Access Control in hive_metastore Based on Cluster Type

DeltaTrain
New Contributor II

Hello Databricks Community, I asked the same question on the Get Started Discussion page, but it feels like this is the right place for this question.

I'm reaching out with a query regarding access control in the hive_metastore. I've encountered behavior that I'd like to understand better and potentially address.

To illustrate the situation:

  • I've set up three users for testing purposes: admin, dataengineer1, and dataanalyst1.
  • The admin user granted permissions to dataengineer1 for three specific tables: circuits, country_regions, and results.

Case 1: When using SQL Warehouse (as seen in the screenshot, labeled as serverless-sql-wh) or a Cluster with shared Access mode, dataengineer1 can only view the tables they have permissions for. This is the expected behavior.

[Screenshot: DeltaTrain_0-1691618617261.png]

Case 2: However, when a Single User Access mode cluster is activated (in the screenshot, labeled as dataengineer1@d...), dataengineer1 can view all schemas and tables. This is not the desired behavior.

[Screenshot: DeltaTrain_1-1691618617263.png]
I'm hoping to find a solution that ensures even in Single User Access Mode, users can only access Schemas and Tables for which they have permission.

Any insights or suggestions would be greatly appreciated. I value the expertise of this community and look forward to your responses.

Thank you,

DeltaTrain

1 REPLY 1

User16752239289
Databricks Employee

That is expected. The single user mode is the legacy standard + UC ACL enabled. https://docs.databricks.com/en/archive/compute/cluster-ui-preview.html#how-does-backward-compatibili...

For your case, you need the hive table ACL enabled to restrict the list schemas and list tables actions.

You can add the below two Spark confs to enable the hive metastore ACL:

spark.databricks.acl.dfAclsEnabled true
spark.databricks.repl.allowedLanguages python,sql
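As an added example (not code from the original thread or from Databricks), a small audit that reads the workspace cluster list and flags clusters whose Spark config is missing the two settings given in the reply; the Clusters API endpoint, the environment variable names and the sample cluster data are assumptions, so without credentials it runs against constructed data.

```python
"""Audit Databricks clusters for hive_metastore table ACL enforcement.
Assumes Clusters API 2.0 GET /api/2.0/clusters/list returns {"clusters": [...]}
with "cluster_name" and "spark_conf" per entry; sample data below is constructed."""
import json
import os
import urllib.request

ACL_KEY = "spark.databricks.acl.dfAclsEnabled"
LANG_KEY = "spark.databricks.repl.allowedLanguages"
ALLOWED_LANGS = {"python", "sql"}  # table ACLs require excluding scala and r

def missing_acl_settings(cluster: dict) -> list[str]:
    """Return findings for one cluster dict; an empty list means compliant."""
    conf = cluster.get("spark_conf") or {}
    findings = []
    if str(conf.get(ACL_KEY, "")).strip().lower() != "true":
        findings.append(f"{ACL_KEY} is not set to true")
    langs = {x.strip().lower() for x in str(conf.get(LANG_KEY, "")).split(",") if x.strip()}
    # Unset means every REPL language is allowed, so that is flagged too.
    if not langs or not langs <= ALLOWED_LANGS:
        findings.append(f"{LANG_KEY} must be restricted to python,sql")
    return findings

def audit(clusters: list[dict]) -> dict[str, list[str]]:
    """Map cluster name -> findings, only for clusters that have any."""
    return {c["cluster_name"]: f for c in clusters if (f := missing_acl_settings(c))}

def fetch_clusters(host: str, token: str) -> list[dict]:
    """Pull the live cluster list (assumed endpoint; needs network access)."""
    req = urllib.request.Request(f"{host}/api/2.0/clusters/list",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("clusters", [])

# Constructed sample standing in for a real API response.
SAMPLE_CLUSTERS = [
    {"cluster_name": "tableacl-cluster",
     "spark_conf": {ACL_KEY: "true", LANG_KEY: "python,sql"}},
    {"cluster_name": "dataengineer1-single-user", "spark_conf": {}},
    {"cluster_name": "partial-cluster",
     "spark_conf": {ACL_KEY: "true", LANG_KEY: "python,sql,scala"}},
]

if __name__ == "__main__":
    host, token = os.environ.get("DATABRICKS_HOST"), os.environ.get("DATABRICKS_TOKEN")
    clusters = fetch_clusters(host, token) if host and token else SAMPLE_CLUSTERS
    for name, findings in audit(clusters).items():
        print(f"{name}: {'; '.join(findings)}")
```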

