11-02-2022 06:22 AM
Hello,
What is the best practice to modify/delete/recreate groups properly?
In order to rename a group, the only means was to delete/recreate. But after deletion in the account console, the permissions granted to the deleted groups in the tables were in a bad state, i.e. it was then not possible to revoke the permissions. There was an error "Could not find principal with name ...". The only way to restore a proper state was to drop the catalog.
11-03-2022 12:01 AM
Hi @Yannick Vuignier, Securable objects in Unity Catalog are hierarchical and privileges are inherited downward. You can assign and revoke permissions using Data Explorer, SQL commands, or REST APIs.
https://docs.databricks.com/data-governance/unity-catalog/manage-privileges/index.html
Please let us know if this does not help.
11-03-2022 01:16 AM
Hi @Debayan Mukherjee,
Thank you for your answer, but no, it does not help. The problem is that if a group is deleted, the grants on the tables/schemas/catalogs for this group are in a bad state. There is no way to revoke the grants, because it can't find the group that was deleted, with this error: "Could not find principal with name ...". The only way to recover a good state is to delete the table/schema/catalog, and this is not a good solution.
It's as if the grant on the table is assigned an id, and this id is not found anymore. The delete group action should not be possible if grants are still referencing the group, or the delete group action should remove the grants.
11-03-2022 07:57 AM
@Yannick Vuignier Why do you want to delete the whole group? The objective of group creation is to have multiple users in that group and assign permissions to the whole group. If a user is removed from that group, the remaining users will keep all permissions as they are. As @Debayan Mukherjee mentioned, you can go with that approach, please.
11-03-2022 08:10 AM
The problem is to rename a group, the only way is to delete and recreate. But we have to make sure to remove the grants before deleting the groups, otherwise the grants will be in a bad state and it is then not possible to revoke them.
11-03-2022 10:20 AM
@Yannick Vuignier Yes, got you. The best way is to revoke the permissions related to the catalog/tables and then delete the groups, as permissions are inherited from catalog - schema - table. The link @Debayan Mukherjee posted has good information which can be used.
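The order discussed above (move or revoke the grants first, delete the group last), as an added example that is not part of any post in this thread and is not Databricks code: it turns a grant inventory into the GRANT/REVOKE statements for a group "rename" and refuses deletion while any grant still references the old group. The grant rows are constructed sample data in the shape `SHOW GRANTS` reports, and every group and object name is hypothetical.

```python
from typing import NamedTuple


class Grant(NamedTuple):
    principal: str
    privilege: str
    securable_type: str  # CATALOG, SCHEMA or TABLE
    full_name: str       # e.g. main.sales.orders


# Constructed inventory (hypothetical names), e.g. collected with SHOW GRANTS.
GRANTS = [
    Grant("analysts_old", "USE CATALOG", "CATALOG", "main"),
    Grant("analysts_old", "USE SCHEMA", "SCHEMA", "main.sales"),
    Grant("analysts_old", "SELECT", "TABLE", "main.sales.orders"),
    Grant("engineers", "SELECT", "TABLE", "main.sales.orders"),
]


def quote(name: str) -> str:
    """Backtick-quote one identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def qualified(full_name: str) -> str:
    """Quote each part of a dotted catalog.schema.table name."""
    return ".".join(quote(part) for part in full_name.split("."))


def rename_plan(grants, old: str, new: str) -> list:
    """SQL to copy every grant of `old` to `new`, then revoke it from `old`.

    All GRANTs come first so members already added to the new group never
    lose access; the old group is deleted only after every REVOKE succeeded.
    """
    mine = [g for g in grants if g.principal == old]
    target = lambda g: f"{g.securable_type} {qualified(g.full_name)}"
    plan = [f"GRANT {g.privilege} ON {target(g)} TO {quote(new)};" for g in mine]
    plan += [f"REVOKE {g.privilege} ON {target(g)} FROM {quote(old)};" for g in mine]
    return plan


def without_group(grants, group: str) -> list:
    """Inventory as it should look once every REVOKE has been applied."""
    return [g for g in grants if g.principal != group]


def safe_to_delete(grants, group: str) -> bool:
    """Pre-delete guard: True only when no grant references the group."""
    return not any(g.principal == group for g in grants)
```

Re-collect the inventory after running the plan and call `safe_to_delete` on the fresh rows before deleting the group in the account console.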
11-04-2022 12:51 AM
@karthik p Thank you for your answer. I wish that the delete group action should not be possible if grants are still referencing the group, or the delete group action should remove the grants.
11-06-2022 01:29 AM
Hi @Yannick Vuignier
Hope all is well!
Just wanted to check in if you were able to resolve your issue, and would you be happy to share the solution or mark an answer as best? Else please let us know if you need more help.
We'd love to hear from you.
Thanks!
11-16-2022 12:28 AM
After checking with Microsoft support: "this issue is happening only temporarily due to the browser cache and the issue is resolved after a few mins and we don't see that after the browser cache has been updated. This could be expected with the eventual consistency."
04-05-2023 08:24 AM
Hello,
I would like to reopen this thread, as I have exactly the same issue.
I also tried to rename a group and it leaves the catalog permissions in a bad state. I am not able to revoke access to this group using either the Databricks UI or the REST API. I also tried to recreate the group with the same name, but it doesn't help.
The issue is not related to the browser cache, because I use Terraform/REST API.
Is there any way to remove this permission without recreating the whole catalog?
02-15-2024 05:04 AM
Hello,
I have exactly the same issue - I am also using Terraform.
I deleted a group and the catalog permissions are in a bad state. I am not able to revoke access to this group using either the Databricks UI or the REST API. I also tried to recreate the group with the same name, but it doesn't help.
How can I fix the permissions?
02-15-2024 10:30 PM
Update: If you know the Id of the deleted group, you can recreate it with the Databricks REST API: https://docs.databricks.com/api/account/accountgroups/create (you can set name and id in the request)
07-09-2024 08:21 AM
Hello RobinK,
I know the Id of the deleted group but I don't manage to re-create the group with the same Id.
The API you linked to can indeed take an "Id", but it is ignored.
Do you have an idea why?