JohnnyHumphrey-3892 asked

Permission to run Synapse Spark pool

I have a role as Contributor in a Synapse Analytics workspace. I add a new Notebook (only 1 cell), but when I try to run it I get the error:

Failed to start session: {"error":{"code":"Unauthorized","message":"The principal '<my-principal-id-here>' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/bigDataPools/useCompute/action, Scope: workspaces/<our-workspace>/bigDataPools/<our-spark-pool> ."}}

According to the Synapse documentation on RBAC (https://docs.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles), Synapse Contributor is supposed to have workspaces/bigDataPools/useCompute/action. There is no Deny assignment in the workspace either. Why am I getting this error?

Tags: azure-synapse-analytics, azure-rbac

Hi @JohnnyHumphrey-3892,

Welcome to the Microsoft Q&A forum and thanks for reaching out. Could you please confirm whether you have the Contributor role assigned on the Azure Synapse Analytics resource in the Azure portal, or the Synapse Contributor role in Synapse Studio (workspace)?

In order to perform workspaces/bigDataPools/useCompute/action actions, the user should have one of these roles assigned - Synapse Administrator, Synapse Contributor, or Synapse Compute Operator - in the Synapse Studio Access control (i.e., within the workspace).

Please let us know what permissions you have in Synapse Studio (i.e., the workspace).

Thank you


KranthiPakala-MSFT answered

Hi @JohnnyHumphrey-3892,

Thanks for your response and additional details. I believe the confusion here is the difference between Azure RBAC (RBAC at Azure Synapse resource in Azure Portal - refer to image 1 below) and Synapse RBAC in Synapse Studio (Refer to image 2 below).

Image 1: Azure RBAC on Azure Synapse resource in Azure Portal


Azure RBAC is used to manage who can create, update, or delete the Synapse workspace and its SQL pools, Apache Spark pools, and Integration runtimes.



Image 2: Synapse RBAC in Synapse Studio


Synapse RBAC is used to manage who can:

  • Publish code artifacts and list or access published code artifacts,

  • Execute code on Apache Spark pools and Integration runtimes,

  • Access linked (data) services protected by credentials,

  • Monitor or cancel job execution, review job output, and execution logs.

Synapse RBAC is managed from within Synapse Studio using the Access control tools in the Manage hub.

Based on the details you have shared, I have noticed that your user has been granted Azure RBAC in the Azure portal but not Synapse RBAC in Synapse Studio, which is why the authorization error is thrown. A user with Synapse Administrator has to grant your user one of these roles - Synapse Administrator, Synapse Contributor, or Synapse Compute Operator - within Synapse Studio -> Manage hub -> Access control (i.e., within the workspace) in order to perform workspaces/bigDataPools/useCompute/action actions.



2 other things to note:

I have another subscription in a different directory, and I'm the one who created the Synapse workspace, resource group, storage account, and Spark pool, so I am of course the Owner there, and I have no problems running things.

Since you are the user who created the Azure Synapse resource, by default you have the Synapse Administrator role (Synapse RBAC permission) in Synapse Studio. Hence you haven't noticed any permission issue, as you have full privileges in Synapse Studio.


In the workspace above, where I get the error, I am a Guest on that subscription. I would think that wouldn't make a difference, since it is called Role-Based Access Control, and not Role-and-User-Type-Based Access Control, but could the fact that I am a guest in the subscription be affecting things?

Since you are a guest user on that resource, a user with the 'Synapse Administrator' role has to grant your user one of these roles - Synapse Administrator, Synapse Contributor, or Synapse Compute Operator - within Synapse Studio -> Manage hub -> Access control (i.e., within the workspace) in order to perform workspaces/bigDataPools/useCompute/action actions.


Here are a couple of helpful docs about Synapse RBAC:
- What is Synapse role-based access control (RBAC)?
- Synapse RBAC Roles


Hope this info clarifies. Do let us know if you have further query.



Thank you
Please consider clicking "Accept Answer" and "Upvote" on the post that helps you, as it can be beneficial to other community members.

So adding the Synapse Administrator role assignment does allow me to run the Spark pool, so that does answer the original question.

I'll note that I now get a different error:
AnalysisException : java.lang.RuntimeException: Operation failed: "This request is not authorized to perform this operation using this permission.", 403, HEAD, https://<our_storage_account>.dfs.core.windows.net/<our_container>/tmp/hive?upn=false&action=getStatus&timeout=90;

Comparing roles in the different Azure directories, I believe the problem may be that I need the Azure role Storage Blob Data Contributor on the storage account, whereas I am only Contributor in the directory/subscription where I am encountering this problem. This is interesting/confusing to me, since I was able to add the very folder and file to that storage account that my Spark job was getting an error while trying to access.





I realize that with the separation of both storage and compute, as well as the separation of Azure resources and Synapse resources, the various role interactions are going to be complex. I'm not convinced those interactions are what they should be. I will say that, from my view, since Synapse depends upon Azure resources, it would make sense if the Synapse Access Control page had some warnings or tips about potential changes you might want in the related Azure roles. For example, are there role pairings that tend to be inconsistent? I think I am experiencing one now, and it would be good to have a warning about that and have a link from Synapse RBAC to the workspace Azure RBAC setup to fix it.

Thanks,
Johnny


Hi @JohnnyHumphrey-3892, Glad to know that the above info was helpful.

Regarding Access issue to ADLS Gen2 please refer to this GitHub issue - https://github.com/MicrosoftDocs/azure-docs/issues/70324

And I totally agree with you that assigning RBAC roles at different locations/levels is a bit confusing. But this has been called out in this document: https://docs.microsoft.com/azure/synapse-analytics/security/synapse-workspace-access-control-overview

I will also take this feedback forward to the product team to see if we can make improvements from both a documentation and a product-feature standpoint, and will get back to you as soon as I hear back from them.

Thank you for your patience.


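As an added example (not code from the thread, from Microsoft, or from the Azure CLI project), the Python script below ties together the two errors discussed above: the Synapse RBAC "Failed to start session" error from the question and KranthiPakala-MSFT's answer, and the ADLS Gen2 403 from the comments. It parses each error, decides which control plane is missing the permission (Synapse RBAC inside the workspace versus Azure RBAC on the storage account), picks the least-privileged built-in role that carries it (Synapse Compute Operator rather than Synapse Administrator, and Storage Blob Data Contributor scoped to the single container), and prints the az command an administrator would run. The sample error strings are constructed from the ones quoted in the thread, the subscription id is a placeholder, and the az flags follow the public CLI reference, so check them against your installed version.

```python
"""Triage helper for the two authorization errors quoted in this thread.

Added example, not code from the thread, Synapse Studio or the Azure CLI.
Given the error text Synapse Studio shows, it says which control plane the
missing permission lives in, picks the least-privileged built-in role, and
prints the az command. Role names and az flags follow the public Azure docs
(verify against your CLI version); sample inputs are constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Least-privileged built-in Synapse RBAC role for each required action.
# Synapse Administrator and Synapse Contributor also carry useCompute, but
# they add publish/manage rights a notebook user does not need. Extend this
# table from the Synapse RBAC roles doc as you meet other actions.
SYNAPSE_LEAST_PRIV = {
    "Microsoft.Synapse/workspaces/bigDataPools/useCompute/action": "Synapse Compute Operator",
}

# Spark reads ADLS Gen2 with the notebook user's Azure AD identity, so the
# user needs an Azure RBAC data-plane role. Contributor/Owner on the account
# carry control-plane actions only (create the account, list keys), not the
# blob dataActions, hence the 403 even though the portal (which can fall back
# to the account key) let the user upload files.
STORAGE_DATA_ROLE = "Storage Blob Data Contributor"  # Reader suffices for read-only jobs


@dataclass
class Remediation:
    plane: str       # "synapse-rbac" or "azure-rbac"
    role: str
    scope: str
    principal: str
    command: str


SYNAPSE_MSG_RE = re.compile(
    r"principal '(?P<principal>[^']+)'.*?"
    r"Action: (?P<action>\S+),\s*Scope: (?P<scope>\S+)",
    re.S,
)
ADLS_RE = re.compile(
    r"(?P<status>\d{3}),\s*[A-Z]+,\s*"
    r"https://(?P<account>[^.]+)\.dfs\.core\.windows\.net/(?P<container>[^/?]+)"
)


def triage_synapse(text: str) -> Optional[Remediation]:
    """'Failed to start session' -> Synapse RBAC grant, scoped to the pool."""
    start = text.find("{")
    if start < 0:
        return None
    try:
        payload = json.loads(text[start:])
    except json.JSONDecodeError:
        return None
    err = payload.get("error", {}) if isinstance(payload, dict) else {}
    if err.get("code") != "Unauthorized":
        return None
    m = SYNAPSE_MSG_RE.search(err.get("message", ""))
    if not m:
        return None
    role = SYNAPSE_LEAST_PRIV.get(m["action"])
    if role is None:
        raise ValueError(f"no least-privilege mapping for {m['action']}")
    ws = re.match(r"workspaces/([^/]+)", m["scope"])
    if not ws:
        raise ValueError(f"unexpected Synapse scope {m['scope']}")
    # A Synapse Administrator must run this: as the thread shows, adding Azure
    # Owner on the resource did not grant it. --scope limits the grant to one
    # pool instead of the whole workspace.
    cmd = (
        f"az synapse role assignment create --workspace-name {ws.group(1)} "
        f'--role "{role}" --assignee-object-id {m["principal"]} '
        f"--assignee-principal-type User --scope {m['scope']}"
    )
    return Remediation("synapse-rbac", role, m["scope"], m["principal"], cmd)


def triage_storage(text: str, principal: str, subscription_id: str,
                   resource_group: str) -> Optional[Remediation]:
    """ADLS Gen2 403 -> Azure RBAC data role, scoped to the one container."""
    m = ADLS_RE.search(text)
    if not m or int(m["status"]) != 403:
        return None
    scope = (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Storage/storageAccounts/{m['account']}"
        f"/blobServices/default/containers/{m['container']}"
    )
    cmd = (
        f'az role assignment create --role "{STORAGE_DATA_ROLE}" '
        f"--assignee-object-id {principal} --assignee-principal-type User "
        f"--scope {scope}"
    )
    return Remediation("azure-rbac", STORAGE_DATA_ROLE, scope, principal, cmd)


# Constructed from the two errors quoted in the thread (not captured live).
SAMPLE_SYNAPSE_ERROR = (
    'Failed to start session: {"error":{"code":"Unauthorized","message":"The '
    "principal 'b57975cd-2e46-4164-a972-9a4c0969cc5a' does not have the required "
    "Synapse RBAC permission to perform this action. Required permission: Action: "
    "Microsoft.Synapse/workspaces/bigDataPools/useCompute/action, Scope: "
    'workspaces/test-dataproject-synapse-workspace/bigDataPools/devdataspark ."}}'
)
SAMPLE_STORAGE_ERROR = (
    "AnalysisException : java.lang.RuntimeException: Operation failed: "
    '"This request is not authorized to perform this operation using this '
    'permission.", 403, HEAD, https://devdataproject.dfs.core.windows.net/'
    "avalondata/tmp/hive?upn=false&action=getStatus&timeout=90;"
)
PRINCIPAL = "b57975cd-2e46-4164-a972-9a4c0969cc5a"

if __name__ == "__main__":
    fixes = [
        triage_synapse(SAMPLE_SYNAPSE_ERROR),
        triage_storage(SAMPLE_STORAGE_ERROR, PRINCIPAL, "<subscription-id>",
                       "dev-usncentral-improving-dataproject"),
    ]
    for r in fixes:
        print(f"[{r.plane}] grant '{r.role}' at {r.scope}\n  {r.command}\n")
```

Run it as-is to see the two grant commands; in practice paste in the error text copied from Synapse Studio. Nothing here calls Azure: the script only produces the commands, so the person holding Synapse Administrator in the workspace (for the first) or Owner / User Access Administrator on the storage account (for the second) still has to run them, and a guest user in the directory cannot do either for themselves.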

Hi @JohnnyHumphrey-3892,

Here is a documentation that explains how to control access to a Synapse workspace using Azure roles, Synapse roles, SQL permissions, and Git permissions: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-set-up-access-control

Synapse access control can be simplified by using security groups that are aligned with the roles and personas in your organization. You only need to add and remove users from security groups to manage access. The approach taken in the above guide is to create several security groups and then assign roles to these groups. After the groups are set up, you only need to manage membership within the security groups to control access to the workspace which would ultimately avoid the above confusion.

Hope this helps. Do let us know if you have any further questions.

Thank you




Hi @JohnnyHumphrey-3892 ,

Following up to check whether the above documentation was helpful in understanding Synapse Access Control. Do let us know if you have any feedback.

Thank you

JohnnyHumphrey-3892 answered

1) Workspace Info
Workspace: test-dataproject-synapse-workspace
Resource Group: dev-usncentral-improving-dataproject
Storage Account: devdataproject
Primary File Storage: avalondata
Apache Spark Pool: devdataspark

2) Resource Group Info
It includes the workspace and Spark pool above

3) Workspace Role Assignment
My role assignment in the workspace is Contributor, inherited from the resource group

4) User ID
This will be in the error message.

5) Data
This actually doesn't matter because the Spark pool never starts, but the data that I refer to in the Notebook does exist.

6) Error Message
The Spark pool is shown. The error message is:
Failed to start session: {"error":{"code":"Unauthorized","message":"The principal 'b57975cd-2e46-4164-a972-9a4c0969cc5a' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/bigDataPools/useCompute/action, Scope: workspaces/test-dataproject-synapse-workspace/bigDataPools/devdataspark ."}}

Let me know if there is anything else that you need.

Thanks,
Johnny




JohnnyHumphrey-3892 answered

New and additional info: the User Access Administrator added the Owner role to my role assignments (screenshot below). I logged off of Azure and closed Edge, opened a new browser window and logged in again, verified the new role privilege, then went to run a Notebook and got the same error (screenshot also below). The error message:

Failed to start session: {"error":{"code":"Unauthorized","message":"The principal 'b57975cd-2e46-4164-a972-9a4c0969cc5a' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/bigDataPools/useCompute/action, Scope: workspaces/test-dataproject-synapse-workspace/bigDataPools/devdataspark ."}}

2 other things to note:

  1. I have another subscription in a different directory, and I'm the one who created the Synapse workspace, resource group, storage account, and Spark pool, so I am of course the Owner there, and I have no problems running things.

  2. In the workspace above, where I get the error, I am a Guest on that subscription. I would think that wouldn't make a difference, since it is called Role-Based Access Control, and not Role-and-User-Type-Based Access Control, but could the fact that I am a guest in the subscription be affecting things?

Thanks,
Johnny

New role added: [screenshot]

Same error message: [screenshot]


