Skip to main content

Disable access to DBFS root and mounts in your existing Databricks workspace

Preview

This feature is in Public Preview.

This page describes how to disable access to the legacy Databricks Filesystem (DBFS) root and mounts in existing Databricks workspaces. To disable DBFS root and mounts at the account level for new workspaces, use the Disable legacy features account setting.

After you've migrated your file-based workflows to Unity Catalog volumes, external locations, or workspace files, you can prevent users from uploading, modifying, or accessing data in DBFS root and DBFS mounts. Disabling DBFS root and mounts enhances your security posture by removing access to shared storage that is not governed by Unity Catalog.

What are DBFS root and mounts?

DBFS is a distributed file system in Databricks workspaces accessible under the dbfs: URI scheme and used to interact with cloud-based storage. The dbfs: URI scheme is used to access several areas of storage in a workspace, including:

  • DBFS root: The area accessible directly under the file system's root, for example, when you type dbfs:/. All workspace users can access the content created directly under the DBFS root, except content under one of the reserved prefixes below, each subject to special conditions. See What is the DBFS root?.
  • DBFS mounts: A legacy approach to defining external cloud storage access, accessible under dbfs:/mnt/<mount_name>. See Mount object storage.
  • Reserved Databricks prefixes: The prefix used by Unity Catalog volumes, and other Databricks system paths, such as dbfs:/databricks-datasets/ and MLflow asset paths. For example, dbfs:/Volumes/.

All paths are also accessible using POSIX-style paths. See Do I need to provide a URI scheme to access data?.

For more information about DBFS, including DBFS root and mounts, see What is DBFS?

What is being disabled?

After you disable DBFS root and mounts:

  • All access to DBFS root and mounts in existing workspaces is disabled and blocked across all interfaces (UI, APIs, CLI, FUSE).
  • Attempts to read or write files from the DBFS root and mounts fail with an error. For example, the error message Public DBFS root is disabled.
  • The DBFS browser and the Upload to DBFS option are no longer accessible from the UI. Jobs, notebooks, or scripts that reference DBFS root and mounts fail unless the setting is reverted.
  • The DBFS option is no longer accessible from common features like:
    • Cluster libraries
    • Cluster log delivery
    • MLflow tracking/model registry (non-UC)
    • AutoML experiments
    • DLT pipelines
  • Static notebook file embedding using /files fails with a 500 error. See Embed static images in notebooks.
  • Mount/unmount operations are blocked.
  • FileStore operations are blocked.
  • Disabling the DBFS root and mounts in your workspace also disables Databricks Runtime versions below 13.3 LTS.

What is not affected?

The dbfs: URI scheme remains central to Databricks, and disabling DBFS root and DBFS mounts does not disable the dbfs: URI itself. The following continue to work as expected:

note

Pre-existing data under the DBFS root and mounts are not deleted. If DBFS root and mounts are re-enabled using the workspace-level Disable DBFS root and mounts setting, the data becomes accessible again.

Here are some examples of paths that remain accessible and are not impacted by the DBFS root and mounts disablement:

Category

Path

Description

Unity Catalog Volumes

dbfs:/Volumes/<catalog>/<schema>/<volume>/<path>/<file_name>

Reserved for UC Volumes and accessible only through UC-specific APIs and subject to UC governance rules. For more information, see What path is used for accessing files in a volume?.

System Path

dbfs:/databricks/mlflow-registry dbfs:/databricks/mlflow-tracking

Read-only paths pointing to content written by Databricks' internal APIs in Workspace system data.

System Path

dbfs:/databricks-datasets/

A read-only collection of datasets mounted by default in Databricks workspaces. See Browse DBFS mounted Databricks datasets.

The dbfs: prefix (URI scheme) is optional and can be omitted in most cases. See Do I need to provide a URI scheme to access data?.

When can you disable DBFS root and mounts?

You can disable DBFS at any time. However, if existing workflows still depend on it, they can break. Databricks recommends disabling DBFS root and mounts in non-critical environments only after:

  • You’ve migrated all workflows that rely on DBFS root or mounts to Unity Catalog volumes, external locations, or workspace files.
  • You’ve upgraded all jobs and clusters to Databricks Runtime 13.3 LTS or above.
note

Before proceeding, you can use the observability scripts to scan for remaining DBFS root and mounts usage.

Disable DBFS root and mounts

note

If the Disable DBFS root and mounts setting is missing, your account admin must turn on the Unity Catalog: Disable Legacy Features setting under Previews in the account console.

You can disable DBFS root and mounts in both existing and new workspaces.

As a workspace admin, follow these steps to disable DBFS root and mounts:

  1. Log in to your Databricks workspace.

  2. Click your user profile icon in the upper-right corner, and select Settings.

  3. Navigate to Workspace admin and click Security.

  4. Set Disable DBFS root and mounts to Disabled: DBFS root and mounts cannot be used.

  5. Wait up to 20 minutes for the setting to take effect.

  6. Restart all running clusters.

    • Propagation delay: It can take up to 20 minutes for the DBFS root and mounts disablement to be propagated entirely.
    • Cluster restart: Any running all-purpose compute and SQL warehouses must be MANUALLY restarted, this must be done after the 20-minute propagation time for the changes to take effect. If they are not restarted, such clusters will continue to be able to access DBFS root and mounts.

    See Notebook example: Find long-running compute for an example to identify and restart long-running all-purpose compute.

Last updated on