Databricks Community

Subratpanigrahi · ‎03-11-2024

Hello all,

We have encountered a problem while running a notebook on a unity catalog cluster by using Azure data factory managed identity. When we add the managed identity directly to the unity catalog table it’s working but if we add the managed identity within a group that has same permissions to the table it fails with insufficient error priveledge. Does anyone know why unity catalog is unable to identify the managed identity within a Azure Active Directory group? Thanks

# unity catalog

Kaniz · ‎03-13-2024

Hi @Subratpanigrahi, Let’s delve into the issue you’re facing with Unity Catalog and Azure Data Factory managed identities.

Managed Identities in Unity Catalog:
- Unity Catalog can be configured to use an Azure-managed identity to access storage containers on behalf of Unity Catalog users.
- These managed identities provide an identity for applications when connecting to resources that support Microsoft Enterprise ID (formerly Azure Active Directory) authentication.
- You can use managed identities in Unity Catalog for two primary use cases:
  - As an identity to connect to the metastore’s managed storage accounts (where managed tables are stored).
  - As an identity to connect to other external storage accounts (for file-based access or accessing existing datasets through external tables).
Benefits of Managed Identities:
- Managed identities offer several advantages over service principals:
  - No need to maintain credentials or rotate secrets.
  - If your Azure Databricks workspace is deployed in your own VNet (VNet injection), you can use the managed identity to connect to a protected Azure data lake Storage Gen2 account.
  - Note that storage firewalls are not supported in standard Azure Databricks deployments.
Configuring Managed Identity for Unity Catalog:
- Here are the steps to configure a managed identity for Unity Catalog:
  1. Create an Access Connector for Azure Databricks:
    - This connector allows you to connect managed identities to an Azure Databricks account.
    - By default, it deploys with a system-assigned managed identity, but you can also attach a user-assigned managed identity.
  2. Grant Access to Azure Data Lake Storage Gen2:
    - The managed identity must have the necessary permissions on your storage account.
    - The user or service principal creating the access connector should be a Contributor or Owner of an Azure resource group.
    - The user or service principal granting the managed identity access to the storage account should be an Owner or have the User Access Administrator Azure RBAC role on the storage account.
Troubleshooting Insights:
- If you encounter issues, consider the following:
  - Access Connector Permissions: Ensure that the access connector has the right role and permissions.
  - Storage Firewall: Check for any storage firewall issues.
  - Storage Credentials: Verify that the correct storage credentials or Spark Azure keys are being used.
Catalog Permissions Management:
- In your Azure Databricks workspace, you can manage Unity Catalog permissions via the Catalog Explorer:
  - Click Catalog.
  - Select the object (catalog, schema, table, or view).
  - Go to the Permissions tab to manage privileges granted to users, service principals, or groups.

Hopefully, this information helps you troubleshoot the issue. If you need further assistance, feel free to ask! 😊

For more detailed instructions, refer to the official documentation ¹.

Databricks Community

Unity catalog unable to identify Managed Identity

Earn swag at the User Community Booth at Data & AI Summit 2024!

Get Certified at Data & AI Summit and Earn this Exclusive Databricks Jacket

Databricks Test Drives - Get Help

Databricks Learning Festival (Virtual): 10 July - 24 July 2024