You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
-> Note This resource has an evolving API, which may change in the upcoming versions.
This resource manages data object access control lists in Databricks workspaces for things like tables, views, databases, and more. In order to enable Table Access control, you have to login to the workspace as administrator, go to Admin Console, pick Access Control tab, click on Enable button in Table Access Control section, and click Confirm. The security guarantees of table access control will only be effective if cluster access control is also turned on. Please make sure that no users can create clusters in your workspace and all databricks_cluster have approximately the following configuration:
The following resource definition will enforce access control on a table by executing the following SQL queries on a special auto-terminating cluster it would create for this operation:
SHOW GRANT ON TABLE `default`.`foo`
REVOKE ALL PRIVILEGES ON TABLE `default`.`foo` FROM ... every group and user that has access to it ...
GRANT MODIFY, SELECT ON TABLE `default`.`foo` TO `serge@example.com`
GRANT SELECT ON TABLE `default`.`foo` TO `special group`
The following arguments are available to specify the data object you need to enforce access controls on. You must specify only one of those arguments (except for table and view), otherwise resource creation will fail.
database - Name of the database. Has default value of default.
table - Name of the table. Can be combined with database.
view - Name of the view. Can be combined with database.
catalog - (Boolean) If this access control for the entire catalog. Defaults to false.
any_file - (Boolean) If this access control for reading any file. Defaults to false.
anonymous_function - (Boolean) If this access control for using anonymous function. Defaults to false.
privilege_assignments blocks
You must specify one or many privilege_assignments configuration blocks to declare privileges to a principal, which corresponds to display_name of databricks_group or databricks_user. Terraform would ensure that only those principals and privileges defined in the resource are applied for the data object and would remove anything else. It would not remove any transitive privileges. DENY statements are intentionally not supported. Every privilege_assignments has the following required arguments:
@alexott it's that SP test - started failing after ADAL updated to a more recent version. The problem is that it tries now to go and see if there's MSI endpoint available and fail otherwise. Does not really affect the normal case scenarios with Azure SP, though. Will test with make test-azsp.
hey @nfx does this use a shared cluster and what is the throughput of the changes? Quick question also around does parallelism cause any funky behavior when you are applying grants/denys? Typically in notebook everything is run sequentially.
nfx
changed the title
[RESOURCE] databricks_table_acl to manage data object access control lists
[RESOURCE] databricks_sql_permissions to manage data object access control lists
Apr 21, 2021
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
nfx
changed the title
subcategory: "Security"
databricks_sql_permissions Resource
-> Note This resource has an evolving API, which may change in the upcoming versions.
This resource manages data object access control lists in Databricks workspaces for things like tables, views, databases, and more. In order to enable Table Access control, you have to login to the workspace as administrator, go to
Admin Console, pickAccess Controltab, click onEnablebutton inTable Access Controlsection, and clickConfirm. The security guarantees of table access control will only be effective if cluster access control is also turned on. Please make sure that no users can create clusters in your workspace and all databricks_cluster have approximately the following configuration:Example Usage
The following resource definition will enforce access control on a table by executing the following SQL queries on a special auto-terminating cluster it would create for this operation:
SHOW GRANT ON TABLE `default`.`foo`REVOKE ALL PRIVILEGES ON TABLE `default`.`foo` FROM ... every group and user that has access to it ...GRANT MODIFY, SELECT ON TABLE `default`.`foo` TO `serge@example.com`GRANT SELECT ON TABLE `default`.`foo` TO `special group`Argument Reference
The following arguments are available to specify the data object you need to enforce access controls on. You must specify only one of those arguments (except for
tableandview), otherwise resource creation will fail.database- Name of the database. Has default value ofdefault.table- Name of the table. Can be combined withdatabase.view- Name of the view. Can be combined withdatabase.catalog- (Boolean) If this access control for the entire catalog. Defaults tofalse.any_file- (Boolean) If this access control for reading any file. Defaults tofalse.anonymous_function- (Boolean) If this access control for using anonymous function. Defaults tofalse.privilege_assignmentsblocksYou must specify one or many
privilege_assignmentsconfiguration blocks to declareprivilegesto aprincipal, which corresponds todisplay_nameof databricks_group or databricks_user. Terraform would ensure that only those principals and privileges defined in the resource are applied for the data object and would remove anything else. It would not remove any transitive privileges.DENYstatements are intentionally not supported. Everyprivilege_assignmentshas the following required arguments:principal-display_nameof databricks_group or databricks_user.privileges- set of available privilege names in upper case.Available privilege names are:
SELECT- gives read access to an object.CREATE- gives the ability to create an object (for example, a table in a database).MODIFY- gives the ability to add, delete, and modify data to or from an object.USAGE- do not give any abilities, but is an additional requirement to perform any action on a database object.READ_METADATA- gives the ability to view an object and its metadata.CREATE_NAMED_FUNCTION- gives the ability to create a named UDF in an existing catalog or database.MODIFY_CLASSPATH- gives the ability to add files to the Spark class path.ALL PRIVILEGES- gives all privileges (is translated into all the above privileges).Import
The resource can be imported using a synthetic identifier. Examples of valid synthetic identifiers are:
table/default.foo- tablefooin adefaultdatabase. Database is always mandatory.view/bar.foo- viewfooinbardatabase.database/bar-bardatabase.catalog/- entire catalog./suffix is mandatory.any file/- direct access to any file./suffix is mandatory.anonymous function/- anonymous function./suffix is mandatory.