Databricks Cluster or Job With None Or Insecure Permission(s)
- Query id: a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5
- Query name: Databricks Cluster or Job With None Or Insecure Permission(s)
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description
Databricks clusters and jobs must have permissions defined, and those permissions must be restricted.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Job definition for positive sample 1. The job block itself carries no
# access settings; who may view/run/manage it is declared separately in
# databricks_permissions.positive1 below, which references this job by id.
resource "databricks_job" "positive1" {
  name                = "Featurization"
  max_concurrent_runs = 1

  notebook_task {
    notebook_path = "/Production/MakeFeatures"
  }

  # Ephemeral job cluster. The spark version and node type are taken from
  # data sources that are not part of this page.
  new_cluster {
    spark_version = data.databricks_spark_version.latest.id
    node_type_id  = data.databricks_node_type.smallest.id
    num_workers   = 300
  }
}
# Job definition with NO matching databricks_permissions resource anywhere in
# this sample: nothing on the page references databricks_job.positive1_error.
# This is the "None" case named in the query title — the job's access is left
# entirely to workspace defaults instead of being declared in code.
resource "databricks_job" "positive1_error" {
  name                = "Featurization"
  max_concurrent_runs = 1

  notebook_task {
    notebook_path = "/Production/MakeFeatures"
  }

  # Same ephemeral cluster shape as positive1; data sources not shown here.
  new_cluster {
    spark_version = data.databricks_spark_version.latest.id
    node_type_id  = data.databricks_node_type.smallest.id
    num_workers   = 300
  }
}
# Access-control list for databricks_job.positive1. Its content matches
# databricks_permissions.negative1 entry for entry, so the finding in positive
# sample 1 is presumably raised on positive1_error (which has no permissions
# resource), not on this block. Note that IS_OWNER is assigned to a service
# principal here, not to a group.
resource "databricks_permissions" "positive1" {
  job_id = databricks_job.positive1.id

  # Broad read-only visibility for the built-in "users" group.
  access_control {
    permission_level = "CAN_VIEW"
    group_name       = "users"
  }

  access_control {
    permission_level = "CAN_MANAGE_RUN"
    group_name       = databricks_group.auto.display_name
  }

  access_control {
    permission_level = "CAN_MANAGE"
    group_name       = databricks_group.eng.display_name
  }

  # Single owner, bound to an automation identity rather than a group.
  access_control {
    permission_level       = "IS_OWNER"
    service_principal_name = databricks_service_principal.aws_principal.application_id
  }
}
Positive test num. 2 - tf file
# Interactive cluster for positive sample 2. Access to it is declared in
# databricks_permissions.positive2 below via cluster_id.
resource "databricks_cluster" "positive2" {
  cluster_name            = "Shared Autoscaling"
  autotermination_minutes = 60

  # Version and node type come from data sources not shown on this page.
  spark_version = data.databricks_spark_version.latest.id
  node_type_id  = data.databricks_node_type.smallest.id

  autoscale {
    max_workers = 10
    min_workers = 1
  }
}
# Interactive cluster with NO databricks_permissions resource referencing it
# anywhere in this sample — the "None" case from the query title. Who may
# attach to, restart or manage it is therefore not declared in code.
resource "databricks_cluster" "positive2_error" {
  cluster_name            = "Shared Autoscaling"
  autotermination_minutes = 60

  # Version and node type come from data sources not shown on this page.
  spark_version = data.databricks_spark_version.latest.id
  node_type_id  = data.databricks_node_type.smallest.id

  autoscale {
    max_workers = 10
    min_workers = 1
  }
}
# Access-control list for databricks_cluster.positive2. It is identical to
# databricks_permissions.negative2, so the finding in positive sample 2 is
# presumably on positive2_error (no permissions resource), not here.
resource "databricks_permissions" "positive2" {
  cluster_id = databricks_cluster.positive2.id

  # Least-privilege tiers: attach < restart < manage, each to a distinct group.
  access_control {
    permission_level = "CAN_ATTACH_TO"
    group_name       = databricks_group.auto.display_name
  }

  access_control {
    permission_level = "CAN_RESTART"
    group_name       = databricks_group.eng.display_name
  }

  access_control {
    permission_level = "CAN_MANAGE"
    group_name       = databricks_group.ds.display_name
  }
}
Positive test num. 3 - tf file
# Job definition for positive sample 3. Permissions are declared in
# databricks_permissions.positive3 below; the job block itself is identical
# to the negative samples, so the finding lies in that permissions resource.
resource "databricks_job" "positive3" {
  name                = "Featurization"
  max_concurrent_runs = 1

  notebook_task {
    notebook_path = "/Production/MakeFeatures"
  }

  # Ephemeral job cluster; data sources not shown on this page.
  new_cluster {
    spark_version = data.databricks_spark_version.latest.id
    node_type_id  = data.databricks_node_type.smallest.id
    num_workers   = 300
  }
}
# Access-control list for databricks_job.positive3. The only difference from
# databricks_permissions.negative1 is the last entry: IS_OWNER is granted to a
# *group* (eng), which already holds CAN_MANAGE above, instead of to a single
# service principal as in negative1/negative3. That group-owner entry is
# presumably what the query flags as insecure.
# NOTE(review): Databricks documents the owner role as a single user or
# service principal, not a group — confirm against the provider docs.
resource "databricks_permissions" "positive3" {
  job_id = databricks_job.positive3.id

  access_control {
    permission_level = "CAN_VIEW"
    group_name       = "users"
  }

  access_control {
    permission_level = "CAN_MANAGE_RUN"
    group_name       = databricks_group.auto.display_name
  }

  access_control {
    permission_level = "CAN_MANAGE"
    group_name       = databricks_group.eng.display_name
  }

