|
| 1 | +# Basic Server Access Control |
| 2 | + |
| 3 | +**Basic Server Access Control** adds access controls to the Unity Catalog server endpoints. |
| 4 | + |
| 5 | +* Access control is optionally enabled through server configuration (`server.authorization=enable`) |
| 6 | +* Resource endpoints all have access control rules that match access rules for Databricks Unity Catalog. |
| 7 | +* An access control is defined by a principal, a resource and a privilege. |
| 8 | +* Principals are currently only user entities. |
| 9 | +* Access controls are hierarchically applied. |
| 10 | +* A privilege assigned to a resource for a principal is active for all the children. |
| 11 | +* A command-line interface is available to add, update, and delete authorizations. |
| 12 | +* The root of the hierarchy is a catalog. |
| 13 | +* There is a new concept of a metastore, which is primarily a resource to assign server-level privileges with. |
| 14 | + |
| 15 | +??? note |
| 16 | + Basic Server Access Control is available since [this commit]({{ uc.commit }}/f9a9bf1f84cb4c7fa03ecb569ae19f306a7cd85b). |
| 17 | + |
| 18 | +## Privileges |
| 19 | + |
| 20 | +The initial set of privileges are as follows: |
| 21 | + |
| 22 | +Privilege | Description |
| 23 | +-|- |
| 24 | + `CREATE CATALOG` | Allows the principal to create catalogs |
| 25 | + `USE CATALOG` | Allows the principal to access/use a catalog |
| 26 | + `CREATE SCHEMA` | Allows the principal to create schemas within a catalog |
| 27 | + `USE SCHEMA` | Allows the principal to access/use the schema and child tables |
| 28 | + `CREATE_TABLE` | Allows the principal to create tables in the schema |
| 29 | + `SELECT` | Allows the principal to run queries against table(s) |
| 30 | + `CREATE_FUNCTION` | Allows principal to create functions in the schema |
| 31 | + `EXECUTE` | Allows the principal to execute function(s) |
| 32 | + `CREATE_VOLUME` | Allows principal to create volumes in the schema |
| 33 | + `READ VOLUME` | Allows the principal to access volumes within the catalog |
| 34 | + `CREATE MODEL` | Allows the principal to create models within a schema |
| 35 | + |
| 36 | +## Unity Catalog CLI |
| 37 | + |
| 38 | +The CLI interface provides a new `permission` command. |
| 39 | + |
| 40 | +``` bash |
| 41 | +./bin/uc permission create \ |
| 42 | + --securable_type catalog \ |
| 43 | + --name mycatalog \ |
| 44 | + --principal user@myorg.com \ |
| 45 | + --privilege "CREATE CATALOG` |
| 46 | +``` |
| 47 | +
|
| 48 | +``` bash |
| 49 | +./bin/uc permission get \ |
| 50 | + --securable_type catalog \ |
| 51 | + --name unity |
| 52 | +``` |
| 53 | +
|
| 54 | +``` bash |
| 55 | +./bin/uc permission delete \ |
| 56 | + --securable_type table \ |
| 57 | + --name mycatalog.myschema.table \ |
| 58 | + --principal user@myorg.com \ |
| 59 | + --privilege SELECT |
| 60 | +``` |
| 61 | +
|
| 62 | +## Framework |
| 63 | +
|
| 64 | +Basic Server Access Control is based on a framework that attempts to separate the concern of access control from the rest of the request handling and processing through annotation-based configuration, via `@AuthorizeExpression`, `@AuthorizeKey` and |
| 65 | +`@AuthorizeKeys` added to each service entry point. |
| 66 | +
|
| 67 | +All requests are routed through the `UnityAccessDecorator` which decodes the request, parameters and authorization configuration to evaluate whether access should be allowed or denied. |
0 commit comments