如何使用REST API编辑Databricks查询的权限?

huangapple go评论66阅读模式
英文:

How to edit permissions of Databricks queries with REST API?

问题

  1. 目前可以通过编程方式在(Azure)Databricks 中更改查询权限吗?
  2. 如果可以,应该如何操作?
英文:

I am trying to give CAN_MANAGE permission to other users for a given set of SQL queries on Azure Databricks.

Browsing Databricks REST API reference, under the Databricks SQL > ACL / Permissions section there are both Get object ACL and Set object ACL endpoints available.

I am able to use the Get object ACL to return the current permissions however, using the Set object ACL does not work.

After further investigation I find that the docs state that:

> The SQL Permissions API is similar to the endpoints of the Permissions/Set. However, this exposes only one endpoint, which gets the Access Control List for a given object. You cannot modify any permissions using this API.
>
> There are three levels of permission:
>
> CAN_VIEW: Allows read-only access
>
> CAN_RUN: Allows read access and run access (superset of CAN_VIEW)
>
> CAN_MANAGE: Allows all actions: read, run, edit, delete, modify permissions (superset of CAN_RUN)

As such, I then moved to try the Identity and Access Management > Permissions APIs however both Get object permissions and Set permissions rely upon passing a request_object_type value.

Looking at the documentation it seems that queries aren't supported:

> The Permissions API lets you manage permissions for:
>
> - Clusters
> - Cluster policies
> - Delta Live Tables
> - pipelines
> - Directories
> - Jobs
> - MLflow experiments
> - MLflow registered models
> - Notebooks
> - Pools
> - Repos
> - Databricks SQL warehouses
> - Tokens

Payload:

request_object_id = <QUERY_ID>
request_object_type = "sql/queries" # Tested these values also: "queries", "sql_query_id", "query"
generic_permissions_url = f"https://<DATABRICKS_HOST>/api/2.0/permissions/{request_object_type}/{request_object_id}"

generic_permissions_url_response_get = requests.get(generic_permissions_url, headers=HEADERS)

if generic_permissions_url_response_get.status_code == 200:
    print('Data retrieved succesfully.')
    generic_permissions_url_get_parsed = json.loads(generic_permissions_url_response_get.text)
else:
    print('Error retrieving data: ', generic_permissions_url_response_get.text)

Response:

Error retrieving data:  {"error_code":"BAD_REQUEST","message":"Invalid Object Type"}

As such:

  1. Is it currently possible to alter query permissions programmatically in (Azure) Databricks?
  2. If so, how?

答案1

得分: 1

如果你查看对应的文档部分,你会看到你需要使用另一个URL:/api/2.0/preview/sql/permissions/{objectType}/{objectId},而不是/api/2.0/permissions/{objectType}/{objectId}。另外,objectType 应该是 queries,而不是 sql/queries。以下是一个使用curl获取查询的可用命令:

curl -s -H "Authorization: Bearer $DATABRICKS_TOKEN" -H 'Accept: application/json' 
  "$DATABRICKS_HOST/api/2.0/preview/sql/permissions/queries/$QUERY_ID"

返回:

{
  "object_id": "queries/<....>",
  "object_type": "query",
  "access_control_list": [
    {
      "user_name": "....@domain.com",
      "permission_level": "CAN_MANAGE"
    },
    {
      "group_name": "users",
      "permission_level": "CAN_VIEW"
    },
    {
      "group_name": "admins",
      "permission_level": "CAN_MANAGE"
    }
  ]
}
英文:

If you look into corresponding documentation section, then you will see that you need to use another URL: /api/2.0/preview/sql/permissions/{objectType}/{objectId} instead of /api/2.0/permissions/{objectType}/{objectId}. Also, objectType should be queries, not the sql/queries. Here is a working command for getting queries using curl:

curl -s -H "Authorization: Bearer $DATABRICKS_TOKEN" -H 'Accept: application/json' 
  "$DATABRICKS_HOST/api/2.0/preview/sql/permissions/queries/$QUERY_ID"

gives:

{
  "object_id": "queries/<....>",
  "object_type": "query",
  "access_control_list": [
    {
      "user_name": "....@domain.com",
      "permission_level": "CAN_MANAGE"
    },
    {
      "group_name": "users",
      "permission_level": "CAN_VIEW"
    },
    {
      "group_name": "admins",
      "permission_level": "CAN_MANAGE"
    }
  ]
}

huangapple
  • 本文由 发表于 2023年5月22日 21:16:59
  • 转载请务必保留本文链接:https://go.coder-hub.com/76306596.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定