Unity catalog - How do you modify groups properly?

yvuignie
Contributor

Hello,

What is the best practice to modify/delete/recreate groups properly?

In order to rename a group, the only means was to delete/recreate. But after deletion in the account console, the permissions granted to the deleted groups in the tables were in a bad state, i.e. it was then not possible to revoke the permissions. There was an error "Could not find principal with name ...". The only way to restore a proper state was to drop the catalog.

1 ACCEPTED SOLUTION

Accepted Solutions

yvuignie
Contributor

After checking with Microsoft support: "this issue is happening only temporarily due to the browser cache and the issue is resolved after a few mins and we don't see that after the browser cache has been updated. This could be expected with the eventual consistency."


Debayan
Esteemed Contributor III

Hi @Yannick Vuignier, securable objects in Unity Catalog are hierarchical and privileges are inherited downward. You can assign and revoke permissions using Data Explorer, SQL commands, or REST APIs.

https://docs.databricks.com/data-governance/unity-catalog/manage-privileges/index.html

Please let us know if this does not help.

Hi @Debayan Mukherjee,

Thank you for your answer, but no, it does not help. The problem is that if a group is deleted, the grants on the tables/schemas/catalogs on this group are in a bad state. There is no way to revoke the grants, because it can't find the group that was deleted, with this error: "Could not find principal with name ...". The only way to recover a good state is to delete the table/schema/catalog, and this is not a good solution.

It's as if the grant on the table is assigned an id, and this id is not found anymore. The delete group action should not be possible if grants are still referencing the group, or the delete group action should remove the grants.

karthik_p
Esteemed Contributor

@Yannick Vuignier why do you want to delete the whole group? The objective of group creation is to have multiple users in that group and assign permissions to the whole group. If a user is removed from that group, the remaining users will have all permissions as they are. As @Debayan Mukherjee mentioned, you can go with that approach, please.

The problem is that to rename a group, the only way is to delete and recreate it. But we have to make sure to remove the grants before deleting the groups, otherwise the grants will be in a bad state and it is then not possible to revoke them.

karthik_p
Esteemed Contributor

@Yannick Vuignier yes, got you. The best way is to revoke the permissions related to the catalog/tables and then delete the groups, as permissions are inherited from catalog - schema - table. The link @Debayan Mukherjee posted has good information which can be used.
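The revoke-before-delete order suggested in the replies above, extended to the rename case (grant to the new group, revoke from the old one, then delete), as an added example that is not part of any post in this thread and is not Databricks code. The row layout, the group names and the object names are constructed assumptions; the rows stand for whatever listing of current grants you have.

```python
# Added example: plan re-grant/revoke statements around a Unity Catalog group rename.
# Row shape is an assumption: (securable_type, full_name, grantee, privilege, inherited_from)
# with inherited_from empty for a grant made directly on that object.

def quote(name):
    """Backtick-quote one identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"

def quote_path(full_name):
    # Assumes no part of the object name itself contains a dot.
    return ".".join(quote(part) for part in full_name.split("."))

def direct_grants(grants, group):
    """Grants made directly to `group`; inherited rows follow their parent grant."""
    return [g for g in grants if g[2] == group and not g[4]]

def plan_group_rename(grants, old_group, new_group):
    """Return (regrants, revokes): run regrants first, then revokes, then delete."""
    regrants, revokes = [], []
    for sec_type, full_name, _, privilege, _ in direct_grants(grants, old_group):
        priv = privilege.replace("_", " ").upper()  # USE_SCHEMA -> USE SCHEMA
        target = f"{sec_type.upper()} {quote_path(full_name)}"
        regrants.append(f"GRANT {priv} ON {target} TO {quote(new_group)}")
        revokes.append(f"REVOKE {priv} ON {target} FROM {quote(old_group)}")
    return regrants, revokes

def safe_to_delete(grants, group):
    """True only when no direct grant still references the group."""
    return not direct_grants(grants, group)

# Constructed sample rows (not taken from the thread).
SAMPLE_GRANTS = [
    ("catalog", "sales", "analysts-old", "USE_CATALOG", ""),
    ("schema", "sales.eu", "analysts-old", "USE_SCHEMA", ""),
    ("table", "sales.eu.orders", "analysts-old", "SELECT", ""),
    ("table", "sales.eu.orders", "analysts-old", "USE_SCHEMA", "schema"),
    ("table", "sales.eu.orders", "finance", "SELECT", ""),
]

if __name__ == "__main__":
    regrants, revokes = plan_group_rename(SAMPLE_GRANTS, "analysts-old", "analysts")
    for stmt in regrants + revokes:
        print(stmt + ";")
    remaining = [g for g in SAMPLE_GRANTS if g[2] != "analysts-old"]
    print("safe to delete old group:", safe_to_delete(remaining, "analysts-old"))
```

Re-list the grants after running the revokes and delete the old group only once `safe_to_delete` returns true for it.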

yvuignie
Contributor

@karthik p Thank you for your answer. I wish that the delete group action were not possible if grants are still referencing the group, or that the delete group action would remove the grants.

Anonymous
Not applicable

Hi @Yannick Vuignier

Hope all is well!

Just wanted to check in if you were able to resolve your issue, and would you be happy to share the solution or mark an answer as best? Else please let us know if you need more help. 

We'd love to hear from you.

Thanks!

156948
New Contributor II

Hello,

I would like to reopen this thread, as I have exactly the same issue.

I also tried to rename a group and it put the catalog permissions in a bad state. I am not able to revoke access for this group using either the Databricks UI or the REST API. I also tried to recreate the group with the same name, but it doesn't help.

The issue is not related to the browser cache, because I use Terraform/REST API.

Is there any way to remove this permission without recreating the whole catalog?

RobinK
Contributor

Hello,

I have exactly the same issue - I am also using terraform.

I deleted a group and the catalog permissions are in a bad state. I am not able to revoke access for this group using either the Databricks UI or the REST API. I also tried to recreate the group with the same name, but it doesn't help.

How can I fix the permissions?

Update: If you know the Id of the deleted group, you can recreate it with the Databricks REST API: https://docs.databricks.com/api/account/accountgroups/create (you can set name and id in the request)

loic
New Contributor II

Hello RobinK,

I know the Id of the deleted group but I can't manage to re-create the group with the same Id.
The API you linked can indeed take an "Id", but it is ignored.
Do you have any idea why?

