Exc

Reputation: 1655

Databricks Unity Catalog jdbc access control

I got all the setup and Unity Catalog working. But how can I give access to the DB's tables to external apps and respect Unity Catalog permissions? I mean the user that I created will be used in

jdbc:databricks://adb-xxxxxxxxxxxxx.8.azuredatabricks.net:443/default;transportMode=http;ssl=1;httpPath=sql/protocolv1/o/xxxxxxxxxxxxx/xxxxxxxx;AuthMech=3;UID=token;PWD=<personal-access-token>

but it seems like access tokens do not respect the Unity Catalog permissions setup. For example, I can alter data in DBeaver but my Unity Catalog permissions are only SELECT.

How to enable an external app to fetch data based on Unity Catalog permissions?

Upvotes: 1

Views: 1803

Answers (1)

To enable an external app to fetch data based on Unity Catalog permissions, you can use the following steps:

  • Create a catalog user or group in Unity Catalog.
  • Grant the catalog user or group the appropriate permissions to the tables or views that you want the external app to be able to access.
  • Configure the external app to use Azure Active Directory (Azure AD) to authorize requests to the tables or views.

Here are some links that you may find helpful:

Using Azure Active Directory: Azure Active Directory (Azure AD) to authorize requests to table data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a service principal, which may be a user, group, or application service principal. The service principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service. Here are the steps that will help you:

  1. Create an application-specific user or service principal in your Azure Active Directory (AD) tenant.

Here is the link on how to create an application-specific user or service principal in your Azure Active Directory (AD) tenant. This will help you with: Authorize access to tables using Azure Active Directory

  • Grant the necessary permissions to this user or service principal in the Azure portal. These permissions should align with the desired access levels defined in your Unity Catalog permissions. The Manage privileges page below will help you. Here is how you Manage privileges

  • Generate an access token for the application-specific user or service principal using Azure AD authentication. This token will be used to authenticate the external application when accessing the Unity Catalog's database tables. And as you said, access tokens generated in the UI are not AD based. Those tokens are generated by the Databricks platform and are used to authenticate requests to the Databricks REST API. These tokens are not aware of the Azure AD permissions that you have set up in Unity Catalog.

  • To enable external apps to fetch data based on Unity Catalog permissions, you can use Azure AD to authorize requests to table data. With Azure AD, you can use Azure RBAC to grant permissions.

  • The documentation below: Get Azure AD tokens for service principals

  • Access tokens in the Microsoft identity platform

  • Here is an example of how Authentication works

After the above setup is done, you can use the connection string in your external application to use the generated access token for authentication:

jdbc:databricks://adb-xxxxxxxxxxxxx.8.azuredatabricks.net:443/default;transportMode=http;ssl=1;httpPath=sql/protocolv1/o/xxxxxxxxxxxxx/xxxxxxxx;AuthMech=3;UID=token;PWD=<access-token>

Using the Azure AD-based access token in your connection string, the external application will be authenticated based on the permissions granted to the application-specific user or service principal in Azure AD. This helps ensure that the Unity Catalog's permissions are respected.

Upvotes: 1
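As an added illustration of the answer's steps (not code from the asker, the answerer or Databricks): a small Python helper that requests an Azure AD token for a service principal with the client-credentials flow, checks that the token it is about to use is an Azure AD token issued for the Azure Databricks resource rather than a `dapi...` personal access token, and then builds the same JDBC URL shape shown in the thread. The tenant, client id/secret, workspace host and httpPath are the caller's own values; the resource application id is the well-known Azure Databricks one.

```python
"""Added example: Azure AD token for a service principal -> Databricks JDBC URL."""
import base64
import json
import urllib.parse
import urllib.request

# Well-known Azure AD application id of the Azure Databricks resource.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def get_azure_ad_token(tenant_id, client_id, client_secret):
    """Client-credentials flow against the v2.0 token endpoint (makes a network call).
    The returned token carries the service principal's identity, so Unity Catalog
    grants made to that principal apply when it is used in the JDBC URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DATABRICKS_RESOURCE_ID}/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def token_kind(token):
    """'pat' for a Databricks personal access token, 'aad' for an Azure AD JWT
    whose audience is the Databricks resource, otherwise 'unknown'.
    Reads the payload only; signature verification is left to Databricks."""
    if token.startswith("dapi"):
        return "pat"
    parts = token.split(".")
    if len(parts) != 3:
        return "unknown"
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return "unknown"
    return "aad" if claims.get("aud") == DATABRICKS_RESOURCE_ID else "unknown"


def build_jdbc_url(workspace_host, http_path, token):
    """Same URL shape as in the thread, with the Azure AD token in PWD.
    Refuses anything that is not an Azure AD token for Databricks, so a PAT
    (which bypasses the principal-based grants) cannot slip into the config."""
    if token_kind(token) != "aad":
        raise ValueError("expected an Azure AD token issued for the Databricks resource")
    return (f"jdbc:databricks://{workspace_host}:443/default;transportMode=http;ssl=1;"
            f"httpPath={http_path};AuthMech=3;UID=token;PWD={token}")
```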
