Databricks Community

PratikRudra · Saturday

Currently trying to connect a table on external location and it fails with error -

[UNAUTHORIZED_ACCESS] Unauthorized access: PERMISSION_DENIED: request not authorized SQLSTATE: 42501

which seems like a pretty straight forward error but unable to find permission issue as able to browse that same external location from catalog browser .

Able to create volume as well on that external location however while trying to create table like below -

CREATE TABLE IF NOT EXISTS main.default.ab_test
USING DELTA
LOCATION 'abfss://lake-container@account.dfs.core.windows.net/tenants/data/warehouse/testing';

it throws the error on permission
External location created on abfss://lake-container@account.dfs.core.windows.net/tenants/data/warehouse and able to browse the directory testing from catalog browser
This location has parquet files as well as delta log directory

Khaja_Zaffer · Sunday

Hello @PratikRudra

Thank you for sharing the error:

I think probably there is a component that is missing. Writing table metadata (for example, to the _delta_log directory) requires the CREATE EXTERNAL TABLE capability on the external location; this privilege is distinct from volume or browse permissions. It guarantees that Delta tables at paths controlled by that external location can be managed by the principal.

For this: check what permission you have by running this sql query

SHOW GRANTS ON EXTERNAL LOCATION your_external_location_name;

Also run
SHOW GRANTS ON SCHEMA main.default;

Also make sure that the storage account has sufficient Azure RBAC roles like Storage Blob Data Contributor