Databricks workspace setup guide

Home

Databricks workspace setup guide

Configuring a Databricks Workspace

Use the following command to configure Azure Key Vault for Unravel:

<Unravel Directory>/manager config databricks set-azure-keyvault <client-id> <tenant-id> <client-secret> <keyvault-url> <token-key-name-pattern>

Here:

<client-id> is the Azure service principal ID.
<tenant-id> is the Azure tenant ID.
<client-secret> is the Secret of the Azure service principal.
<keyvault-url> is the URL of the Azure Key Vault.
<token-key-name-pattern> (Optional) defines a pattern for token secret names. Use {workspace.id} as a placeholder for dynamic secret name creation. For example, workspace-{workspace.id}-token could result in secret names like workspace-124-token.

Note

Ensure that the service principal has "Get" and "List" permissions for the configured Key Vault URI.

Disabling the Token Key Vault Feature

Run the following command to disable the Token Key Vault feature:

<Unravel Directory>/manager config databricks unset-azure-keyvault

Configuring Azure Active Directory (AAD) for Token Retrieval

<Unravel Directory>/manager config databricks set-azure-ad <databricks-client-id> <databricks-tenant-id>

Here:

Ensure the appropriate permissions and configurations are set for the service principal used.

<databricks-client-id> is the client ID of the Databricks service principal.
<databricks-tenant-id> is the tenant ID of the Databricks service principal.

Create a Workspace

Sign in to Unravel UI, and from the upper right, click > Workspaces. The Workspaces Manager page is displayed.
Click Add Workspace. The Add Workspace dialog box is displayed. Enter the following details:

Enable Personal Access Token in Databricks

Follow these steps if you haven't configured the Azure Key Vault and you prefer to create the workspace with a Personal Access Token.

Enable Personal Access Token in Databricks.
Note
If you are using Service Principals for generating the Personal Access Token (PAT), refer to Manage service principals for the steps to enable the PAT on Databricks for AWS and Manage service principals for the steps to enable PAT on Databricks for Azure.
1. Enable personal access token authentication for the workspace.
  1. Go to your workspace, and from the dropdown located in the upper right corner, select Settings.
  2. Click the Advanced tab and click the Personal Access Tokens toggle. For more details, refer to Manage personal access tokens.
2. Create a Databricks personal access token for your Databricks workspace user.
  1. Go to your workspace, and from the dropdown located in the upper right corner, select Settings.
  2. Click Developer > Access Tokens > Manage. The Access Tokens page is displayed.
  3. Click the Generate New Token button. The new token is generated. You must save this token and keep it handy to register a new Databricks workspace. For more details, refer to Authentication using Databricks personal access tokens.
Register a new Databricks workspace or edit details of an existing Databricks workspace.
1. Sign in to Unravel UI, and from the upper right, click > Workspaces. The Workspaces Manager page is displayed.
2. Click Add Workspace. The Add Workspace dialog box is displayed. Enter the following details:

Add Workspace fields

Field	Description
Workspace Id	Databricks workspace ID can be found in the Databricks URL. The numbers shown after o= in the Databricks URL become the workspace ID. For example, in this URL:https://<databricks-instance>/?o=3205148689792956, the Databricks workspace ID is the number after o=, which is 3205148689792956.
Workspace Name	Databricks workspace name. A name for the workspace. For example, `ACME-Workspace`. The Workspace name can be got from the Azure portal.
Instance (Region) URL	Regional URL where the Databricks workspace is deployed. Specify the complete URL. The expected format is protocol://dns or ip(:port). Ensure that the URL does not end with a slash. For example, a valid input is: https://eastus.azuredatabricks.net. An invalid input is: https://eastus.azuredatabricks.net/. The URL can be got from the Azure portal.
Tier	Select a subscription option from: Standard, Premium, Enterprises, and Dedicated. For Databricks Azure, you can get the pricing information from the Azure portal. For Databricks AWS you can get detailed information about pricing tiers from Databricks AWS pricing. Note You have to select the Premium or Enterprises option and select Enable Databricks SQL to enable the Databrick SQL monitoring.
Token Secret Name	Provide the Azure Key Vault secret name associated with the PAT. For details on how to configure the Azure Key Vault in Unravel, see here. Note This option is available only after configuring Azure Key Vault in Unravel. You are responsible for keeping PAT tokens up to date in the Azure Key Vault.
Token	Use the personal access token to secure authentication to the Databricks APIs. You can generate the token from your Databricks workspace. See here for generating a personal access token through SPN on Databricks for AWS and here for Databricks on Azure.. See Authentication using Databricks personal access tokens for more details. Note Users with admin or non-admin roles can create personal access tokens. Non-admin users must ensure to fulfill certain requirements before creating personal access tokens.

