Adding support for serving endpoints (#990)

## Changes
Assessment did not crawled permissions for serving endpoints, this PR
aims to fix it

### Tests
- [X] added integration tests

Author: william-conti

src/databricks/labs/ucx/mixins/fixtures.py

@@ -18,6 +18,7 @@
 from databricks.sdk.errors import NotFound, ResourceConflict
 from databricks.sdk.retries import retried
 from databricks.sdk.service import compute, iam, jobs, pipelines, sql, workspace
+from databricks.sdk.service._internal import Wait
 from databricks.sdk.service.catalog import (
     AzureServicePrincipal,
     CatalogInfo,
@@ -28,6 +29,12 @@
     TableInfo,
     TableType,
 )
+from databricks.sdk.service.serving import (
+    EndpointCoreConfigInput,
+    ServedModelInput,
+    ServedModelInputWorkloadSize,
+    ServingEndpointDetailed,
+)
 from databricks.sdk.service.sql import (
     CreateWarehouseRequestWarehouseType,
     GetResponse,
@@ -1095,3 +1102,27 @@ def remove(storage_credential: StorageCredentialInfo):
         ws.storage_credentials.delete(storage_credential.name, force=True)
 
     yield from factory("storage_credential_from_spn", create, remove)
+
+
+@pytest.fixture
+def make_serving_endpoint(ws, make_random, make_model):
+    def create() -> Wait[ServingEndpointDetailed]:
+        endpoint_name = make_random(4)
+        model = make_model()
+        endpoint = ws.serving_endpoints.create(
+            endpoint_name,
+            EndpointCoreConfigInput(
+                served_models=[
+                    ServedModelInput(model.name, "1", ServedModelInputWorkloadSize.SMALL, scale_to_zero_enabled=True)
+                ]
+            ),
+        )
+        return endpoint
+
+    def remove(endpoint_name: str):
+        try:
+            ws.serving_endpoints.delete(endpoint_name)
+        except RuntimeError as e:
+            logger.info(f"Can't remove endpoint {e}")
+
+    yield from factory("Serving endpoint", create, remove)

src/databricks/labs/ucx/workspace_access/manager.py

@@ -51,6 +51,7 @@ def factory(
             generic.Listing(ws.warehouses.list, "id", "sql/warehouses"),
             generic.Listing(ws.jobs.list, "job_id", "jobs"),
             generic.Listing(ws.pipelines.list_pipelines, "pipeline_id", "pipelines"),
+            generic.Listing(ws.serving_endpoints.list, "id", "serving-endpoints"),
             generic.Listing(generic.experiments_listing(ws), "experiment_id", "experiments"),
             generic.Listing(generic.models_listing(ws, num_threads), "id", "registered-models"),
             generic.Listing(generic.tokens_and_passwords, "object_id", "authorization"),

tests/integration/workspace_access/test_generic.py

@@ -411,3 +411,31 @@ def test_verify_permissions(ws, make_group, make_job, make_job_permissions):
     result = task()
 
     assert result
+
+
+@retried(on=[NotFound], timeout=timedelta(minutes=3))
+def test_endpoints(
+    ws, make_group, make_serving_endpoint, make_serving_endpoint_permissions
+):  # pylint: disable=invalid-name
+    group_a = make_group()
+    group_b = make_group()
+    endpoint = make_serving_endpoint()
+    make_serving_endpoint_permissions(
+        object_id=endpoint.response.id,
+        permission_level=PermissionLevel.CAN_MANAGE,
+        group_name=group_a.display_name,
+    )
+
+    generic_permissions = GenericPermissionsSupport(ws, [Listing(ws.serving_endpoints.list, "id", "serving-endpoints")])
+    before = generic_permissions.load_as_dict("serving-endpoints", endpoint.response.id)
+    assert before[group_a.display_name] == PermissionLevel.CAN_MANAGE
+
+    apply_tasks(
+        generic_permissions,
+        [
+            MigratedGroup.partial_info(group_a, group_b),
+        ],
+    )
+
+    after = generic_permissions.load_as_dict("serving-endpoints", endpoint.response.id)
+    assert after[group_b.display_name] == PermissionLevel.CAN_MANAGE

tests/unit/workspace_access/test_manager.py

@@ -214,6 +214,7 @@ def test_factory(mocker):
             "secrets",
             "entitlements",
             "roles",
+            'serving-endpoints',
             "ANY FILE",
             "FUNCTION",
             "ANONYMOUS FUNCTION",