Cluster access control

Note

Access control is available only in the Azure Databricks Premium Plan.

By default, all users can create and modify clusters unless an administrator enables cluster access control. With cluster access control, permissions determine a user's abilities. This article describes the permissions.

Before you can use cluster access control, an Azure Databricks admin must enable it for the workspace. See Enable cluster access control for your workspace.

Types of permissions

You can configure two types of cluster permissions:

  • The Allow Cluster Creation permission controls your ability to create clusters.
  • Cluster-level permissions control your ability to use and modify a specific cluster.

When cluster access control is enabled:

  • An administrator can configure whether a user can create clusters.
  • Any user with Can Manage permission for a cluster can configure whether a user can attach to, restart, resize, and manage that cluster.

Cluster-level permissions

There are four permission levels for a cluster: No Permissions, Can Attach To, Can Restart, and Can Manage. The table lists the abilities for each permission.

  Ability                      No Permissions   Can Attach To   Can Restart   Can Manage
  Attach notebook to cluster                    x               x             x
  View Spark UI                                 x               x             x
  View cluster metrics                          x               x             x
  Terminate cluster                                             x             x
  Start cluster                                                 x             x
  Restart cluster                                               x             x
  Edit cluster                                                                x
  Attach library to cluster                                                   x
  Resize cluster                                                              x
  Modify permissions                                                          x

Note

You have Can Manage permission for any cluster that you create.

Configure cluster-level permissions

Note

This section describes how to manage permissions using the UI. You can also use the Permissions API.

Cluster access control must be enabled and you must have Can Manage permission for the cluster.

  1. Click the clusters icon in the sidebar.

  2. Click the Permissions icon under the Actions column of an existing cluster.


  3. In the Permission settings for dialog, you can:

    • Select users and groups from the Add Users and Groups drop-down and assign permission levels for them.
    • Update cluster permissions for users and groups that have already been added, using the drop-down menu beside a user or group name.


  4. Click Done.

Example: using cluster-level permissions to enforce cluster configurations

One benefit of cluster access control is the ability to enforce cluster configurations so that users cannot change them.

For example, configurations that admins might want to enforce include:

  • Tags to charge back costs
  • Azure AD credential passthrough to Azure Data Lake Storage to control access to data
  • Standard libraries

Azure Databricks recommends the following workflow for organizations that need to lock down cluster configurations:

  1. Disable Allow cluster creation for all users.

    (Screenshot: Cluster creation checkbox)

  2. After you create all of the cluster configurations that you want your users to use, give the users who need access to a given cluster Can Restart permission. This allows a user to freely start and stop the cluster without having to set up all of the configurations manually.

    (Screenshot: Can Restart)
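The lock-down workflow above, as an added Python example that is not part of the Azure Databricks documentation: it builds the Permissions API request that grants Can Restart to a group on a pre-configured cluster, and audits an existing cluster ACL for principals holding Can Manage, since anyone at that level can edit the tags, libraries or passthrough settings the workflow is meant to enforce. The endpoint path, request and response field names, and the sample ACL are assumptions made for this example; check them against the current Permissions API reference.

```python
"""Set and audit cluster-level permissions through the Databricks Permissions API.

Assumptions (not taken from this page):
  * PATCH {host}/api/2.0/permissions/clusters/{cluster_id} takes an
    access_control_list of {user_name|group_name, permission_level} entries
    and is additive: grants for principals not listed are left unchanged.
  * permission_level values are CAN_ATTACH_TO, CAN_RESTART, CAN_MANAGE.
  * GET on the same path returns access_control_list entries carrying
    all_permissions[].permission_level and an "inherited" flag.
"""
import json
import urllib.request

LEVELS = ("CAN_ATTACH_TO", "CAN_RESTART", "CAN_MANAGE")


def build_acl_patch(grants: dict) -> dict:
    """Turn {principal: level} into a PATCH body. Principals with '@' are users."""
    acl = []
    for principal, level in grants.items():
        if level not in LEVELS:
            raise ValueError(f"unknown permission level {level!r}")
        key = "user_name" if "@" in principal else "group_name"
        acl.append({key: principal, "permission_level": level})
    return {"access_control_list": acl}


def find_manage_drift(acl_response: dict, allowed_managers: set) -> list:
    """Return principals holding CAN_MANAGE (direct or inherited) who are not on the
    allow-list. On a locked-down cluster each of these can change the enforced config."""
    drift = []
    for entry in acl_response.get("access_control_list", []):
        principal = (entry.get("user_name") or entry.get("group_name")
                     or entry.get("service_principal_name"))
        levels = {p["permission_level"] for p in entry.get("all_permissions", [])}
        if "CAN_MANAGE" in levels and principal not in allowed_managers:
            drift.append(principal)
    return sorted(drift)


def apply_acl(host: str, token: str, cluster_id: str, grants: dict) -> dict:
    """Send the PATCH for a real workspace (not exercised offline)."""
    req = urllib.request.Request(
        f"{host}/api/2.0/permissions/clusters/{cluster_id}",
        data=json.dumps(build_acl_patch(grants)).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="PATCH")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a GET response: admins inherit Can Manage, analysts got
# Can Restart per the workflow, and one developer was granted Can Manage directly.
SAMPLE_ACL = {"access_control_list": [
    {"user_name": "admin@example.com",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True}]},
    {"group_name": "analysts",
     "all_permissions": [{"permission_level": "CAN_RESTART", "inherited": False}]},
    {"user_name": "dev@example.com",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
]}
```

Run find_manage_drift against each locked-down cluster's GET response on a schedule; any principal it returns has enough permission to undo the enforced configuration.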