Restricting files/folders to upload into External volumes in Azure databricks UC workspace

Ashwini Gaikwad 110

Hello Team,

Is there a way to restrict the files or folders to upload/download from external volumes same like DBFS? Is there any option to disable the uploading files/folders feature in external volumes of azure databricks workspace with Unity Catalog.

How can we manage the volumes and keep an audit on what is downloaded or uploaded in volumes considering the security guidelines apart from strict ACL's?

Regards,

Ashwini Gaikwad

BhargavaGunnam-MSFT 28,616 Reputation points Microsoft Employee

2024-06-06T19:43:40.59+00:00

Hello Ashwini Gaikwad,

Welcome to the Microsoft Q&A forum.

To upload files to a Unity Catalog volume, You need to have the WRITE VOLUME privilege on the volume you want to upload files to, and the USE SCHEMA and USE CATALOG privileges on the parent schema and catalog, respectively

For disabling file uploads, workspace admins can disable the file upload feature by not granting the WRITE VOLUME privilege to users. This way, users won't be able to upload files to volumes

Reference document: https://docs.databricks.com/en/ingestion/add-data/upload-to-volume.html

To manage the volumes and keep an audit on what is downloaded or uploaded in volumes, you can use Azure Monitor to monitor the activities on the external volumes. You can also use Azure Log Analytics to collect and analyze the logs generated by Azure Databricks workspace and external volumes.

I hope this helps. Please let me know if you have any further questions.
Ashwini Gaikwad 110 Reputation points

2024-06-07T07:57:14.7166667+00:00

@BhargavaGunnam-MSFT isn't it possible without WRITE VOLUME privilege. Like data engineers can write the files but cannot download or upload it, since considering security reasons they can upload/download anything from their local laptop to and fro from external volumes.

Regards,

Ashwini Gaikwad
BhargavaGunnam-MSFT 28,616 Reputation points Microsoft Employee

2024-06-11T20:34:53.27+00:00

The WRITE VOLUME privilege is designed to control both uploading and writing operations on the volume. If you grant this privilege, users will be able to upload files.

if the goal is to allow data engineers to write files to a volume without the ability to download or upload from their local machines, this would require a more granular permissions.

You can try creating a custom role that includes only the permissions they need, excluding upload capabilities(the custom role does not include the WRITE VOLUME privilege)

(Or) you may consider implementing custom solutions that uses services like Azure Functions or Azure Logic Apps to trigger actions or notifications based on specific events or conditions in the data lifecycle.
Ashwini Gaikwad 110 Reputation points

2024-06-12T16:09:13.3533333+00:00

@BhargavaGunnam-MSFT I looked for the options of custom role that includes only the permissions they need, excluding upload capabilities(the custom role does not include the WRITE VOLUME privilege) but there is no possibility there, since databricks UI only consist READ, WRITE, ALL PRIVILIGES for the volumes and no custom privileges.

I wonder why databricks has kept uploading/downloading features for volumes and even if it is one of the feature there should be option to disable it, considering the security reasons where data engineers can upload any data in volumes, even if keep the audits in check.

1 answer

BhargavaGunnam-MSFT 28,616 Reputation points Microsoft Employee

2024-06-19T17:44:17.9266667+00:00

Current Databricks UI offers only READ, WRITE, and ALL privileges for volumes, which does limit the granularity of permissions you can set.

one alternative is to Implement network security measures to restrict access to Databricks from only trusted networks or IP addresses.

or implementing custom solutions that use services like Azure Functions or Azure Logic Apps to trigger actions or notifications based on specific events or conditions in the data lifecycle

You can submit a feature request in the Azure databricks feedback channel for more granular control over volume permissions.

databricks feedback channel:

https://feedback.azure.com/d365community/forum/2efba7dc-ef24-ec11-b6e6-000d3a4f0da0
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Restricting files/folders to upload into External volumes in Azure databricks UC workspace

1 answer