01-05-2024 01:38 AM - edited 01-05-2024 01:41 AM
I’m having trouble accessing Ganglia UI on a job run cluster. The job run is executed by a service principal and I would like to enable the Ganglia UI view for a user/admin group in Databricks.
The error I get is: HTTP ERROR 403 PERMISSION_DENIED: Cannot use the cluster as user (my_email@email.com) must have at least 'Bind' permission on the service principal.
The situation occurs only during a job run; screenshots taken from Ganglia UI are accessible.

Following the documentation, I’ve tried to set the access_control_list property. When I set access_control_list to [{"user_name": "my_email@email.com", "permission_level": "CAN_VIEW"}], the request was accepted (200), but Ganglia UI is still not accessible. However, when I tried [{"user_name": "my_email@email.com", "permission_level": "CAN_BIND"}], I got Bad Request (400) and the message "Permission type not defined". https://docs.databricks.com/api/workspace/jobs/submit

Also, the CAN_BIND value is not described in this documentation: https://docs.databricks.com/en/security/auth-authz/access-control/jobs-acl.html so I'm a little confused.

I’m also not sure I have chosen the right path, since Ganglia UI can also belong to the cluster rather than to a job. Can you point me in the right direction?
01-11-2024 12:38 PM
Hi @arkadiuszr - can you please try the following steps and let us know?
To resolve this error, first you want to add your service principal to the workspace:
then bind your user to the service principal:
To grant this permission to users, the workflow is as follows:
$ vim grant-service-principal.json
{
  "access_control_list": [
    {
      "user_name": "{username}",
      "permission_level": "CAN_BIND"
    }
  ]
}
$ curl -X PATCH {DATABRICKS_HOST}/api/2.0/permissions/service-principals/{SP_ID} \
    --header "Content-type: application/json" \
    --header "Authorization: Bearer ${DATABRICKS_TOKEN}" \
    --data @grant-service-principal.json
Reference on Service Principal: https://docs.databricks.com/administration-guide/users-groups/service-principals.html#what-is-a-serv...
01-12-2024 06:45 AM - edited 01-12-2024 06:55 AM
Thank you for the time you spent to clarify a few things to me. Yes, it worked indeed, with one remark: {SP_ID} is not the GUID but a numeric one instead. To fetch it I had to make a call to the endpoint "api/2.0/preview/scim/v2/ServicePrincipals".
Do you know if there is a Terraform component that allows that? I've searched a little and couldn't find one.
01-16-2024 07:39 AM
@arkadiuszr - Can you please check the documentation for SP here for examples - https://docs.databricks.com/en/dev-tools/service-principals-tools-apis.html ?
01-18-2024 12:44 AM
Ok, there is no Terraform component that does that yet. https://docs.databricks.com/en/dev-tools/service-principals-tools-apis.html
Thanks
10-08-2024 05:38 PM
Thank you! We encountered the same issue, and your solution was very helpful in resolving it. We have a follow-up question: how can we revoke the permissions granted through this method using the REST API? I couldn’t find any REST API methods for revoking or deleting object permissions.