Enable Table Access Control

Note

In North America, this feature is available only on Enterprise accounts. In the rest of the world, it is available only on accounts that include the Databricks Operational Security Package. If you don’t know the kind of account you’re on, contact your Databricks sales representative.

Table access control lets you programmatically grant and revoke access to your data using the Databricks view-based access control model.

To set up table access control, you must first enable it on a cluster and then enforce it by restricting users to clusters that have it enabled.

This topic describes both steps.

For information about how to set permissions on a data object once table access control is enabled, see Set Permissions on a Data Object.

Step 1: Enable table access control for a cluster

Table access control is available in two versions:

  • SQL-only table access control, which:
    • Is generally available.
    • Restricts cluster users to SQL commands. Users are restricted to the SparkSQL API, and therefore cannot use Python, Scala, R, RDD APIs, or clients that directly read the data from cloud storage, such as DBUtils.
    • Requires that clusters run Databricks Runtime 3.1 or above.
  • Python and SQL table access control (Beta), which:
    • Is in Beta.
    • Allows users to run SQL, Python, and PySpark commands. Users are restricted to the SparkSQL API and DataFrame API, and therefore cannot use Scala, R, RDD APIs, or clients that directly read the data from cloud storage, such as DBUtils.
    • Requires that clusters run Databricks Runtime 3.5 or above.

SQL-only table access control

This version of table access control restricts users on the cluster to SQL commands only.

To enable SQL-only table access control on a cluster and restrict that cluster to use only SQL commands, set the following flag in the cluster’s Spark conf:

spark.databricks.acl.sqlOnly true

Python and SQL table access control (Beta)

This version of table access control lets users run Python and PySpark commands that use the DataFrame API, as well as SQL. When it is enabled on a cluster, users on that cluster or pool:

  • Can access Spark only via the Spark SQL API or DataFrame API. In both cases, access to tables and views is restricted by administrators according to the Databricks View-based access control model.
  • Cannot acquire direct access to data in the cloud via DBFS or by reading credentials from the cloud provider’s metadata service.
  • Must run their commands on cluster nodes as a low-privilege user forbidden from accessing sensitive parts of the filesystem or creating network connections to ports other than 80 and 443.

Attempts to get around these restrictions fail with an exception. These restrictions are in place so that your users can never use the cluster to reach data they have not been granted access to.

There are two steps to enabling a cluster for Python and SQL table access control.

Enable table access control at the account level

Note

Starting with Databricks Platform 2.68, all access controls are enabled by default for new accounts in the Databricks Operational Security Package. For accounts that were opened before version 2.68, an administrator must enable table access control using the steps listed in this section.

  1. Log in to the Admin Console.
  2. Go to the Access Control tab.
  3. Ensure that Cluster Access Control is enabled. You cannot enable table access control without having cluster access control already enabled.
  4. Next to Table Access Control, click the Enable button.

Create a cluster enabled for table access control

Note

The checkbox is available only for high concurrency clusters.

When you create a cluster, click the Enable table access control and only allow Python and SQL commands option.

To create the cluster using the REST API, see Enable table access control example.

Step 2: Enforce table access control

To ensure that your users access only the data that you want them to, you must restrict your users to clusters with table access control enabled. In particular, you should ensure that:

  • Users do not have permission to create clusters. If they create a cluster without table access control, they can access any data from that cluster.
  • Users do not have Can Attach To permission for any cluster that is not enabled for table access control.

See Cluster Access Control for more information.
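The two enforcement checks above (no clusters without table access control, no Can Attach To grants on such clusters) are easy to audit programmatically. The following is an added example, not code from the Databricks documentation. It runs offline on constructed sample records shaped like the responses of the Clusters API (clusters/list) and the Permissions API (permissions/clusters/{cluster_id}); those response shapes, the CAN_ATTACH_TO/CAN_RESTART/CAN_MANAGE permission levels, and the spark.databricks.acl.dfAclsEnabled key (assumed to be what the "Enable table access control and only allow Python and SQL commands" option sets) are assumptions, while spark.databricks.acl.sqlOnly is the flag documented on this page. The account-level "allow cluster creation" entitlement is not modelled here.

```python
"""Audit Databricks clusters for table access control enforcement.

Added example (not Databricks' own code). Input records are constructed to
mirror the assumed shapes of clusters/list and permissions/clusters/{id}.
"""
from typing import Dict, Iterable, List, Tuple

# Spark conf keys that indicate table access control on a cluster.
# sqlOnly is documented on this page; dfAclsEnabled is an assumption about
# the flag set by the Python-and-SQL table access control checkbox.
TABLE_ACL_CONF_KEYS = (
    "spark.databricks.acl.sqlOnly",
    "spark.databricks.acl.dfAclsEnabled",
)

# Any of these levels lets a principal attach a notebook to the cluster.
ATTACH_CAPABLE_LEVELS = {"CAN_ATTACH_TO", "CAN_RESTART", "CAN_MANAGE"}


def _truthy(value) -> bool:
    # Spark conf values are strings ("true"); also tolerate real booleans.
    return str(value).strip().lower() == "true"


def has_table_acl(cluster: Dict) -> bool:
    """True if the cluster's spark_conf enables either table ACL mode."""
    conf = cluster.get("spark_conf") or {}
    return any(_truthy(conf.get(key, "false")) for key in TABLE_ACL_CONF_KEYS)


def unprotected_clusters(clusters: Iterable[Dict]) -> List[str]:
    """IDs of clusters on which a user could read any data the cluster can."""
    return [c["cluster_id"] for c in clusters if not has_table_acl(c)]


def risky_attach_grants(
    clusters: Iterable[Dict],
    permissions_by_cluster: Dict[str, Dict],
    admins: Iterable[str],
) -> List[Tuple[str, str]]:
    """(principal, cluster_id) pairs where a non-admin can attach to an
    unprotected cluster. Inherited grants count: the user can still attach."""
    admin_set = set(admins)
    findings: List[Tuple[str, str]] = []
    for cid in unprotected_clusters(clusters):
        acl = permissions_by_cluster.get(cid, {}).get("access_control_list", [])
        for entry in acl:
            principal = entry.get("user_name") or entry.get("group_name")
            if principal is None or principal in admin_set:
                continue
            levels = {p["permission_level"] for p in entry.get("all_permissions", [])}
            if levels & ATTACH_CAPABLE_LEVELS:
                findings.append((principal, cid))
    return findings


# Constructed sample data (not real clusters or users).
SAMPLE_CLUSTERS = [
    {"cluster_id": "0101-aaaa", "cluster_name": "analyst-sql",
     "spark_conf": {"spark.databricks.acl.sqlOnly": "true"}},
    {"cluster_id": "0202-bbbb", "cluster_name": "ds-python",
     "spark_conf": {"spark.databricks.acl.dfAclsEnabled": "true"}},
    {"cluster_id": "0303-cccc", "cluster_name": "etl-scala", "spark_conf": {}},
]

SAMPLE_PERMISSIONS = {
    "0101-aaaa": {"access_control_list": [
        {"user_name": "analyst@example.com",
         "all_permissions": [{"permission_level": "CAN_ATTACH_TO", "inherited": False}]},
    ]},
    "0303-cccc": {"access_control_list": [
        {"user_name": "admin@example.com",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True}]},
        {"user_name": "analyst@example.com",
         "all_permissions": [{"permission_level": "CAN_ATTACH_TO", "inherited": False}]},
        {"group_name": "data-engineers",
         "all_permissions": [{"permission_level": "CAN_RESTART", "inherited": False}]},
    ]},
}

ADMINS = {"admin@example.com"}


def audit(clusters=SAMPLE_CLUSTERS, permissions=SAMPLE_PERMISSIONS, admins=ADMINS) -> Dict:
    """Run both enforcement checks and return the findings."""
    return {
        "unprotected_clusters": unprotected_clusters(clusters),
        "risky_attach_grants": risky_attach_grants(clusters, permissions, admins),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

On a live workspace you would feed the same functions the JSON returned by the Clusters and Permissions APIs; every cluster listed under unprotected_clusters and every pair under risky_attach_grants is a place where the restrictions in Step 2 are not being met.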

Now you can Set Permissions on a Data Object.