Cluster access control
This article describes how to configure permissions on clusters.
Note
Access control is available only in the Premium plan.
Cluster access control overview
You can configure two types of cluster permissions:
The
Allow unrestricted cluster creationworkspace entitlement controls your ability to create clusters.Workspace admins grant users the
Allow unrestricted cluster creationCluster permissions control your ability to use and modify a specific cluster.
Users with the CAN MANAGE permission on a cluster can configure cluster permissions. Workspace admins have the CAN MANAGE permission on all clusters in their workspace.
Configure cluster creation entitlement
Workspace admins can assign the Allow unrestricted cluster creation entitlement to users, service principals, and groups.
As a workspace admin, log in to the Azure Databricks workspace.
Click your username in the top bar of the Azure Databricks workspace and select Admin Settings.
Click the Identity and access tab.
Next to Users, or Groups click Manage.
Go to the Users, or Groups tab.
Select the user, service principal, or group you want to update.
Click the Entitlement tab.
Toggle on the Allow unrestricted cluster creation setting.
Databricks recommends revoking the Allow unrestricted cluster creation entitlement from the users group and using compute policies to limit users' compute creation permissions based on a set of policy rules. For more information, see Create and manage compute policies.
Cluster permissions
There are four permission levels for a cluster: NO PERMISSIONS, CAN ATTACH TO, CAN RESTART, and CAN MANAGE. The table lists the abilities for each permission.
Important
Users with CAN ATTACH TO permissions can view the service account keys in the log4j file. Use caution when granting this permission level.
| Ability | NO PERMISSIONS | CAN ATTACH TO | CAN RESTART | CAN MANAGE |
|---|---|---|---|---|
| Attach notebook to cluster | x | x | x | |
| View Spark UI | x | x | x | |
| View cluster metrics | x | x | x | |
| View driver logs | x (see note) | |||
| Terminate cluster | x | x | ||
| Start and restart cluster | x | x | ||
| Edit cluster | x | |||
| Attach library to cluster | x | |||
| Resize cluster | x | |||
| Modify permissions | x |
Workspace admins have the CAN MANAGE permission on all clusters in their workspace. Users automatically have the CAN MANAGE permission on clusters they create.
Note
Secrets are not redacted from a cluster's Spark driver log stdout and stderr streams. To protect sensitive data, by default, Spark driver logs are viewable only by users with CAN MANAGE permission on job, single user access mode, and shared access mode clusters. To allow users with CAN ATTACH TO or CAN RESTART permission to view the logs on these clusters, set the following Spark configuration property in the cluster configuration: spark.databricks.acl.needAdminPermissionToViewLogs false.
On No Isolation Shared access mode clusters, the Spark driver logs can be viewed by users with CAN ATTACH TO or CAN MANAGE permission. To limit who can read the logs to only users with the CAN MANAGE permission, set spark.databricks.acl.needAdminPermissionToViewLogs to true.
See Spark configuration to learn how to add Spark properties to a cluster configuration.
Configure cluster permissions
This section describes how to manage permissions using the workspace UI. You can also use the Permissions API or Databricks Terraform provider.
You must have the CAN MANAGE permission on a cluster to configure cluster permissions.
In the sidebar, click Compute.
On the row for the cluster, click the kebab menu
on the right, and select Edit permissions.In Permission Settings, click the Select user, group or service principal… drop-down menu and select a user, group, or service principal.
Select a permission from the permission drop-down menu.
Click Add and click Save.