Clients hitting an inflection point in the scale of their developer communities often face a high burden on provisioning pipeline projects.
They want to maintain a review/QC/Governance/Usage supervisory hand on project creation, but even with templates in place, they end up having to click to create Datasource, Transform, Ontology, and Workflow projects and manually think about metadata, perms, and documentation. Since orgs have different ideas of how they use projects in the platform for pipelines/teamspaces etc, there’s probably not a core product solution option that would suit everyone; a quick self-build utilising platform APIs and project templates (configured in Control Panel) feels proportionate.
I’m aiming to build an action based workflow to support dev space request/approval that automates this.
The issues I’m hitting on are as follows, all seem fixable with a file creation API update:
- CBAC isn’t supported in the project creation API as far as docs tell me
- There are v thin parameters on the project creation API docs, so I can’t use templates for uniformity, and I’d have to chain another API call to add coherent permission groups
- Related to 2, in order to have this run from a service user, I need to chain an API call to remove the service user as owner on the projects in order for this to be secure. Could this be solved with an optional Owner parameter to override the service user with a nominated user?
Broader idea to solve this bit - there should be a first class solution for hitting platform APIs from functions (and therefore actions) using the end-user’s credentials rather than a service user.
You can do this through Slate today or using outbound applications (however you would manually need to list all required scopes, which is more or less impossible to get right as a non-Palantir employee).
Are you aware of "Project Bootstrapper"? It’s an app Palantir added on our stack that can bootstrap Projects with different configurations. The downside is the execution user needs Namespace Editor permissions…
I fully agree with all your points. There needs to be an open, documented and flexible way to bootstrap all kinds of projects and artifacts in projects, from within Foundry as well as from outside (e.g. terraform/pulumi…)
Thanks for the response! I am aware of bootstrapper - my understanding from product teams is that templates is the preferred supported solution moving forward instead so my client has just shifted project creation over to this.
I think both are p similar in how they support our current goals.
On your slate/third party app suggestion, interesting point, as in if Pal add support for hitting the file system API? Only the ontology/dataset/ontology v2 endpoints are there by default as far as I can see
Could be an interim solution if supported, albeit meaning a single UI across a p multi-org stack…I’d love to have this in reusable ontology assets
Looks like other stacks may have other Service APIs enabled perhaps so I’ll explore this
The API is still probably too limited to be usable for the use case unfortunately
Which Service API is enabled in Slate depends on your stack config. At least on our stack we have e.g. Compass available which enables a lot of workflows.
From outbound applications you can call any (internal) API as long as you know which scopes you'll need, as there is no catch-all scope in the authorization code grant OAuth flow.