topic Access Control in hive_metastore Based on Cluster Type in Data Engineering https://community.databricks.com/t5/data-engineering/access-control-in-hive-metastore-based-on-cluster-type/m-p/39481#M26992 <P>Hello Databricks Community, I asked the same question on the Get Started Discussion page but feels like here is the right place for this question.&nbsp;</P><P>I'm reaching out with a query regarding access control in the hive_metastore. I've encountered behavior that I'd like to understand better and potentially address.</P><P>To illustrate the situation:</P><UL><LI>I've set up three users for testing purposes: admin, dataengineer1, and dataanalyst1.</LI><LI>The admin user granted permissions to dataengineer1 for three specific tables: circuits, country_regions, and results.</LI></UL><P><STRONG>Case 1:</STRONG><SPAN>&nbsp;</SPAN>When using SQL Warehouse (as seen in the screenshot, labeled as serverless-sql-wh) or a Cluster with shared Access mode, dataengineer1 can only view the tables they have permissions for. This is the expected behavior.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DeltaTrain_0-1691618617261.png" style="width: 791px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/3110i28A278FDB186CD90/image-dimensions/791x182?v=v2" width="791" height="182" role="button" title="DeltaTrain_0-1691618617261.png" alt="DeltaTrain_0-1691618617261.png" /></span></P><P>&nbsp;</P><P><STRONG>Case 2:</STRONG><SPAN>&nbsp;However, when a Single User Access mode cluster is activated (in the screenshot, labeled as&nbsp;</SPAN>dataengineer1@d...<SPAN>),&nbsp;</SPAN>dataengineer1<SPAN>&nbsp;can view all schemas and tables. This is not the desired behavior.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DeltaTrain_1-1691618617263.png" style="width: 801px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/3111i42C384415EFD4126/image-dimensions/801x263?v=v2" width="801" height="263" role="button" title="DeltaTrain_1-1691618617263.png" alt="DeltaTrain_1-1691618617263.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P>I'm hoping to find a solution that ensures even in Single User Access Mode, users can only access Schemas and Tables for which they have permission.</P><P>Any insights or suggestions would be greatly appreciated. I value the expertise of this community and look forward to your responses.</P><P>Thank you,</P><P>DeltaTrain</P></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Wed, 09 Aug 2023 22:05:39 GMT DeltaTrain 2023-08-09T22:05:39Z Access Control in hive_metastore Based on Cluster Type https://community.databricks.com/t5/data-engineering/access-control-in-hive-metastore-based-on-cluster-type/m-p/39481#M26992 <P>Hello Databricks Community, I asked the same question on the Get Started Discussion page but feels like here is the right place for this question.&nbsp;</P><P>I'm reaching out with a query regarding access control in the hive_metastore. I've encountered behavior that I'd like to understand better and potentially address.</P><P>To illustrate the situation:</P><UL><LI>I've set up three users for testing purposes: admin, dataengineer1, and dataanalyst1.</LI><LI>The admin user granted permissions to dataengineer1 for three specific tables: circuits, country_regions, and results.</LI></UL><P><STRONG>Case 1:</STRONG><SPAN>&nbsp;</SPAN>When using SQL Warehouse (as seen in the screenshot, labeled as serverless-sql-wh) or a Cluster with shared Access mode, dataengineer1 can only view the tables they have permissions for. This is the expected behavior.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DeltaTrain_0-1691618617261.png" style="width: 791px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/3110i28A278FDB186CD90/image-dimensions/791x182?v=v2" width="791" height="182" role="button" title="DeltaTrain_0-1691618617261.png" alt="DeltaTrain_0-1691618617261.png" /></span></P><P>&nbsp;</P><P><STRONG>Case 2:</STRONG><SPAN>&nbsp;However, when a Single User Access mode cluster is activated (in the screenshot, labeled as&nbsp;</SPAN>dataengineer1@d...<SPAN>),&nbsp;</SPAN>dataengineer1<SPAN>&nbsp;can view all schemas and tables. This is not the desired behavior.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DeltaTrain_1-1691618617263.png" style="width: 801px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/3111i42C384415EFD4126/image-dimensions/801x263?v=v2" width="801" height="263" role="button" title="DeltaTrain_1-1691618617263.png" alt="DeltaTrain_1-1691618617263.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P>I'm hoping to find a solution that ensures even in Single User Access Mode, users can only access Schemas and Tables for which they have permission.</P><P>Any insights or suggestions would be greatly appreciated. I value the expertise of this community and look forward to your responses.</P><P>Thank you,</P><P>DeltaTrain</P></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Wed, 09 Aug 2023 22:05:39 GMT https://community.databricks.com/t5/data-engineering/access-control-in-hive-metastore-based-on-cluster-type/m-p/39481#M26992 DeltaTrain 2023-08-09T22:05:39Z Re: Access Control in hive_metastore Based on Cluster Type https://community.databricks.com/t5/data-engineering/access-control-in-hive-metastore-based-on-cluster-type/m-p/44495#M27664 <P>That is expected. The single user mode is the legacy standard + UC ACL enabled.&nbsp;<A href="https://docs.databricks.com/en/archive/compute/cluster-ui-preview.html#how-does-backward-compatibility-work-with-these-changes" target="_blank">https://docs.databricks.com/en/archive/compute/cluster-ui-preview.html#how-does-backward-compatibility-work-with-these-changes</A></P> <P>For your case, you need the hive table acl enabled to restrict the list schemas and list table actions.&nbsp;</P> <P>You can add below two spark conf to enabled the hive metastore ACL:</P> <LI-CODE lang="java">spark.databricks.acl.dfAclsEnabled true spark.databricks.repl.allowedLanguages python,sql</LI-CODE> <P>&nbsp;</P> Tue, 12 Sep 2023 18:44:43 GMT https://community.databricks.com/t5/data-engineering/access-control-in-hive-metastore-based-on-cluster-type/m-p/44495#M27664 User16752239289 2023-09-12T18:44:43Z