Workspace object access control

Note

Access control is available only in the Azure Databricks Premium Plan.

By default, all users can create and modify workspace objects (folders, notebooks, experiments, and models) unless an administrator enables workspace object access control. With workspace object access control enabled, individual permissions determine what a user can do. This article describes the individual permissions and how to configure workspace object access control.

Before you can use workspace object access control, an Azure Databricks admin must enable it for the workspace. See Enable workspace object access control.

Folder permissions

You can assign five permission levels to folders: No Permissions, Read, Run, Edit, and Manage. The table lists the abilities granted by each permission.

Ability                           | No Permissions | Read | Run | Edit | Manage
List items in folder              | x              | x    | x   | x    | x
View items in folder              |                | x    | x   | x    | x
Clone and export items            |                | x    | x   | x    | x
Create, import, and delete items  |                |      |     |      | x
Move and rename items             |                |      |     |      | x
Change permissions                |                |      |     |      | x

Notebooks and experiments in a folder inherit all permission settings of that folder. For example, a user who has Run permission on a folder has Run permission on the notebooks in that folder.

Default folder permissions

  • Independent of workspace object access control, the following permissions exist:
    • All users have Manage permission for items in the Workspace > Shared folder. You can grant Manage permission on notebooks and folders by moving them to the Shared folder.
    • All users have Manage permission for objects they create.
  • With workspace object access control disabled, the following permissions exist:
    • All users have Edit permission for items in the Workspace folder.
  • With workspace object access control enabled, the following permissions exist:
    • Workspace folder
      • Only administrators can create new items in the Workspace folder.
      • Existing items in the Workspace folder - Manage. For example, if the Workspace folder contained the Documents and Temp folders, all users continue to have Manage permission for those folders.
      • New items in the Workspace folder - No Permissions.
    • A user has the same permission on every item in a folder, including items created in or moved into the folder after the permissions were set, as the user has on the folder itself.
    • User home directory - The user has Manage permission. All other users have No Permissions.

Notebook permissions

You can assign five permission levels to notebooks: No Permissions, Read, Run, Edit, and Manage. The table lists the abilities granted by each permission.

Ability                              | No Permissions | Read | Run | Edit | Manage
View cells                           |                | x    | x   | x    | x
Comment                              |                | x    | x   | x    | x
Run via %run or notebook workflows   |                | x    | x   | x    | x
Attach and detach notebooks          |                |      | x   | x    | x
Run commands                         |                |      | x   | x    | x
Edit cells                           |                |      |     | x    | x
Change permissions                   |                |      |     |      | x
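The two tables above and the folder inheritance rule, written out as a small permission evaluator. This is an added example, not code from the Azure Databricks documentation; the ACL dictionaries are constructed, and it assumes that a direct grant on a notebook and the grant inherited from its folder combine to the more permissive level.

```python
# Added example, not from the Azure Databricks documentation: a small model of the
# folder and notebook permission tables, including folder-to-notebook inheritance.
from typing import Dict

LEVELS = ["No Permissions", "Read", "Run", "Edit", "Manage"]  # least to most permissive

# Lowest level that grants each ability, read off the two tables.
FOLDER_ABILITIES = {
    "list items in folder": "No Permissions",
    "view items in folder": "Read",
    "clone and export items": "Read",
    "create, import, and delete items": "Manage",
    "move and rename items": "Manage",
    "change permissions": "Manage",
}
NOTEBOOK_ABILITIES = {
    "view cells": "Read",
    "comment": "Read",
    "run via %run or notebook workflows": "Read",
    "attach and detach notebooks": "Run",
    "run commands": "Run",
    "edit cells": "Edit",
    "change permissions": "Manage",
}

def _rank(level: str) -> int:
    return LEVELS.index(level)

def folder_level(user: str, folder_acl: Dict[str, str]) -> str:
    return folder_acl.get(user, "No Permissions")

def notebook_level(user: str, notebook_acl: Dict[str, str], folder_acl: Dict[str, str]) -> str:
    """A notebook inherits its folder's grant, and a grant made directly on the
    notebook also applies. Assumption: the two combine to the more permissive level."""
    direct = notebook_acl.get(user, "No Permissions")
    return max(direct, folder_level(user, folder_acl), key=_rank)

def can_on_folder(user: str, ability: str, folder_acl: Dict[str, str]) -> bool:
    return _rank(folder_level(user, folder_acl)) >= _rank(FOLDER_ABILITIES[ability])

def can_on_notebook(user: str, ability: str, notebook_acl: Dict[str, str],
                    folder_acl: Dict[str, str]) -> bool:
    level = notebook_level(user, notebook_acl, folder_acl)
    return _rank(level) >= _rank(NOTEBOOK_ABILITIES[ability])

# Constructed ACLs: alice has Run on the folder only, bob has Edit directly on one
# notebook inside it, and carol has no grant anywhere.
FOLDER_ACL = {"alice": "Run"}
NOTEBOOK_ACL = {"bob": "Edit"}
```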

Configure notebook and folder permissions

Note

This section describes how to manage permissions using the UI. You can also use the Permissions API.

  1. Open the permissions dialog:

    • Notebook - click Permissions in the notebook context bar.
    • Folder - select Permissions in the folder's drop-down menu.

  2. To grant permissions to a user or group, select the user or group from the Add Users and Groups drop-down, select the permission, and click Add.

    To change the permissions of a user or group, select the new permission from the permission drop-down.

  3. Click Save Changes to save your changes or click Cancel to discard your changes.
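For the Permissions API route mentioned in the note, the check a reviewer usually wants is who holds Manage on an object and whether that grant was inherited from a parent folder. This is an added example, not code from the Azure Databricks documentation: it reads the Permissions API endpoint GET /api/2.0/permissions/{object_type}/{object_id} and its access_control_list response shape, and the sample response below is constructed.

```python
# Added example, not from the Azure Databricks documentation: list every non-admin
# principal that holds CAN_MANAGE on an object, using the Permissions API response.
import json
import urllib.request
from typing import Dict, List

ADMIN_GROUPS = {"admins"}  # the admins group has Manage on everything by design

def fetch_acl(host: str, token: str, object_type: str, object_id: str) -> dict:
    """GET /api/2.0/permissions/{object_type}/{object_id}, e.g. object_type="notebooks".
    Needs network access to a workspace; not exercised by the sample below."""
    req = urllib.request.Request(
        f"{host}/api/2.0/permissions/{object_type}/{object_id}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def manage_holders(acl: dict) -> List[Dict[str, object]]:
    """Return non-admin principals with CAN_MANAGE and where the grant came from."""
    findings = []
    for entry in acl.get("access_control_list", []):
        principal = (entry.get("user_name") or entry.get("group_name")
                     or entry.get("service_principal_name"))
        if principal in ADMIN_GROUPS:
            continue
        for perm in entry.get("all_permissions", []):
            if perm.get("permission_level") == "CAN_MANAGE":
                findings.append({
                    "principal": principal,
                    "inherited": bool(perm.get("inherited", False)),
                    "source": perm.get("inherited_from_object", []),
                })
    return findings

# Constructed sample response for a notebook whose parent folder was shared with the
# built-in all-users group ("users") at Manage level; the notebook inherits that grant.
SAMPLE_ACL = {
    "object_id": "/notebooks/1234",
    "object_type": "notebook",
    "access_control_list": [
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True,
                              "inherited_from_object": ["/directories/"]}]},
        {"group_name": "users",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True,
                              "inherited_from_object": ["/directories/42"]}]},
        {"user_name": "alice@example.com",
         "all_permissions": [{"permission_level": "CAN_RUN", "inherited": False}]},
    ],
}
```

A finding whose source is a directory means the fix belongs on that folder, since every item in it inherits the same level.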

MLflow Experiment permissions

You can assign four permission levels to MLflow Experiments: No Permissions, Read, Edit, and Manage. The table lists the abilities granted by each permission.

Ability                                   | No Permissions | Read | Edit | Manage
View run info, search, compare runs       |                | x    | x    | x
View, list, and download run artifacts    |                | x    | x    | x
Create, delete, and restore runs          |                |      | x    | x
Log run params, metrics, tags             |                |      | x    | x
Log run artifacts                         |                |      | x    | x
Edit experiment tags                      |                |      | x    | x
Purge runs and experiments                |                |      |      | x
Grant permissions                         |                |      |      | x

Note

  • Experiment permissions are enforced only on artifacts stored in DBFS locations managed by MLflow. For more information, see MLflow Artifact permissions.
  • Creating, deleting, and restoring an experiment requires Edit or Manage access to the folder containing the experiment.
  • You can specify the Run permission for experiments. It is enforced the same way as Edit.

Configure MLflow experiment permissions

  1. Open the permissions dialog. Click Permissions in the notebook context bar.

  2. Grant permissions. All users in your account belong to the group all users. Administrators belong to the group admins, which has Manage permission on all items.

    To grant permissions to a user or group, select the user or group from the Add Users and Groups drop-down, select the permission, and click Add.

    To change the permissions of a user or group, select the new permission from the permission drop-down.

  3. Click Save Changes to save your changes or click Cancel to discard your changes.

MLflow Artifact permissions

Each MLflow Experiment has an Artifact Location that is used to store artifacts logged to MLflow runs. Starting in MLflow 1.11, artifacts are stored by default in an MLflow-managed subdirectory of the Databricks File System (DBFS). MLflow experiment permissions apply to artifacts stored in these managed locations, which have the prefix dbfs:/databricks/mlflow-tracking. To download or log an artifact, you must have the appropriate level of access to its associated MLflow experiment.

Note

  • Artifacts stored in MLflow-managed locations can be accessed only with the MLflow Client (version 1.9.1 or later), which is available for Python, Java, and R. Other access mechanisms, such as dbutils and the DBFS API, are not supported for MLflow-managed locations.
  • You can also specify your own artifact location when creating an MLflow experiment. Experiment access controls are not enforced on artifacts stored outside the default MLflow-managed DBFS directory.

MLflow Model permissions

You can assign six permission levels to MLflow Models registered in the MLflow Model Registry: No Permissions, Read, Edit, Manage Staging Versions, Manage Production Versions, and Manage. The table lists the abilities granted by each permission.

Note

A model version inherits permissions from its parent model; you cannot set permissions on individual model versions.

Ability | No Permissions | Read | Edit | Manage Staging Versions | Manage Production Versions | Manage
Create a model | x | x | x | x | x | x
View model details, versions, stage transition requests, activities, and artifact download URIs | | x | x | x | x | x
Request a model version stage transition | | x | x | x | x | x
Add a version to a model | | | x | x | x | x
Update model and version description | | | x | x | x | x
Transition model version between stages | | | | x (between None, Archived, and Staging) | x | x
Approve or reject a model version stage transition request | | | | x (between None, Archived, and Staging) | x | x
Cancel a model version stage transition request (see Note) | | | | | | x
Modify permissions | | | | | | x
Rename model | | | | | | x
Delete model and model versions | | | | | | x

Note

The creator of a stage transition request can also cancel that request.
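The stage-related rows of the model table, together with the note about a request's creator, as decision functions. This is an added example, not code from the Azure Databricks documentation; the stage names None, Staging, Production, and Archived are the MLflow Model Registry stages, and the user names in the checks are constructed.

```python
# Added example, not from the Azure Databricks documentation: the MLflow Model
# permission rules for stage transition requests, as written in the table and note.
LEVELS = ["No Permissions", "Read", "Edit", "Manage Staging Versions",
          "Manage Production Versions", "Manage"]  # least to most permissive
NON_PRODUCTION_STAGES = {"None", "Archived", "Staging"}

def _rank(level: str) -> int:
    return LEVELS.index(level)

def can_request_transition(level: str) -> bool:
    """Any level from Read upward may request a stage transition."""
    return _rank(level) >= _rank("Read")

def can_transition(level: str, from_stage: str, to_stage: str) -> bool:
    """Perform, approve, or reject a transition. Manage Staging Versions is limited to
    moves among None, Archived, and Staging; Manage Production Versions and Manage may
    also move a version into or out of Production."""
    if _rank(level) >= _rank("Manage Production Versions"):
        return True
    if level == "Manage Staging Versions":
        return from_stage in NON_PRODUCTION_STAGES and to_stage in NON_PRODUCTION_STAGES
    return False

def can_cancel_request(level: str, user: str, request_creator: str) -> bool:
    """Only Manage can cancel a pending request, except that its creator always can."""
    return level == "Manage" or user == request_creator

def review_request(level: str, from_stage: str, to_stage: str) -> str:
    """What a reviewer with the given level may do with a pending request."""
    if not can_request_transition(level):
        return "no access"
    if can_transition(level, from_stage, to_stage):
        return "may approve or reject"
    return "may view only"
```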

Default MLflow Model permissions

  • Independent of workspace object access control, the following permissions exist:
    • All users have permission to create a new registered model.
    • All administrators have Manage permission for all models.
  • With workspace object access control disabled, the following permissions exist:
    • All users have Manage permission for all models.
  • With workspace object access control enabled, the following default permissions exist:
    • All users have Manage permission for models they create.
    • Non-administrator users have No Permissions on models they did not create.

Configure MLflow Model permissions

All users in your account belong to the group all users. Administrators belong to the group admins, which has Manage permission on all objects.

Note

This section describes how to manage permissions using the UI. You can also use the Permissions API.

  1. Click the Models icon in the sidebar.

  2. Click a model name.

  3. Click the drop-down button at the right of the model name and select Permissions.

  4. Click the Select User or Group drop-down and select a user or group.

  5. Select a permission. To change the permissions of a user or group, select the new permission from the permission drop-down.

  6. Click Add.

  7. Click Save to save your changes or Cancel to discard your changes.

MLflow Model Artifact permissions

The model files for each MLflow model version are stored in an MLflow-managed location with the prefix dbfs:/databricks/model-registry/.

To get the exact location of the files for a model version, you must have Read access to the model. Use the REST API endpoint /api/2.0/mlflow/model-versions/get-download-uri. After obtaining the URI, you can use the DBFS API to download the files.

The MLflow Client (for Python, Java, and R) provides several convenience methods that wrap this workflow to download and load the model, such as mlflow.<flavor>.load_model().

Note

Other access mechanisms, such as dbutils and %fs, are not supported for MLflow-managed file locations.

Library and jobs access control

Library - All users can view libraries. To control who can attach libraries to clusters, see Cluster access control.

Jobs - To control who can run jobs and see the results of job runs, see Jobs access control.