Encode tag key as a single path segment in tag-policy and tag-assignment APIs#1716
Merged
Conversation
…ent APIs Governed tag keys may be hierarchical and contain "/" (e.g. "a/b"). The generated clients interpolate the key straight into the request path, so a raw "/" is treated as a path separator and the request resolves to no matching endpoint (404 / ENDPOINT_NOT_FOUND). Get, Delete, and Update are affected. Add hand-written overrides that url.PathEscape the tag-key path parameter before delegating to the generated impl; the server decodes it back to the original key. Covers: - tags.TagPoliciesAPI: Get/Delete/UpdateTagPolicy - tags.WorkspaceEntityTagAssignmentsAPI: Get/Delete/UpdateTagAssignment - catalog.EntityTagAssignmentsAPI: Get/Delete/Update Only the tag-key path parameter is encoded; entity_type/entity_id/entity_name are left untouched. The Create methods are intentionally not overridden -- they send the key in the JSON body, where "/" is valid and must be stored verbatim. Co-authored-by: Isaac Signed-off-by: Lizhen Xiang <lizhen.xiang@databricks.com>
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Contributor
Author
|
Hey @lizhenxiang-db, this is your #1713 with identical commits, pushed to an origin branch so CI gets OIDC tokens (fork PRs do not, which is why the tests jobs were failing at JFrog auth). I approved the original but GitHub will not let me approve a PR I opened. Can I have a quick stamp? |
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
|
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
renaudhartert-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
tanmay-db
approved these changes
Jun 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
Supersedes #1713 with identical commits, authored by @lizhenxiang-db. That PR was opened from a personal fork, and fork PRs do not receive GitHub Actions OIDC tokens, so the required
testschecks fail at JFrog authentication before running anything and the PR can never enter the merge queue. This PR carries the same branch pushed tooriginso CI can run.Summary
Percent-encode the governed tag key when it travels as a URL path parameter across the tag-policy and entity-tag-assignment APIs, so keys containing
/route to the correct endpoint.Why
Governed tag keys may be hierarchical and contain
/(e.g.a/b). The generated clients interpolate the key straight into the request path (e.g.fmt.Sprintf("/api/2.1/tag-policies/%v", request.TagKey)), so a raw/is treated as a path separator and the request resolves to no matching endpoint (404/ENDPOINT_NOT_FOUND).Get,Delete, andUpdateare affected.A concrete consequence: the Terraform provider cannot refresh a
databricks_tag_policywhose key contains/: every plan reads it as missing and tries to recreate it, which then fails because the policy already exists.Createdoes not have this problem: it sends the key in the JSON request body, where/is valid and must be stored verbatim.What changed
Interface changes
None. Method signatures are unchanged; only the encoding of the existing request path differs.
Behavioral changes
The tag-key path parameter is now
url.PathEscaped (/becomes%2F) before the request is sent, in:tags.TagPoliciesAPI:GetTagPolicy,DeleteTagPolicy,UpdateTagPolicytags.WorkspaceEntityTagAssignmentsAPI:GetTagAssignment,DeleteTagAssignment,UpdateTagAssignmentcatalog.EntityTagAssignmentsAPI:Get,Delete,UpdateThe server decodes the key back to its original value, so behavior is unchanged for keys without special characters and fixed for keys that contain them. Only the tag-key parameter is encoded;
entity_type/entity_id/entity_nameare left untouched. TheCreatemethods are intentionally not overridden (they send the key in the body).Internal changes
service/tags/ext_impl.go: hand-written overrides forTagPoliciesAPIandWorkspaceEntityTagAssignmentsAPI.service/catalog/ext_entity_tag_assignments.go: hand-written overrides forEntityTagAssignmentsAPI.NEXT_CHANGELOG.md: Bug Fixes entry.How is this tested?
qa.HTTPFixturesunit tests inservice/tags/ext_impl_test.goandservice/catalog/ext_entity_tag_assignments_test.goassert the request path is encoded (/becomes%2F) for the tag-policy and both entity-tag-assignment APIs. The fullmake testsuite (1439 tests) andmake lintpass locally on this branch merged with latestmain.