Secret workflow example

In this workflow example, we use secrets to set up JDBC credentials for connecting to an Azure Data Lake Store.

Create a secret scope

Create a secret scope called jdbc.

To create a Databricks-backed secret scope:

databricks secrets create-scope --scope jdbc

To create an Azure Key Vault-backed secret scope, follow the instructions in Create an Azure Key Vault-backed secret scope.

Note

If your account does not have the Azure Databricks Premium Plan, you must create the scope with MANAGE permission granted to all users (the built-in "users" group). This means every user in the workspace can read, change and delete the secrets in that scope, so do not store credentials there that must be restricted to a subset of users. For example:

databricks secrets create-scope --scope jdbc --initial-manage-principal users

Create secrets

The method for creating the secrets depends on whether you are using an Azure Key Vault-backed scope or a Databricks-backed scope.

Create the secrets in an Azure Key Vault-backed scope

Add the secrets username and password using the Azure SetSecret REST API or the Azure portal UI:

(Screenshot: Add secrets to Azure Key Vault)

Create the secrets in a Databricks-backed scope

Add the secrets username and password. Run the following commands and enter each secret value in the editor that opens, so that the value never appears on the command line or in your shell history.

databricks secrets put --scope jdbc --key username
databricks secrets put --scope jdbc --key password

Use the secrets in a notebook

In a notebook, read the secrets stored in the secret scope jdbc to configure a JDBC connector:

// JDBC driver class and connection properties for the target data source
val driverClass = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
val connectionProperties = new java.util.Properties()
connectionProperties.setProperty("Driver", driverClass)

// Fetch the credentials from the secret scope at run time; the values are
// redacted if they are ever printed in the notebook output.
val jdbcUsername = dbutils.secrets.get(scope = "jdbc", key = "username")
val jdbcPassword = dbutils.secrets.get(scope = "jdbc", key = "password")
connectionProperties.setProperty("user", jdbcUsername)
connectionProperties.setProperty("password", jdbcPassword)

You can now use connectionProperties with the JDBC connector to talk to your data source. The values fetched from the scope are never displayed in the notebook (see Secret redaction).

Grant access to another group

Note

This step requires that your account have the Azure Databricks Premium Plan.

After verifying that the credentials are configured correctly, share them with the datascience group for use in their analysis.

Grant the datascience group read-only permission to these credentials by making the following request:

databricks secrets put-acl --scope jdbc --principal datascience --permission READ
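The two ACL decisions in this workflow (who may MANAGE the scope, and that datascience gets only READ) are easy to get wrong later, for example when a scope was first created with --initial-manage-principal users. The following script is an added example, not part of the Databricks documentation or CLI: it audits a scope's ACL listing against a least-privilege policy and produces the put-acl/delete-acl commands that bring it back into line. It assumes the JSON shape returned by the Secrets API list-ACLs call (GET /api/2.0/secrets/acls/list, {"items": [{"principal": ..., "permission": ...}]}); the admin group name jdbc-admins and the two ACL listings are constructed for the example.

```python
"""Audit a Databricks secret scope's ACLs for least privilege.

Added example (not the documentation page's or Databricks' own code). Input is
the JSON returned by GET /api/2.0/secrets/acls/list?scope=<name>, i.e.
{"items": [{"principal": "...", "permission": "READ|WRITE|MANAGE"}, ...]}.
"""
import json

# Policy for the "jdbc" scope: every principal that should have access and the
# maximum permission it may hold. "jdbc-admins" is an assumed group name.
POLICY = {
    "jdbc-admins": "MANAGE",   # can rotate secrets and edit ACLs
    "datascience": "READ",     # the read-only grant made in the workflow above
}
RANK = {"READ": 1, "WRITE": 2, "MANAGE": 3}   # permission strength ordering
ALL_USERS = "users"   # built-in group containing every workspace user

# Constructed sample ACL listings (not captured from a real workspace).
COMPLIANT_ACLS = json.dumps({"items": [
    {"principal": "jdbc-admins", "permission": "MANAGE"},
    {"principal": "datascience", "permission": "READ"},
]})
OVERBROAD_ACLS = json.dumps({"items": [
    {"principal": "users", "permission": "MANAGE"},        # initial-manage-principal users
    {"principal": "datascience", "permission": "WRITE"},   # more than the READ we intended
    {"principal": "contractors", "permission": "READ"},    # not in the policy at all
]})


def audit_scope_acls(scope, acl_json, policy=POLICY):
    """Return a list of findings; an empty list means the scope matches the policy."""
    items = json.loads(acl_json).get("items", [])
    findings = []
    for item in items:
        principal, perm = item["principal"], item["permission"]
        if perm not in RANK:
            findings.append(f"{scope}: unknown permission {perm!r} on {principal}")
        elif principal == ALL_USERS:
            # Any grant to "users" makes the secrets visible workspace-wide.
            findings.append(f"{scope}: '{ALL_USERS}' holds {perm}; scope is exposed to every user")
        elif principal not in policy:
            findings.append(f"{scope}: unexpected principal {principal} holds {perm}")
        elif RANK[perm] > RANK[policy[principal]]:
            findings.append(f"{scope}: {principal} holds {perm}, policy allows {policy[principal]}")
    if not any(i["permission"] == "MANAGE" for i in items):
        # Without a MANAGE principal nobody can rotate or revoke the secrets via ACL.
        findings.append(f"{scope}: no principal holds MANAGE")
    return findings


def remediation_commands(scope, acl_json, policy=POLICY):
    """Build the Databricks CLI commands that move the scope's ACLs to the policy.

    Grants are emitted before revocations so the admin group never loses MANAGE
    while the change is being applied.
    """
    current = {i["principal"]: i["permission"]
               for i in json.loads(acl_json).get("items", [])}
    cmds = []
    for principal, perm in policy.items():
        if current.get(principal) != perm:
            cmds.append(f"databricks secrets put-acl --scope {scope} "
                        f"--principal {principal} --permission {perm}")
    for principal in current:
        if principal not in policy:
            cmds.append(f"databricks secrets delete-acl --scope {scope} --principal {principal}")
    return cmds


if __name__ == "__main__":
    for finding in audit_scope_acls("jdbc", OVERBROAD_ACLS):
        print("FINDING:", finding)
    for cmd in remediation_commands("jdbc", OVERBROAD_ACLS):
        print("FIX:", cmd)
```

Feed it the output of `databricks secrets list-acls --scope jdbc --output JSON` and review the generated commands before running them; the script deliberately does not call the CLI itself.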