If you created your Unity Catalog metastore during the public preview (before August 25, 2022), you can upgrade to Privilege Model version 1.0 to take advantage of privilege inheritance. Existing workloads continue to operate as-is until you upgrade your privilege model. Databricks recommends upgrading to Privilege Model version 1.0 to get the benefits of privilege inheritance and new features.
Privilege Model v1.0 in Unity Catalog has the following differences from the public preview privilege model:
Privilege inheritance: In Privilege Model v1.0 privileges are inherited on child securable objects. This means that granting a privilege on the catalog automatically grants the privilege to all current and future objects within the catalog. Similarly, privileges granted on a schema are inherited by all current and future objects within that schema. In the preview model, privileges are not inherited on child securable objects. For more information on privilege inheritance, see Inheritance model.
ALL PRIVILEGES is evaluated differently: In the public preview privilege model, ALL PRIVILEGES grants the principal every privilege that exists at the time of the grant. In Privilege Model v1.0, ALL PRIVILEGES expands to all available privileges at the time a permission check is made, so privileges introduced after the grant are included automatically.
In Privilege Model v1.0, when ALL PRIVILEGES is revoked, only the ALL PRIVILEGES privilege itself is revoked. Users retain any other privileges that were granted to them separately, so revoking ALL PRIVILEGES alone does not necessarily remove a principal's access.
CREATE TABLE is updated to CREATE EXTERNAL TABLE: The CREATE TABLE permission no longer applies to external locations or storage credentials, which are required to create external tables. In Privilege Model v1.0, you instead grant the CREATE EXTERNAL TABLE privilege on external locations and storage credentials to allow a user to create external tables using that external location or storage credential.
CREATE is removed: The CREATE permission is removed and replaced by more specific privileges, including CREATE EXTERNAL LOCATION and CREATE MANAGED STORAGE.
USAGE is removed: The USAGE permission is removed and replaced by the following more specific privileges: USE CATALOG and USE SCHEMA.
The upgrade to Privilege Model v1.0 cannot be undone.
Before you upgrade, update all workloads that reference Unity Catalog to use Databricks Runtime 11.3 LTS or above: upgrade all clusters to Databricks Runtime 11.3 LTS or above and restart any running SQL warehouses. If you skip this step, workloads on older versions of Databricks Runtime are rejected after you complete the upgrade.
As an account admin, log in to the account console.
Click the metastore name.
Under Privilege Model, click Upgrade.
If you do not see the option to upgrade, your Unity Catalog metastore is already using Privilege Model 1.0.
Databricks continues to support grants expressed using the old privilege model and automatically maps them to the equivalent grant in Privilege Model v1.0. However, privileges returned by SHOW GRANTS or through information_schema views are reported using Privilege Model v1.0 names, so the names your code grants and the names it reads back will differ. Databricks recommends that you update existing code that performs grants to reference the updated privilege model:
Replace the CREATE TABLE privilege on external locations or storage credentials with the CREATE EXTERNAL TABLE privilege.
Replace the CREATE permission with the specific privilege that you need, such as CREATE EXTERNAL LOCATION or CREATE SCHEMA.
Replace the USAGE permission with the specific privilege USE CATALOG or USE SCHEMA.
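The following example is added here to show the three replacements above applied to a set of preview-model grant statements; it is not from the Databricks documentation. It assumes a catalog named main, a schema main.sales, an external location named landing_zone, a storage credential named landing_cred, and a group named etl, all of which are placeholders.

```sql
-- Added example, not from the Databricks documentation. Assumed names:
-- catalog `main`, schema `main.sales`, external location `landing_zone`,
-- storage credential `landing_cred`, group `etl`.

-- Preview-model statements. Databricks still accepts these and maps them to
-- v1.0 grants, but SHOW GRANTS and information_schema report the v1.0 names,
-- so the statements themselves should be rewritten.
--   GRANT USAGE        ON CATALOG main TO `etl`;
--   GRANT USAGE        ON SCHEMA main.sales TO `etl`;
--   GRANT CREATE       ON SCHEMA main.sales TO `etl`;
--   GRANT CREATE TABLE ON EXTERNAL LOCATION landing_zone TO `etl`;

-- Privilege Model v1.0 equivalents.
GRANT USE CATALOG  ON CATALOG main TO `etl`;                -- replaces USAGE on the catalog
GRANT USE SCHEMA   ON SCHEMA  main.sales TO `etl`;          -- replaces USAGE on the schema
GRANT CREATE TABLE ON SCHEMA  main.sales TO `etl`;          -- replaces CREATE on the schema; CREATE TABLE still applies to schemas
GRANT CREATE EXTERNAL TABLE ON EXTERNAL LOCATION landing_zone TO `etl`;   -- replaces CREATE TABLE on the external location
GRANT CREATE EXTERNAL TABLE ON STORAGE CREDENTIAL landing_cred TO `etl`;  -- only if external tables are created against the credential directly

-- Confirm that the grants are reported with v1.0 names.
SHOW GRANTS `etl` ON SCHEMA main.sales;
SHOW GRANTS `etl` ON EXTERNAL LOCATION landing_zone;
```

Grant CREATE EXTERNAL TABLE on the storage credential only when users create external tables by referencing the credential directly; otherwise the grant on the external location is sufficient and keeps the credential itself out of reach.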
For more information about the Unity Catalog privilege model, see Unity Catalog privileges and securable objects.