<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using logged in user's identity in Databricks Apps in Administration &amp; Architecture</title>
    <link>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/103315#M2606</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/88823"&gt;@Walter_C&lt;/a&gt;, thanks for the quick reply. I understood the functioning of the above-stated Service Principal and Permission Management.&lt;/P&gt;&lt;P&gt;In my scenario, I have a schema 'S' with table T1 (user U1: Read permission, user U2: Read permission) and T2 (user U1: Read permission). Now if I assign the Databricks app's service principal as owner on schema "S", it will let both user U1 and U2 access tables T1 and T2.&lt;/P&gt;&lt;P&gt;What I am searching for is a way to validate whether the user logged in to the Databricks app actually has access to the table or any other object before accessing it. Currently I can first get the permissions list for the table and check whether the logged-in user's email ID is in the list. But I wanted to check if there can be any better way.&lt;/P&gt;</description>
    <pubDate>Fri, 27 Dec 2024 14:47:44 GMT</pubDate>
    <dc:creator>vishwas7</dc:creator>
    <dc:date>2024-12-27T14:47:44Z</dc:date>
    <item>
      <title>Using logged in user's identity in Databricks Apps</title>
      <link>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/103304#M2602</link>
      <description>&lt;P&gt;Hi Databricks Community, I recently started using Databricks Apps, where I list some schemas and tables in the UI.&lt;/P&gt;&lt;P&gt;What I explicitly want to do is show only the schemas and tables on which the user actually has permission. Currently the Databricks app uses its own identity; moreover, in the headers I do receive the email and username, but I don't have any access token which might be used for user impersonation.&lt;/P&gt;&lt;P&gt;Do let me know if I could achieve it.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Dec 2024 14:17:10 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/103304#M2602</guid>
      <dc:creator>vishwas7</dc:creator>
      <dc:date>2024-12-27T14:17:10Z</dc:date>
    </item>
    <item>
      <title>Re: Using logged in user's identity in Databricks Apps</title>
      <link>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/103309#M2605</link>
      <description>&lt;P class="_1t7bu9h1 paragraph"&gt;&lt;SPAN&gt;To display only the schemas and tables on which a user has permission in Databricks Apps, you need to manage permissions effectively. Here are the steps and considerations based on the provided context:&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;
&lt;P class="_1t7bu9h1 paragraph"&gt;&lt;STRONG&gt;Service Principal for Authorization&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL class="_1t7bu9h7 _1t7bu9h2"&gt;
&lt;LI&gt;&lt;SPAN&gt;When a Databricks app is created, a service principal is automatically assigned to the app. This service principal is used to authenticate and authorize access to resources within the workspace, such as SQL warehouses, model serving endpoints, or securable objects in Unity Catalog.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;If the service principal requires access to additional resources (e.g., tables or workspace files), an account or workspace admin must grant the necessary permissions to the service principal. This follows the principle of least privilege, ensuring that the service principal only has the minimal permissions required.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P class="_1t7bu9h1 paragraph"&gt;&lt;STRONG&gt;Managing Permissions&lt;/STRONG&gt;:&lt;/P&gt;
&lt;UL class="_1t7bu9h7 _1t7bu9h2"&gt;
&lt;LI&gt;&lt;SPAN&gt;To manage the app’s permissions, you must have the &lt;CODE&gt;CAN MANAGE&lt;/CODE&gt; or &lt;CODE&gt;IS OWNER&lt;/CODE&gt; permission. On the app details page, you can configure permissions by selecting the user, group, or service principal and assigning the appropriate permissions.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Permissions can be managed through the Databricks Apps UI, where you can add or modify permissions for users, groups, or service principals.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Fri, 27 Dec 2024 14:30:16 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/103309#M2605</guid>
      <dc:creator>Walter_C</dc:creator>
      <dc:date>2024-12-27T14:30:16Z</dc:date>
    </item>
    <item>
      <title>Re: Using logged in user's identity in Databricks Apps</title>
      <link>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/103315#M2606</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/88823"&gt;@Walter_C&lt;/a&gt;, thanks for the quick reply. I understood the functioning of the above-stated Service Principal and Permission Management.&lt;/P&gt;&lt;P&gt;In my scenario, I have a schema 'S' with table T1 (user U1: Read permission, user U2: Read permission) and T2 (user U1: Read permission). Now if I assign the Databricks app's service principal as owner on schema "S", it will let both user U1 and U2 access tables T1 and T2.&lt;/P&gt;&lt;P&gt;What I am searching for is a way to validate whether the user logged in to the Databricks app actually has access to the table or any other object before accessing it. Currently I can first get the permissions list for the table and check whether the logged-in user's email ID is in the list. But I wanted to check if there can be any better way.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Dec 2024 14:47:44 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/103315#M2606</guid>
      <dc:creator>vishwas7</dc:creator>
      <dc:date>2024-12-27T14:47:44Z</dc:date>
    </item>
    <item>
      <title>Re: Using logged in user's identity in Databricks Apps</title>
      <link>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/123023#M3527</link>
      <description>&lt;P&gt;&lt;A href="https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#retrieve-user-authorization-credentials" target="_blank"&gt;https://docs.databricks.com/aws/en/dev-tools/databricks-apps/auth#retrieve-user-authorization-credentials&lt;/A&gt;: they launched this recently to support user identity in Databricks Apps.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Jun 2025 04:33:04 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/using-logged-in-user-s-identity-in-databricks-apps/m-p/123023#M3527</guid>
      <dc:creator>samlauncher</dc:creator>
      <dc:date>2025-06-27T04:33:04Z</dc:date>
    </item>
  </channel>
</rss>

