cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Spark Notebook error: Java.sql.SQLException:User does not have permissions to perform this action
By
Liliam_C_Leme
Published Jul 24 2020 01:16 AM 4,733 Views
Liliam_C_Leme
Microsoft
‎Jul 24 2020 01:16 AM

Spark Notebook error: Java.sql.SQLException:User does not have permissions to perform this action

‎Jul 24 2020 01:16 AM

I was working on this case last week with permission error on the spark notebook, so basically the scenario was: 

1. Loading data from another database to DB container.

2. Loading Data from Datawarehouse using Spark Notebook

When the second step was executed the error bellow was throw:

Error: java.sql.SQLException: com.microsoft.sqlserver.jdbc.SQLServerException:User does not have permissions to perform this action

 

So the error message is pretty clear: This is a permission error. The solution was also simple as the message.

We created a SQL User on the Db for this process specific. As this process requires only data reader permission that was the one given to the user.

---Run on Master DB
CREATE LOGIN loginmame    WITH PASSWORD = Lalala!0001'

GO

 
---Run on SQL DW DB
CREATE USER username

FOR LOGIN loginname

WITH DEFAULT_SCHEMA = dbo

GO

 

-- Add user to the database role

EXEC sp_addrolemember N'db_datareader', N'username'

GO

GRANT CONNECT TO username;

After that we changed the notebook process to run using the SQL User/Password that we just created. As it follows.

 

Spark script using SQL User to be executed on the notebook (spark Scala):

val df = spark.read.

option(Constants.SERVER, "Workspacename.sql.azuresynapse.net").

option(Constants.USER, "user ").

option(Constants.PASSWORD, "password").

sqlanalytics("Databasename.dbo.tablename")

 df.show(1)

Also as figure  1 exemplifies:

spark_notebook.png

That is it!

 

Liliam Leme

UK Engineer

0 Likes
Like
7 Comments
Johannes_Vink
Brass Contributor
‎Jul 24 2020 02:16 AM
‎Jul 24 2020 02:16 AM

And is this also possible with using a managed identity? It does not look like it:

https://docs.microsoft.com/en-us/azure/databricks/data/data-sources/azure/synapse-analytics#--authen...

0 Likes
Like
Liliam_C_Leme
Microsoft
‎Jul 24 2020 09:12 AM
‎Jul 24 2020 09:12 AM

You could use the AAD. You could also change the context of the execution using the notebook on the pipeline and than work in a different way for authentication. For the notebook let me look into it.

rebremer
Microsoft
‎Oct 06 2020 01:37 PM
‎Oct 06 2020 01:37 PM

@Liliam_C_Leme @Johannes_Vink I ran into same error. When I added the Synapse Workspace Managed Identity as external user in the database and subsequently granted db_owner rights (instead of only db_datareader) to the external user, then I did not get this error. Not sure what role is minimally required for the external user, but db_datareader is not sufficient (also when you only need to read data in your pipeline)

0 Likes
Like
Liliam_C_Leme
Microsoft
‎Oct 07 2020 01:17 AM
‎Oct 07 2020 01:17 AM

@rebremer , thanks for sharing. but, were you reading data from SQLPool with managed identities on the notebook and db_datareader failed? Is that what happened? Or were you trying to read the data from the pipeline and the permission was not enough?

@Johannes_Vink  - I forgot to add more information about your question:

there are limitations for managed identities on SQL Pool documented here:

https://docs.microsoft.com/en-us/sql/t-sql/statements/copy-into-transact-sql?view=azure-sqldw-latest

But the syntax would be like: spark.read.option("useAzureMSI","true")  - anyway, there is some discussion about this here https://github.com/MicrosoftDocs/azure-docs/issues/45261 and they updated the docs here: https://docs.microsoft.com/en-us/azure/databricks/data/data-sources/azure/synapse-analytics

Alternatively, if you use ADLS Gen2 + OAuth 2.0 authentication or your Azure Synapse instance is configured to have a Managed Service Identity (typically in conjunction with a VNet + Service Endpoints setup), you must set useAzureMSI to true. In this case the connector will specify IDENTITY = 'Managed Service Identity' for the databased scoped credential and no SECRET.

rebremer
Microsoft
‎Oct 07 2020 02:36 AM
‎Oct 07 2020 02:36 AM

@Liliam_C_Leme , my setup was as follows:

- External SQLDW in which the Synapse workspace MI is added as external user

- Spark notebook in Synapse workspace that retrieves data from external SQLDW (and builds an ML model)

- Spark notebook is triggered using Synapse pipeline

 

The following happens:

- If I grant Synapse workspace MI user db_datareader rights in external SQLDW, then pipeline fails

- If I grant Synapse workspace MI user full db_owner rights in external SQLDW, then pipeline runs successfully

 

0 Likes
Like
Liliam_C_Leme
Microsoft
‎Oct 07 2020 02:51 AM
‎Oct 07 2020 02:51 AM

@rebremer interesting scenario. Let me check.

0 Likes
Like
Sreekumar_Prabhakaran
Microsoft
‎Jun 21 2023 03:38 AM
‎Jun 21 2023 03:38 AM

It has to be added to the role db_exporter and then the pipeline should run fine

Version history
Last update:
‎Jul 24 2020 01:16 AM
Updated by: