Skip to content

Basic Server Access Control

Basic Server Access Control adds access controls to the Unity Catalog server endpoints.

  • Access control is optionally enabled through server configuration (server.authorization=enable)
  • Resource endpoints all have access control rules that match access rules for Databricks Unity Catalog.
  • An access control is defined by a principal, a resource and a privilege.
  • Principals are currently only user entities.
  • Access controls are hierarchically applied.
  • A privilege assigned to a resource for a principal is active for all the children.
  • A command-line interface is available to add, update, and delete authorizations.
  • The root of the hierarchy is a catalog.
  • There is a new concept of a metastore, which is primarily a resource to assign server-level privileges with.

Permissions and Privilege Assignments

Permissions and Privilege Assignments are synonyms.

Commit

Basic Server Access Control is available since this commit.

Securables

Unity Catalog defines the following securables to apply (create) permissions to:

  1. catalog
  2. function
  3. metastore
  4. registered_model
  5. schema
  6. table
  7. volume
OpenAPI Generator

Securable types are defined in SecurableType enum in Unity Catalog's OpenAPI specification.

Principals

There are the following principal types supported in Unity Catalog:

  • USER
  • GROUP
OpenAPI Generator

Principals are defined in PrincipalType enum in Unity Catalog's OpenAPI specification.

Privileges

The privileges to grant are as follows:

Privilege Description
CREATE CATALOG Allows the principal to create catalogs
USE CATALOG Allows the principal to access/use a catalog
CREATE SCHEMA Allows the principal to create schemas within a catalog
USE SCHEMA Allows the principal to access/use the schema and child tables
CREATE TABLE Allows the principal to create tables in the schema
SELECT Allows the principal to run queries against table(s)
CREATE FUNCTION Allows principal to create functions in the schema
EXECUTE Allows the principal to execute function(s)
CREATE VOLUME Allows principal to create volumes in the schema
READ VOLUME Allows the principal to access volumes within the catalog
CREATE MODEL Allows the principal to create models within a schema
OpenAPI Generator

Privileges are defined in Privilege enum in Unity Catalog's OpenAPI specification.

Unity Catalog CLI

The CLI interface provides a new permission command.

./bin/uc permission create \
  --securable_type catalog \
  --name mycatalog \
  --principal user@myorg.com \
  --privilege "CREATE CATALOG"

./bin/uc permission get \
  --securable_type catalog \
  --name unity

./bin/uc permission delete \
  --securable_type table \
  --name mycatalog.myschema.table \
  --principal user@myorg.com \
  --privilege SELECT

Framework

Basic Server Access Control is based on a framework that attempts to separate the concern of access control from the rest of the request handling and processing through annotation-based configuration, via @AuthorizeExpression, @AuthorizeKey and @AuthorizeKeys added to each service entry point.

All requests are routed through the UnityAccessDecorator which decodes the request, parameters and authorization configuration to evaluate whether access should be allowed or denied.