
Tutorial for Pattern 3: Azure Active Directory Credential passthrough

Summary:

This document walks through the steps for implementing Pattern 3: Azure Active Directory credential passthrough, in which an Azure Databricks cluster accesses ADLS Gen2 as the logged-in Azure Active Directory user, so that storage-level ACLs are enforced per user rather than through a shared key or service principal.

Versions:

Name Title Notes Date
Anil Sener Microsoft Cloud Solution Architect – Data & AI Original 01 December 2021

Contents

Tutorial Steps

Pre-requisites

License/Terms of Use

Pre-requisites

This tutorial requires the completion of the steps in Connecting securely to ADLS from ADB section.

This tutorial requires the completion of the steps in the preparation section.

This tutorial requires a premium Databricks Workspace.

Install Databricks Client.

Tutorial Steps

  1. Navigate to Storage Accounts, drill down to the storage account created in the setup steps and open Containers to display test_container. Click the ... icon on the right-hand side of the container and select Manage ACLs:

  2. When the ACLs for the container are displayed, add the principals for the Azure Active Directory groups group1 and group2, which should already have been created as part of the preparation steps. Check only the Execute right for these principals and click Save. Execute on the container root lets members traverse into the folders below without being able to list or read the root itself:

  3. Click test_container to display the folders inside the container. Click the ... icon on the right-hand side of the iot_devices folder and select Manage ACLs:

  4. When the ACLs for the iot_devices folder are displayed, add the principal for the Azure Active Directory group group1, check Read and Execute, and click Save:

  5. Repeat for the loans folder: open its Manage ACLs, add the principal for the Azure Active Directory group group2, check Read and Execute, and click Save:

Note: ADLS Gen2 evaluates ACLs per object, not by inheritance. Reading a file requires Execute on every directory above it plus Read on the file itself, so files that already exist under iot_devices or loans only become readable if the group entry is also applied to them (for example with az storage fs access set-recursive), and files written later only pick the entry up if a matching default ACL was set on the folder.

  6. Navigate to the premium Azure Databricks Workspace > Overview and click Launch Workspace, logging in as an admin user. When the Azure Databricks Workspace is displayed, navigate to Compute. Create a Standard cluster for TestUser1 with credential passthrough enabled, using the following settings, and set the cluster permissions to allow IoTDevicesGroup to attach to it. A Standard cluster with credential passthrough serves only the single user it is created for, which is why each test user gets a separate cluster:

  7. Create another Standard cluster for TestUser2 with credential passthrough enabled, using the following settings, and set the cluster permissions to allow LoanGroup to attach to it:

  8. Navigate to the premium Azure Databricks Workspace > Overview on the Azure Portal, click Launch Workspace and log in as TestUser1. When the Azure Databricks Workspace is displayed, navigate to Workspace, upload the pattern3-AADPassthrough-group1.ipynb notebook, open it, attach and start the cluster created in step 6, and run all cells:

RESULT: Files under the /iot_devices folder are readable, while /loans raises an exception because the user lacks privileges to access those files on ADLS Gen2. Credential passthrough sends TestUser1's own Azure Active Directory identity to storage, so access is limited to what the ACL entries for group1 allow.

  9. Navigate to the premium Azure Databricks Workspace > Overview on the Azure Portal, click Launch Workspace and log in as TestUser2. When the Azure Databricks Workspace is displayed, navigate to Workspace, upload the pattern3-AADPassthrough-group2.ipynb notebook, open it, attach and start the cluster created in step 7, and run all cells:

RESULT: Files under the /loans folder are readable, while /iot_devices raises an exception because the user lacks privileges to access those files on ADLS Gen2. Credential passthrough sends TestUser2's own Azure Active Directory identity to storage, so access is limited to what the ACL entries for group2 allow.
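The two RESULT lines above follow from how ADLS Gen2 evaluates POSIX-style ACLs against the Azure Active Directory identity that credential passthrough hands to storage. The following is an added example, not code from the tutorial or from the notebooks it refers to: a small model of that evaluation (owner, named user, group entries, other, with Execute required on every parent directory) applied to the ACL entries from steps 1 to 5. The container, folder, group and user names come from the tutorial; the file names, the file-level ACL entries, the group memberships of TestUser1 and TestUser2, and the owner/owning-group defaults are constructed assumptions. It also includes a file with no group entry, to show the failure mode described in the note after step 5.

```python
"""Model of ADLS Gen2 ACL evaluation for the credential-passthrough tutorial.

Added example (not part of the tutorial). Permission bits follow the usual
POSIX encoding: R=4, W=2, X=1. An operation on a path succeeds only if the
caller has Execute on every directory above it and the required bits on the
path itself (Read on a file to read it; Read and Execute on a directory to
list it). The caller is the Azure AD user that credential passthrough
presents to storage.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


def bits(s: str) -> int:
    """Convert an 'rwx'-style string such as 'r-x' into a permission bitmask."""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


@dataclass
class Acl:
    owner: str
    owning_group: str
    owner_perms: int
    group_perms: int
    other_perms: int
    named_users: dict = field(default_factory=dict)   # user -> bits
    named_groups: dict = field(default_factory=dict)  # group -> bits
    mask: int = 7  # applied to every entry except the owning user


def allowed(acl: Acl, user: str, groups: set, wanted: int) -> bool:
    """Single-object check in the order ADLS Gen2 applies entries:
    owner, named user, owning group plus named groups (union), then other.
    Evaluation stops at the first class the caller matches, even if that
    class grants nothing, so a matched group entry never falls through to
    'other'."""
    if user == acl.owner:
        return (wanted & acl.owner_perms) == wanted
    if user in acl.named_users:
        return (wanted & acl.named_users[user] & acl.mask) == wanted
    matched = [acl.group_perms] if acl.owning_group in groups else []
    matched += [b for g, b in acl.named_groups.items() if g in groups]
    if matched:
        perms = 0
        for b in matched:
            perms |= b
        return (wanted & perms & acl.mask) == wanted
    return (wanted & acl.other_perms & acl.mask) == wanted


class Filesystem:
    """Maps each absolute path inside the container (root '/') to its ACL."""

    def __init__(self, acls: dict):
        self.acls = acls

    def ancestors(self, path: str):
        parts = path.strip("/").split("/")
        yield "/"
        for i in range(1, len(parts)):
            yield "/" + "/".join(parts[:i])

    def _can_traverse(self, path: str, user: str, groups: set) -> bool:
        return all(allowed(self.acls[d], user, groups, X) for d in self.ancestors(path))

    def can_read_file(self, path: str, user: str, groups: set) -> bool:
        return self._can_traverse(path, user, groups) and allowed(self.acls[path], user, groups, R)

    def can_list_dir(self, path: str, user: str, groups: set) -> bool:
        return self._can_traverse(path, user, groups) and allowed(self.acls[path], user, groups, R | X)


def tutorial_acls() -> Filesystem:
    """Entries from steps 1-5: group1 and group2 get --x on the container root,
    group1 r-x on /iot_devices, group2 r-x on /loans. Owner/owning-group
    defaults and all file-level entries are assumptions for this example."""
    def d(named):  # directory: owner rwx, owning group r-x, other ---
        return Acl("admin", "$superuser", 7, bits("r-x"), 0, named_groups=named)

    def f(named):  # file: owner rw-, owning group r--, other ---
        return Acl("admin", "$superuser", bits("rw-"), bits("r--"), 0, named_groups=named)

    return Filesystem({
        "/": d({"group1": X, "group2": X}),
        "/iot_devices": d({"group1": bits("r-x")}),
        "/loans": d({"group2": bits("r-x")}),
        "/iot_devices/devices.json": f({"group1": R}),   # assumed: entry applied to the file
        "/loans/loans.csv": f({"group2": R}),            # assumed: entry applied to the file
        "/iot_devices/new_upload.json": f({}),           # assumed: written later, no default ACL
    })


def run_tutorial() -> dict:
    """Evaluate the checks each notebook performs. Group membership is assumed:
    TestUser1 is in group1 only, TestUser2 in group2 only."""
    fs = tutorial_acls()
    users = {"TestUser1": {"group1"}, "TestUser2": {"group2"}}
    checks = {
        "list /iot_devices": lambda u, g: fs.can_list_dir("/iot_devices", u, g),
        "read /iot_devices/devices.json": lambda u, g: fs.can_read_file("/iot_devices/devices.json", u, g),
        "read /iot_devices/new_upload.json": lambda u, g: fs.can_read_file("/iot_devices/new_upload.json", u, g),
        "list /loans": lambda u, g: fs.can_list_dir("/loans", u, g),
        "read /loans/loans.csv": lambda u, g: fs.can_read_file("/loans/loans.csv", u, g),
    }
    return {user: {name: fn(user, groups) for name, fn in checks.items()}
            for user, groups in users.items()}


if __name__ == "__main__":
    for user, outcome in run_tutorial().items():
        for check, ok in outcome.items():
            print(f"{user:10} {check:36} {'allowed' if ok else 'DENIED'}")
```

The new_upload.json row is the case the note after step 5 warns about: TestUser1 can traverse into /iot_devices, but the file itself carries no group1 entry, so the read is denied even though the folder ACL looks correct in the portal. The same model predicts both RESULT lines: each user lists and reads only the folder its group was granted on.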

License/Terms of Use

This is a free white paper released into the public domain.

Anyone is free to use or distribute this white paper, for any purpose, commercial or non-commercial, and by any means.

THE WHITE PAPER IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE WHITE PAPER.