How to Add New Users for LHO (AWS)

Owned by Ciprian LUCACI
Jan 31, 2024
6 min read

Once you’ve successfully installed Lakehouse Optimizer and you have your LHO admin user working, then it’s time to add new users to LHO.

 

Let’s assume we want to grant access to 👩‍💻 Angela to login and use LHO.

 

I. Configure LHO App Login and Role Delegation

Active Directory authentication is configured automatically on installation. 

For more details, please refer to the following related articles:

 

First step is to add 👩‍💻 Angela as use of the managed application used by LHO.


How to add rights to a user to access LHO via AD auth
(1.) Copy the “Client ID” used by the service principal of LHO

You can find the Client ID of the environment on the Settings page // Provisioning & Permissions and scroll down to the bottom of the page where you can find this information in the “Service Principal” panel under the “Client Id” label.

image (73).png
Service Principal → Client ID

 

(2.) Open Microsoft Entra >

 

(3.) Navigate to App Registrations >

(4.) Search all applications for “client id of the environment” >

image-20240122-140703.png

Click on the name of application you found.

 

(5) Manage application

  • in the top right section, click on the name of the application

    • click on the value of the label “Managed application in local directory”

  • you need to be owner of the app in order to add users

 

This action will open the following view:

 

(6) Check Assignment Required

Based on how the Service Principal was configured, if the “Assigned required?” is set to “Yes”, then you will have to manually add user Angela to this app.

Please proceed to the following step

 

(6) Add user

  • click on the left navigation pane on “Users and groups”, or

  • click on “Assign users and groups”

 

  • click on “Add user/group”

  • click on “Users and groups” and search for user and select user

 

  • click on “select a role” and select from the right section which role you want to assign

    • for more information regarding LHO roles, please refer to

    • all LHO users have as default access “LHO User” (Default Access)

 

If there are NO roles defined in the Service Principal App, then any signed in user in LHO is considered LHO Admin.

 

 

II. Grant Rights for Listing Databricks Workspaces

Once the previous section is complete, Angela is now able to successfully long to LHO via Active Directory authentication.

However, she still cannot see anything yet in LHO.

 

The second step is to grant reading rights for Angela in the Azure Subscription(s).

Once this section is complete, Angela will be able

  • to read all (published LHO) Databricks workspaces in a particular Subscription

  • to see the name of the Databricks workspaces, but not the content of the workspaces (ie. listing workloads)

 

(1) Open Azure Portal and navigate to Subscriptions

 

(2) Select Subscription


(3) Select Access control (IAM)

 

(4) Add Role Assignment

 

Depending on your configuration, you can either add a Custom Role or a generic Default Reader Role.

For example, BplmDatabricksReader is a custom role configured to provide only “List workspaces” rights for Databricks, while Reader role is a prebuilt role to provide read-only rights.

 

 

(5) Select Role BplmDatabricksReader

  • click Next


(6) Select members


(7) Review + Assign

 

Once this section is complete, Angela will be able to see the names of all Databricks Workspaces that are published in LHO for the selected subscription in which she was just added.

 

III. Grant Access to Databricks Content

This next section is required if Angela is not already a Databricks user.

If the Active Directory group which holds Angela’s email account is not synchronized or imported into Databricks, then Angela is not recognized as a Databricks user and Databricks will not show her any assets.

If Angela is not a user in Databricks, than you will manually have to create her as a user.

Databricks uses the email as the user identification.

Therefore, Angela must have the same email used for AD login to LHO also configured as a user in Databricks.

 

How to add Angela as a Databricks user?

(0) Open desired Databricks Workspace

(1) Open Admin Settings

(2) Open Identity and access

(3) Open Manage Users

(4) Add User

 

 

(5) Edit User

By default, the newly added user will have access only to those assets that are publicly visible.

You can add the new user to other groups that you have defined in Databricks.

You can also make Angela a workspace admin which will grant access to all assets available in Databricks.