
Let’s assume we want to grant 👩‍💻 Angela access to log in and use LHO.

I. Configure LHO App Login and Role Delegation

Active Directory authentication is configured automatically on installation. 


Depending on how the Service Principal was configured: if “Assignment required?” is set to “Yes”, you will have to manually add the user Angela to this app. If “Assignment required?” is set to “No”, you can share the LHO URL with any Azure AD tenant user for access; each user is then authorized by the Azure Management API for listing subscriptions and workspaces in Azure, and then by Databricks for all access inside the workspaces.

Please proceed to the following step.


Note

If there are NO roles defined in the Service Principal App, then any signed in user in LHO is considered LHO Admin.


II. Grant Rights for Listing Databricks Workspaces

Once the previous section is complete, Angela is able to log in to LHO successfully via Active Directory authentication.



(3) Select Access control (IAM)


(4) Add Role Assignment


Depending on your configuration, you can either add a Custom Role or the generic default Reader role.

Lakehouse Optimizer requires only read permission to list Databricks Workspaces. Therefore, to limit the rights to exactly this permission, create a custom role named BplmDatabricksReader (for example).

For example, BplmDatabricksReader is a custom role configured to provide only “List workspaces” rights for Databricks, while Reader is a prebuilt role that provides read-only rights. The prebuilt Reader role grants read access to far more resources than LHO needs in order to function properly.

For how to create this custom role, please see:

[Screenshots: creating the custom role in the Azure portal]
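As an added illustration of the difference described above (not part of the LHO documentation), the custom role below is written in the JSON shape that `az role definition create --role-definition @role.json` accepts, beside a constructed stand-in for the built-in Reader role, plus a small check that mirrors how Azure evaluates wildcard actions; the subscription id is a placeholder.

```python
import fnmatch
import json

# Real Azure RBAC action that permits listing/reading Databricks workspaces.
DATABRICKS_WORKSPACE_READ = "Microsoft.Databricks/workspaces/read"
# Placeholder subscription id; replace with the subscription that holds the workspaces.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"


def bplm_databricks_reader_role(subscription_id: str) -> dict:
    """Custom role definition in the JSON layout used by
    `az role definition create --role-definition @role.json`."""
    return {
        "Name": "BplmDatabricksReader",
        "IsCustom": True,
        "Description": "List Databricks workspaces only (for Lakehouse Optimizer).",
        "Actions": [DATABRICKS_WORKSPACE_READ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


# Constructed stand-in for the built-in Reader role: its Actions list is the wildcard "*/read".
BUILTIN_READER = {"Name": "Reader", "IsCustom": False, "Actions": ["*/read"],
                  "NotActions": [], "DataActions": [], "NotDataActions": []}


def grants(role: dict, action: str) -> bool:
    """Azure-style control-plane check: an action is allowed when some Actions
    pattern matches it and no NotActions pattern does ('*' spans '/' as well)."""
    act = action.lower()

    def matches(patterns):
        return any(fnmatch.fnmatchcase(act, p.lower()) for p in patterns)

    return matches(role["Actions"]) and not matches(role["NotActions"])


def is_least_privilege(role: dict) -> bool:
    """Reject wildcards, any non-read control-plane action and any data-plane action."""
    return (all(a.endswith("/read") and "*" not in a for a in role["Actions"])
            and not role["DataActions"])


def role_json(role: dict) -> str:
    """Serialize the role for `az role definition create`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    role = bplm_databricks_reader_role(SUBSCRIPTION_ID)
    print(role_json(role))
    for r in (role, BUILTIN_READER):
        print(r["Name"], grants(r, DATABRICKS_WORKSPACE_READ),
              grants(r, "Microsoft.Storage/storageAccounts/read"))
```

Both roles allow the workspace listing LHO needs, but only Reader also allows reading unrelated resources such as storage accounts.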

(5) Select Role BplmDatabricksReader


Info

Once this section is complete, Angela will be able to see the names of all Databricks Workspaces that are published in LHO for the selected subscription to which she was just added.

III. Grant Access to Databricks Content

  • listing workloads

  • listing clusters

  • listing assets defined in Databricks

Open the desired Databricks Workspace

Open Admin Settings

Open Identity and access

Manage Users

Add User

Edit User

  • Admin

    • to be able to list all clusters

    • to be able to list all assets

  • with default user

    • you will have access only where you have been granted

Info

This next section is required if Angela is not already a Databricks user.

If the Active Directory group which holds Angela’s email account is not synchronized or imported into Databricks, then Angela is not recognized as a Databricks user and Databricks will not show her any assets.

If Angela is not a user in Databricks, then you will have to create her as a user manually.

Databricks uses the email as the user identification.

Therefore, Angela must have the same email used for AD login to LHO also configured as a user in Databricks.

How to add Angela as a Databricks user?


(0) Open desired Databricks Workspace

(1) Open Admin Settings

(2) Open Identity and access

(3) Open Manage Users

(4) Add User


(5) Edit User


By default, the newly added user will have access only to those assets that are publicly visible.

You can add the new user to other groups that you have defined in Databricks.

You can also make Angela a workspace admin, which will grant access to all assets available in Databricks.


Info

Once this section is complete, Angela will be able to see all Databricks Workspace assets to which her Databricks user has access.

If Angela is an LHO User (regular user, not admin), then she will see only those entities to which Databricks grants her access.