hive_metastore Access Control by different cluster type
08-09-2023 03:01 PM
Hello Databricks Community,
I'm reaching out with a query regarding access control in the hive_metastore. I've encountered behavior that I'd like to understand better and potentially address.
To illustrate the situation:
- I've set up three users for testing purposes: admin, dataengineer1, and dataanalyst1.
- The admin user granted permissions to dataengineer1 for three specific tables: circuits, country_regions, and results.
Case 1: When using SQL Warehouse (as seen in the screenshot, labeled as serverless-sql-wh) or a Cluster with shared Access mode, dataengineer1 can only view the tables they have permissions for. This is the expected behavior.
Case 2: However, when a Single User Access mode cluster is activated (in the screenshot, labeled as dataengineer1@d...), dataengineer1 can view all schemas and tables. This is not the desired behavior.
I'm hoping to find a solution that ensures even in Single User Access Mode, users can only access Schemas and Tables for which they have permission.
Any insights or suggestions would be greatly appreciated. I value the expertise of this community and look forward to your responses.
Thank you
08-21-2023 12:55 AM
Hi, could you please elaborate on the permissions on the cluster and who has deployed it? Also, please refer to the limitations here: https://docs.databricks.com/en/clusters/configure.html#assigned-limitations
Please tag @Debayan with your next comment, which will get me notified. Thanks!
08-22-2023 04:01 AM
Hi @Debayan, thank you for your reply.
With hive_metastore, I still cannot get the level of isolation, which means that if anyone activates the Single node cluster, she/he can see all the catalogs, schemas, and tables.
However, with Unity Catalog application, I can get the level of isolation that I want. So rather than trying to find any solution with hive_metastore, I will switch to Unity Catalog application.
Thanks!
08-22-2023 10:07 PM
Hi, Thanks for your confirmation. Yes, that would be better.
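
An audit check for the behaviour reported in this thread, as an added example that is not part of any post above: it sorts clusters by access mode so an admin can see which ones fall outside the hive_metastore grants. It assumes the listing has the shape of a Databricks Clusters API list response, with Shared access mode appearing as `data_security_mode` `USER_ISOLATION` and Single User as `SINGLE_USER`; the sample data is constructed.

```python
import json

# Constructed sample shaped like a Clusters API list response
# (cluster ids, names and the user are made up for this example).
SAMPLE = json.loads("""
{"clusters": [
  {"cluster_id": "0001-aaa", "cluster_name": "shared-etl",
   "data_security_mode": "USER_ISOLATION"},
  {"cluster_id": "0002-bbb", "cluster_name": "de1-personal",
   "data_security_mode": "SINGLE_USER",
   "single_user_name": "dataengineer1@example.com"},
  {"cluster_id": "0003-ccc", "cluster_name": "old-jobs",
   "data_security_mode": "NONE"},
  {"cluster_id": "0004-ddd", "cluster_name": "no-mode-set"}
]}
""")

# Classification taken from the thread: Shared access mode honoured the
# hive_metastore grants; Single User access mode showed all schemas and tables.
ENFORCED = {"USER_ISOLATION"}    # assumption: API value for "Shared"
NOT_ENFORCED = {"SINGLE_USER"}   # assumption: API value for "Single User"


def audit_clusters(listing):
    """Return one finding per cluster: name, mode, verdict, assigned user."""
    findings = []
    for cluster in listing.get("clusters", []):
        mode = cluster.get("data_security_mode", "UNSET")
        if mode in ENFORCED:
            verdict = "grants-enforced"
        elif mode in NOT_ENFORCED:
            verdict = "grants-bypassed"
        else:
            verdict = "review"   # mode not covered by the thread; check by hand
        findings.append({
            "name": cluster.get("cluster_name", cluster.get("cluster_id")),
            "mode": mode,
            "verdict": verdict,
            "user": cluster.get("single_user_name"),
        })
    return findings


def bypassing_users(listing):
    """Users assigned to clusters where the thread saw grants ignored."""
    return sorted({f["user"] for f in audit_clusters(listing)
                   if f["verdict"] == "grants-bypassed" and f["user"]})


if __name__ == "__main__":
    for finding in audit_clusters(SAMPLE):
        print(finding)
```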