
Error while assigning admin role to SCIM provisioned AAD groups in Databricks

We use Azure Databricks and manage it via Terraform. We have configured a SCIM connector provisioner (AAD Enterprise app) to sync users and groups from AAD to Databricks. This works well. I am able to assign job or cluster permissions to these SCIM-synced groups, but when I try to assign the admin role (entire workspace admin) to a SCIM-synced group, the Terraform error shows "API is not available for this workspace". Sorry, I don't know what it means. Is it related to the Terraform provider, or am I doing something wrong? Please suggest what I should use or correct. Please find the code below. The 'principal_id' argument accepts a user id, group id or service principal id as per the Terraform documentation here: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permission_assignment#principal_id

Provider configuration:

terraform {
  required_version = ">= 1.1.4"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.8.0"
    }
    databricks = {
      source  = "databricks/databricks"
      version = ">= 1.6.3"
    }
  }
}

provider "databricks" { # Assign the Databricks workspace id to the provider
  azure_workspace_resource_id = data.azurerm_databricks_workspace.adb_ws.id
}

Resource Block:

resource "databricks_permission_assignment" "assign_scim_admingroup" {
  principal_id = data.databricks_group.dbricks_admin_group.id
  permissions  = ["ADMIN"]
}

Error in terraform:

│ Error: cannot create permission assignment: Permission assignment APIs are not available for this workspace.
│ 
│   with databricks_permission_assignment.assign_scim_admingroup,
│   on Dbricks-permission.tf line 104, in resource "databricks_permission_assignment" "assign_scim_admingroup":
│   43: resource "databricks_permission_assignment" "assign_scim_admingroup" {

My expectation is that a Databricks group synced with AAD via the SCIM connector provisioner should be assignable the "ADMIN" role using Terraform.

I tried to reproduce the same in my environment:

Code:

resource "azuread_group" "example" {
  display_name     = "kavyaMyGroup"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true

  members = [
    azuread_user.example.object_id,
    # more users
  ]
}

resource "databricks_user" "me" {
  // user_name = "testuser@databricks.com"
  user_name    = azuread_user.example.user_principal_name
  display_name = "Test User"
}

resource "databricks_group" "this" {
  // display_name = "vsakaSomeGroup"
  display_name               = azuread_group.example.display_name
  allow_cluster_create       = true
  allow_instance_pool_create = true
  workspace_access           = true
  databricks_sql_access      = true
}

resource "databricks_group_member" "vip_member" {
  group_id = databricks_group.this.id
  member_id = databricks_user.me.id
}

I received the same error:

│ Error: cannot create permission assignment: Permission assignment APIs are not available for this workspace.
│
│   with databricks_permission_assignment.assign_scim_admingroup,
│   on main.tf line 145, in resource "databricks_permission_assignment" "assign_scim_admingroup":


Please note:

The admins group is a reserved group in Azure Databricks and cannot be removed. Note that Workspace-local groups cannot be granted access to data in a Unity Catalog metastore or assigned to other workspaces.

To add groups to a workspace using the account console, the workspace must be enabled for identity federation. Only account-level groups are assignable.

Manage groups - Azure Databricks | Microsoft Learn

  • When I checked my environment, the group created was workspace-local and not account-level, so I did not have permission to assign the admin role to it.

Account admins can assign them using the principal ID, which can be retrieved using the SCIM API.

resource "databricks_permission_assignment" "assign_scim_admingroup" {
  principal_id = databricks_group.this.id
  permissions  = ["ADMIN"]
}

Make sure to enable identity federation to assign group roles, and have a Premium plan in order to manage the assignment of users to workspaces.

You can also check Automate SCIM provisioning using Microsoft Graph from

Reference: Configure SCIM provisioning using Microsoft Azure Active Directory - Azure Databricks | Microsoft Learn
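The answer's point is that the group must exist at the account level (with identity federation enabled on the workspace) before it can be given a workspace role; a workspace-local group can never receive one. The Terraform configuration below is an added example, not code from the original question or answer, showing the account-level form of the same assignment through the Databricks provider's databricks_mws_permission_assignment resource. The account id, workspace id and group display name are placeholders passed in as variables, and authentication to the account console is assumed to come from an existing az login session.

```hcl
terraform {
  required_providers {
    databricks = {
      source  = "databricks/databricks"
      version = ">= 1.6.3"
    }
  }
}

# Placeholders: none of these values come from the original post.
variable "databricks_account_id" {
  type        = string
  description = "Databricks account id shown in the account console"
}

variable "workspace_id" {
  type        = string
  description = "Numeric workspace id of the identity-federated workspace"
}

variable "admin_group_name" {
  type        = string
  default     = "dbricks-admins" # assumed display name of the SCIM-synced AAD group
}

# Account-level provider. Workspace role assignments for identity-federated
# workspaces are managed in the Databricks account, not inside the workspace,
# which is why the workspace-scoped provider in the question returned
# "Permission assignment APIs are not available for this workspace".
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.azuredatabricks.net"
  account_id = var.databricks_account_id
  auth_type  = "azure-cli" # assumes `az login` has already been run
}

# Resolve the account-level group that the AAD SCIM provisioner created.
# If this lookup fails, the group is still workspace-local and the
# assignment below cannot work until SCIM is pointed at the account.
data "databricks_group" "aad_admins" {
  provider     = databricks.account
  display_name = var.admin_group_name
}

# Grant workspace ADMIN to the account-level group. Keep this group small:
# ADMIN here is full control of the workspace, so everyone else should be
# attached through a separate USER assignment rather than this one.
resource "databricks_mws_permission_assignment" "workspace_admins" {
  provider     = databricks.account
  workspace_id = var.workspace_id
  principal_id = data.databricks_group.aad_admins.id
  permissions  = ["ADMIN"]
}
```

After `terraform apply`, the group appears under the workspace's permissions in the account console with the Admin role, and membership continues to be driven by AAD through SCIM, so removing a user from the AAD group removes their admin access on the next sync. The workspace-scoped databricks_permission_assignment resource from the question also works once identity federation is enabled, but the account-level resource above does not depend on the workspace provider at all.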
