
Databricks

Databricks has two locations where identity is managed:

  * Account
  * Workspace (deprecated)

There are two types of identities:

  * Users
  * Service principals

Users and service principals can be assigned to groups, and groups can be assigned to other groups. Users, service principals and groups are assigned to workspaces, and workspaces are assigned to Unity Catalog. Unity Catalog manages access to data assets. Each asset has an owner, and ownership grants full permission on the asset. Assets are hierarchical, so permissions can be inherited from parent assets. For example, if a user is granted SELECT on a catalog, all tables that belong to that catalog inherit the permission.
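The following added example (not part of this page's tool or the Databricks API) models the identity and permission rules just described: transitive group membership, ownership granting full permission, and privileges inherited down the catalog > schema > table hierarchy. The principals, groups, assets and grants are constructed sample data, and treating ownership of a parent asset as inherited by its children is an assumption of the model.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample privilege set; real Unity Catalog has more privilege types.
ALL_PRIVILEGES = frozenset({"USE_CATALOG", "USE_SCHEMA", "SELECT", "MODIFY"})

@dataclass
class Asset:
    name: str
    owner: str                                  # owner holds every privilege
    parent: Asset | None = None                 # catalog -> schema -> table chain
    grants: dict[str, set[str]] = field(default_factory=dict)  # principal -> privileges

# Constructed group membership: group -> direct members; a member may itself be a group.
GROUPS: dict[str, set[str]] = {
    "data-readers": {"alice", "sp-scanner"},
    "analysts": {"data-readers", "bob"},        # groups assigned to other groups
}

def principals_for(identity: str) -> set[str]:
    """The identity plus every group it belongs to, directly or through nested groups."""
    result = {identity}
    changed = True
    while changed:                               # fixed-point walk over nested groups
        changed = False
        for group, members in GROUPS.items():
            if group not in result and members & result:
                result.add(group)
                changed = True
    return result

def effective_privileges(identity: str, asset: Asset) -> set[str]:
    """Privileges `identity` holds on `asset`, including those inherited from ancestors."""
    who = principals_for(identity)
    privs: set[str] = set()
    node: Asset | None = asset
    while node is not None:
        if node.owner in who:                    # ownership grants full permission
            return set(ALL_PRIVILEGES)           # (assumed to cover child assets too)
        for principal, granted in node.grants.items():
            if principal in who:
                privs |= granted                 # grant on a parent is inherited
        node = node.parent
    return privs

# Constructed hierarchy: a catalog, a schema inside it, and a table inside the schema.
catalog = Asset("main", owner="dbadmins",
                grants={"analysts": {"USE_CATALOG"}, "data-readers": {"SELECT"}})
schema = Asset("main.sales", owner="dbadmins", parent=catalog, grants={"bob": {"USE_SCHEMA"}})
table = Asset("main.sales.orders", owner="carol", parent=schema)
```

Because `data-readers` is a member of `analysts`, alice and the scanner service principal receive the grant made to `analysts` on the catalog, while bob, who is only in `analysts`, does not receive the `data-readers` SELECT grant; this is the direction of nesting a reviewer of scan results should keep in mind.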

Setting up access to scan Databricks:

Azure Setup

  1. Generate a service principal at Azure with access to databricks.
  2. Grant the service principal access to the account, workspace, and Unity Catalog.

Other setups

  1. Provide a user that has access to the account, workspace, and Unity Catalog.

Scanning Databricks

Azure

udps databricks \
    --host <WORKSPACE URL> \
    --client_id <Oauth client ID generated by Azure service principal> \
    --client_secret <Oauth client secret generated by Azure service principal> \
    --tenant-id <Azure tenant ID>

Other

udps databricks \
    --host <WORKSPACE URL> \
    --username <USERNAME> \
    --password <PASSWORD>