fixes entry.How is this tested?
qa.HTTPFixturesunit tests inservice/tags/ext_impl_test.goandservice/catalog/ext_entity_tag_assignments_test.goassert the request path is encoded (/→%2F) for the tag-policy and both entity-tag-assignment APIs.go build,go vet, andgo testpass locally for both packages.This pull request and its description were written by Isaac.