cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Using Managed Identity Authentication in Unity Catalog using pyodbc

rushi29
New Contributor II

‎08-09-2024 07:00 AM

Hello,

I am having trouble using Managed Identity Authentication in Unity Catalog using pyodbc in Azure Databricks. The same code works on a "Legacy Shared Compute". The code snippet is below:

 

import pyodbc
 
jdbc_url = (
    "DRIVER={ODBC 17 DRIVER PATH};"
    "SERVER=AzureSQLServer.database.windows.net,1433;"
    "DATABASE=AzureSQLDBName;"
    "Authentication=ActiveDirectoryMsi;"
    "TrustServerCertificate=no;"
    "Encrypt=yes")
 
conn = pyodbc.connect(jdbc_url)
 
If I run this on a "Shared Compute" enabled for Unity Catalog, I get a connection timeout error:
('HYT00', '[HYT00] [Microsoft][ODBC Driver 17 for SQL Server]Login timeout expired (0) (SQLDriverConnect)')
If I switch to using UID/PWD, then it works on the Unity Catalog as well. So, not sure why Managed Identity would not work on a Unity Catalog enabled cluster but work on the Legacy cluster. 
 
Any thoughts would be appreciated.
 
Thanks,
Rushi
1 REPLY 1

rushi29
New Contributor II

‎08-09-2024 02:50 PM

I wanted to provide an update on this issue and see if the added information can help resolve the problem. So, after doing some research, it turns out that the Unity Catalog cluster is unable to reach the Azure Instance Metadata Service (IMDS) possibly due to some network restrictions for unity catalog enabled clusters. This prevents the cluster from getting an access token that is needed to use Managed Identity. I used curl to hit the IMDS endpoint and it errors out in case of Unity Catalog.

%sh

curl -H Metadata:true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://databa...

rushi29_0-1723239930607.png

I have raised this with our Databricks administrators but in order to help them out, does anyone know where these networking settings might be for Unity Catalog where this IP/port can be whitelisted?

Thanks,

Rushi

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements