Secret access control

By default, all users in all pricing plans can create secrets and secret scopes. Using secret access control, available with the Azure Databricks Premium Plan, you can configure fine-grained permissions for managing access to those scopes. This guide describes how to set up these controls.

Secret access control

Access control for secrets is managed at the secret scope level. An access control list (ACL) defines a relationship between an Azure Databricks principal (a user or a group), a secret scope, and a permission level. In general, a user acts with the most powerful permission available to them (see Permission levels).

When a secret is read from a notebook using the Secrets utilities, the permission check is applied to the user who is executing the command, and that user must have at least READ permission on the scope.

When a scope is created, an initial MANAGE permission level ACL is applied to the scope for the creating principal. Subsequent access control configuration can be performed by that principal.

Permission levels

The secret access permissions are as follows:

  • MANAGE - Allowed to change ACLs, and to read and write secrets in this secret scope.
  • WRITE - Allowed to read and write secrets in this secret scope.
  • READ - Allowed to read secrets in this secret scope and to list which secrets are available.

Each permission level is a superset of the level below it (that is, a principal with WRITE permission on a given scope can perform every action that requires READ permission, and MANAGE includes everything WRITE allows).

Note

Databricks admins have MANAGE permission on all secret scopes in the workspace.

Create a secret ACL

To create a secret ACL for a given secret scope using the Databricks CLI (version 0.7.1 and above), run:

databricks secrets put-acl --scope <scope-name> --principal <principal> --permission <permission>

Making a put request for a principal that already has an applied permission overwrites the existing permission level.

View secret ACLs

To view all secret ACLs for a given secret scope, run:

databricks secrets list-acls --scope <scope-name>

To get the secret ACL applied to a specific principal for a given secret scope, run:

databricks secrets get-acl --scope <scope-name> --principal <principal>

If no ACL exists for the given principal and scope, this request fails.

Delete a secret ACL

To delete the secret ACL applied to a principal for a given secret scope, run:

databricks secrets delete-acl --scope <scope-name> --principal <principal>
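The following is an added illustrative model of the semantics described in the Permission levels section and in the put-acl / get-acl / delete-acl procedure above; it is not Databricks' implementation. It assumes a hypothetical in-memory SecretScopeAcl class and constructed sample principals, and shows how an effective permission is resolved when a user is covered by several ACLs (directly and via groups), how a put overwrites an earlier level, and a small audit helper listing who can write secrets or change ACLs.

```python
from enum import IntEnum


# Ordered so that a higher value implies every right of the lower levels
# (READ < WRITE < MANAGE), mirroring the documented permission hierarchy.
class Permission(IntEnum):
    READ = 1
    WRITE = 2
    MANAGE = 3


class SecretScopeAcl:
    """In-memory model of one secret scope's ACL (illustrative, not Databricks code)."""

    def __init__(self, scope, creator, admins=()):
        self.scope = scope
        # The creating principal receives the initial MANAGE ACL.
        self.acls = {creator: Permission.MANAGE}
        self.admins = set(admins)  # workspace admins hold MANAGE on every scope

    def put_acl(self, principal, permission):
        # A put for a principal that already has an ACL overwrites the old level.
        self.acls[principal] = Permission[permission]

    def get_acl(self, principal):
        # Like `databricks secrets get-acl`, this fails when no ACL exists.
        if principal not in self.acls:
            raise KeyError(f"no ACL for {principal!r} on scope {self.scope!r}")
        return self.acls[principal]

    def delete_acl(self, principal):
        self.get_acl(principal)  # same failure mode as get when nothing exists
        del self.acls[principal]

    def effective_permission(self, user, groups=()):
        """Most powerful permission granted to the user directly or via any group."""
        if user in self.admins:
            return Permission.MANAGE
        granted = [self.acls[p] for p in (user, *groups) if p in self.acls]
        return max(granted) if granted else None

    def can_read(self, user, groups=()):
        """Check a notebook secret read needs: at least READ on the scope."""
        perm = self.effective_permission(user, groups)
        return perm is not None and perm >= Permission.READ


def audit_privileged(acl):
    """Principals that can write secrets or change ACLs (WRITE or MANAGE)."""
    return sorted(p for p, perm in acl.acls.items() if perm >= Permission.WRITE)
```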