
Issue with applying ACLs in Unity Catalog enabled workspace

Ravikumashi
Contributor

We have been using Hive Metastore in Databricks workspaces and recently enabled Unity Catalog for one of the workspaces. However, we are encountering issues while applying grants on databases. The system is complaining, stating that table access control is not enabled on the cluster, despite us enabling ACL on the cluster.

The actual error is: Query GRANT SELECT ON DATABASE database_name TO 'user_id': nested exception java.sql.SQLEXCEPTION : [Databricks][DatabricksJDBCDriver][500051] Error Processing query/statement.

Error Code: 0, SQL state: org.apache.hive.service.HiveSQL Exception: Error running query: [_LEGACY_ERROR_TEMP_DBR_0127]

org.apache.spark.SparkException: Trying to perform permission action on hive metastore '/CATALOG/hive_metastore/database_name' but the Table access control is not enabled on the cluster.

We are using a cluster on DBR 7.3 LTS and the Databricks 2.6.29 JDBC driver.

 

1 REPLY

Kaniz_Fatma
Community Manager

Hi @Ravikumashi

  • Unity Catalog is a newer data governance feature in Databricks that provides a more streamlined experience and aligns with Databricks’ recommendations.
  • The legacy Hive metastore, on the other hand, is a workspace-level object that contains data you might want to continue using if your workspace was enabled for Unity Catalog after its initial setup.
  • Unity Catalog and the Hive metastore have different access control models.
  • In Unity Catalog, access control policies are applied to account groups, whereas in the Hive metastore, they are applied to workspace-local groups.
  • Additionally, Unity Catalog does not support DENY statements like the legacy access controls do.
  • The Hive metastore appears as a top-level catalog called hive_metastore in the three-level namespace.
  • You can query tables from the legacy Hive metastore using the following notation:
    SELECT * FROM hive_metastore.sales.sales_raw;
    
    Alternatively, you can specify the catalog and schema with a USE statement:
    USE hive_metastore.sales;
    SELECT * FROM sales_raw;
  • If you configured table access control on the Hive metastore, Databricks continues to enforce those access controls for data in the hive_metastore catalog for clusters running in the shared access mode.
  • However, there are some differences between Unity Catalog and legacy access controls:
    • Unity Catalog requires USE CATALOG and USE SCHEMA permissions on the catalog and schema for all operations on objects inside the catalog or schema.
    • Regardless of a principal’s privileges on a table, they must also have the USE CATALOG privilege on its parent catalog to access the schema and the USE SCHEMA privilege to access objects within the schema.
  • While the Hive metastore table access control is still supported, Databricks recommends migrating your tables to the Unity Catalog metastore.
  • Upgrading to Unity Catalog provides a simpler experience and aligns with best practices.
  • There is currently no official announcement regarding the end of support for Hive metastore table access control.
  • However, considering the benefits of Unity Catalog, it’s advisable to plan for migration.
  • For more details, refer to the official Databricks documentation.
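
The privilege chain described in the reply above, written out as grants (an added example, not part of the original reply and not Databricks' own code). The catalog `main` and the groups `analysts` and `contractors` are assumed names; `sales` and `sales_raw` are reused from the reply's queries.

```sql
-- Added illustration. `main`, `analysts` and `contractors` are assumed names.

-- Unity Catalog: SELECT on the table alone is not enough. The principal
-- (an account-level group) also needs USE CATALOG on the parent catalog
-- and USE SCHEMA on the parent schema.
GRANT USE CATALOG ON CATALOG main TO `analysts`;
GRANT USE SCHEMA  ON SCHEMA  main.sales TO `analysts`;
GRANT SELECT      ON TABLE   main.sales.sales_raw TO `analysts`;

-- Check what the group holds at each level of the three-level namespace.
SHOW GRANTS `analysts` ON CATALOG main;
SHOW GRANTS `analysts` ON SCHEMA main.sales;
SHOW GRANTS `analysts` ON TABLE main.sales.sales_raw;

-- Legacy Hive metastore: the principal is a workspace-local group, and the
-- statements must run on compute where table access control is enforced
-- (shared access mode, per the reply). The legacy model uses USAGE on the
-- schema instead of USE CATALOG / USE SCHEMA.
GRANT USAGE  ON SCHEMA hive_metastore.sales TO `analysts`;
GRANT SELECT ON TABLE  hive_metastore.sales.sales_raw TO `analysts`;

-- DENY exists only in the legacy model; it is not supported in Unity Catalog.
DENY SELECT ON TABLE hive_metastore.sales.sales_raw TO `contractors`;

-- Review the legacy grants on the table.
SHOW GRANTS ON TABLE hive_metastore.sales.sales_raw;
```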