cancel
Showing results for 
Search instead for 
Did you mean: 
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 

Instance Profile Access Controls

100804
New Contributor II

I manage instance profiles assigned to specific user groups. For example, instance profile A provides access solely to group A. Currently, any user within group A has the ability to update the permissions of a cluster using instance profile A, which allows a user from outside group A to utilize the cluster and access instance profile A, contrary to the intended access restrictions on instance profile A.

Are there strategies to mitigate this risk and enhance security?

2 REPLIES 2

Kaniz_Fatma
Community Manager
Community Manager

Hi @100804Managing instance profiles in Databricks is crucial for maintaining security and access control.

Let’s explore some strategies to mitigate the risk you’ve described and enhance security:

  1. Fine-Grained Access Control:

    • Instance profiles define the permissions associated with clusters. When users deploy clusters, they gain the permissions defined by the instance profile.
    • To restrict access, ensure that instance profiles are assigned carefully. Consider creating specific profiles for different user groups or use cases.
    • For example, instead of having a single instance profile for all users in group A, create separate profiles for different subsets within group A.
  2. Admin Settings Page:

    • As a workspace admin, you can manage access to instance profiles using the admin settings page.
    • Go to the admin settings page, click the Instance Profiles tab, and select the profile you want to update.
    • Add or remove users, groups, or service principals associated with the instance profile.
    • Alternatively, assign instance profiles directly to groups via the Identity and Access tab.
  3. API-Based Management:

    • Workspace admins can use workspace-level SCIM APIs to manage instance profile access.
    • For instance, to grant a group access to an instance profile, use the following pattern:
      curl --netrc -X PATCH \
      https://<databricks-instance>/api/2.0/preview/scim/v2/Groups/<group-id> \
      --header 'Content-type: application/scim+json' \
      --data @update-group.json
      
      Replace <group-id> with the group’s ID and <instance-profile-role-arn> with the Amazon Resource Name (ARN) of the instance profile role.
  4. Edit Instance Profile Role ARN:

    • If you’ve already created instance profiles, you can edit them to specify a different IAM role ARN.
    • This allows you to update the permissions associated with the profile without creating a new one.
  5. Best Practices for Security:

    • Beyond instance profiles, consider other security practices:
      • Audit log delivery: Enable auditing to track changes and monitor activity.
      • Tagging and monitoring: Use tags to monitor usage and enable charge-back.
      • Overwatch: Monitor your workspace for security events.
      • Enhanced security monitoring: Implement additional security measures as needed.

Remember that security is an ongoing process.

Regularly review and adjust your access controls to align with your organization’s evolving needs an...123. 🛡🔒

100804
New Contributor II

 

Hi @Kaniz_Fatma,

Thank you for your guidance. I am following the strategies outlined in steps 1 and 2, and I remain concerned about a specific scenario.

Consider instance profile A, which is designed to grant access exclusively to group A. If user A, a member of group A, creates a cluster using instance profile A, they can modify the cluster's permissions, granting unauthorized access to user B, who is not part of group A.

I'd appreciate any additional insights or strategies to specifically address this risk. Thank you!

Join 100K+ Data Experts: Register Now & Grow with Us!

Excited to expand your horizons with us? Click here to Register and begin your journey to success!

Already a member? Login and join your local regional user group! If there isn’t one near you, fill out this form and we’ll create one for you to join!