

Grant permissions programmatically

Important

Lakebase Autoscaling is available in the following regions: eastus, eastus2, centralus, southcentralus, westus, westus2, canadacentral, brazilsouth, northeurope, uksouth, westeurope, australiaeast, centralindia, southeastasia.

Lakebase Autoscaling is the latest version of Lakebase, with autoscaling compute, scale-to-zero, branching, and instant restore. If you are a Lakebase Provisioned user, see Lakebase Provisioned.

Lakebase project permissions can be managed programmatically through the standard Azure Databricks Permissions API, the Azure Databricks CLI, the Azure Databricks SDKs, and Terraform.

For an overview of the permission types, the default permissions, and how to manage permissions in the Lakebase UI, see Manage project permissions.

Permission levels

The permission levels that can be granted on a Lakebase project are CAN_USE and CAN_MANAGE. CAN_CREATE is an inherited level that flows automatically from the workspace to all users; it cannot be explicitly granted or revoked on a project. Attempting to grant CAN_CREATE through the API returns HTTP 400.

A project ID is a UUID (for example, a446ad92-e936-454b-a31c-a0742e53dd5c). Retrieve yours with databricks postgres list-projects and read the uid field.

REST API

Project permissions use the standard Azure Databricks Permissions API at /api/2.0/permissions/database-projects/{project_id}.

Get current permissions

curl -X GET "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
  -H "Authorization: Bearer ${DATABRICKS_TOKEN}" | jq

Grant or update permissions (PATCH)

curl -X PATCH "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
  -H "Authorization: Bearer ${DATABRICKS_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "access_control_list": [
      {
        "user_name": "user@example.com",
        "permission_level": "CAN_USE"
      }
    ]
  }'

To grant permissions to a group or a service principal, replace user_name with group_name or service_principal_name.

Note

PATCH is additive and cannot lower an existing higher permission. For example, patching CAN_USE onto a user who already holds CAN_MANAGE has no effect. To downgrade or remove a permission, use PUT instead.

Replace all explicit permissions (PUT)

Warning

PUT replaces the entire explicit ACL. Any user, group, or service principal not included in the request body loses its explicit grant. Inherited permissions (for example, those of workspace admins) are not affected.

curl -X PUT "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
  -H "Authorization: Bearer ${DATABRICKS_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "access_control_list": [
      {
        "user_name": "user@example.com",
        "permission_level": "CAN_MANAGE"
      }
    ]
  }'

For the full Permissions API reference, see Permissions API.
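The read-modify-write that the PATCH and PUT notes above imply, written out as an added example (this is not code from the original page or from Databricks): it flattens a GET response into PUT-shaped entries, drops inherited grants so they are not re-sent as explicit ones, lowers or revokes a single principal while leaving every other explicit grant in place, and refuses CAN_CREATE client-side rather than waiting for the API's HTTP 400. The GET response embedded below is constructed to match the documented response shape, not captured from a workspace, and apply_acl is a hypothetical helper that issues the PUT with urllib when DATABRICKS_HOST and DATABRICKS_TOKEN are set.

```python
"""Downgrade or revoke one principal on a Lakebase project without touching the others.

PATCH cannot lower a permission, and PUT replaces the whole explicit ACL, so a safe
downgrade is a read-modify-write: GET, strip inherited entries, edit one principal, PUT.
"""
import json
import os
import urllib.request
from typing import Optional

# Only these can be granted on a project; CAN_CREATE is inherited from the workspace
# and the API answers HTTP 400 if you try to grant it. Rejecting it here fails fast.
GRANTABLE = {"CAN_USE", "CAN_MANAGE"}
PRINCIPAL_FIELDS = ("user_name", "group_name", "service_principal_name")


def principal_of(entry: dict) -> tuple:
    """Return (field, value) for whichever identity field is set on an ACL entry."""
    for field in PRINCIPAL_FIELDS:
        if entry.get(field):
            return field, entry[field]
    raise ValueError("ACL entry without a principal: %r" % (entry,))


def explicit_acl(get_response: dict) -> list:
    """Flatten a GET /permissions response into PUT-shaped entries.

    Inherited grants (for example workspace admins' CAN_MANAGE) are dropped: they come
    back on their own, and re-sending them would turn them into explicit grants.
    """
    acl = []
    for entry in get_response.get("access_control_list", []):
        field, name = principal_of(entry)
        for perm in entry.get("all_permissions", []):
            if perm.get("inherited"):
                continue
            acl.append({field: name, "permission_level": perm["permission_level"]})
    return acl


def rebuild_acl(explicit: list, field: str, name: str, new_level: Optional[str]) -> list:
    """Return `explicit` with `name` set to `new_level`; None removes the principal."""
    if new_level is not None and new_level not in GRANTABLE:
        raise ValueError("%s cannot be granted on a project" % new_level)
    kept = [e for e in explicit if e.get(field) != name]
    if new_level is not None:
        kept.append({field: name, "permission_level": new_level})
    return kept


def apply_acl(project_id: str, acl: list) -> dict:
    """Hypothetical helper: PUT the rebuilt ACL using DATABRICKS_HOST / DATABRICKS_TOKEN."""
    url = "https://%s/api/2.0/permissions/database-projects/%s" % (
        os.environ["DATABRICKS_HOST"], project_id)
    req = urllib.request.Request(
        url, method="PUT",
        data=json.dumps({"access_control_list": acl}).encode(),
        headers={"Authorization": "Bearer " + os.environ["DATABRICKS_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed GET response (shape only, not captured from a real workspace).
SAMPLE_GET = {
    "object_id": "/database-projects/a446ad92-e936-454b-a31c-a0742e53dd5c",
    "object_type": "database-projects",
    "access_control_list": [
        {"user_name": "owner@example.com",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"user_name": "user@example.com",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True,
                              "inherited_from_object": ["/workspace"]}]},
    ],
}

if __name__ == "__main__":
    current = explicit_acl(SAMPLE_GET)
    # Lower user@example.com from CAN_MANAGE to CAN_USE; owner@example.com keeps
    # CAN_MANAGE, and the inherited admins entry is not re-sent.
    body = {"access_control_list": rebuild_acl(current, "user_name", "user@example.com", "CAN_USE")}
    print(json.dumps(body, indent=2))
    # apply_acl("<project-uuid>", body["access_control_list"])  # uncomment to PUT
```

The same rebuild_acl output can be passed to the CLI (databricks permissions set) or to the SDK's permissions.set call instead of apply_acl; what matters is that the body is derived from a fresh GET and that the target principal is the only entry that changed.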

CLI

Use the databricks permissions commands (which wrap the Permissions API) to manage project permissions from the command line.

Grant or update permissions

# PROJECT_ID is a UUID. Retrieve it with: databricks postgres list-projects
databricks permissions update database-projects ${PROJECT_ID} \
  --json '{
    "access_control_list": [
      {
        "user_name": "user@example.com",
        "permission_level": "CAN_USE"
      }
    ]
  }'

Get current permissions

databricks permissions get database-projects ${PROJECT_ID}

Note

Use databricks permissions (not databricks postgres) for project ACL management. The databricks postgres subcommands manage project resources (branches, compute, and so on), not permissions.

SDK

Use the WorkspaceClient.permissions interface in the Python, Java, or Go SDK to manage project permissions.

Python SDK

from databricks.sdk import WorkspaceClient
from databricks.sdk.service.iam import AccessControlRequest, PermissionLevel

w = WorkspaceClient()

# Retrieve your project UUID from: databricks postgres list-projects
PROJECT_ID = "<project-uuid>"

# Grant CAN_USE to a user (PATCH is additive and cannot downgrade)
w.permissions.update(
    request_object_type="database-projects",
    request_object_id=PROJECT_ID,
    access_control_list=[
        AccessControlRequest(
            user_name="user@example.com",
            permission_level=PermissionLevel.CAN_USE,
        )
    ],
)

# Get current permissions
permissions = w.permissions.get(
    request_object_type="database-projects",
    request_object_id=PROJECT_ID,
)
print(permissions)

# Revoke or downgrade: use set() (PUT), not update() (PATCH)
# update() with an empty list is a no-op; set() replaces the full explicit ACL
w.permissions.set(
    request_object_type="database-projects",
    request_object_id=PROJECT_ID,
    access_control_list=[
        # Include every identity that should retain explicit access
        AccessControlRequest(
            user_name="owner@example.com",
            permission_level=PermissionLevel.CAN_MANAGE,
        )
    ],
)

Java SDK

import com.databricks.sdk.WorkspaceClient;
import com.databricks.sdk.service.iam.*;
import java.util.List;

WorkspaceClient w = new WorkspaceClient();

// Retrieve your project UUID from: databricks postgres list-projects
String projectId = "<project-uuid>";

// Grant CAN_USE to a user (PATCH is additive and cannot downgrade)
w.permissions().update(new UpdatePermissions()
    .setRequestObjectType("database-projects")
    .setRequestObjectId(projectId)
    .setAccessControlList(List.of(
        new AccessControlRequest()
            .setUserName("user@example.com")
            .setPermissionLevel(PermissionLevel.CAN_USE)
    ))
);

// Get current permissions
ObjectPermissions permissions = w.permissions().get(
    new GetPermissionRequest()
        .setRequestObjectType("database-projects")
        .setRequestObjectId(projectId)
);

Go SDK

package main

import (
    "context"
    "fmt"
    "log"

    "github.com/databricks/databricks-sdk-go"
    "github.com/databricks/databricks-sdk-go/service/iam"
)

func main() {
    ctx := context.Background()

    // Authenticates from DATABRICKS_HOST / DATABRICKS_TOKEN or a CLI profile.
    w, err := databricks.NewWorkspaceClient()
    if err != nil {
        log.Fatal(err)
    }

    // Retrieve your project UUID from: databricks postgres list-projects
    projectID := "<project-uuid>"

    // Grant CAN_USE to a user (Update is additive and cannot downgrade)
    _, err = w.Permissions.Update(ctx, iam.UpdatePermissions{
        RequestObjectType: "database-projects",
        RequestObjectId:   projectID,
        AccessControlList: []iam.AccessControlRequest{
            {
                UserName:        "user@example.com",
                PermissionLevel: iam.PermissionLevelCanUse,
            },
        },
    })
    if err != nil {
        log.Fatal(err)
    }

    // Get current permissions
    permissions, err := w.Permissions.Get(ctx, iam.GetPermissionRequest{
        RequestObjectType: "database-projects",
        RequestObjectId:   projectID,
    })
    if err != nil {
        log.Fatal(err)
    }
    fmt.Printf("%+v\n", permissions)
}

Terraform

Use the databricks_permissions resource with the database_project_name attribute to manage project permissions as infrastructure as code. For a complete Terraform workflow, including project creation, group examples, and declarative behavior, see Manage project permissions with Terraform.

resource "databricks_permissions" "project_perms" {
  database_project_name = databricks_postgres_project.app.project_id

  access_control {
    user_name        = "someone@example.com"
    permission_level = "CAN_USE"
  }
}

For the full resource reference, see databricks_permissions on the Terraform Registry.

Next steps