Important
Lakebase Autoscaling is the latest release of Lakebase, with autoscaling compute, scale-to-zero, branching, and instant restore. For supported regions, see Region availability. If you are a Lakebase Provisioned user, see Lakebase Provisioned.
You can manage Lakebase project permissions programmatically with the standard Azure Databricks Permissions API, the Azure Databricks CLI, the Azure Databricks SDKs, and Terraform.
For an overview of permission types, default permissions, and how to manage permissions in the Lakebase UI, see Manage project permissions.
Permission levels
The grantable permission levels on a Lakebase project are CAN_USE and CAN_MANAGE.
CAN_CREATE is an inherited level that flows automatically from the workspace to all users; it cannot be explicitly granted or revoked on a project. Attempting to grant CAN_CREATE through the API returns HTTP 400.
The Permissions API identifies a project by its project ID (for example, my-app). You can find this value in the project_id field of the project status returned by the Get project and List projects APIs.
Note
The project_id field is available in REST API responses but not yet in SDK or CLI response objects. If you use the SDK, extract the project ID from the name field by removing the projects/ prefix (for example, projects/my-app becomes my-app).
REST API
Project permissions use the standard Azure Databricks Permissions API at /api/2.0/permissions/database-projects/{project_id}.
Get current permissions
```bash
curl -X GET "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
  -H "Authorization: Bearer ${DATABRICKS_TOKEN}" | jq
```
Grant or update permissions (PATCH)
```bash
curl -X PATCH "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
  -H "Authorization: Bearer ${DATABRICKS_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "access_control_list": [
      {
        "user_name": "user@example.com",
        "permission_level": "CAN_USE"
      }
    ]
  }'
```
To grant permissions to a group or service principal, replace user_name with group_name or service_principal_name.
Note
PATCH is additive: it can add a principal or raise a level, but it cannot downgrade an existing higher permission. For example, applying CAN_USE to a user who already holds CAN_MANAGE has no effect. To downgrade or remove a permission, use PUT instead.
Replace all explicit permissions (PUT)
Warning
PUT replaces the entire explicit ACL. Any user, group, or service principal not included in the request body loses its explicitly granted permissions. Inherited permissions (such as workspace admin) are unaffected.
```bash
curl -X PUT "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
  -H "Authorization: Bearer ${DATABRICKS_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "access_control_list": [
      {
        "user_name": "user@example.com",
        "permission_level": "CAN_MANAGE"
      }
    ]
  }'
```
For the full Permissions API reference, see Permissions API.
CLI
Use the databricks permissions command (a wrapper around the Permissions API) to manage project permissions from the command line.
Grant or update permissions
```bash
# PROJECT_ID is your project ID (e.g., my-app).
databricks permissions update database-projects ${PROJECT_ID} \
  --json '{
    "access_control_list": [
      {
        "user_name": "user@example.com",
        "permission_level": "CAN_USE"
      }
    ]
  }'
```
Get current permissions
```bash
databricks permissions get database-projects ${PROJECT_ID}
```
Note
Use databricks permissions (not databricks postgres) for project ACL management. The databricks postgres subcommands manage project resources (branches, compute, and so on), not permissions.
SDK
Use the WorkspaceClient.permissions interface in the Python, Java, or Go SDK to manage project permissions.
Python SDK
```python
from databricks.sdk import WorkspaceClient
from databricks.sdk.service.iam import AccessControlRequest, PermissionLevel

w = WorkspaceClient()

# Your project ID (e.g., "my-app")
PROJECT_ID = "<project-id>"

# Grant CAN_USE to a user (PATCH is additive and cannot downgrade)
w.permissions.update(
    request_object_type="database-projects",
    request_object_id=PROJECT_ID,
    access_control_list=[
        AccessControlRequest(
            user_name="user@example.com",
            permission_level=PermissionLevel.CAN_USE,
        )
    ],
)

# Get current permissions
permissions = w.permissions.get(
    request_object_type="database-projects",
    request_object_id=PROJECT_ID,
)
print(permissions)

# Revoke or downgrade: use set() (PUT), not update() (PATCH)
# update() with an empty list is a no-op; set() replaces the full explicit ACL
w.permissions.set(
    request_object_type="database-projects",
    request_object_id=PROJECT_ID,
    access_control_list=[
        # Include every identity that should retain explicit access
        AccessControlRequest(
            user_name="owner@example.com",
            permission_level=PermissionLevel.CAN_MANAGE,
        )
    ],
)
```
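The PUT warning in the REST section and the set() comment in the Python snippet above describe the same operational hazard: a downgrade or revoke needs a replace-all PUT, and a PUT body that omits a principal silently strips that principal's explicit access. The following is an added example, not Databricks code and not part of the original page. It builds the PUT body from a GET response so that every other explicit grant is restated, drops inherited entries (PUT does not govern them), refuses the ungrantable CAN_CREATE, and produces a before/after diff to review before anything is sent. It relies on the JSON layout the REST GET endpoint returns; SAMPLE_CURRENT, the principal names and the function names are constructed for this example.

```python
"""Pre-flight helpers for changing a Lakebase project's explicit ACL.

Added example, not Databricks code. It works on the JSON layout that
GET /api/2.0/permissions/database-projects/{project_id} returns: entries
under "access_control_list", each carrying "all_permissions" items with a
"permission_level" and an "inherited" flag. SAMPLE_CURRENT is constructed.
"""
from __future__ import annotations

GRANTABLE_LEVELS = {"CAN_USE", "CAN_MANAGE"}  # CAN_CREATE is inherited only
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")
_RANK = {"CAN_USE": 1, "CAN_MANAGE": 2}

def project_id_from_name(name: str) -> str:
    """SDK/CLI objects expose name ("projects/my-app"); strip the prefix."""
    prefix = "projects/"
    if not name.startswith(prefix):
        raise ValueError(f"unexpected project name: {name!r}")
    return name[len(prefix):]

def is_grantable(level: str | None) -> bool:
    """Only CAN_USE and CAN_MANAGE can be set; CAN_CREATE gets HTTP 400."""
    return level in GRANTABLE_LEVELS

def _principal(entry: dict) -> tuple[str, str]:
    """Return (key, value) naming the principal of one ACL entry."""
    for key in PRINCIPAL_KEYS:
        if entry.get(key):
            return key, entry[key]
    raise ValueError(f"ACL entry without a principal: {entry}")

def _label(principal: tuple[str, str]) -> str:
    return f"{principal[0]}={principal[1]}"

def explicit_acl(current: dict) -> dict[tuple[str, str], str]:
    """Highest explicit (non-inherited) level per principal. Inherited
    grants such as workspace admin are dropped: PUT never touches them."""
    result: dict[tuple[str, str], str] = {}
    for entry in current.get("access_control_list", []):
        principal = _principal(entry)
        for perm in entry.get("all_permissions", []):
            level = perm.get("permission_level")
            if perm.get("inherited") or not is_grantable(level):
                continue
            if _RANK[level] > _RANK.get(result.get(principal), 0):
                result[principal] = level
    return result

def build_put_body(current: dict, principal: tuple[str, str],
                   new_level: str | None) -> dict:
    """PUT body that downgrades (new_level) or revokes (None) one principal
    and restates every other explicit grant, so the replace-all semantics
    of PUT do not strip anyone else by accident."""
    if new_level is not None and not is_grantable(new_level):
        raise ValueError(f"{new_level} cannot be granted on a project")
    acl = explicit_acl(current)
    if new_level is None:
        acl.pop(principal, None)
    else:
        acl[principal] = new_level
    return {"access_control_list": [
        {key: value, "permission_level": level}
        for (key, value), level in sorted(acl.items())
    ]}

def diff_acl(current: dict, put_body: dict) -> dict[str, list]:
    """What the PUT would change versus the current explicit ACL."""
    before = explicit_acl(current)
    after = {_principal(e): e["permission_level"]
             for e in put_body["access_control_list"]}
    return {
        "added": [(_label(p), lvl) for p, lvl in after.items() if p not in before],
        "removed": [(_label(p), lvl) for p, lvl in before.items() if p not in after],
        "changed": [(_label(p), before[p], after[p])
                    for p in before if p in after and before[p] != after[p]],
    }

# Constructed sample of a GET response (not real data): the owner and a
# contractor hold explicit CAN_MANAGE; admins and CAN_CREATE are inherited.
SAMPLE_CURRENT = {
    "access_control_list": [
        {"user_name": "owner@example.com",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"user_name": "contractor@example.com",
         "all_permissions": [
             {"permission_level": "CAN_MANAGE", "inherited": False},
             {"permission_level": "CAN_CREATE", "inherited": True,
              "inherited_from_object": ["/workspace"]}]},
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True,
                              "inherited_from_object": ["/workspace"]}]},
    ],
}

def demo() -> dict[str, list]:
    """Downgrade the contractor to CAN_USE and report what the PUT changes."""
    body = build_put_body(SAMPLE_CURRENT, ("user_name", "contractor@example.com"), "CAN_USE")
    return diff_acl(SAMPLE_CURRENT, body)

if __name__ == "__main__":
    print(demo())
```

Feed it the decoded output of the curl GET above (or, assuming the SDK's ObjectPermissions.as_dict() yields the same layout, the result of w.permissions.get()), review the diff, and only then pass the returned body to PUT or to w.permissions.set(). A "removed" entry you did not intend is exactly the accidental strip the PUT warning describes.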
Java SDK
```java
import com.databricks.sdk.WorkspaceClient;
import com.databricks.sdk.service.iam.*;
import java.util.List;

public class ProjectPermissions {
  public static void main(String[] args) {
    WorkspaceClient w = new WorkspaceClient();

    // Your project ID (e.g., "my-app")
    String projectId = "<project-id>";

    // Grant CAN_USE to a user (PATCH is additive and cannot downgrade)
    w.permissions().update(new UpdateObjectPermissions()
        .setRequestObjectType("database-projects")
        .setRequestObjectId(projectId)
        .setAccessControlList(List.of(
            new AccessControlRequest()
                .setUserName("user@example.com")
                .setPermissionLevel(PermissionLevel.CAN_USE)
        ))
    );

    // Get current permissions
    ObjectPermissions permissions = w.permissions().get(
        new GetPermissionRequest()
            .setRequestObjectType("database-projects")
            .setRequestObjectId(projectId)
    );
    System.out.println(permissions);
  }
}
```
Go SDK
```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/databricks/databricks-sdk-go"
	"github.com/databricks/databricks-sdk-go/service/iam"
)

func main() {
	ctx := context.Background()
	w, err := databricks.NewWorkspaceClient()
	if err != nil {
		log.Fatal(err)
	}
	// Your project ID (e.g., "my-app")
	projectID := "<project-id>"

	// Grant CAN_USE to a user (Update is additive and cannot downgrade)
	_, err = w.Permissions.Update(ctx, iam.UpdateObjectPermissions{
		RequestObjectType: "database-projects",
		RequestObjectId:   projectID,
		AccessControlList: []iam.AccessControlRequest{
			{
				UserName:        "user@example.com",
				PermissionLevel: iam.PermissionLevelCanUse,
			},
		},
	})
	if err != nil {
		log.Fatal(err)
	}

	// Get current permissions
	permissions, err := w.Permissions.Get(ctx, iam.GetPermissionRequest{
		RequestObjectType: "database-projects",
		RequestObjectId:   projectID,
	})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(permissions)
}
```