Enable cluster access control for your workspace

Note

Access control is available only in the Azure Databricks Premium Plan.

By default, all users can create and modify clusters unless an administrator enables cluster access control. With cluster access control enabled, what a user can do with a cluster is determined by the permissions granted on that cluster. This article describes how to enable cluster access control, configure cluster creation permission, and prevent users from seeing clusters they don't have access to.

For information about assigning permissions and configuring cluster access control, see Cluster access control.

Enable cluster access control

  1. Go to the Admin Console.

  2. Select the Access Control tab.

    [Screenshot: Access Control tab]

  3. Click the Enable button next to Cluster and Jobs Access Control.

  4. Click Confirm.

Prevent users from seeing clusters they do not have access to

Note

Cluster visibility control is enabled by default for workspaces created after the release of Azure Databricks platform version 3.34 (December 2020). If your workspace was created earlier, an admin must enable the feature.

Cluster access control by itself does not prevent users from seeing clusters in the Azure Databricks UI, even clusters on which they have no permissions. To keep those clusters from being visible to a user:

  1. Go to the Admin Console.
  2. Select the Access Control tab.
  3. Click the Enable button next to Cluster Visibility Control.
  4. Click Confirm.

To disable cluster visibility control, use the same procedure, clicking Disable in the third step.

Configure cluster creation permission

You can assign the Allow cluster creation permission to individual users or to groups.

To assign it to an individual user:

  1. Go to the Admin Console.

  2. Go to the Users tab.

  3. Select the Allow cluster creation checkbox in the user's row.

    [Screenshot: User row]

  4. Click Confirm to confirm the change.

To assign it to a group:

  1. Go to the Admin Console.
  2. Go to the Groups tab.
  3. Select the group you want to update.
  4. On the Entitlements tab, select Allow cluster creation.

Example: using cluster-level permissions to enforce cluster configurations

One benefit of cluster access control is that administrators can enforce cluster configurations that users cannot change.

For example, configurations that admins might want to enforce include:

  • Tags used to charge back costs
  • Azure AD credential passthrough to Azure Data Lake Storage, to control access to data
  • Standard libraries

Azure Databricks recommends the following workflow for organizations that need to lock down cluster configurations:

  1. Disable Allow cluster creation for all users.

    [Screenshot: Cluster creation checkbox]

  2. After you create all of the cluster configurations that you want your users to use, give the users who need access to a given cluster Can Restart permission. This lets a user start and stop the cluster freely without having to set up the configuration manually, and without being able to edit it (editing requires Can Manage).

    [Screenshot: Can Restart]
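The same lock-down workflow driven through the REST API instead of the Admin Console, as an added example that is not code from the Azure Databricks documentation. It covers both the cluster creation entitlement from the previous section and the Can Restart grant from the workflow above. It assumes the SCIM 2.0 Users endpoint (`PATCH /api/2.0/preview/scim/v2/Users/{id}`, entitlement value `allow-cluster-create`, RFC 7644 filter syntax for the remove) and the Permissions API (`PUT /api/2.0/permissions/clusters/{cluster_id}`). The workspace URL, token, user id and cluster id are placeholders, and the `send` hook, `DatabricksAdmin`, `restart_only_acl` and `lock_down` names are this example's own.

```python
"""Lock down Databricks cluster configurations through the REST API.

Added example; assumes the Permissions API 2.0 and SCIM 2.0 Users API
shapes noted in the comments. Host, token and ids below are placeholders.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

SendFn = Callable[[str, str, dict], dict]

# Cluster permission levels exposed by the Permissions API.
CLUSTER_LEVELS = ("CAN_ATTACH_TO", "CAN_RESTART", "CAN_MANAGE")
# Entitlement behind the "Allow cluster creation" checkbox.
CLUSTER_CREATE = "allow-cluster-create"
PRINCIPAL_KEYS = {"user_name", "group_name", "service_principal_name"}


class DatabricksAdmin:
    def __init__(self, host: str, token: str, send: Optional[SendFn] = None):
        self.host = host.rstrip("/")
        self.token = token
        # The transport is injectable so the logic can run without a workspace.
        self._send = send or self._http_send

    def _http_send(self, method: str, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            self.host + path,
            method=method,
            data=json.dumps(body).encode("utf-8"),
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def set_cluster_creation(self, user_id: str, allowed: bool) -> dict:
        """Step 1: add or remove a user's allow-cluster-create entitlement."""
        if allowed:
            op = {"op": "add", "path": "entitlements",
                  "value": [{"value": CLUSTER_CREATE}]}
        else:
            # SCIM 2.0 filter path (assumed) removes just this entitlement.
            op = {"op": "remove",
                  "path": f'entitlements[value eq "{CLUSTER_CREATE}"]'}
        body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                "Operations": [op]}
        return self._send("PATCH", f"/api/2.0/preview/scim/v2/Users/{user_id}", body)

    def set_cluster_acl(self, cluster_id: str, acl: List[Dict[str, str]]) -> dict:
        """Step 2: replace the cluster's ACL so stale grants do not linger."""
        for entry in acl:
            level = entry.get("permission_level")
            if level not in CLUSTER_LEVELS:
                raise ValueError(f"unknown permission level: {level!r}")
            if level == "CAN_MANAGE":
                # Can Manage lets the principal edit the configuration,
                # which defeats the point of locking it down.
                raise ValueError("refusing to grant CAN_MANAGE on a locked-down cluster")
            if len(PRINCIPAL_KEYS & set(entry)) != 1:
                raise ValueError(f"entry must name exactly one principal: {entry}")
        return self._send("PUT", f"/api/2.0/permissions/clusters/{cluster_id}",
                          {"access_control_list": acl})


def restart_only_acl(users=(), groups=()) -> List[Dict[str, str]]:
    """Build an ACL that grants only Can Restart to the given principals."""
    acl = [{"user_name": u, "permission_level": "CAN_RESTART"} for u in users]
    acl += [{"group_name": g, "permission_level": "CAN_RESTART"} for g in groups]
    return acl


def lock_down(admin: DatabricksAdmin, cluster_id: str, user_ids,
              users=(), groups=()) -> List[dict]:
    """Apply the workflow from the page; returns the API responses in order."""
    responses = [admin.set_cluster_creation(uid, allowed=False) for uid in user_ids]
    responses.append(admin.set_cluster_acl(cluster_id, restart_only_acl(users, groups)))
    return responses


if __name__ == "__main__":
    # Placeholder workspace and token; this would contact the real API.
    admin = DatabricksAdmin("https://adb-1234567890123456.7.azuredatabricks.net",
                            "dapi-placeholder")
    print(lock_down(admin, "0123-456789-abcd123", ["8765432109876543"],
                    groups=["data-scientists"]))
```

`PUT` on the permissions endpoint replaces the cluster's direct grants rather than merging, so a Can Manage entry handed out earlier does not survive the lock-down; workspace admins keep Can Manage on every cluster regardless of the ACL. The `CAN_MANAGE` refusal is this example's policy check, not an API restriction.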