dbt-databricks

ACL permissions not applied to notebook jobs created by DBT Python model

Open case-k-git opened this issue 9 months ago • 2 comments

Describe the bug

A clear and concise description of what the bug is. What command did you run? What happened?

ACL permissions not applied to notebook jobs created by DBT Python model

Steps To Reproduce

In as much detail as possible, please provide steps to reproduce the issue. Sample data that triggers the issue, example model code, etc is all very helpful here.

  1. Create configs and set create_notebook: True

config.yaml python_job_config

version: 2
models:
- name: test
  config:
    materialized: table
    python_job_config:
      grants:
        view: [{"group_name": "<group_name>"}]
    database: <catalog_name>
    schema: <schema_name>
    submission_method: all_purpose_cluster
    create_notebook: True
    cluster_id: "<cluster_id>"

OR access_control_list

version: 2
models:
- name: test
  config:
    materialized: table
    access_control_list:
      [{"group_name": "<group_name>", "permission_level": "CAN_VIEW"}]
    database: <catalog_name>
    schema: <schema_name>
    submission_method: all_purpose_cluster
    create_notebook: True
    cluster_id: "<cluster_id>"

  2. Create sample DBT Python model

def model(dbt, session):
    dbt.config(
        materialized='table',
        tags=['test'],
    )
    return session.sql("SELECT current_timestamp() AS createdtime")

  3. Execute python model with --debug option

dbt run --target=nonprod --select tag:test --debug

We can confirm that the access_control_list is being passed from debug logs, but the created notebook jobs do not have the expected permissions, even when granted via python_job_config grants. Only the Owner or Admin roles have access.

'access_control_list': [{'service_principal_name': '<service_principal_name>', 'permission_level': 'IS_OWNER'}, {'group_name': '<group_name>', 'permission_level': 'CAN_VIEW'}], 'queue': {'enabled': True}} and additional_job_settings={additional_job_settings}

Expected behavior

A clear and concise description of what you expected to happen.

Grant the permission which is defined by python_job_config

grants:
    view: [{"group_name": "<group_name>"}]

Screenshots and log output

If applicable, add screenshots or log output to help explain your problem.

Only the Owner or Admin roles have access. There are no grants from python_job_config.

Image

System information

The output of dbt --version:

Core:
  - installed: 1.9.4
  - latest:    1.9.4 - Up to date!

Plugins:
  - databricks: 1.10.1 - Up to date!
  - spark:      1.9.2  - Up to date!

The operating system you're using:

The output of python --version:

Additional context

Add any other context about the problem here.

I am working on a fix for this issue.

case-k-git, May 11 '25 13:05
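Added example (not part of the original issue or of the dbt-databricks code base): a check that compares the access_control_list seen in the debug log with the permissions a job actually carries, so a silently dropped grant shows up as a diff. It assumes the job's permissions were fetched separately and have the Databricks Permissions API shape (`access_control_list` entries with `all_permissions`); the function names and sample principals are hypothetical.

```python
# Added example: diff the ACL dbt logged against a job's actual permissions.
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")


def principal(entry):
    """Return (kind, name) for an ACL entry, e.g. ("group_name", "analysts")."""
    for key in PRINCIPAL_KEYS:
        if key in entry:
            return key, entry[key]
    raise ValueError(f"ACL entry has no principal: {entry!r}")


def effective_grants(permissions_response):
    """Flatten a permissions response into a set of (kind, name, level).

    Direct and inherited permissions are both counted, because either one
    gives the principal that level on the job.
    """
    grants = set()
    for entry in permissions_response.get("access_control_list", []):
        kind, name = principal(entry)
        for perm in entry.get("all_permissions", []):
            grants.add((kind, name, perm["permission_level"]))
    return grants


def missing_grants(requested_acl, permissions_response):
    """Requested ACL entries that are absent from the job's permissions."""
    have = effective_grants(permissions_response)
    return [e for e in requested_acl
            if (*principal(e), e["permission_level"]) not in have]


# Constructed sample: the ACL from the debug log, placeholders filled in.
REQUESTED_ACL = [
    {"service_principal_name": "sp-dbt-example", "permission_level": "IS_OWNER"},
    {"group_name": "analysts-example", "permission_level": "CAN_VIEW"},
]
# Constructed sample response matching the reported symptom: only the owner
# and the inherited admins grant are present on the job.
SAMPLE_RESPONSE = {"access_control_list": [
    {"service_principal_name": "sp-dbt-example",
     "all_permissions": [{"permission_level": "IS_OWNER", "inherited": False}]},
    {"group_name": "admins",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True}]},
]}

if __name__ == "__main__":
    for entry in missing_grants(REQUESTED_ACL, SAMPLE_RESPONSE):
        print("requested but not applied:", entry)
```

The comparison is an exact match on permission level, so a principal that holds a higher level than requested is still reported.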

Thanks for reporting and the PR :)

benc-db, May 12 '25 15:05

I notice this would be the same. Not a notebook job, though. https://github.com/databricks/dbt-databricks/issues/1003

case-k-git, May 13 '25 05:05