@sameeragarwal
Last active May 9, 2024 13:48
SQL ACLs in Databricks

We support fine-grained access control via the SparkSQL interface in Databricks. In this context, access can be restricted on any securable object, e.g. tables, views, databases or functions. Fine-grained access control (i.e. on rows or columns matching specific conditions) can be accomplished via access control on derived views, which can contain arbitrary queries. These access control policies are enforced by the SQL query analyzer at runtime. Fine-grained access control can be enabled on a Databricks Spark 2.1+ cluster by setting a custom Spark config on the cluster creation page:

spark.databricks.acl.enabled true

Privileges

  • SELECT privilege – gives read access to an object.
  • CREATE privilege – gives ability to create an object (e.g., a table in a database).
  • MODIFY privilege – gives ability to add/delete/modify data to/from an object (e.g., a table).
  • READ_METADATA privilege – gives ability to view an object and its metadata.
  • CREATE_NAMED_FUNCTION privilege – gives ability to create a named UDF in an existing catalog or database.
  • ALL PRIVILEGES – gives all privileges (gets translated into all the above privileges).

Objects

The privileges apply to CATALOG, DATABASE, TABLE, VIEW and FUNCTION.

Objects Ownership

For certain actions, the ownership of the object (table/view/database) determines if you are authorized to perform the action. The user who creates the table, view or database becomes its owner. In the case of tables and views, the owner gets all the privileges with grant option.

Users

Privileges can be granted to users. Each user is uniquely identified via their username (that typically maps to their email address) in Databricks. Users that are workspace administrators in Databricks belong to a special admin role and can also access objects that they haven’t been given explicit access to.

Privilege Hierarchy

Privileges on objects are hierarchical. This means that granting a privilege on the entire CATALOG automatically grants it on all databases (and their tables and views). Similarly, granting a privilege on a given DATABASE automatically grants it on all tables and views in that database.

Managing Object Privileges

The following commands can be used to manage the object privileges:

Grant

GRANT
    privilege_type [, privilege_type ] ...
    ON (CATALOG | DATABASE db_name | [TABLE] table_name | [VIEW] view_name | [FUNCTION] function_name)
    TO user [, user] ...
    
privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

Revoke

REVOKE
    privilege_type [, privilege_type ] ...
    ON (CATALOG | DATABASE db_name | [TABLE] table_name | [VIEW] view_name | [FUNCTION] function_name)
    FROM user [, user] ...

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

Examples

GRANT SELECT ON table_name TO `[email protected]`;
REVOKE ALL PRIVILEGES ON DATABASE default FROM `[email protected]`;

Note: We do not support an explicit DENY command for objects.

Show Grant

SHOW GRANT [user] ON (CATALOG | DATABASE db_name | [TABLE] table_name | [VIEW] view_name | [FUNCTION] function_name)

Examples

SHOW GRANT `[email protected]` ON DATABASE default

Fine-grained Access Control

Fine-grained access control (i.e. on rows or columns matching specific conditions) can be accomplished by granting access on derived views, which can contain arbitrary queries. Because privileges are hierarchical, the user must not also hold SELECT on the underlying table or its database, or the view's restrictions can be bypassed by querying the table directly.

Examples

CREATE OR REPLACE VIEW view_name AS SELECT columnA, columnB FROM table_name WHERE columnC > 1000;
GRANT SELECT ON VIEW view_name TO `[email protected]`;
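A worked end-to-end example that combines the GRANT, REVOKE and SHOW GRANT commands from the previous sections with the derived-view technique shown here. It is an added example, not part of the gist; the database, table, view and user names are constructed.

```sql
-- Constructed names: database finance, table finance.transactions,
-- view finance.eu_large_txns, user analyst@example.com.

-- 1. The creator becomes owner of the database and table and receives
--    all privileges with grant option (see "Objects Ownership").
CREATE DATABASE IF NOT EXISTS finance;

CREATE TABLE IF NOT EXISTS finance.transactions (
  txn_id     BIGINT,
  account_id STRING,
  amount     DOUBLE,
  card_pan   STRING,   -- sensitive column that must not reach the analyst
  region     STRING
) USING parquet;

-- 2. The derived view carries the fine-grained policy: a column projection
--    (card_pan is omitted) and a row filter (EU rows above 1000 only).
CREATE OR REPLACE VIEW finance.eu_large_txns AS
  SELECT txn_id, account_id, amount, region
  FROM finance.transactions
  WHERE region = 'EU' AND amount > 1000;

-- 3. Grant on the VIEW only. A SELECT grant on the TABLE, or on DATABASE
--    finance (which flows down to every table in it), would let the user
--    read card_pan and unfiltered rows directly.
GRANT SELECT, READ_METADATA ON VIEW finance.eu_large_txns TO `analyst@example.com`;

-- 4. Verify: the view grant should appear, and no grant should exist at the
--    database level that would widen access through the hierarchy.
SHOW GRANT `analyst@example.com` ON VIEW finance.eu_large_txns;
SHOW GRANT `analyst@example.com` ON DATABASE finance;
SHOW GRANT `analyst@example.com` ON TABLE finance.transactions;

-- 5. There is no DENY command, so if a broader grant was made earlier the
--    only way to narrow access is to revoke it explicitly.
REVOKE SELECT ON DATABASE finance FROM `analyst@example.com`;
REVOKE SELECT ON TABLE finance.transactions FROM `analyst@example.com`;
```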

Privileges Required for SQL Operations

The following table roughly maps the privileges to various SQL operations:

Privilege SELECT CREATE MODIFY READ_METADATA CREATE_NAMED_FUNCTION Ownership Admin
CREATE TABLE X X X
DROP TABLE X X X
DESCRIBE TABLE X X X
ALTER TABLE X X X
DROP TABLE X X X
CREATE VIEW X X X
DROP VIEW X X X
SELECT X X X
CREATE FUNCTION X X X
MSCK X
CREATE DATABASE X X X
EXPLAIN X X X
DROP DATABASE X X X
GRANT X X
REVOKE X X
@ian-su-sirca

Hi Sameer,

We've been using these SQL ACLs and we noticed that some things are undocumented in the latest release, for example GRANT SELECT ON ANONYMOUS FUNCTION and GRANT SELECT ON ANY FILE.

Given that this is early access, we're finding it very hard to discover documentation on these things. Is it possible for you to point us in the right direction for the most up-to-date documentation?

Thanks!

@GregOwen

Hey there @ian-su-sirca, I know that it's been a while since you asked this question, but for your future reference and to help anybody else who winds up here, we now have more complete docs about our Table ACLs here.