Root Storage account Isolation in unity catalog

Question

Root Storage account Isolation in unity catalog

Azuretech 95

I want to do the setting so that while creating any catalog/schema , even if user select default storage (not specify his/her own storage),It will not able to write the managed data in root storage account and user will force to create their own external location for storage. Please suggest what changes i need to do in root storage account as I want it to be secure .

Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-19T01:50:55.5166667+00:00

Hello Azuretech, Welcome to the MS Q&A platform. I am reaching out to my internal team to see what changes need to for the settings here. I will get back to you as soon as I hear from them.
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-19T22:22:06.8966667+00:00

Hello Azuretech, <update> Please try setting the credentials as "read only" for the default storage. That should prevent users from writing to the external location. I hope this helps. Please let us know if you still have any issues.
Azuretech 95 Reputation points

2023-04-20T05:25:08.2433333+00:00

@Bhargava-MSFT My requirement is not forbidding the users to use external location. I want them to use their own location(external location) . I want to restrict the default root location(storage given while metastore creation) so that No users will be able to write on the default location .if you dont give the location , it will write to default root location(by design). i want to restrict the user to use the default location. even if they try writing some managed table , it will give error.
Azuretech 95 Reputation points

2023-04-20T05:30:39.7633333+00:00

@Bhargava-MSFT My requirement is opposite . I want users to write on the External location only . even if they try to write on default root storage(storage given while metastore creation), it should not write and give error. users can only write to external not on the default one
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-25T23:22:50.33+00:00

Hello Azuretech, I am checking to see if the above solution is helpful here.
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-27T22:04:17.7366667+00:00

Hello Azuretech,

I am checking to see if you have any further questions here

1 answer

Your answer

Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-19T01:50:55.5166667+00:00

Hello Azuretech, Welcome to the MS Q&A platform. I am reaching out to my internal team to see what changes need to for the settings here. I will get back to you as soon as I hear from them.
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-19T22:22:06.8966667+00:00

Hello Azuretech, <update> Please try setting the credentials as "read only" for the default storage. That should prevent users from writing to the external location. I hope this helps. Please let us know if you still have any issues.
Azuretech 95 Reputation points

2023-04-20T05:25:08.2433333+00:00

@Bhargava-MSFT My requirement is not forbidding the users to use external location. I want them to use their own location(external location) . I want to restrict the default root location(storage given while metastore creation) so that No users will be able to write on the default location .if you dont give the location , it will write to default root location(by design). i want to restrict the user to use the default location. even if they try writing some managed table , it will give error.
Azuretech 95 Reputation points

2023-04-20T05:30:39.7633333+00:00

@Bhargava-MSFT My requirement is opposite . I want users to write on the External location only . even if they try to write on default root storage(storage given while metastore creation), it should not write and give error. users can only write to external not on the default one
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-25T23:22:50.33+00:00

Hello Azuretech, I am checking to see if the above solution is helpful here.
Bhargava-MSFT 31,361 Reputation points Microsoft Employee Moderator

2023-04-27T22:04:17.7366667+00:00

Hello Azuretech,

I am checking to see if you have any further questions here

Answer 1

Hello Azuretech,

To restrict users from writing to the default root storage and allow them to write only to the external location, you can set up a storage mount point for the external location and remove write permissions for the default root storage.

You can use Azure Blob Storage or Azure Data Lake Storage as the external location. Please follow these steps:

Create a storage mount point for the external location using the Databricks CLI or the UI
Remove write permissions for the default root storage
Grant write permissions for the external location

How to remove write permissions to default root storage:

Open the Databricks workspace.
Click on the Clusters tab and select the cluster you want to configure.
Click on the Edit button to edit the cluster configuration.
Scroll down to the Advanced Options section and click on the Spark tab.
In the Spark Config section, add the following configuration property: spark.databricks.acl.default. With a value of READ.
Click on the Confirm button to save the changes.
Restart the cluster for the changes to take effect.

User's image

I hope this helps. Please let me know if you have any further questions.

Share via

Root Storage account Isolation in unity catalog

1 answer

Your answer