1. Role-Based Access Control for Databricks Workspaces


    Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an organization. In the context of cloud services like Databricks, RBAC allows you to define who can access which resources within your Databricks workspace.

    When using Pulumi to configure RBAC for Databricks workspaces on Azure, you would use the azure-native.databricks.Workspace resource, which is responsible for managing a Databricks workspace within Azure. This resource allows you to specify access control policies by setting up authorizations using the authorizations property, where you can assign roles to different principals (users or groups).

    Below is a simple Pulumi program that demonstrates how you might create a Databricks workspace in Azure and set up RBAC for it. The program:

    1. Creates a new resource group in Azure.
    2. Deploys a Databricks workspace within that resource group.
    3. Configures RBAC by adding an authorization rule to the workspace.

    Here's the Pulumi program for setting up a Databricks workspace with RBAC on Azure:

        import pulumi
        import pulumi_azure_native as azure_native

        # Create an Azure Resource Group to hold the workspace.
        resource_group = azure_native.resources.ResourceGroup('resource_group')

        # Look up the subscription the configured Azure credentials target; the managed
        # resource group must be given as a full ARM resource ID under that subscription.
        client_config = azure_native.authorization.get_client_config()

        # Define an authorization entry for the Databricks workspace. This is the access control.
        # principal_id: the entity being granted access (user, group, or service principal object ID).
        # role_definition_id: the full resource ID of the role being assigned; it defines what actions are allowed.
        authorizations_rule = azure_native.databricks.WorkspaceProviderAuthorizationArgs(
            principal_id='YOUR_SERVICE_PRINCIPAL_ID',      # Replace with the actual principal ID
            role_definition_id='YOUR_ROLE_DEFINITION_ID',  # Replace with the role definition resource ID
        )

        # Create the Databricks workspace and apply the authorization defined above.
        workspace = azure_native.databricks.Workspace(
            'workspace',
            resource_group_name=resource_group.name,
            location=resource_group.location,
            sku=azure_native.databricks.SkuArgs(
                name='standard',  # Choose `trial`, `standard`, `premium`, or `enterprise`
            ),
            authorizations=[authorizations_rule],
            # Resource group that Databricks creates and manages for the workspace's own assets
            managed_resource_group_id=(
                f'/subscriptions/{client_config.subscription_id}'
                '/resourceGroups/myManagedResourceGroup'
            ),
        )

        # Export the deployed workspace URL so it can be reached after deployment.
        pulumi.export('workspace_url', workspace.workspace_url)

    This program is straightforward and only requires a few steps to enforce RBAC. You would customize the principal IDs and role definition IDs to match your specific Azure Active Directory setup and the specific permissions you want to grant.

    Remember to replace YOUR_SERVICE_PRINCIPAL_ID and YOUR_ROLE_DEFINITION_ID with the appropriate values. The principal_id should correspond to the user, group, or service principal you wish to grant access to, and the role_definition_id should correspond to the role that defines the permissions that are being granted.
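    A mistake that is easy to make here is to leave the placeholders in place or to grant a far broader role than the workspace needs. The following added example (not part of the original program or of the Pulumi provider) is a small pre-deployment check that can be run in a unit test or a CI step before the authorizations list is handed to the Workspace resource. It verifies that each principal_id is a GUID, that each role_definition_id is a full Azure role definition resource ID, and flags the built-in Owner and Contributor roles as broader than a single workspace authorization usually needs. The sample entries, the all-zero subscription ID and the choice of which roles count as over-broad are constructed assumptions for the demonstration; the Owner and Contributor GUIDs are Azure's well-known built-in role definition IDs.

```python
import re
import uuid

# Azure built-in role definition GUIDs treated as over-broad for one workspace
# authorization (assumption for this example; tune the set to your own policy).
OVERLY_BROAD_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24f": "Contributor",
}

# Built-in roles are addressed at tenant scope (/providers/...), custom roles are
# scoped under a subscription; accept both forms.
ROLE_DEF_RE = re.compile(
    r"^(/subscriptions/(?P<sub>[0-9a-f-]{36}))?"
    r"/providers/Microsoft\.Authorization/roleDefinitions/(?P<role>[0-9a-f-]{36})$",
    re.IGNORECASE,
)


def check_authorization(principal_id, role_definition_id):
    """Return a list of problems with one authorization entry; an empty list means it is acceptable."""
    problems = []
    try:
        uuid.UUID(principal_id)
    except (ValueError, TypeError, AttributeError):
        problems.append(f"principal_id {principal_id!r} is not a GUID (placeholder left in place?)")

    match = ROLE_DEF_RE.match(role_definition_id or "")
    if not match:
        problems.append(
            f"role_definition_id {role_definition_id!r} is not a role definition resource ID"
        )
        return problems

    role = match.group("role").lower()
    if role in OVERLY_BROAD_ROLES:
        problems.append(
            f"role {OVERLY_BROAD_ROLES[role]} is broader than a workspace authorization needs"
        )
    return problems


def check_authorizations(entries):
    """Validate (principal_id, role_definition_id) pairs; return {index: [problems]} for the bad ones."""
    findings = {}
    for index, (principal_id, role_definition_id) in enumerate(entries):
        problems = check_authorization(principal_id, role_definition_id)
        if problems:
            findings[index] = problems
    return findings


# Constructed sample entries: one placeholder pair, one over-broad role, one acceptable Reader grant.
SAMPLE_AUTHORIZATIONS = [
    ("YOUR_SERVICE_PRINCIPAL_ID", "YOUR_ROLE_DEFINITION_ID"),
    (
        "11111111-2222-3333-4444-555555555555",
        "/subscriptions/00000000-0000-0000-0000-000000000000"
        "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    ),
    (
        "11111111-2222-3333-4444-555555555555",
        "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    ),
]

if __name__ == "__main__":
    for index, problems in check_authorizations(SAMPLE_AUTHORIZATIONS).items():
        for problem in problems:
            print(f"authorizations[{index}]: {problem}")
```

    Run against the sample list, the check reports the untouched placeholders on the first entry and the Owner grant on the second, and passes the Reader grant; wiring `check_authorizations` into a test that imports the authorization entries from the Pulumi program catches both mistakes before `pulumi up` creates anything.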

    This example assumes you have already configured your Pulumi CLI and have adequate privileges in your Azure subscription to make these changes. The pulumi.export statement at the end outputs the URL of the Databricks workspace, which can be used to access the workspace after deployment.

    If you need to create or manage service principals and role definitions in Azure Active Directory, you would typically use the Azure portal, CLI, or appropriate Azure SDKs, as these are outside of Databricks workspace context and not covered by the Pulumi Databricks provider.