Using logged in user's identity in Databricks Apps
12-27-2024 06:17 AM
Hi Databricks Community, I recently started using Databricks Apps, where I list some schemas and tables in the UI.
What I explicitly want to do is only show the schemas and tables on which the user actually has permission. Currently the Databricks app would use its own identity; moreover, in the headers I do receive the email and username, but I don't have any access token which might be used for user impersonation.
Do let me know if I could achieve it.
12-27-2024 06:30 AM
To display only the schemas and tables on which a user has permission in Databricks Apps, you need to manage permissions effectively. Here are the steps and considerations based on the provided context:

Service Principal for Authorization:
- When a Databricks app is created, a service principal is automatically assigned to the app. This service principal is used to authenticate and authorize access to resources within the workspace, such as SQL warehouses, model serving endpoints, or securable objects in Unity Catalog.
- If the service principal requires access to additional resources (e.g., tables or workspace files), an account or workspace admin must grant the necessary permissions to the service principal. This follows the principle of least privilege, ensuring that the service principal only has the minimal permissions required.

Managing Permissions:
- To manage the app's permissions, you must have the CAN MANAGE or IS OWNER permission. On the app details page, you can configure permissions by selecting the user, group, or service principal and assigning the appropriate permissions.
- Permissions can be managed through the Databricks Apps UI, where you can add or modify permissions for users, groups, or service principals.
12-27-2024 06:47 AM
Hi @Walter_C, thanks for the quick reply. I understood the functioning of the above-stated Service Principal and Permission Management.
In my scenario, I have a schema 'S' with table T1 (user U1 - Read, user U2 - Read permission) and T2 (user U1 - Read permission). Now if I assign the Databricks app's service principal as owner on schema "S", it will let both user U1 and U2 access tables T1 and T2.
What I am searching for is a way to validate whether the user logged in to the Databricks app actually has access to the table or any other object before accessing it. Currently I can first get the permissions list for the table and check if the logged-in user's email ID is in the list. But I wanted to check if there can be any better way.
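The check described in the post above (read the table's permissions, then look for the signed-in user), written out as an added example; this is not code from the thread or from Databricks. It assumes, as the thread does, that the app runs behind the Databricks Apps proxy, which forwards the user's identity in the X-Forwarded-Email header, and that the app's service principal owns schema S and can therefore read the effective permissions on its tables. Two things the post's email-only lookup would miss are handled: privileges a user holds through a group, and privileges inherited from the parent schema or catalog (the effective-permissions endpoint returns the latter). The core check is pure Python over constructed sample data so it runs offline; the two functions that call the Databricks SDK are imported lazily and are not exercised here. The table name, principal names and group name in the sample are constructed.

```python
"""Decide which Unity Catalog tables the signed-in Databricks Apps user may read.

Added example, not code from the thread. The app still reads data as its own
service principal, so this check must run on every data path, not only when
building the listing; otherwise the app is a confused deputy.
"""
from dataclasses import dataclass, field
from typing import Iterable, Mapping

# UC privileges that allow reading rows; ALL_PRIVILEGES implies SELECT.
READ_PRIVILEGES = frozenset({"SELECT", "ALL_PRIVILEGES"})


@dataclass(frozen=True)
class Assignment:
    """One row of an effective-permissions response, flattened to plain strings
    (mirrors the SDK's EffectivePrivilegeAssignment: principal + privileges)."""
    principal: str
    privileges: frozenset = field(default_factory=frozenset)


def user_from_headers(headers: Mapping[str, str]) -> str:
    """Signed-in user as forwarded by the Databricks Apps proxy (X-Forwarded-Email).

    HTTP header names are case-insensitive, so match without regard to case.
    Fail closed if the header is missing: falling back would silently serve the
    request under the app's own identity.
    """
    for name, value in headers.items():
        if name.lower() == "x-forwarded-email" and value.strip():
            return value.strip().lower()
    raise PermissionError("no forwarded user identity on request")


def can_read(assignments: Iterable[Assignment], principals: Iterable[str]) -> bool:
    """True if any of `principals` (the user's email plus their group names)
    holds a read privilege. Matching the email alone, as in the post, misses
    grants made to groups, so the caller passes the groups too."""
    wanted = {p.lower() for p in principals}
    return any(
        a.principal.lower() in wanted and bool(a.privileges & READ_PRIVILEGES)
        for a in assignments
    )


def visible_tables(principals: Iterable[str], tables: Mapping[str, list]) -> list:
    """Names of the tables the user may read: what the app's listing should show."""
    names = list(principals)
    return [name for name, assigns in tables.items() if can_read(assigns, names)]


def fetch_assignments(full_name: str) -> list:
    """Effective permissions on a table via the Databricks SDK (runs as the app's SP).
    Effective permissions include privileges inherited from schema and catalog."""
    from databricks.sdk import WorkspaceClient  # lazy: not needed offline
    from databricks.sdk.service.catalog import SecurableType

    resp = WorkspaceClient().grants.get_effective(SecurableType.TABLE, full_name)
    return [
        Assignment(pa.principal or "",
                   frozenset(p.privilege.value for p in pa.privileges or [] if p.privilege))
        for pa in resp.privilege_assignments or []
    ]


def fetch_principals(email: str) -> list:
    """The user's email plus display names of the groups they belong to (SCIM)."""
    from databricks.sdk import WorkspaceClient  # lazy: not needed offline

    names = [email]
    for u in WorkspaceClient().users.list(filter=f"userName eq '{email}'", attributes="groups"):
        names.extend(g.display for g in u.groups or [] if g.display)
    return names


# Constructed sample mirroring the post: U1 and U2 read T1, only U1 reads T2,
# plus a group grant on T1 and the app's own SP (placeholder id) owning both.
SAMPLE_TABLES = {
    "S.T1": [
        Assignment("u1@example.com", frozenset({"SELECT"})),
        Assignment("u2@example.com", frozenset({"SELECT"})),
        Assignment("analysts", frozenset({"SELECT"})),
        Assignment("app-sp-placeholder", frozenset({"ALL_PRIVILEGES"})),
    ],
    "S.T2": [
        Assignment("u1@example.com", frozenset({"SELECT"})),
        Assignment("app-sp-placeholder", frozenset({"ALL_PRIVILEGES"})),
    ],
}

if __name__ == "__main__":
    user = user_from_headers({"X-Forwarded-Email": "U2@Example.com"})
    print(user, visible_tables([user], SAMPLE_TABLES))
```

In the app itself, `fetch_principals(user_from_headers(request.headers))` and `fetch_assignments(table)` replace the sample data; the listing shows only `visible_tables(...)`, and the same `can_read` result gates every query the app runs on the user's behalf. Note that the service principal's own ALL_PRIVILEGES row is present in the response but never matches the user's principals, which is exactly why the lookup must be keyed on the forwarded identity rather than on whatever the app itself can see.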

