Enable table access control for your workspace

Important

This feature is in Public Preview.

Table access control lets you programmatically grant and revoke access to your data using the Azure Databricks view-based access control model. Table access control requires the Azure Databricks Premium Plan.

This article describes how to enable and enforce Python and SQL table access control for your Azure Databricks workspace. For information about how to enable table access control on a cluster, see Enable table access control for a cluster. To learn how to set privileges on a data object once table access control is enabled, see Data object privileges.

Another approach to securing table access from clusters is SQL-only table access control, which is generally available and does not require enablement using the options described in this article.

Enable table access control for your workspace

  1. Log in to the Admin Console.

  2. Go to the Access Control tab.

    [Screenshot: Access Control tab]

  3. Ensure that Cluster access control is enabled. You cannot enable table access control without having cluster access control already enabled.

  4. Next to Table Access Control, click the Enable button.

  5. Click Confirm.

Enforce table access control

To ensure that your users access only the data that you want them to, you must restrict your users to clusters with table access control enabled. In particular, you should ensure that:

  • Users do not have permission to create clusters. If they create a cluster without table access control, they can access any data from that cluster.

    [Screenshot: Disable cluster create permission]

  • Users do not have Can Attach To permission for any cluster that is not enabled for table access control.

See Cluster access control for more information.
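The second condition above is easy to audit. The following script is an added example, not code from the Azure Databricks documentation: it walks cluster definitions and their permission lists in the JSON shapes returned by the Databricks Clusters and Permissions REST APIs and reports every principal who can attach to a cluster that does not have table access control enabled. It assumes that a cluster enables Python/SQL table access control through the Spark configuration key `spark.databricks.acl.dfAclsEnabled`, and that CAN_RESTART and CAN_MANAGE include the ability to attach; the sample data is constructed so the script runs offline.

```python
# Added example (not from the Azure Databricks docs): find principals who can
# attach to clusters that lack table access control.
# Assumption: table ACLs are enabled per cluster via this Spark conf key.
TABLE_ACL_KEY = "spark.databricks.acl.dfAclsEnabled"
# Assumption: these permission levels all allow attaching a notebook.
ATTACH_LEVELS = {"CAN_ATTACH_TO", "CAN_RESTART", "CAN_MANAGE"}

# Constructed sample in the shape of GET /api/2.0/clusters/list
CLUSTERS = {"clusters": [
    {"cluster_id": "0101-aaaa", "cluster_name": "acl-sql",
     "spark_conf": {TABLE_ACL_KEY: "true"}},
    {"cluster_id": "0102-bbbb", "cluster_name": "adhoc",
     "spark_conf": {}},
]}

# Constructed sample in the shape of GET /api/2.0/permissions/clusters/{id}
PERMISSIONS = {
    "0101-aaaa": {"access_control_list": [
        {"user_name": "alice@example.com",
         "all_permissions": [{"permission_level": "CAN_ATTACH_TO"}]}]},
    "0102-bbbb": {"access_control_list": [
        {"user_name": "bob@example.com",
         "all_permissions": [{"permission_level": "CAN_ATTACH_TO"}]},
        {"group_name": "data-eng",
         "all_permissions": [{"permission_level": "CAN_RESTART"}]}]},
}

def table_acl_enabled(cluster: dict) -> bool:
    """True only when the table-ACL key is explicitly set to 'true'."""
    conf = cluster.get("spark_conf") or {}
    return str(conf.get(TABLE_ACL_KEY, "")).strip().lower() == "true"

def attachable_principals(acl: dict) -> list:
    """Names of users, groups or service principals that can attach."""
    out = []
    for entry in acl.get("access_control_list", []):
        name = (entry.get("user_name") or entry.get("group_name")
                or entry.get("service_principal_name"))
        levels = {p.get("permission_level") for p in entry.get("all_permissions", [])}
        if name and levels & ATTACH_LEVELS:
            out.append(name)
    return out

def audit(clusters: dict, permissions: dict) -> list:
    """(cluster_name, principal) pairs that violate the enforcement rule."""
    return [(c["cluster_name"], who)
            for c in clusters["clusters"] if not table_acl_enabled(c)
            for who in attachable_principals(permissions.get(c["cluster_id"], {}))]

for cluster_name, who in audit(CLUSTERS, PERMISSIONS):
    print(f"{who} can attach to '{cluster_name}', which has no table ACL")
```

Checking the first condition (cluster-create entitlement) requires the workspace user/group listing rather than cluster permissions, so it is not covered here.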