Azure Databricks - Resolve : User does not have permission SELECT on any file error stopping from executing 'save'

Question

We have two different Azure cloud resource groups, RG1 and RG2, where RG1 hosts the ADB_source of the data source, and RG2 hosts the ADB_sink & ADLS_sink(gen2) of the data sink.

Use Case: We have a few delta tables in ADB_source (ACL enabled) where a list of users has Read access. In the ADB_source workspace, we need to read the delta tables and write them into ADLS_sink as parquet for further processing at the sink.

What's Available: We have a high concurrency cluster created in ADB_Source workspace, which -

• Allows only Python & SQL (dbutils.fs also restricted).
• Credential Passthrough is disabled.
• Has ACLs Enabled in spark config.
• Has mount point created to a container in ADLS_sink.
• Has no Admin Access to the cluster.

Errors Observed: We could read the delta tables as expected and run action commands as long as they are in the ADB_source workspace. However, when we write that data into the ADLS_sink with .save(), we get the below error.

Py4JJavaError: An error occurred while calling o410.save. : java.lang.SecurityException: User does not have permission SELECT on any file. User does not have permission MODIFY on any file. 

I would appreciate it if anyone could explain this and recommend additional security checks/accesses needed to implement the use case successfully.

Answer 1

This is happening because ACL is enabled, please refer to the documentation below: https://learn.microsoft.com/en-us/azure/databricks/kb/security/table-create-security-exception