使用 Azure Databricks 个人访问令牌进行身份验证Authentication using Azure Databricks personal access tokens
若要对 Databricks REST API 进行身份验证和访问,可使用 Azure Databricks 个人访问令牌或 Azure Active Directory (Azure AD) 令牌。To authenticate to and access Databricks REST APIs, you can use Azure Databricks personal access tokens or Azure Active Directory (Azure AD) tokens.
本文介绍如何使用 Azure Databricks 个人访问令牌。This article discusses how to use Azure Databricks personal access tokens. 有关 Azure AD 令牌,请参阅使用 Azure Active Directory 令牌进行身份验证。For Azure AD tokens, see Authentication using Azure Active Directory tokens.
重要
令牌取代了身份验证流中的密码;与密码一样,应始终谨慎使用令牌。Tokens take the place of passwords in an authentication flow, and like passwords, they should always be treated with care. 为了保护令牌,Databricks 建议将令牌存储到:To protect tokens, Databricks recommends that you store tokens in:
- 机密管理,并使用机密实用程序在笔记本中检索令牌。Secret management and retrieve tokens in notebooks using the Secrets utilities.
- 本地密钥存储,并使用 Python keyring 包在运行时检索令牌。A local key store and use the Python keyring package to retrieve tokens at runtime.
要求Requirements
2018 年 1 月之后启动的所有 Azure Databricks 帐户默认启用基于令牌的身份验证。Token-based authentication is enabled by default for all Azure Databricks accounts launched after January 2018. 如果已禁用,你的管理员必须先启用它,然后你才能执行本文中所述的任务。If it is disabled, your administrator must enable it before you can perform the tasks described in this article. 请参阅管理个人访问令牌。See Manage personal access tokens.
生成个人访问令牌 Generate a personal access token
本部分介绍如何在 Azure Databricks UI 中生成个人访问令牌。This section describes how to generate a personal access token in the Azure Databricks UI. 还可使用令牌 API生成和撤销令牌。You can also generate and revoke tokens using the Token API.
单击“用户配置文件”图标Click the user profile icon
它位于 Azure Databricks 工作区的右上角。in the upper right corner of your Azure Databricks workspace.
单击“用户设置”。Click User Settings.
转到“访问令牌”选项卡。Go to the Access Tokens tab.
单击“生成新令牌”按钮。Click the Generate New Token button.
选择性地输入说明(注释)和有效期。Optionally enter a description (comment) and expiration period.
单击“生成”按钮。Click the Generate button.
复制生成的令牌,并将其存储在安全的位置。Copy the generated token and store in a secure location.
撤销个人访问令牌Revoke a personal access token
本部分介绍如何使用 Azure Databricks UI 撤销个人访问令牌。This section describes how to revoke personal access tokens using the Azure Databricks UI. 还可使用令牌 API 生成和撤销访问令牌。You can also generate and revoke access tokens using the Token API.
- 单击“用户配置文件”图标Click the user profile icon
它位于 Azure Databricks 工作区的右上角。in the upper right corner of your Azure Databricks workspace.
- 单击“用户设置”。Click User Settings.
- 转到“访问令牌”选项卡。Go to the Access Tokens tab.
- 针对要撤销的令牌单击 x。Click x for the token you want to revoke.
- 在“撤销令牌”对话框中,单击“撤销令牌”按钮。On the Revoke Token dialog, click the Revoke Token button.
使用个人访问令牌访问 Databricks REST API Use a personal access token to access the Databricks REST API
可在 .netrc
中存储个人访问令牌并在 curl
中使用,也可将其传递到 Authorization: Bearer
标头。You can store a personal access token in .netrc
and use in curl
or pass it to the Authorization: Bearer
header.
在 .netrc
文件中存储令牌并在 curl
中使用Store token in .netrc
file and use in curl
使用 machine
、login
和 password
属性创建 .netrc 文件:Create a .netrc file with machine
, login
, and password
properties:
machine <databricks-instance>
login token
password <personal-access-token>
其中:where:
<databricks-instance>
是 Azure Databricks 部署的工作区 URL。<databricks-instance>
is the workspace URL of your Azure Databricks deployment.token
是文本字符串token
token
is the literal stringtoken
<personal-access-token>
是个人访问令牌的值。<personal-access-token>
is the value of your personal access token.
若要调用 .netrc
文件,请在 curl
命令中使用 -n
:To invoke the .netrc
file, use -n
in your curl
command:
curl -n -X GET https://<databricks-instance>/api/2.0/clusters/list
将令牌传递到 Bearer
身份验证 Pass token to Bearer
authentication
可使用 Bearer
身份验证将令牌包含在标头中,You can include the token in the header using Bearer
authentication. 也可将此方法用于 curl
或你构建的任何客户端。You can use this approach with curl
or any client that you build. 如果是后者,请参阅将大文件上传到 DBFS。For the latter, see Upload a big file into DBFS.
curl -X GET -H 'Authorization: Bearer <personal-access-token>' https://<databricks-instance>/api/2.0/clusters/list