Access Control in hive_metastore Based on Cluster Type
08-09-2023 03:05 PM
Hello Databricks Community, I asked the same question on the Get Started Discussion page, but it feels like this is the right place for this question.
I'm reaching out with a query regarding access control in the hive_metastore. I've encountered behavior that I'd like to understand better and potentially address.
To illustrate the situation:
- I've set up three users for testing purposes: admin, dataengineer1, and dataanalyst1.
- The admin user granted permissions to dataengineer1 for three specific tables: circuits, country_regions, and results.
Case 1: When using a SQL Warehouse (as seen in the screenshot, labeled as serverless-sql-wh) or a cluster in Shared access mode, dataengineer1 can only view the tables they have permissions for. This is the expected behavior.
Case 2: However, when a cluster in Single User access mode is activated (in the screenshot, labeled as dataengineer1@d...), dataengineer1 can view all schemas and tables. This is not the desired behavior.
I'm hoping to find a solution that ensures that, even in Single User access mode, users can only access the schemas and tables for which they have permission.
Any insights or suggestions would be greatly appreciated. I value the expertise of this community and look forward to your responses.
Thank you,
DeltaTrain
09-12-2023 11:44 AM
That is expected. Single User mode is the legacy Standard mode with UC ACLs enabled. https://docs.databricks.com/en/archive/compute/cluster-ui-preview.html#how-does-backward-compatibili...
For your case, you need Hive table ACLs enabled to restrict the list-schemas and list-tables actions.
You can add the two Spark configs below to enable the Hive metastore ACLs:
spark.databricks.acl.dfAclsEnabled true
spark.databricks.repl.allowedLanguages python,sql
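As an added example (not code from this thread or from Databricks), the following script audits cluster definitions for the two settings the reply above recommends: it flags any cluster that is not in a platform-enforcing access mode and is missing `spark.databricks.acl.dfAclsEnabled true`, or whose `spark.databricks.repl.allowedLanguages` is not restricted to the `python,sql` value given in the reply. It assumes the Clusters API JSON shape (a `data_security_mode` string such as `SINGLE_USER` or `USER_ISOLATION`, and a `spark_conf` dict of strings); treating `USER_ISOLATION` and `LEGACY_TABLE_ACL` as already-enforcing modes is an assumption of this example, and the cluster records are constructed to mirror the two cases in the question rather than taken from a real workspace.

```python
"""
Audit Databricks cluster definitions for the Hive table-ACL settings the reply
above recommends. Added example: not code from the thread or from Databricks.
Assumes the Clusters API JSON shape: `data_security_mode` (string) and
`spark_conf` (dict of string -> string). Sample records below are constructed.
"""
from typing import Dict, List

# Both keys and the allowed-language value come from the reply above.
REQUIRED_ACL_CONF = {
    "spark.databricks.acl.dfAclsEnabled": "true",
    "spark.databricks.repl.allowedLanguages": "python,sql",
}

# Modes where the platform enforces UC / table ACLs by itself, so no extra conf
# is needed (USER_ISOLATION is "Shared" in the UI). Assumption for this example.
ENFORCING_MODES = {"USER_ISOLATION", "LEGACY_TABLE_ACL"}


def _normalized_langs(value: str) -> set:
    """'Python, SQL' -> {'python', 'sql'}; empty string -> empty set."""
    return {p.strip().lower() for p in value.split(",") if p.strip()}


def audit_cluster(cluster: Dict) -> List[str]:
    """Return findings for one cluster; an empty list means listing is restricted."""
    findings: List[str] = []
    mode = cluster.get("data_security_mode", "NONE")
    conf = {k: str(v).strip() for k, v in (cluster.get("spark_conf") or {}).items()}

    if mode in ENFORCING_MODES:
        return findings

    # Case 2 in the question: a Single User cluster exposes every schema and
    # table in hive_metastore unless table ACLs are switched on via spark_conf.
    if conf.get("spark.databricks.acl.dfAclsEnabled", "").lower() != "true":
        findings.append(
            f"{mode}: spark.databricks.acl.dfAclsEnabled is not 'true'; "
            "users can list every schema and table in hive_metastore"
        )

    # Table ACLs are only enforced when the REPL is restricted to python,sql.
    langs = _normalized_langs(conf.get("spark.databricks.repl.allowedLanguages", ""))
    allowed = _normalized_langs(REQUIRED_ACL_CONF["spark.databricks.repl.allowedLanguages"])
    if not langs or not langs <= allowed:
        findings.append(
            f"{mode}: spark.databricks.repl.allowedLanguages must be restricted to "
            f"{','.join(sorted(allowed))} (found: {sorted(langs) or 'unset'})"
        )
    return findings


def audit_all(clusters: List[Dict]) -> Dict[str, List[str]]:
    """Map cluster_name -> findings for a list of cluster records."""
    return {c["cluster_name"]: audit_cluster(c) for c in clusters}


# Constructed sample records (not real API output), mirroring the question.
SAMPLE_CLUSTERS = [
    {"cluster_name": "shared-cluster",
     "data_security_mode": "USER_ISOLATION", "spark_conf": {}},
    {"cluster_name": "dataengineer1-single-user",
     "data_security_mode": "SINGLE_USER", "spark_conf": {}},
    {"cluster_name": "dataengineer1-single-user-fixed",
     "data_security_mode": "SINGLE_USER",
     "spark_conf": {"spark.databricks.acl.dfAclsEnabled": "true",
                    "spark.databricks.repl.allowedLanguages": "python,sql"}},
    {"cluster_name": "single-user-scala-left-open",
     "data_security_mode": "SINGLE_USER",
     "spark_conf": {"spark.databricks.acl.dfAclsEnabled": "true",
                    "spark.databricks.repl.allowedLanguages": "python,sql,scala"}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CLUSTERS).items():
        print(name, "OK" if not findings else findings)
```

In a real workspace you would feed `audit_all` the `clusters` list returned by the Clusters API (`GET /api/2.0/clusters/list`) instead of the constructed records; the check on `allowedLanguages` is deliberately strict, because leaving Scala or R enabled is the usual way a "table ACL" cluster ends up not enforcing anything.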