  # Same group as the CAN_MANAGE entry above, now also made owner.
  access_control {
    permission_level = "IS_OWNER"
    group_name       = databricks_group.eng.display_name
  }
}
Positive test num. 4 - tf file
# Job definition for positive sample 4. Permissions are declared in
# databricks_permissions.positive4 below; the job block itself matches the
# negative samples.
resource "databricks_job" "positive4" {
  name                = "Featurization"
  max_concurrent_runs = 1

  notebook_task {
    notebook_path = "/Production/MakeFeatures"
  }

  # Ephemeral job cluster; data sources not shown on this page.
  new_cluster {
    spark_version = data.databricks_spark_version.latest.id
    node_type_id  = data.databricks_node_type.smallest.id
    num_workers   = 300
  }
}
# Access-control list for databricks_job.positive4 with a single entry that
# grants IS_OWNER to a group. Compare databricks_permissions.negative3, which
# is otherwise the same shape but binds IS_OWNER to a service principal; the
# group-as-owner entry is presumably the condition the query flags.
resource "databricks_permissions" "positive4" {
  job_id = databricks_job.positive4.id

  access_control {
    permission_level = "IS_OWNER"
    group_name       = databricks_group.eng.display_name
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Job definition for negative sample 1 (compliant). Its permissions are
# declared in databricks_permissions.negative1 below via job_id.
resource "databricks_job" "negative1" {
  name                = "Featurization"
  max_concurrent_runs = 1

  notebook_task {
    notebook_path = "/Production/MakeFeatures"
  }

  # Ephemeral job cluster; data sources not shown on this page.
  new_cluster {
    spark_version = data.databricks_spark_version.latest.id
    node_type_id  = data.databricks_node_type.smallest.id
    num_workers   = 300
  }
}
# Compliant access-control list for databricks_job.negative1: every job has a
# permissions resource, groups receive graded non-owner levels, and the single
# IS_OWNER entry goes to a service principal rather than a group.
resource "databricks_permissions" "negative1" {
  job_id = databricks_job.negative1.id

  # Read-only visibility for all workspace users.
  access_control {
    permission_level = "CAN_VIEW"
    group_name       = "users"
  }

  access_control {
    permission_level = "CAN_MANAGE_RUN"
    group_name       = databricks_group.auto.display_name
  }

  access_control {
    permission_level = "CAN_MANAGE"
    group_name       = databricks_group.eng.display_name
  }

  # Owner bound to an automation identity.
  access_control {
    permission_level       = "IS_OWNER"
    service_principal_name = databricks_service_principal.aws_principal.application_id
  }
}
Negative test num. 2 - tf file
# Interactive cluster for negative sample 2 (compliant). Access is declared in
# databricks_permissions.negative2 below via cluster_id.
resource "databricks_cluster" "negative2" {
  cluster_name            = "Shared Autoscaling"
  autotermination_minutes = 60

  # Version and node type come from data sources not shown on this page.
  spark_version = data.databricks_spark_version.latest.id
  node_type_id  = data.databricks_node_type.smallest.id

  autoscale {
    max_workers = 10
    min_workers = 1
  }
}
# Compliant access-control list for databricks_cluster.negative2: the cluster
# has an explicit permissions resource and each group gets only one graded
# level (attach, restart, manage); no owner entry is present.
resource "databricks_permissions" "negative2" {
  cluster_id = databricks_cluster.negative2.id

  access_control {
    permission_level = "CAN_ATTACH_TO"
    group_name       = databricks_group.auto.display_name
  }

  access_control {
    permission_level = "CAN_RESTART"
    group_name       = databricks_group.eng.display_name
  }

  access_control {
    permission_level = "CAN_MANAGE"
    group_name       = databricks_group.ds.display_name
  }
}
Negative test num. 3 - tf file
# Job definition for negative sample 3 (compliant). Permissions are declared
# in databricks_permissions.negative3 below via job_id.
resource "databricks_job" "negative3" {
  name                = "Featurization"
  max_concurrent_runs = 1

  notebook_task {
    notebook_path = "/Production/MakeFeatures"
  }

  # Ephemeral job cluster; data sources not shown on this page.
  new_cluster {
    spark_version = data.databricks_spark_version.latest.id
    node_type_id  = data.databricks_node_type.smallest.id
    num_workers   = 300
  }
}
# Compliant minimal access-control list for databricks_job.negative3: a single
# IS_OWNER entry bound to a service principal. This is the direct counterpart
# of databricks_permissions.positive4, which grants IS_OWNER to a group.
resource "databricks_permissions" "negative3" {
  job_id = databricks_job.negative3.id

  access_control {
    permission_level       = "IS_OWNER"
    service_principal_name = databricks_service_principal.aws_principal.application_id
  }
}