Note

After you click Add, it takes around 2-3 minutes to register the Databricks Workspace with Unravel.

Configure the Databricks cluster with Unravel using Global init script:

Global init script applies the Unravel configurations to all clusters in a workspace. The following steps take you through the cluster configuration with Global init. If you are configuring the clusters without Global init, proceed to the next step.

Global init is deployed automatically on the Workspace and needs to be enabled manually from the location shown in the following image:

Go to your workspace, and from the dropdown located in the upper right corner, select Admin Settings.
From Settings, click Compute and then click Manage next to Global init scripts. The Global init scripts page is shown.
Use the toggle key under the Enabled column to enable the Global init scripts.
You can also find the Global initialization script in your workspace at this path: /Workspace/Unravel/install-unravel.sh
If it is not deployed automatically, you can do one of the following
- Use this script as a Cluster init script.
- Add Unravel configuration to Databricks clusters using the Global init script by referring to these instructions.

Note

Cluster logging should be enabled at the cluster level. See Logging in Cluster init script for instructions.

Configuring Databricks clusters without Global init

Under Logging, set Destination to DBFS and copy the below snippet as Cluster Log Path.
Under Init Script, set Destination to Workspace, copy the snippet below as the Init Script Path, and click Add.

From your Azure Workspace, access Settings > Advanced and apply the following settings:

Requirements for non-admin tokens

Set the following permissions to use a non-admin token with Unravel:

In Admin Settings, the Token Usage must have CAN USE permission either as a user or as a group or All Users, or SP for the non-admin user; otherwise, an error is shown.
If in the Admin Settings, the Workspace Access Control is enabled, create the Unravel folder at the workspace root file system, and ensure that the CAN MANAGE permission is granted on the Unravel folder for the non-admin user/group/SP used by Unravel.
If, in the Admin Settings, Workspace Visibility Control is enabled, Unravel User/group/SP needs to have Workspace access and Databricks SQL access permission
Create init script manually; see Connect Databricks cluster to Unravel for setting up Unravel sensor via Global init script or Cluster init script.
If in the Admin Settings, the Cluster Visibility Control is enabled, you must grant the Unravel token the CAN ATTACH permission to all the clusters (per cluster) manually.
If in the Admin Settings, the Job Visibility Control is enabled, you must grant Unravel token with the CAN ATTACH permission to all the jobs (per job) manually.

The following API endpoint permissions should be also granted:

Endpoint	Permission
`/api/2.0/workspace/mkdirs`	CAN MANAGE permission in the parent folder.
`/api/2.0/clusters/get?cluster_id`	No extra permission
`/api/2.0/clusters/events`	No extra permission
`/api/2.0/clusters/list-node-types`	No extra permission
`/api/2.0/clusters/list`	CAN ATTACH permission is needed to be granted per cluster to see the clusters
`/api/2.0/clusters/events`	CAN ATTACH permission is needed to be granted per cluster to see the clusters
`/api/2.0/jobs/runs/get?run_id`	CAN VIEW permission is needed to be granted per job run
`/api/2.0/jobs/runs/list`	CAN VIEW permission is needed to be granted per job run
`/api/2.0/sql/history/queries`	Only two permissions admin can see all, user can only see their queries.
`/api/2.0/sql/warehouses`	CAN USE permission required per warehouse
`/api/2.1/unity-catalog/catalogs`	USE CATALOG permission to see the catalog.
`/api/2.1/unity-catalog/metastores`	admin only
`/api/2.1/unity-catalog/schemas`	USE_SCHEMA permission per schema or catalog.
`/api/2.1/unity-catalog/tables`	USE_SCHEMA permission per schema or catalog.
`/api/2.1/unity-catalog/storage-credentials`	Storage credentials the caller has permission to access. If the caller is a metastore admin, all storage credentials will be retrieved.
`/api/2.0/workspace/import`	admin only
`/api/2.0/global-init-scripts`	admin only

In this section:

Would you like to provide feedback? Just click here to suggest edits.

Home

Databricks workspace setup guide

Note

Disabling the Token Key Vault Feature

Configuring Azure Active Directory (AAD) for Token Retrieval

Create a Workspace

Enable Personal Access Token in Databricks

Note

Add Workspace fields

Note

Note

Note

Note

Configure the Databricks cluster with Unravel using Global init script:

Note

Configuring Databricks clusters without Global init

Requirements for non-admin tokens

Search results