Exam DP-201 topic 3 question 28 discussion

Answer is Correct https://docs.databricks.com/dev-tools/api/latest/authentication.html https://docs.microsoft.com/en-us/azure/databricks/data/data-sources/azure/azure-datalake-gen2 https://docs.microsoft.com/en-us/azure/databricks/data/data-sources/azure/azure-datalake-gen2#adls2-aad-credentials

To minimize the admin effort the best option would be a creating a High Concurrency cluster enable AD credential passthrough, using RBAC to assign contributor role to the AD users (data engineers and data analyst) to the databricks workspace, apply ACLs to the specific folders for the AD users. Active Directory authentication perfectly works for both.

both shud be AD. ADB auto authenticates with AD

This seems a lot like Azure Active Directory in both boxes for me. First of all, I am authenticating to the Databrick UI itself to create and run notebooks and not the REST API. I would rather use the standard AAD to access Databricks and use the same AAD credentials to access ADLS Gen 2 to for the files. Of course, I will be implementing ACL to restrict access tothe folders each user should be able to access only on AAD. Ref: https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-passthrough

This seems a lot like Azure Active Directory in both boxes for me. First of all, I am authenticating to the Databrick UI itself to create and run notebooks and not the REST API. I would rather use the standard AAD to access Databricks and use the same AAD credentials to access ADLS Gen 2 to for the files. Of course, I will be implementing ACL to restrict access tothe folders each user should be able to access only on AAD. Ref: https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-passthrough

All the answers above are wrong. The correct answers are: 1.Databricks: Azure Active Directory 2.Data Lake Storage: Azure Active Directory 1. There is no mention of connecting with the Databricks API, instead the descriptions days that users will connect to ADLS using Interactive Notebooks. For that they will have to log in to Databricks itself, which will be done with their AD accounts. 2. Shared access signature or shared access keys do not use ACLs, but RBAC, and are applied on container or storage account level, NOT on directory or file level. I quote from https://docs.microsoft.com/nl-nl/azure/storage/blobs/data-lake-storage-access-control "ACLs apply only to security principals in the same tenant, and they don't apply to users who use Shared Key or shared access signature (SAS) token authentication. That's because no identity is associated with the caller and therefore security principal permission-based authorization cannot be performed."

I would say the answer is correct https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/authentication: "To authenticate to and access Databricks REST APIs, you can use Azure Databricks personal access tokens or Azure Active Directory (Azure AD) tokens." https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control: "Always use Azure AD security groups as the assigned principal in an ACL entry"

Where in the question does it talk about accessing the REST API? Personal access tokens are used to access the Databricks REST API. For interactive notebooks, AAD is the way to authenticate the users!

Databricks - Azure Key Vault https://docs.microsoft.com/en-us/azure/databricks/security/secrets/example-secret-workflow ADLS Gen 2 - AAD

AAD cant do folder level permissions in ADLS, it needs ACL to do that.

It looks like a bad wording in the question. The requirements are not to secure the Notebook, but only the storage access, so What I do in those cases - define access using KeyVault (so user of that notebook won't see the credentials) and secure ADLS2 with Service Identity in AAD - that allows granular authorization and project scope.

I think for ADLS Gen2, it should use SAS rather than AAD (RBAC). Shared Key is not quite suitable as it make user effectively gains 'super-user' access, meaning full access to all operations on all resources, including setting owner and changing ACLs.