cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enforcing developers to use something like a single user cluster

noorbasha534
Valued Contributor

‎03-27-2025 03:05 PM

Dear all

we have a challenge. Developers create/recreate tables/views in PRD environment by running notebooks on all-purpose clusters where as the same notebooks already exist as jobs. Not sure, why the developers feel comfortable in using all-purpose clusters. The point now is that the objects get created/recreated with individual ids as owner and that is breaking our data flows as well as consumption flows at times, resulting into chaos. Had been created/recreated by a job, as the job runs as a service principal, and we want that service principal to be the owner of the objects in PRD env.

Any ideas on how i can overcome this obstacle? Can we use single user all-purpose clusters (with a service principal) be used by different individuals while invoking notebooks?

Appreciate any thoughts..

0 Kudos
2 REPLIES 2

Stefan-Koch
Valued Contributor II

‎03-27-2025 10:19 PM

Hi @noorbasha534 

I think the problem lies deeper, in the way you have set up your CI/CD process. No developer should be able to create any views and/or tables directly in PRD. This development work should only take place in DEV. The objects are then tested in Staging/QA and then automatically deployed to PRD. Deployment to Staging/UAT and PRD takes place automatically, for example with asset bundles.

You can find more information about asset bundles here: https://docs.databricks.com/aws/en/dev-tools/bundles/

If this process is set up correctly, you revoke the rights of all developers in PRD and thus protect your environment.

You can also create cluster policies that restrict the creation of clusters in Dev according to your requirements: https://docs.databricks.com/aws/en/admin/clusters/policies

0 Kudos

noorbasha534
Valued Contributor

‎03-28-2025 03:08 AM

Hi Stefan, exactly, we have the same. the CI/CD process invokes jobs that run as service principal. So far, so good. But, please note that not all situations would fall under this ideal case. There will be cases wherein I have to recreate 50 views out of 10000 I have. So, then the developer acquires special access, and is expected to run the job with parameters passed to just recreate those 50 views. However, developers resort to all-purpose clusters and run that views recreation notebook and then their id becomes owner of the object

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements