topic Service Account Access granted still getting as User does not have USE SCHEMA on Schema in Data Engineering

Service Account Access granted still getting as User does not have USE SCHEMA on Schema

raghunathr — Wed, 07 Aug 2024 22:50:26 GMT

Hi All,

We have ran into scenario, where Azure Data Factory connecting to Azure Data Bricks through linkedServices,

Where its trying to connect with System Assigned Managed Identity (SAMI).

Specific SAMI added to compute and unity catalog for usage.

show grants `6b3xxxx-0xx9-4xx4-axx9-bxxxxxxbc` on schema dev.uef_db; ----------------------------- Principal ActionType ObjectType ObjectKey 6b3xxxx-0xx9-4xx4-axx9-bxxxxxxbc USE SCHEMA CATALOG dev

But, still when we try to query or execute any notebooks from ADF LinkedServices (compute/delta lake connector)

User does not have USE SCHEMA on Schema 'dev.uef_db'. SQLSTATE: 42501

Any idea, where we missing permissions.

Thanks in Advance.

Re: Service Account Access granted still getting as User does not have USE SCHEMA on Schema

Retired_mod — Fri, 09 Aug 2024 11:34:51 GMT

Hi @raghunathr, To resolve this, ensure the SAMI has the necessary permissions on both the Databricks workspace and Unity Catalog, particularly the USE SCHEMA permission on dev.uef_db, and confirm it has the Contributor role in Databricks. Also, verify that the ADF linked service is configured to use SAMI for authentication, and consider granting additional permissions like SELECT, INSERT, UPDATE, and DELETE if needed. Finally, review Databricks access control to ensure proper SAMI access to compute resources and the Unity Catalog.

Re: Service Account Access granted still getting as User does not have USE SCHEMA on Schema

raghunathr — Sat, 10 Aug 2024 21:00:55 GMT

Thanks @Retired_mod .. We found issue. SAMI given permission but it was managed and registered MI instead of using application/object id we were using MI directly. Its solved.

Re: Service Account Access granted still getting as User does not have USE SCHEMA on Schema

raghunathr — Mon, 12 Aug 2024 21:21:55 GMT

Still we have trouble on external_storage location now.

That specific Managed Identity which added to Databricks Resource now got everything needed for Unity Catalog DEV/Tables. But, Even in External Location that SPN added but still getting error as

py4j.protocol.Py4JJavaError: An error occurred while calling o513.load. : com.databricks.sql.managedcatalog.acl.UnauthorizedAccessException: PERMISSION_DENIED: User does not have READ FILES on External Location 'dev_raw_b002'.

Any idea where its going wrong again ? @Retired_mod