I have a group of users that should have permission to see the log of a databricks job started by ADF and I don't want to give admin to them. I found only documentation of how ytou can set the permitions for an individual job, I want to set it to all existing and future jobs. Is that possible?
PS.: I already enabled the "Job Visibility Control" https://learn.microsoft.com/en-us/azure/databricks/administration-guide/access-control/jobs-acl#jobs-visibility
I managed to build a script that run every day and grants access to each job individually.
This is the main idea:
...
# get the jobs ran from the last 24h
end_date = datetime.utcnow().replace(hour=0, minute=0, second=0, microsecond=0)
start_date = end_date - timedelta(days=1)
params = {
"active_only": "true",
"completed_only": "true",
"start_time": str(start_date.timestamp()),
"end_time": str(end_date.timestamp())
}
headers={"Authorization": "Bearer " + api_databricks_token,
"Content-Type": "application/json"}
url = f"{api_databricks_base_url}/api/2.0/jobs/runs/list"
if DEBUG_MODE:
print(url)
response = requests.get(url, headers=headers, params=params)
....
group_names = ["Group1", "Group2"]
# Grant view access for each group
for job_id in job_ids:
print()
for group_name in group_names:
permissions_payload = {
'access_control_list': [
{
'group_name': group_name,
'permission_level': 'CAN_VIEW'
}
]
}
print(f"Granting access to Job '{job_id}' for group '{group_name}'", end=" ")
url = f"{api_databricks_base_url}/api/2.0/permissions/jobs/{job_id}"
if DEBUG_MODE:
print(f"URL: {url}")
# API call to adjust job permissions
response = requests.patch(url, headers=headers, json=permissions_payload)