Enable admin protection for “No isolation shared” clusters on your account

Account admins can prevent internal credentials from being automatically generated for Databricks workspace admins on No Isolation Shared clusters. No Isolation Shared clusters are clusters that have the Access mode dropdown set to No isolation shared.

Important

The clusters UI recently changed. The No Isolation Shared access mode setting for a cluster previously appeared as the Standard cluster mode. If you used the High Concurrency cluster mode without additional security settings such as table access control (Table ACLs) or credential passthrough, the same settings are used as with Standard cluster mode. The account-level admin setting that this article discusses applies to both the No Isolation Shared access mode and its equivalent legacy cluster modes. For a comparison of the old UI and new UI cluster types, see Clusters UI changes and cluster access modes.

The admin protection for No Isolation Shared clusters on your account helps protect admin accounts from sharing internal credentials in an environment that is shared with other users. Enabling this setting may impact workloads that are run by admins. See Limitations.

No Isolation Shared clusters run arbitrary code from multiple users in the same shared environment, similar to what happens on a cloud Virtual Machine that is shared across multiple users. Data or internal credentials provisioned to that environment might be accessible to any code running within that environment. To call Databricks APIs for normal operations, access tokens are provisioned on behalf of users to these clusters. When a higher-privileged user, such as a workspace administrator, runs commands on a cluster, their higher-privileged token is visible in the same environment.

You can determine which clusters in a workspace have cluster types that are affected by this setting. See Find all your No Isolation Shared clusters (including equivalent legacy cluster modes).

In addition to this account-level setting, there is a workspace-level setting called Enforce User Isolation. Account admins can enable it to prevent creating or starting a “No isolation shared” cluster access type or its equivalent legacy cluster types.

Enable the account-level admin protection setting

  1. As an account admin, log in to the Account Console.

  2. Click Settings Settings icon.

  3. Click the Feature enablement tab.

  4. Under Enable Admin Protection for “No Isolation Shared” Clusters, click the setting to enable or disable this feature.

    • If the feature is enabled, Databricks prevents automatic generation of Databricks API internal credentials for Databricks workspace admins on No Isolation Shared clusters.

    • Changes may take up to two minutes to take effect on all workspaces.

Limitations

When used with No Isolation Shared clusters or the equivalent legacy cluster modes, the following Databricks features do not work if you enable admin protection for No Isolation Shared clusters on your account:

Other features might not work for admin users on this cluster type because these features rely on automatically generated internal credentials.

In those cases, Databricks recommends that admins do one of the following:

  • Use a different cluster type than “No isolation shared” or its equivalent legacy cluster types.

  • Create a non-admin user when using No Isolation Shared clusters.

Find all your No Isolation Shared clusters (including equivalent legacy cluster modes)

You can determine which clusters in a workspace are affected by this account-level setting.

Import the following notebook into all your workspaces and run the notebook.

Get a list of all No Isolation Shared clusters notebook

Open notebook in new tab