Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
2,080 questions
Azure Databricks ADLS gen2 mount fails
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 42%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
ROVERE Lorenzo
21
Reputation points
Hi all,
We have some problems when trying to mount ADLS gen2 storage. The error when we run "dbutils.fs.mount" is:
Operation failed: "This request is not authorized to perform this operation.", 403, HEAD, https://<storage-account-name>.dfs.core.windows.net/<container-name>/?upn=false&action=getAccessControl&timeout=90
The service principal has the recommended rights on the container, but we are afraid the firewall is blocking the traffic, so the Security Team is asking us the IP AND ports Databricks is trying to access the storage account. We cannot find any information about the ports used (the IP is simple). From the Driver Logs, before the errors, we see:
*Thu Mar 17 16:42:05 2022 Initialized gateway on port 37791
Thu Mar 17 16:42:07 2022 Python shell executor start
ExecutionError Traceback (most recent call last)
<command-1975187649771274> in <module>
15
16
---> 17 dbutils.fs.mount(
18 source = "abfss://<container-name>@<storage-account-name>.dfs.core.windows.net",
19 mount_point = "/mnt/hdfsGen2Mount/",
/databricks/python_shell/dbruntime/dbutils.py in f_with_exception_handling(*args, **kwargs)
379 exc.context = None
380 exc.cause = None
--> 381 raise exc
382
383 return f_with_exception_handling
ExecutionError: An error occurred while calling o305.mount.
: Operation failed: "This request is not authorized to perform this operation.", 403, HEAD, https://<storage-account-name>.dfs.core.windows.net/<container-name>/?upn=false&action=getAccessControl&timeout=90
at shaded.databricks.azurebfs.org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.execute(AbfsRestOperation.java:241)
at shaded.databricks.azurebfs.org.apache.hadoop.fs.azurebfs.services.AbfsClient.getAclStatus(AbfsClient.java:768)
at shaded.databricks.azurebfs.org.apache.hadoop.fs.azurebfs.services.AbfsClient.getAclStatus(AbfsClient.java:750)
at shaded.databricks.azurebfs.org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.getIsNamespaceEnabled(AzureBlobFileSystemStore.java:313)
at shaded.databricks.azurebfs.org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.getFileStatus(AzureBlobFileSystemStore.java:821)
at shaded.databricks.azurebfs.org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.getFileStatus(AzureBlobFileSystem.java:628)
at com.databricks.backend.daemon.dbutils.DBUtilsCore.verifyAzureFileSystem(DBUtilsCore.scala:772)
at com.databricks.backend.daemon.dbutils.DBUtilsCore.mount(DBUtilsCore.scala:720)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at py4j.reflection.MethodInvoker.invoke(MethodInvoker.java:244)
at py4j.reflection.ReflectionEngine.invoke(ReflectionEngine.java:380)
at py4j.Gateway.invoke(Gateway.java:295)
at py4j.commands.AbstractCommand.invokeMethod(AbstractCommand.java:132)
at py4j.commands.CallCommand.execute(CallCommand.java:79)
at py4j.GatewayConnection.run(GatewayConnection.java:251)
at java.lang.Thread.run(Thread.java:748)
Thu Mar 17 16:52:54 2022 Python shell started with PID 1045 and guid eac79ab5168148fabe12f3f627017bbb
Thu Mar 17 16:52:54 2022 Initialized gateway on port 42045
Thu Mar 17 16:52:55 2022 Python shell executor start
Thu Mar 17 16:53:26 2022 Python shell started with PID 1076 and guid 87da3fe8ff02445c842d7cb60d976c48
Thu Mar 17 16:53:26 2022 Initialized gateway on port 41209
Thu Mar 17 16:53:26 2022 Python shell executor start
KeyboardInterrupt Traceback (most recent call last)
<command-3523407472135170> in <module>
16 if returncode != 0 and False:
17 raise subprocess.CalledProcessError(returncode, cmd)
---> 18 ____databricks_percent_sh()
19 finally:
20 del ____databricks_percent_sh
<command-3523407472135170> in ____databricks_percent_sh()
10 stdout = subprocess.PIPE,
11 universal_newlines = True)
---> 12 for line in iter(p.stdout.readline, ''):
13 sys.stdout.write(line)
14 sys.stdout.flush()
KeyboardInterrupt: Dropped logging in PythonShell:*
In this example ports used seems to be 37791, 42045, 41209. so we suppose the ports stays in a range, but we cannot identify this range. Any ideas? Thanks
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
HimanshuSinha-msft 19,386 Reputation points Microsoft Employee2022-03-21T20:01:57.29+00:00 Hello @ROVERE Lorenzo ,
Thanks for the question and using MS Q&A platform.
As we understand the ask here is to get rid of the 403 error whch youa re encountering when connecting to ADLA gen2 whcih is behind a firewall , please do let us know if its not accurate.
Databricks being a managed services offering, its designed to abstract the complexity of having to manage the finer networking details of your underlying infrastructure such as IP addresses , so you will not have an static IP by default but you can always set that up . Please read the same here
https://learn.microsoft.com/en-us/azure/databricks/kb/cloud/azure-vnet-single-ip
<<snippet from the doc >>
You can use an Azure Firewall to create a VNet-injected workspace in which all clusters have a single IP outbound address. The single IP address can be used as an additional security layer with other Azure services and applications that allow access based on specific IP addresses.Please do let me if you have any queries.
Thanks
Himanshu -
ROVERE Lorenzo 21 Reputation points
2022-03-22T08:23:57.84+00:00 Hi @HimanshuSinha-msft , thanks for the response. Yes, the ask is to get rid of the 403 error. Do you know the port Databricks uses to connect to the ADLS gen2 storage when we try to execute dbutils.fs.mount?
I don't know of it's correct, but from this article ( https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject#network-security-group-rules-for-workspaces-created-after-january-13-2020 ) port 443 is the destination port for the storage. Is that correct? Can we add this port as a rule in our firewall? Thanks
Sign in to comment