-
Notifications
You must be signed in to change notification settings - Fork 148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot login to Databricks - auth endpoint cannot be reached. #3182
Comments
I currently worked on this in my private project. You need to create two Private Endpoints - one for private connectivity to Databricks UI, second for OAuth redirect URL. This article might be useful: Enable Azure Private Link as a standard deployment and Step 4: Create a private endpoint to support SSO (required for UI access) |
@macborowy , there are two private endpoints, in fact three (the third is for the DBFS), resource "azurerm_private_endpoint" "databricks_control_plane_private_endpoint" {
name = "pe-adb-cp-${local.service_resource_name_suffix}"
location = data.azurerm_resource_group.ws.location
resource_group_name = data.azurerm_resource_group.ws.name
subnet_id = data.azurerm_subnet.services.id
tags = local.tre_workspace_service_tags
lifecycle { ignore_changes = [tags] }
private_service_connection {
name = "private-service-connection-databricks-control-plane-${local.service_resource_name_suffix}"
private_connection_resource_id = azurerm_databricks_workspace.databricks.id
is_manual_connection = false
subresource_names = ["databricks_ui_api"]
}
private_dns_zone_group {
name = "private-dns-zone-group-databricks-control-plane-${local.service_resource_name_suffix}"
private_dns_zone_ids = [data.azurerm_private_dns_zone.databricks.id]
}
}
resource "azurerm_private_endpoint" "databricks_auth_private_endpoint" {
name = "pe-adb-auth-${local.service_resource_name_suffix}"
location = data.azurerm_resource_group.ws.location
resource_group_name = data.azurerm_resource_group.ws.name
subnet_id = data.azurerm_subnet.services.id
tags = local.tre_workspace_service_tags
lifecycle { ignore_changes = [tags] }
private_service_connection {
name = "private-service-connection-databricks-auth-${local.service_resource_name_suffix}"
private_connection_resource_id = azurerm_databricks_workspace.databricks.id
is_manual_connection = false
subresource_names = ["browser_authentication"]
}
private_dns_zone_group {
name = "private-dns-zone-group-databricks-auth-${local.service_resource_name_suffix}"
private_dns_zone_ids = [data.azurerm_private_dns_zone.databricks.id]
}
} |
I think the problem is that we have more than one auth private link per region. |
There are two options to handle this issue:
Option 1 is simpler because Databricks needs two subnets (host and container) and can have it from workspace mechanism instead of asking it from core, but we need to make sure it gets deployed only once. |
Summarizing today's discussion: Tasks: Databricks ws service: Databrick shared service:
Test on external subscription |
When trying to log into Databricks from a VM over private endpoint, I get the following:
Looks like a needed rule might be blocked.
cc @guybartal
The text was updated successfully, but these errors were encountered: