This command helps to delete the IAM role created by UCX. It lists all the IAM Roles generated by the principal-prefix-access
1247
+
command and allows user to select multiple roles to delete. It also checks if selected roles are mapped to any storage credentials
1248
+
and asks for confirmation from user. Once confirmed, it deletes the role and its associated inline policy.
1249
+
1250
+
[[back to top](#databricks-labs-ucx)]
1251
+
1241
1252
## `create-uber-principal` command
1242
1253
1243
1254
```text
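Review bot: The added description says the command checks whether the selected roles are mapped to storage credentials and then "asks for confirmation from user", but it does not say what happens to a mapped storage credential once the role and its inline policy are deleted. Please state whether the credential is left in place without its role or is removed as well, so the operator knows what they are confirming. Minor: the first sentence says "the IAM role" while the rest of the paragraph is about multiple roles, and "allows user to select" should read "allows the user to select".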
@@ -1313,6 +1324,15 @@ Once the [`assessment` workflow](#assessment-workflow) finished successfully, an
1313
1324
run this command to have Unity Catalog external locations created. The candidate locations to be created are extracted from guess_external_locations
1314
1325
task in the assessment job. You can run [`validate-external-locations` command](#validate-external-locations-command) to check the candidate locations.
1315
1326
1327
+
**Location ACLs:**
1328
+
`migrate-locations` command applies any location ACL from existing cluster.
1329
+
For Azure, it checks if there are any interactive cluster or SQL warehouse
1330
+
which has service principals configured to access storage. It maps the storage account to the external location created and grants `CREATE_EXTERNAL_TABLE`,
1331
+
`CREATE_EXTERNAL_VOLUME` and `READ_FILES` permission on the location to all the user who have access to the interactive cluster or SQL warehouse
1332
+
For AWS, it checks any instance profiles mapped to the interactive cluster or SQL warehouse. It checks the mapping of instance profiles to the bucket. It then
1333
+
maps the bucket to the external locations created and grants `CREATE_EXTERNAL_TABLE`, `CREATE_EXTERNAL_VOLUME` and `READ_FILES` permission on the location to all the user who have access to the interactive cluster
1334
+
or SQL warehouse
1335
+
1316
1336
Once you're done with this command, proceed to the [`create-table-mapping` command](#create-table-mapping-command).
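Review bot: In the Location ACLs paragraph, `CREATE_EXTERNAL_TABLE`, `CREATE_EXTERNAL_VOLUME` and `READ_FILES` are granted together for both Azure and AWS, with no condition on whether the service principal or instance profile has read-only or write access to the storage, whereas the `migrate-tables` section in this same change distinguishes the two cases. If the unconditional grant is intended, say so explicitly; otherwise document the condition. Please also define what "have access to the interactive cluster or SQL warehouse" means (which permission level counts), since that decides who receives the grants. Minor: the Azure sentence has no closing period, "from existing cluster" should be plural, and "all the user who have access" should read "all users who have access".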
After [`create-table-mapping` command](#create-table-mapping-command) is executed, you can run this command to have the required UC catalogs and schemas created.
1378
1398
This command is supposed to be run before migrating tables to UC using [table migration process](#Table-Migration).
1379
-
1399
+
Catalog & Schema ACL:
1400
+
`create-catalogs-schemas` command also applies any catalog and schema ACL from existing clusters.
1401
+
For Azure it checks if there are any interactive cluster or sql warehouse which has service principals configured to access storage.
1402
+
It maps the storage account to the tables which has external location on those storage account created and grants `USAGE` access to
1403
+
the schema and catalog if at least one such table is migrated to it.
1404
+
For AWS, it checks any instance profiles mapped to the interactive cluster or sql warehouse. It checks the mapping of instance profiles
1405
+
to the bucket. It then maps the bucket to the tables which has external location on those bucket created and grants `USAGE` access to
1406
+
the schema and catalog if at least one such table is migrated to it.
1380
1407
[[back to top](#databricks-labs-ucx)]
1381
1408
1382
1409
## `migrate-tables` command
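Review bot: The Catalog & Schema ACL paragraph never names the grantee: it says the command "grants `USAGE` access to the schema and catalog" but not to whom, while the Location ACLs text added in this same change spells out "all the user who have access to the interactive cluster or SQL warehouse". Please state the grantee here as well. Style: the label "Catalog & Schema ACL:" is plain text while the earlier one is bold (`**Location ACLs:**`), "sql warehouse" is lower-case here and "SQL warehouse" there, and "tables which has external location on those storage account created" is hard to parse; something like "tables whose external location is on that storage account" would read more clearly.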
@@ -1390,6 +1417,15 @@ Anytime after [`create-table-mapping` command](#create-table-mapping-command) is
1390
1417
This command kicks off the [table migration](#Table-Migration) process. It triggers the `migrate-tables` workflow,
1391
1418
and if there are HiveSerDe tables detected, prompt whether to trigger the `migrate-external-hiveserde-tables-in-place-experimental` workflow.
1392
1419
1420
+
Table and View ACL:
1421
+
`migrate-tables` command also applies any table and view ACL from existing clusters.
1422
+
For Azure it checks if there are any interactive cluster or sql warehouse which has service principals configured to access storage.
1423
+
It maps the storage account to the tables which has external location on those storage account created and grants either `SELECT` permission if
1424
+
the service principal only has read access on the storage account and `ALL_PRIVILEGES` if the service principal has write access on the storage account
1425
+
For AWS, it checks any instance profiles mapped to the interactive cluster or sql warehouse. It checks the mapping of instance profiles
1426
+
to the bucket. It then maps the bucket to the tables which has external location on those bucket created and grants either `SELECT` permission if
1427
+
the instance profile only has read access on the bucket and `ALL_PRIVILEGES` if the instance profile has write access on the bucket.
1428
+
1393
1429
[[back to top](#databricks-labs-ucx)]
1394
1430
1395
1431
## `revert-migrated-tables` command
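Review bot: In the Table and View ACL paragraph, write access on the storage account or bucket is translated into `ALL_PRIVILEGES` on the table, which is the broadest grant available, and the text neither says who receives it nor why a narrower privilege is not used. Please name the grantee and call out that the grant is derived from storage-level access, so administrators know to review it after migration. The label mentions views, but the body only describes tables with an external location; add a sentence on how view grants are derived. Minor: "grants either `SELECT` permission if ... and `ALL_PRIVILEGES` if ..." should use "or", and the Azure sentence has no closing period.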
@@ -1814,20 +1850,21 @@ run the commands that need cloud administrator rights.