Databricks

100804 · ‎02-21-2024

I manage instance profiles assigned to specific user groups. For example, instance profile A provides access solely to group A. Currently, any user within group A has the ability to update the permissions of a cluster using instance profile A, which allows a user from outside group A to utilize the cluster and access instance profile A, contrary to the intended access restrictions on instance profile A.

Are there strategies to mitigate this risk and enhance security?

Kaniz · ‎02-22-2024

Hi @100804, Managing instance profiles in Databricks is crucial for maintaining security and access control.

Let’s explore some strategies to mitigate the risk you’ve described and enhance security:

Fine-Grained Access Control:
- Instance profiles define the permissions associated with clusters. When users deploy clusters, they gain the permissions defined by the instance profile.
- To restrict access, ensure that instance profiles are assigned carefully. Consider creating specific profiles for different user groups or use cases.
- For example, instead of having a single instance profile for all users in group A, create separate profiles for different subsets within group A.
Admin Settings Page:
- As a workspace admin, you can manage access to instance profiles using the admin settings page.
- Go to the admin settings page, click the Instance Profiles tab, and select the profile you want to update.
- Add or remove users, groups, or service principals associated with the instance profile.
- Alternatively, assign instance profiles directly to groups via the Identity and Access tab.
API-Based Management:
- Workspace admins can use workspace-level SCIM APIs to manage instance profile access.
- For instance, to grant a group access to an instance profile, use the following pattern:
```
curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/Groups/<group-id> \
--header 'Content-type: application/scim+json' \
--data @update-group.json
```
  Replace <group-id> with the group’s ID and <instance-profile-role-arn> with the Amazon Resource Name (ARN) of the instance profile role.
Edit Instance Profile Role ARN:
- If you’ve already created instance profiles, you can edit them to specify a different IAM role ARN.
- This allows you to update the permissions associated with the profile without creating a new one.
Best Practices for Security:
- Beyond instance profiles, consider other security practices:
  - Audit log delivery: Enable auditing to track changes and monitor activity.
  - Tagging and monitoring: Use tags to monitor usage and enable charge-back.
  - Overwatch: Monitor your workspace for security events.
  - Enhanced security monitoring: Implement additional security measures as needed.

Remember that security is an ongoing process.

Regularly review and adjust your access controls to align with your organization’s evolving needs an...¹ ² ³. 🛡️🔒

100804 · ‎02-22-2024

Hi @Kaniz,

Thank you for your guidance. I am following the strategies outlined in steps 1 and 2, and I remain concerned about a specific scenario.

Consider instance profile A, which is designed to grant access exclusively to group A. If user A, a member of group A, creates a cluster using instance profile A, they can modify the cluster's permissions, granting unauthorized access to user B, who is not part of group A.

I'd appreciate any additional insights or strategies to specifically address this risk. Thank you!

Databricks

Instance Profile Access Controls

Unity Catalog Lakeguard: Industry-first and only data governance for multi-user Apache™ Spark cluste

Announcing the General Availability of Databricks Asset Bundles

Register now and save 50% on training at Data + AI Summit!

How to successfully build GenAI applications

Meet DBRX, the New Standard for High-Quality LLMs