Databricks

Surajv · ‎03-06-2024

Hi Community,

Is there a way to limit the scope of workspace level token to hit only certain REST APIs of Databricks.

In short, Once we generate a workspace level token following this doc. Link: https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html#manually-generate-a-workspace-level-acc...

I see we can generate token via:

curl --request POST \
--url <token-endpoint-URL> \
--user "$CLIENT_ID:$CLIENT_SECRET" \
--data 'grant_type=client_credentials&scope=all-apis'

But here, the scope=all-apis. Which gives access to all APIs. Can I limit the APIs which the entity can access using the token as a part of ensuring better security?

Kaniz · ‎03-07-2024

Hi @Surajv , When working with Databricks, you can manage personal access tokens to control the scope of access to specific REST APIs.

Let’s explore how you can achieve this:

Personal Access Tokens Overview:
- Personal access tokens allow users to authenticate to the Databricks REST API without using their username and password.
- By default, personal access tokens are enabled for all Databricks workspaces created in 2018 or later.
- Users with the appropriate permissions can generate personal access tokens with custom expiration dates.
Enabling or Disabling Personal Access Tokens:
- Personal access token authentication is enabled by default.
- As a workspace admin, you can change this setting in the workspace settings page.
- If you disable personal access tokens for a workspace, users cannot create new tokens, but existing non-expired tokens remain available for use.
- Note that some integrations (like Partner Connect) and service principals require personal access tokens to be enabled.
Fine-Grained Control:
- To limit token access for specific users, keep personal access token authentication enabled and set fine-grained permissions for users and groups.
- You can control who can create and use tokens based on roles and permissions.
Setting Maximum Token Lifetime (REST API Only):
- You can manage the maximum lifetime of new tokens using the Workspace configuration API.
- Call the PATCH /workspace-conf API and set maxTokenLifetimeDays to the desired maximum token lifetime (in days) as an integer.
- This ensures that tokens have a restricted lifespan, enhancing security.
Monitoring and Revoking Tokens (REST API Only):
- You can monitor and revoke tokens using the REST API.
- Keep track of token usage and revoke any unnecessary or compromised tokens promptly.

Remember that managing personal access tokens is crucial for security, and Databricks provides tools and options to tailor token access according to your requirements. For detailed instructions, refer to the official Databricks documentation ¹.

By following these practices, you can enhance security while allowing controlled access to specific REST APIs within your Databricks workspace. 🛡️🔒

Surajv · ‎03-11-2024

Hi @Kaniz,

Thanks for response. Noted.

I have 1 doubt: Can I restrict the token access only to specific REST APIs? In other words, once I use the token and setup a bearer token based auth and try accessing different REST APIs provided by Databricks like consider below 3 APIs:

i) /api/2.1/unity-catalog/catalogs
ii) /api/2.0/preview/sql/queries

iii) /api/2.0/sql/warehouses

Is it possible to only access APIs defined in (i) and (ii) and not give API access permission to (iii)?