Controlling Access to UDF

In Databricks, Java UDFs typically run within the Spark executor context, which does not directly declare the user information. With CRDP 1.1 user information is provided in the JWT.

Grants

In Databricks you can manage permissions on UDFs (user-defined functions) using Unity Catalog. Unity Catalog allows you to control access to UDFs, as well as databases, tables, and views, via GRANT and REVOKE commands. You can specify which users or roles are allowed to run certain UDFs by assigning privileges.

To Grant Permissions on UDFs in Unity Catalog:

1. Create a UDF in Unity Catalog. When you create a UDF in a catalog that is managed by Unity Catalog, the UDF becomes an object in the catalog. This allows you to manage access to it.

   Example of creating a UDF in SQL:

   CREATE FUNCTION catalog_name.schema_name.my_udf AS (
       x INT
   ) RETURNS INT
   COMMENT 'UDF to multiply by 2'
   LANGUAGE PYTHON
   RETURN x * 2;
   

2. After creating the UDF, you can grant EXECUTE permission on it to specific users, groups, or roles.

   Example SQL to grant execute permission to a specific user

   GRANT EXECUTE ON FUNCTION catalog_name.schema_name.my_udf TO `user@example.com`;
   

   If you want to grant permissions to a group or role.

   GRANT EXECUTE ON FUNCTION catalog_name.schema_name.my_udf TO `data_scientist_group`;
   

3. Revoke Execute Permission.

   REVOKE EXECUTE ON FUNCTION catalog_name.schema_name.my_udf FROM `user@example.com`;
   

4. To verify the permissions on the UDF, you can use the SHOW GRANTS command.

   SHOW GRANTS ON FUNCTION catalog_name.schema_name.my_udf;
   

Privileges to Grant on UDFs

You can grant the following privileges on UDFs:

• EXECUTE: Allows the user to run the UDF.
• USAGE: Allows the user to refer the schema or catalog containing the UDF. This might be required alongside the EXECUTE privilege, depending on your environment setup.