Controlling Access to UDF
In Databricks, Java UDFs typically run within the Spark executor context, which does not directly carry the identity of the calling user. With CRDP 1.1, the user information is provided in the JWT.
Grants
In Databricks you can manage permissions on UDFs (user-defined functions) using Unity Catalog. Unity Catalog allows you to control access to UDFs, as well as databases, tables, and views, via GRANT and REVOKE commands. You can specify which users or roles are allowed to run certain UDFs by assigning privileges.
Note
Access control for UDFs with GRANT and REVOKE commands is available only when Unity Catalog is used in Databricks. In non-Unity Catalog environments, UDFs generally do not have per-user permission management beyond the standard Databricks workspace access controls, such as cluster or notebook permissions.
To Grant Permissions on UDFs in Unity Catalog:
Create a UDF in Unity Catalog. When you create a UDF in a catalog that is managed by Unity Catalog, the UDF becomes an object in the catalog. This allows you to manage access to it.
Example of creating a UDF in SQL:
CREATE FUNCTION catalog_name.schema_name.my_udf(x INT) RETURNS INT LANGUAGE PYTHON COMMENT 'UDF to multiply by 2' AS $$ return x * 2 $$;
After creating the UDF, you can grant EXECUTE permission on it to specific users, groups, or roles.
Example SQL to grant EXECUTE permission to a specific user:
GRANT EXECUTE ON FUNCTION catalog_name.schema_name.my_udf TO `user@example.com`;
To grant permission to a group or role:
GRANT EXECUTE ON FUNCTION catalog_name.schema_name.my_udf TO `data_scientist_group`;
To revoke EXECUTE permission:
REVOKE EXECUTE ON FUNCTION catalog_name.schema_name.my_udf FROM `user@example.com`;
To verify the permissions on the UDF, you can use the SHOW GRANTS command:
SHOW GRANTS ON FUNCTION catalog_name.schema_name.my_udf;
Privileges to Grant on UDFs
You can grant the following privileges on UDFs:
- EXECUTE: Allows the user to run the UDF.
- USAGE: Allows the user to reference the schema or catalog containing the UDF. This might be required alongside the EXECUTE privilege, depending on your environment setup.
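The grant procedure and the privilege list above combined into one least-privilege script, added here as an example (not code from the page, CRDP, or Databricks documentation). It assumes a catalog named sales, a schema named pii and a group named analysts, and uses USE CATALOG and USE SCHEMA, the Unity Catalog privilege names for the schema/catalog reference privilege the list above calls USAGE.

```sql
-- Added example (not from the page): least-privilege access to one Python UDF.
-- Assumed names: catalog `sales`, schema `pii`, group `analysts`.
CREATE FUNCTION sales.pii.mask_last4(s STRING)
  RETURNS STRING
  LANGUAGE PYTHON
  COMMENT 'Keeps only the last 4 characters; everything before them becomes *'
  AS $$
    if s is None:
        return None
    return '*' * max(len(s) - 4, 0) + s[-4:]
  $$;

-- The group must be able to reference the containing catalog and schema
-- before the function name resolves (USE CATALOG / USE SCHEMA in Unity Catalog).
GRANT USE CATALOG ON CATALOG sales TO `analysts`;
GRANT USE SCHEMA  ON SCHEMA  sales.pii TO `analysts`;

-- EXECUTE on this function only: no SELECT on tables in the schema is implied,
-- so the group can call the UDF without reading the underlying data directly.
GRANT EXECUTE ON FUNCTION sales.pii.mask_last4 TO `analysts`;

-- Verify: the output should list exactly the privileges granted above,
-- first for the function itself, then for the group's view of the schema.
SHOW GRANTS ON FUNCTION sales.pii.mask_last4;
SHOW GRANTS `analysts` ON SCHEMA sales.pii;

-- Remove the group's ability to run the UDF while leaving schema visibility intact.
REVOKE EXECUTE ON FUNCTION sales.pii.mask_last4 FROM `analysts`;
```

Run the script in a Databricks SQL editor or notebook attached to a Unity Catalog-enabled workspace; the principal running it needs ownership of, or MANAGE-level rights on, the securables being granted.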