Description:
Databricks Personal Access Tokens (PATs) are used for authentication and API access. Configuring usage restrictions and enforcing expiry policies for these tokens helps reduce the risk of unauthorized access to Databricks resources. This ensures that tokens are only valid for a limited period and that they are not used inappropriately, enhancing security and compliance.
Rationale:
Enforcing expiry and usage restrictions on Databricks personal access tokens helps mitigate the risk of token abuse. Tokens with an enforced expiration date will automatically become invalid after a certain period, reducing the risk of stolen or misused tokens. Usage restrictions can further ensure that tokens are limited to specific resources, roles, or tasks, preventing overuse or misuse.
Impact:
Implementing expiry and usage restrictions for personal access tokens adds an additional layer of security by preventing long-term exposure to unauthorized parties. It also ensures compliance with organizational security policies. However, it may require additional administrative overhead to manage token lifecycles and ensure that users and applications have valid tokens when needed.
Default Value:
By default, personal access tokens in Databricks do not have enforced expiry or usage restrictions. These settings must be manually configured.
Pre-requisites:
Azure account with access to Azure Databricks workspace.
Admin access to Azure Databricks for managing user authentication and token settings.
The user must have Databricks Admin permissions to configure token expiry and restrictions.
Audit:
Sign in to the Azure portal as a Databricks Admin or Global Admin.
Navigate to the Azure Databricks workspace and go to User Settings.
Verify that every existing Personal Access Token (PAT) has an expiration date set (none is configured as "Never Expire") and that its access is restricted to the resources and actions it needs.
Implementation Steps:
Sign in to Azure Databricks:
Sign in to the Azure Databricks workspace as a Databricks Admin.
Access User Settings:
In the Databricks workspace, go to the User Settings page by selecting your user profile in the top-right corner and choosing User Settings.
Manage Personal Access Tokens:
On the User Settings page, navigate to the Access Tokens section.
Here you will see a list of tokens that have been created for the user account.
Configure Token Expiry:
When creating or updating a token, set an expiry date for the token. This will automatically invalidate the token after a set period.
Ensure that tokens are not set to "Never Expire". Specify a reasonable expiration time based on the usage requirements (e.g., 30 days, 90 days).
Implement Usage Restrictions:
If your organization supports token scopes or role-based access control (RBAC), configure tokens to have limited usage based on specific resources or actions.
Limit the token’s access scope by specifying which parts of Databricks it can access or what actions it can perform (e.g., restricting a token to read-only access to certain clusters).
Enforce Token Expiry and Usage Best Practices:
Educate users on the importance of setting expiry dates for their personal access tokens and the risks associated with long-lived tokens.
Require that tokens be rotated regularly and that any tokens that are no longer needed be revoked immediately.
Monitor Token Usage:
Review token usage logs to monitor which users or applications are using the tokens and whether they comply with the access restrictions.
Configure audit logging to track any attempts to use expired or restricted tokens.
Test Token Expiry:
After configuring token expiry, test the functionality by trying to access resources with a token after its expiration date.
Ensure that the token is automatically rejected and that no unauthorized access occurs.
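The audit step and the Monitor Token Usage step above are described for the portal UI; as an added example (not part of this benchmark), the Python script below performs the same check against the JSON returned by the Databricks Token Management API, flagging tokens set to never expire, tokens whose lifetime exceeds a policy maximum, and tokens that are expired or due for rotation. The API path and field names are Databricks' documented ones; the sample response, the 90-day and 7-day thresholds, and the host and admin-token arguments are assumptions, and the -1 sentinel for "never expire" is assumed to follow the Token API convention.

```python
import json
import urllib.request
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000

def ms(y, m, d):
    """Epoch milliseconds for a UTC date (Databricks reports token times in ms)."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample in the shape of GET /api/2.0/token-management/tokens, the
# admin-only listing of every PAT in the workspace. expiry_time is epoch ms;
# -1 is assumed to mean "Never Expire" (Token API convention). Values are made up.
SAMPLE_RESPONSE = json.dumps({"token_infos": [
    {"token_id": "t-1", "created_by_username": "alice@example.com", "comment": "ci",
     "creation_time": ms(2024, 1, 1), "expiry_time": ms(2024, 1, 31)},
    {"token_id": "t-2", "created_by_username": "bob@example.com", "comment": "laptop",
     "creation_time": ms(2024, 1, 1), "expiry_time": -1},
    {"token_id": "t-3", "created_by_username": "carol@example.com", "comment": "etl",
     "creation_time": ms(2024, 1, 1), "expiry_time": ms(2024, 12, 31)},
    {"token_id": "t-4", "created_by_username": "dave@example.com", "comment": "old",
     "creation_time": ms(2023, 12, 1), "expiry_time": ms(2024, 1, 10)},
]})

def fetch_token_list(host, admin_pat):
    """Live variant: fetch the same listing (needs a workspace admin's token)."""
    req = urllib.request.Request(f"{host}/api/2.0/token-management/tokens",
                                 headers={"Authorization": f"Bearer {admin_pat}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def audit_tokens(response_json, now_ms, max_lifetime_days=90, rotate_within_days=7):
    """Return {token_id: finding} for tokens that violate the expiry policy."""
    findings = {}
    for t in json.loads(response_json)["token_infos"]:
        exp, created = t["expiry_time"], t["creation_time"]
        if exp == -1:
            findings[t["token_id"]] = "never expires"
        elif (exp - created) / MS_PER_DAY > max_lifetime_days:
            findings[t["token_id"]] = f"lifetime exceeds {max_lifetime_days} days"
        elif exp <= now_ms:
            findings[t["token_id"]] = "expired: revoke if still listed"
        elif exp - now_ms <= rotate_within_days * MS_PER_DAY:
            findings[t["token_id"]] = "expires soon: rotate"
    return findings

if __name__ == "__main__":
    now = ms(2024, 1, 25)  # constructed "current time" for the sample
    for tid, why in audit_tokens(SAMPLE_RESPONSE, now).items():
        print(f"{tid}: {why}")
```

To run it against a real workspace, pass the string returned by fetch_token_list() to audit_tokens() together with the current epoch milliseconds.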
Backout Plan:
Revoke Existing Tokens:
Sign in to Azure Databricks and navigate to User Settings.
Revoke the current Personal Access Token to prevent its usage.
Remove Expiry or Usage Restrictions:
If you need to revert to the previous configuration, remove the expiry date or usage restrictions from the affected tokens.
Test Access:
If the restrictions were removed, confirm that users can still access the resources they need with the unrestricted tokens.
Re-enable Default Token Settings:
If reverting, re-enable the default token settings (no expiry or usage restrictions) for users, although leaving the expiry policy active is recommended for better security.