Limit the scope of workspace level access token to access only specific REST APIs of Databricks

Surajv
New Contributor III

Hi Community, 

Is there a way to limit the scope of a workspace-level token so that it can hit only certain REST APIs of Databricks?

In short, once we generate a workspace-level token following this doc. Link: https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html#manually-generate-a-workspace-level-acc...

I see we can generate a token via:

curl --request POST \
--url <token-endpoint-URL> \
--user "$CLIENT_ID:$CLIENT_SECRET" \
--data 'grant_type=client_credentials&scope=all-apis'

But here the scope is all-apis, which gives access to all APIs. Can I limit the APIs which the entity can access using the token, as part of ensuring better security?

3 REPLIES

Kaniz_Fatma
Community Manager

Hi @Surajv, when working with Databricks, you can manage personal access tokens to control the scope of access to specific REST APIs.

Let’s explore how you can achieve this:

  1. Personal Access Tokens Overview:

    • Personal access tokens allow users to authenticate to the Databricks REST API without using their username and password.
    • By default, personal access tokens are enabled for all Databricks workspaces created in 2018 or later.
    • Users with the appropriate permissions can generate personal access tokens with custom expiration dates.
  2. Enabling or Disabling Personal Access Tokens:

    • Personal access token authentication is enabled by default.
    • As a workspace admin, you can change this setting in the workspace settings page.
    • If you disable personal access tokens for a workspace, users cannot create new tokens, but existing non-expired tokens remain available for use.
    • Note that some integrations (like Partner Connect) and service principals require personal access tokens to be enabled.
  3. Fine-Grained Control:

    • To limit token access for specific users, keep personal access token authentication enabled and set fine-grained permissions for users and groups.
    • You can control who can create and use tokens based on roles and permissions.
  4. Setting Maximum Token Lifetime (REST API Only):

    • You can manage the maximum lifetime of new tokens using the Workspace configuration API.
    • Call the PATCH /workspace-conf API and set maxTokenLifetimeDays to the desired maximum token lifetime (in days) as an integer.
    • This ensures that tokens have a restricted lifespan, enhancing security.
  5. Monitoring and Revoking Tokens (REST API Only):

    • You can monitor and revoke tokens using the REST API.
    • Keep track of token usage and revoke any unnecessary or compromised tokens promptly.

Remember that managing personal access tokens is crucial for security, and Databricks provides tools and options to tailor token access according to your requirements. For detailed instructions, refer to the official Databricks documentation.

By following these practices, you can enhance security while allowing controlled access to specific REST APIs within your Databricks workspace. 🛡🔒
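
Points 4 and 5 above (the lifetime cap via workspace-conf, and monitoring and revoking issued tokens) as a worked example. This is added here and is not Databricks' code nor part of the thread; the endpoint paths and the token_infos/expiry_time field names are assumed to match the documented workspace-conf and token-management APIs, while the workspace host, the bearer token and the token list are placeholders or constructed.

```python
"""Added example (not Databricks' code): point 4's lifetime cap and point 5's
monitor-and-revoke review. Paths and fields follow the documented workspace-conf
and token-management APIs; host, token and the sample list are placeholders."""
import json
import urllib.request

WORKSPACE_URL = "https://<workspace-host>"  # placeholder, not a real workspace
BEARER = "<admin-bearer-token>"             # placeholder
MS_PER_DAY = 86_400_000  # expiry_time is reported in epoch milliseconds

def _request(path, method="GET", body=None):
    req = urllib.request.Request(
        f"{WORKSPACE_URL}{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {BEARER}", "Content-Type": "application/json"})
    raw = urllib.request.urlopen(req).read()
    return json.loads(raw) if raw else {}

def max_lifetime_patch(days):
    """Body for PATCH /api/2.0/workspace-conf; the API takes the value as a string."""
    if days <= 0:
        raise ValueError("maxTokenLifetimeDays must be a positive integer")
    return {"maxTokenLifetimeDays": str(days)}

def set_max_token_lifetime(days):
    _request("/api/2.0/workspace-conf", "PATCH", max_lifetime_patch(days))

def list_tokens():
    return _request("/api/2.0/token-management/tokens").get("token_infos", [])

def revoke_token(token_id):
    _request(f"/api/2.0/token-management/tokens/{token_id}", "DELETE")

def tokens_violating_policy(token_infos, max_days, now_ms):
    """Ids of tokens that never expire (expiry_time -1) or outlive the cap; the
    cap only governs new tokens, so already-issued ones still need this review."""
    limit = now_ms + max_days * MS_PER_DAY
    return [t["token_id"] for t in token_infos
            if t.get("expiry_time", -1) == -1 or t["expiry_time"] > limit]

# Constructed sample in the shape of the token-management list response.
NOW_MS = 1_700_000_000_000
SAMPLE_TOKENS = [
    {"token_id": "tok-a", "created_by_username": "svc-etl", "expiry_time": -1},
    {"token_id": "tok-b", "created_by_username": "alice", "expiry_time": NOW_MS + 30 * MS_PER_DAY},
    {"token_id": "tok-c", "created_by_username": "bob", "expiry_time": NOW_MS + 400 * MS_PER_DAY},
]
```

Against a real workspace the review is `set_max_token_lifetime(90)` followed by `revoke_token` on each id returned by `tokens_violating_policy(list_tokens(), 90, now)`, with `now` taken from the clock in milliseconds.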


Surajv
New Contributor III

Hi @Kaniz_Fatma

Thanks for the response. Noted.

I have one doubt: can I restrict the token access only to specific REST APIs? In other words, once I use the token, set up bearer-token-based auth and try accessing different REST APIs provided by Databricks, consider the 3 APIs below:

i) /api/2.1/unity-catalog/catalogs
ii) /api/2.0/preview/sql/queries
iii) /api/2.0/sql/warehouses

Is it possible to only access the APIs defined in (i) and (ii) and not give API access permission to (iii)?

 

Surajv
New Contributor III

 

<Replied to previous message as response to @Kaniz_Fatma's answer> 
