Databricks Unity Catalog jdbc access control
Question
I got all the setup and Unity Catalog working. But how can I give access to the DB's tables to external apps and respect Unity Catalog permissions? I mean the user that I created will be used in
jdbc:databricks://adb-xxxxxxxxxxxxx.8.azuredatabricks.net:443/default;transportMode=http;ssl=1;httpPath=sql/protocolv1/o/xxxxxxxxxxxxx/xxxxxxxx;AuthMech=3;UID=token;PWD=<personal-access-token>
but it seems like access tokens do not respect the Unity Catalog permissions setup. For example, I can alter data in DBeaver but my Unity Catalog permissions are only SELECT.
How to enable an external app to fetch data based on Unity Catalog permissions?
Answer 1
Score: 1
To enable an external app to fetch data based on Unity Catalog permissions, you can use the following steps:
- Create a catalog user or group in Unity Catalog.
- Grant the catalog user or group the appropriate permissions to the tables or views that you want the external app to be able to access.
- Configure the external app to use Azure Active Directory (Azure AD) to authorize requests to the tables or views.
Here are some links that you may find helpful:
- Manage privileges in Unity Catalog: https://docs.databricks.com/data-governance/unity-catalog/manage-privileges/index.html
- Manage external locations and storage credentials: https://docs.databricks.com/data-governance/unity-catalog/manage-external-locations-and-credentials.html
- Databricks Unity Catalog jdbc access control: https://stackoverflow.com/questions/76502882/databricks-unity-catalog-jdbc-access-control
Using Azure Active Directory:
Use Azure Active Directory (Azure AD) to authorize requests to table data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a service principal, which may be a user, group, or application service principal.
The service principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service.
Here are the steps that will help you:
- Create an application-specific user or service principal in your Azure Active Directory (AD) tenant. Here is the link to how to create an application-specific user or service principal in your Azure Active Directory (AD) tenant. This will help you with authorizing access to tables using Azure Active Directory.
- Grant the necessary permissions to this user or service principal in the Azure portal. These permissions should align with the desired access levels defined in your Unity Catalog permissions. The Manage privileges page below will help you. Here is how you manage privileges.
- Generate an access token for the application-specific user or service principal using Azure AD authentication. This token will be used to authenticate the external application when accessing the Unity Catalog's database tables, and as you said, access tokens generated in the UI are not AD based. Tokens are generated by the Databricks platform and are used to authenticate requests to the Databricks REST API. These tokens are not aware of the Azure AD permissions that you have set up in Unity Catalog.
- To enable external apps to fetch data based on Unity Catalog permissions, you can use Azure AD to authorize requests to table data. With Azure AD, you can use Azure RBAC to grant permissions.
- The documentation below shows how to get Azure AD tokens for service principals.
- Here is an example of how authentication works.
After the above setup is done, you can use the connection string in your external application to use the generated access token for authentication:
jdbc:databricks://adb-xxxxxxxxxxxxx.8.azuredatabricks.net:443/default;transportMode=http;ssl=1;httpPath=sql/protocolv1/o/xxxxxxxxxxxxx/xxxxxxxx;AuthMech=3;UID=token;PWD=<access-token>
Using the Azure AD-based access token in your connection string, the external application will be authenticated based on the permissions granted to the application-specific user or service principal in Azure AD.
This helps ensure that the Unity Catalog permissions are applied.
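As an added example (not part of the answer above), a small Python check that parses the JDBC URL shown and confirms it does what the answer recommends before an app connects: token authentication (AuthMech=3;UID=token) over TLS, with PWD holding an Azure AD token whose audience is Azure Databricks rather than a Databricks personal access token. DATABRICKS_AAD_AUDIENCE is the well-known Azure Databricks resource application ID; the JWT used for testing is constructed and unsigned, and the JWT claims are only decoded, never verified.

```python
import base64
import json
# Azure AD application ID of the Azure Databricks resource; AAD tokens issued for
# Databricks carry it in the "aud" claim (public, well-known value).
DATABRICKS_AAD_AUDIENCE = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"

def parse_jdbc_url(url: str) -> dict:
    """Split 'jdbc:databricks://host:port/schema;k=v;...' into a dict."""
    prefix = "jdbc:databricks://"
    if not url.startswith(prefix):
        raise ValueError("not a Databricks JDBC URL")
    hostpart, _, props = url[len(prefix):].partition(";")
    host, _, schema = hostpart.partition("/")
    parsed = {"host": host, "schema": schema}
    for item in filter(None, props.split(";")):
        key, _, value = item.partition("=")
        parsed[key] = value
    return parsed

def classify_token(token: str) -> dict:
    """Tell a Databricks PAT ('dapi...') from an Azure AD JWT and read its claims.
    The payload is only decoded, never signature-verified: a local sanity check."""
    if token.startswith("dapi"):
        return {"kind": "pat"}
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "unknown"}
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {"kind": "aad", "aud": claims.get("aud"), "sub": claims.get("sub")}

def check_url(url: str) -> list:
    """List what the answer above says to change; an empty list means OK."""
    p = parse_jdbc_url(url)
    problems = []
    if p.get("ssl") != "1":
        problems.append("ssl=1 is not set")
    if p.get("AuthMech") != "3" or p.get("UID") != "token":
        problems.append("expected AuthMech=3;UID=token for token authentication")
    tok = classify_token(p.get("PWD", ""))
    if tok["kind"] != "aad":
        problems.append("PWD is not an Azure AD token (kind=%s)" % tok["kind"])
    elif tok["aud"] != DATABRICKS_AAD_AUDIENCE:
        problems.append("token audience %r is not Azure Databricks" % tok["aud"])
    return problems

def make_constructed_jwt(claims: dict) -> str:
    """Build an UNSIGNED, constructed JWT for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"
```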