Simple bash script based tool for automating Azure Databricks IP access lists add, update, replace and delete operations along with listing
First things first, run the ipacltool.sh script with a -h flag to show your usage :
$ sh ./ipacltool.sh -h
showing usage!
./ipacltool.sh -h --> shows usage
-H <Databricks workspace URL>
-f IP list Filename
-P <Pat Token>
(optional : used for setting up .netrc file
-c <COMMAND>
ADD UPDATE DELETE REPLACE LIST
-A <ACLNAME>
-I <ACL ID> needed for update of acl name
-t <ACL Type>
ALLOW BLOCK
-T Azure Service Tag
-d Disable ACL
-e Enable ACL
-x No Execute - for testing, returns command listing
-s IP Access List Status
-z <ON or OFF> turns on or off the IP access list feature.
Status shown by the -s flag
Flags can be combined ! You will see an example of this below.
The simplest way to setup ipacltool for the first time is to run the tool with your Databricks url -H and pat token -P. This will setup your netrc file that is tied to your workspace so you will no longer need to use the -P pat token flag again.
$ sh ./ipacltool.sh -H https://adb-6499070522450209.9.azuredatabricks.net -P dapxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Databricks Workspace
https://adb-6499070522450209.9.azuredatabricks.net H
Pat Token
creating netrc file ./adb-6499070522450209.netrc
JQ Mode
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3 100 3 0 0 6 0 --:--:-- --:--:-- --:--:-- 6
{}
You will notice, for example, a new netrc file adb-6499070522450209.netrc thats named for your Databricks workspace.
Before we can work with IP access lists we need to turn this feature on. Run ipacltool with the -s flag to show status
$ sh ./ipacltool.sh -H https://adb-6499070522450209.9.azuredatabricks.net -s
Databricks Workspace
https://adb-6499070522450209.9.azuredatabricks.net H
JQ Mode
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29 100 29 0 0 55 0 --:--:-- --:--:-- --:--:-- 55
{
"enableIpAccessLists": null
}
IP access lists will return null if its never been enabled. The -z flag turns IP access lists on or off. You can combine the -z flag with the -s flag to show status as well.
$ sh ./ipacltool.sh -H https://adb-6499070522450209.9.azuredatabricks.net -z ON -s
Databricks Workspace
https://adb-6499070522450209.9.azuredatabricks.net H
No JQ Mode
JQ Mode
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31 100 31 0 0 114 0 --:--:-- --:--:-- --:--:-- 113
{
"enableIpAccessLists": "true"
}
$ sh ./ipacltool.sh -H https://adb-6499070522450209.9.azuredatabricks.net -z OFF -s
Databricks Workspace
https://adb-6499070522450209.9.azuredatabricks.net H
No JQ Mode
JQ Mode
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 32 100 32 0 0 125 0 --:--:-- --:--:-- --:--:-- 125
{
"enableIpAccessLists": "false"
}
One additional flag you may find useful is the -x flag. If you add the -x flag before any other flags, ipacltool will not execute your commands / flags but dump out the curl command code for you to inspect or use in another application. Example running the -z flag above combined with the -x flag :
$ sh ./ipacltool.sh -H https://adb-6499070522450209.9.azuredatabricks.net -x -z OFF -s
Databricks Workspace
https://adb-6499070522450209.9.azuredatabricks.net H
no exec enabled
curl --netrc-file ./adb-6499070522450209.netrc -X PATCH https://adb-6499070522450209.9.azuredatabricks.net/api/2.0/workspace-conf?keys=enableIpAccessLists -d '{
"enableIpAccessLists": "false"
}'
curl --netrc-file ./adb-6499070522450209.netrc -X GET https://adb-6499070522450209.9.azuredatabricks.net/api/2.0/workspace-conf?keys=enableIpAccessLists
For ADD, REPLACE and UPDATE, you can supply either an IP list in a file (-f filename) or an Azure Service Tag (-T Service Tag ID/Name). A sample file has been included in this repo mylist1.sample.
"44.230.222.179/32",
"44.228.166.17/32",
"136.226.64.0/21"
I've included a Azure Service Tag JSON file, which is downloadable from https://www.microsoft.com/en-us/download/details.aspx?id=56519 In the ipacltool.sh script on line #7 the service tag file is added :
service_tag_file="ServiceTags_Public_20221024.json"
The Service tag file is a JSON document with CIDR ranges for almost all of Azure services worldwide (even Databricks!)
Example for Active Directory for SCIM :
$ sh ./ipacltool.sh -H https://adb-6499070522450209.9.azuredatabricks.net -c ADD -A activedir -T AzureActiveDirectory
- All commands are run using -c flag If the command needs additional flags it will try to remind you. Some have optional addition flags, for example LIST command can use -A (ACL Name) to show only that list.
- List ACLS : Can be run on its own and will dump out all of the defined ACLs. If Combined with -A (ACL Name) you can show only that specific ACL
- ADD an ACL : ADD command adds an access list and requires an ACL NAme (-A flag), and either a IP list file (-f filename) or a service tag (-T service tag name). You can optionally set the type (ALLOW or BLOCK) with the -t flag, by default type is set to ALLOW.
- UPDATE an ACL : UPDATE allows you to change an aspect of an exisint ACL. You can update the following :
- -A ACL NAme : ACL Name can be changed if you include the ACL ID (-I)
- Type with -t
- IP List with -f (file) or -T (Service Tag)
- Enable or Disble with the -e or -d flag
- REPLACE an ACL : Unlike Update which changes individual elements of an ACL, REPLACE completely replaces the existing ACL using the same syntax as ADD with an additional option of setting it enabled for disables with the -d and -e flags.
- DELETE an ACL : Delete needs just the ACL Name to delete with the -A flag