User/mingweihe/add enable data isolation support for workspace creation (Azure#30043)

* add enableDataIsolation support for workspace creation

* fix

* updated changelog

---------

Co-authored-by: Mingwei He <mingweihe@microsoft.com>

Author: mingweihe

sdk/ml/azure-ai-ml/CHANGELOG.md

@@ -21,6 +21,7 @@
 - Added Feature Store, its dedicated classes and updated the docstrings, now available in public interface. The classes added are `FeatureStoreOperations, FeatureSetOperations, FeatureStoreEntityOperations` with properties classes specific to the new features.
 - Support additional_includes in command component
 - Added experimental `distribution: ray` support in command job.
+- Added support to enable data isolation feature at workspace creation stage.
 
 ### Bugs Fixed
 

sdk/ml/azure-ai-ml/azure/ai/ml/_arm_deployments/arm_templates/workspace_base.json

@@ -475,6 +475,17 @@
             "metadata": {
                 "description": "Whether to set up materialization store"
             }
+        },
+        "enable_data_isolation": {
+            "type": "string",
+            "defaultValue": "false",
+            "allowedValues": [
+                "false",
+                "true"
+            ],
+            "metadata": {
+                "description": "A flag to determine if workspace has data isolation enabled. The flag can only be set at the creation phase, it can't be updated."
+            }
         }
     },
     "variables": {
@@ -650,7 +661,7 @@
         {
             "condition": "[variables('enablePE')]",
             "type": "Microsoft.MachineLearningServices/workspaces",
-            "apiVersion": "2022-12-01-preview",
+            "apiVersion": "2023-04-01-preview",
             "tags": "[parameters('tagValues')]",
             "name": "[parameters('workspaceName')]",
             "kind": "[parameters('kind')]",
@@ -692,7 +703,8 @@
                     },
                     "offlinestoreconnectionname": "[parameters('offline_store_connection_name')]",
                     "onlinestoreconnectionname": "[parameters('online_store_connection_name')]"
-                }
+                },
+                "enableDataIsolation": "[parameters('enable_data_isolation')]"
             }
         },
         {

sdk/ml/azure-ai-ml/azure/ai/ml/_arm_deployments/arm_templates/workspace_param.json

@@ -151,5 +151,8 @@
     },
     "online_store_connection_target" : {
         "value": ""
+    },
+    "enable_data_isolation": {
+        "value": "false"
     }
 }

sdk/ml/azure-ai-ml/azure/ai/ml/_schema/workspace/workspace.py

@@ -40,3 +40,4 @@ class WorkspaceSchema(PathAwareSchema):
     identity = NestedField(IdentitySchema)
     primary_user_assigned_identity = fields.Str()
     managed_network = ExperimentalField(NestedField(ManagedNetworkSchema, unknown=EXCLUDE))
+    enable_data_isolation = fields.Bool()

sdk/ml/azure-ai-ml/azure/ai/ml/entities/_workspace/workspace.py

@@ -45,6 +45,7 @@ def __init__(
         identity: Optional[IdentityConfiguration] = None,
         primary_user_assigned_identity: Optional[str] = None,
         managed_network: Optional[ManagedNetwork] = None,
+        enable_data_isolation: bool = False,
         **kwargs,
     ):
         """Azure ML workspace.
@@ -92,6 +93,9 @@ def __init__(
         :type primary_user_assigned_identity: str
         :param managed_network: workspace's Managed Network configuration
         :type managed_network: ManagedNetwork
+        :param enable_data_isolation: A flag to determine if workspace has data isolation enabled.
+            The flag can only be set at the creation phase, it can't be updated.
+        :type enable_data_isolation: bool
         :param kwargs: A dictionary of additional configuration parameters.
         :type kwargs: dict
         """
@@ -115,6 +119,7 @@ def __init__(
         self.identity = identity
         self.primary_user_assigned_identity = primary_user_assigned_identity
         self.managed_network = managed_network
+        self.enable_data_isolation = enable_data_isolation
 
     @property
     def discovery_url(self) -> str:
@@ -236,6 +241,7 @@ def _from_rest_object(cls, rest_obj: RestWorkspace) -> "Workspace":
             primary_user_assigned_identity=rest_obj.primary_user_assigned_identity,
             managed_network=managed_network,
             feature_store_settings=feature_store_settings,
+            enable_data_isolation=rest_obj.enable_data_isolation,
         )
 
     def _to_rest_object(self) -> RestWorkspace:
@@ -265,4 +271,5 @@ def _to_rest_object(self) -> RestWorkspace:
             if self.managed_network
             else None,  # pylint: disable=protected-access
             feature_store_Settings=feature_store_Settings,
+            enable_data_isolation=self.enable_data_isolation,
         )

sdk/ml/azure-ai-ml/azure/ai/ml/operations/_workspace_operations_base.py

@@ -463,6 +463,8 @@ def _populate_arm_paramaters(self, workspace: Workspace, **kwargs: Dict) -> Tupl
         else:
             managed_network = ManagedNetwork(IsolationMode.DISABLED)._to_rest_object()
         _set_val(param["managedNetwork"], managed_network)
+        if workspace.enable_data_isolation:
+            _set_val(param["enable_data_isolation"], "true")
 
         resources_being_deployed[workspace.name] = (ArmConstants.WORKSPACE, None)
         return template, param, resources_being_deployed