Skip to content

Databricks Guide

Screenshot

Satori streamlines and simplifies the process of controlling access to data in Databricks. Satori reduces the risk of data leakage caused by misconfiguring users or permissions.

Databricks Unity Catalog is designed for centralized data governance. Satori integrates with several of its features such as user management, access controls and audit logs. It only takes a few minutes to get started with Satori. Ensure that you have the following prepared in advance:

  • Access to the Satori Management Console.
  • The hostname of your Databricks Unit Catalog.

Configuring your Cloud Platform Account

This guide is divided into two separate cloud platform configuration flavors.

  • Azure
  • AWS

Azure

Perform the following steps to grant Satori access to Databricks on Azure.

Step 1 - Create a New User for Satori

Go to your Azure Databricks account and get the following configuration details using the following instructions:

Account Information Details

  • Databricks Instance
  • Account ID
  • SQL Warehouses ID

Obtaining a Databricks Instance

  1. Login to your Databricks account.
  2. Follow the instructions to obtain your databricks-instance from the link Databrick instructions.

Extracting your Account information from Databricks

To extract the relevant Account information from Databricks, perform the following steps:

  1. Get your Account ID - Go to the Databricks Admin console and click on your username located in the right hand corner of the interface and extract the Account ID.
  2. Get your SQL Warehouse ID - In the Workspace console select the SQL Warehouses tab and then copy the ID from Name input field.

Create a New Satori User

  1. Create a new Satori user as the Service Principal to access Databricks Azure.
  2. Provision a Service Principal: Learn how to get an Azure AD token from the following link Get Azure AD tokens for service principals.
  3. Click the Azure subscription service where the databricks is installed Access control (IAM).
  4. Select the Access Control (IAM) item located in the navigtion menu.
  5. Add a role assignment with the role: Reader and then select it and connect it to your service principal.
  6. In the databricks account go to User Management and select Service principals and add the Service principal using the clientID (UUID).
  7. In the Databricks User Management view, select the Satori service principle and then go to the Roles tab and assign the Satori service principle as the Account Admin role.
  8. In the Databricks User management view, select the Groups tab and then select the admin group that manages the metastore.
  9. Verify the group that manages the metastore. This configuration is located in the Metastore configuration section in the Data View.
  10. Now, go to the Workspace view and select your workspace and click the Permissions Tab and select the Satori service principle. Then, set the Permission Role to user.
  11. Now go the the Databicks Workspace and click on the SQL Warehouses view. Now locate the Satori Warehouse and grant Satori Service Principle permission to use the warehouse.

Step 2 - Enabling the Audit Log on your Account

Ensure that you have obtained the following configuration details:

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret’s Value

To take advantage of the Azure Databricks system tables and the associated resources, refer to the Microsoft documentation Monitor usage with system tables and enable the Audit logs module on your account using the “Enable a system schema” API.

Step 3 - Adding a Databricks Unity Catalog to Satori

Screenshot

  1. Login to the Satori management console https://app.satoricyber.com
  2. Go to the Data Stores view and click the Add Data Store button.
  3. Select the Databricks option.
  4. Now, provide an informative name for the data store, for example: Sales Data Warehouse.
  5. Enter the Databricks Instance of your Databricks account.
  6. Enter your databricks account ID.
  7. Enter your databricks SQL Warehouse ID.
  8. Select the Authentication type to Azure Service Principal
  9. Enter your Application (client) ID
  10. Enter your Directory (tenant) ID
  11. Enter your Client secret’s value
  12. Select your Satori Data Access Controller cloud provider
  13. Select your Satori Data Access Controller region
  14. Click the Add New Data Store button.

AWS

Perform the following steps to grant Satori access to Databricks. Go to your Databricks account and get the following configuration details:

Account Information Details

  • Databricks Instance
  • Account ID
  • SQL Warehouses ID

Step 1 - Create a New User for Satori

Perform the following tasks to setup AWS for Databricks:

  1. Login to your Databricks account.
  2. Follow the instructions to obtain your databricks-instance from the following Databricks instructions.

Extract the Account Information from Databricks

To extract the relevant Account information from Databricks, perform the following steps:

  1. Get your account ID - Go to the Databricks Admin console and click on your username located in the right hand corner of the interface and extract Account ID.
  2. Get your SQL Warehouses ID - In the Workspace console select the SQL Warehouse tab and then copy the ID from Name input field.

Creating a New Satori User in AWS

To create a new Satori user with username password in the *AWS Databricks Admin console for accessing the Unity Catalog, perform the follwing tasks:

  1. Go to the User management view add a new Satori user
  2. Now press the Send Invite button.
  3. Open the email you received from Databricks and reset the password for that user. You can now generate a password.
  4. In the Databricks User Management view, select the Satori service principle and then go to the Roles tab and assign the Satori service principle as the Account Admin role.
  5. In the Databricks User management view, select the Groups tab and then select the admin group that manages the metastore.
  6. Verify the group that manages the metastore. This configuration is located in the Metastore configuration section in the Data View.
  7. Now, go to the Workspace view and select your workspace and click the Permissions Tab and select the Satori service principle. Then, set the Permission Role to user.
  8. Now go the the Databicks Workspace and click on the SQL Warehouses view. Now locate the Satori Warehouse and grant Satori Service Principle permission to use the warehouse.

Step 2 - Enabling the Audit Log on your Account

To take advantage of the system tables and the associated resources on AWS, refer to the Databricks documentation Monitor usage with system tables and enable the Audit logs module on your account using the Enable a system schema API.

Step 3 - Adding a Databricks Unity Catalog to Satori

Screenshot

  1. Login to the Satori management console https://app.satoricyber.com
  2. Go to the Data Stores view and click the Add Data Store button.
  3. Select the Databricks option.
  4. Now, provide an informative name for the data store, for example: Sales Data Warehouse.
  5. Enter the Databricks Instance of your Databricks account.
  6. Enter your databricks account ID.
  7. Enter your databricks SQL Warehouse ID.
  8. Select AWS Username / Password
  9. Enter the username and password that you created for Satori.
  10. Select your Satori Data Access Controller cloud provider
  11. Select your Satori Data Access Controller region
  12. Click the Add New Data Store button.