Databricks Community

samlexrod · ‎07-18-2024

I am trying to create an online table in a Unity catalog. However, I get a GET, 403 error.

DataPlaneException: Failed to start the DLT service on cluster . Please check the stack trace below or driver logs for more details.
com.databricks.pipelines.execution.service.UCContextInitializationException: Failed to initialize the UCContext
com.databricks.pipelines.common.CustomException: [DLT ERROR CODE: EXECUTION_SERVICE_STARTUP_FAILURE.STORAGE_PERMISSION_ISSUE] Operation failed: "This request is not authorized to perform this operation.", 403, GET

This error only happens when I set my ADLS Gen 2 Networking Public network access settings to Enabled from selected virtual networks and IP addresses.
The online table gets created When I Enable it from all networks.

I have the correct access control using the unity-catalog-access-connector with Storage Blob Data Contributor.

My Databricks workspace is set up in a VNet with two subnets: the private and the public. These two subnets are white-listed in the network settings of my ADSL Gen2 in the Virtual Networks section of the Networking settings.

Yet, the only way I can set up the DLT Online Table is by setting my Blob storage to Enable it form all networks. How do I do this without Enabling it to all networks?

samlexrod · ‎07-19-2024

I figured it out. It was because of the Network Connectivity Configurations. I did not have one setup with a private endpoint connection to the ADLS Gen2. I followed the instructions here: https://learn.microsoft.com/en-us/azure/databricks/security/network/serverless-network-security/serv... and it is now working with the VNet integrated.

Thank you @Kaniz_Fatma for your time.

View solution in original post

Kaniz_Fatma · ‎07-19-2024

Hi @samlexrod, The error message indicates a storage permission issue. Specifically, it states that the operation is not authorized, which typically points to misconfigured access controls or networking settings.

Could you check that your ADLS Gen2 storage account is configured to allow access from the correct virtual networks? Since the error occurs when set to "Enabled from selected virtual networks and IP addresses," double-check that the virtual network and subnets used by your Databricks workspace are correctly whitelisted in the ADLS settings.

samlexrod · ‎07-19-2024

Hi @Kaniz_Fatma, Thank you for the fast response.

I believe I have whitelisted the network correctly. I managed to create the metastore and assign to the workspace. I also have the ability to create tables in the ADLS Gen2 unitycatalog container assigned to the metastore. The only thing that does not work is creating the online table.

Here is a screenshot of the VNet whitelisting. Perhaps the creation of the online table is not using the unity connector to access the resource. I have included a screenshot of the IAM role assigned to the blob storage.

samlexrod · ‎07-19-2024

I figured it out. It was because of the Network Connectivity Configurations. I did not have one setup with a private endpoint connection to the ADLS Gen2. I followed the instructions here: https://learn.microsoft.com/en-us/azure/databricks/security/network/serverless-network-security/serv... and it is now working with the VNet integrated.

Thank you @Kaniz_Fatma for your time.