Jobs access control

Note

Access control is available only in the Azure Databricks Premium Plan.

By default, all users can create and modify jobs unless an administrator enables jobs access control. With jobs access control, individual permissions determine a user’s abilities. This article describes the individual permissions and how to enable and configure jobs access control.

Before you can use jobs access control, an Azure Databricks admin must enable it for the workspace. See Enable jobs access control for your workspace.

Job permissions

There are five permission levels for jobs: No Permissions, Can View, Can Manage Run, Is Owner, and Can Manage. Admins are granted the Can Manage permission by default, and they can assign that permission to non-admin users.

The table lists the abilities for each permission.

| Ability | No Permissions | Can View | Can Manage Run | Is Owner | Can Manage |
|---|---|---|---|---|---|
| View job details and settings | x | x | x | x | x |
| View results, Spark UI, logs of a job run | | x | x | x | x |
| Run now | | | x | x | x |
| Cancel run | | | x | x | x |
| Edit job settings | | | | x | x |
| Modify permissions | | | | x | x |
| Delete job | | | | x | x |
| Change owner | | | | | x |

Note

  • The creator of a job has Is Owner permission.
  • A job cannot have more than one owner.
  • A job cannot have a group as an owner.
  • Jobs triggered through Run Now assume the permissions of the job owner and not the user who issued Run Now. For example, even if job A is configured to run on an existing cluster accessible only to the job owner (user A), a user (user B) with Can Manage Run permission can start a new run of the job.
  • You can view notebook run results only if you have the Can View or higher permission on the job. This allows jobs access control to be intact even if the job notebook was renamed, moved, or deleted.
  • Jobs access control applies to jobs displayed in the Databricks Jobs UI and their runs. It doesn’t apply to runs spawned by notebook workflows or runs submitted by API whose ACLs are bundled with the notebooks.
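
The permission table and the owner and Run Now notes above can be turned into a review check over a job's access control list. This is an added example, not code from the Azure Databricks documentation; the ability keys, the function names, the upper-case level names and the entry shape (user_name or group_name plus permission_level) are assumptions made for illustration.

```python
# Rank of each permission level, in the column order of the table above.
RANK = {"NO_PERMISSIONS": 0, "CAN_VIEW": 1, "CAN_MANAGE_RUN": 2,
        "IS_OWNER": 3, "CAN_MANAGE": 4}
# Lowest level that grants each ability, transcribed from the table.
MIN_LEVEL = {
    "view_details": "NO_PERMISSIONS", "view_results": "CAN_VIEW",
    "run_now": "CAN_MANAGE_RUN", "cancel_run": "CAN_MANAGE_RUN",
    "edit_settings": "IS_OWNER", "modify_permissions": "IS_OWNER",
    "delete_job": "IS_OWNER", "change_owner": "CAN_MANAGE",
}

def can(level, ability):
    """True if `level` grants `ability` according to the table."""
    return RANK[level] >= RANK[MIN_LEVEL[ability]]

def audit_acl(acl):
    """Return (violations, runs_as_owner) for one job's ACL entries."""
    owners = [e for e in acl if e["permission_level"] == "IS_OWNER"]
    violations = []
    if len(owners) > 1:
        violations.append(f"expected at most one owner, found {len(owners)}")
    for e in owners:
        if "group_name" in e:
            violations.append(f"group '{e['group_name']}' cannot be an owner")
    # Run Now executes with the owner's permissions, so every non-owner
    # principal that can trigger a run effectively borrows the owner's access.
    runs_as_owner = sorted(
        e.get("user_name") or e.get("group_name")
        for e in acl
        if e["permission_level"] != "IS_OWNER"
        and can(e["permission_level"], "run_now")
    )
    return violations, runs_as_owner

# Constructed sample ACL (hypothetical principals, not real data).
SAMPLE_ACL = [
    {"user_name": "user.a@example.com", "permission_level": "IS_OWNER"},
    {"user_name": "user.b@example.com", "permission_level": "CAN_MANAGE_RUN"},
    {"group_name": "analysts", "permission_level": "CAN_VIEW"},
    {"group_name": "admins", "permission_level": "CAN_MANAGE"},
]

if __name__ == "__main__":
    violations, delegates = audit_acl(SAMPLE_ACL)
    print("violations:", violations)
    print("can start runs with the owner's permissions:", delegates)
```

The second return value is the list to review whenever the owner has access, such as a restricted cluster, that those principals should not reach indirectly.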

Enable jobs access control

  1. Go to the Admin Console.

  2. Select the Access Control tab.

  3. Click the Enable button next to Cluster and Jobs Access Control.

  4. Click Confirm to confirm the change.

Configure job permissions

Note

This section describes how to manage permissions using the UI. You can also use the Permissions API.

You must have Can Manage or Is Owner permission.

  1. Go to the details page for a job.

  2. Click Advanced.

  3. Click the Edit link next to Permissions.

  4. In the pop-up dialog box, assign job permissions via the drop-down menu beside a user’s name.

  5. Click Save Changes.