Databricks Permissions MCP Server: Access Control & Credential Mgmt

What is Databricks Permissions MCP Server: Access Control & Credential Mgmt?

This server acts as a bridge between large language models (LLMs) like Claude and Databricks' permission management systems. By implementing the Model Completion Protocol (MCP), it enables automated interaction with Databricks APIs to control access rights, manage service principals, and handle Git credentials securely. Think of it as the nerve center for programmatically enforcing governance policies across your Databricks workspace.

How to Use Databricks Permissions MCP Server: Access Control & Credential Mgmt?

Start by cloning the repo and setting up a Python 3.10+ environment. Configure required environment variables including your Databricks host and personal access token. Once running, integrate the server with tools like Claude Desktop using custom command configurations. Key steps involve:
- Listing Git credentials via API calls
- Querying permissions for clusters/jobs/workspaces
- Updating access levels programmatically
The async architecture ensures efficient handling of multiple concurrent requests.

Key Features of Databricks Permissions MCP Server: Access Control & Credential Mgmt?

• MCP Protocol Integration: Direct LLM access to permission workflows
• Granular Resource Control: Manage permissions for clusters, jobs, warehouses, Unity Catalog objects, and workspace entities
• Service Principal Lifecycle: Full CRUD operations for service principals
• Git Credential Security: Encrypted storage and rotation capabilities
• Asynchronous Execution: Built with asyncio for high-performance API interactions

Use Cases of Databricks Permissions MCP Server: Access Control & Credential Mgmt?

Organizations leverage this tool to:

• Automate compliance audits by exporting permission matrices
• Create temporary access credentials for CI/CD pipelines
• Enforce least-privilege principles across all Databricks resources
• Implement self-service credential management for developers
• Orchestrate permissions during multi-environment deployments

FAQ from Databricks Permissions MCP Server: Access Control & Credential Mgmt?

Q: Does this require a specific Databricks version?
A: Works with all Databricks Runtime versions supporting the associated REST APIs

Q: Can it manage permissions for Delta Sharing resources?
A: Yes, through the Unity Catalog API integration for shares and schemas

Q: How are sensitive credentials protected?
A: All credentials are encrypted at rest and in transit, following Databricks' native security controls

Q: What's the recommended deployment pattern?
A: Run as a Kubernetes pod within the same network segment as your Databricks workspace for optimal latency

Databricks Permissions MCP Server

A Model Completion Protocol (MCP) server that provides access to Databricks permissions, credentials, and Git credentials via the MCP protocol. This allows LLM-powered tools like Claude to interact with Databricks permissions management systems.

Features

• MCP Protocol Support : Implements the MCP protocol to allow LLMs to manage Databricks permissions
• Databricks API Integration : Provides secure access to Databricks permissions REST APIs
• Permission Management : Comprehensive tools for managing permissions on various Databricks resources
• Git Credentials Management : Tools for creating, listing, updating, and deleting Git credentials
• Async Support : Built with asyncio for efficient operation

Available Tools

The Databricks Permissions MCP Server exposes the following tools:

Permissions Management

• get_permissions : Get permissions for a Databricks object
• set_permissions : Set permissions for a Databricks object
• update_permissions : Update permissions for a Databricks object
• get_permission_levels : Get available permission levels for a Databricks object type

Resource-Specific Permissions

• get_cluster_permissions : Get permissions for a cluster
• set_cluster_permissions : Set permissions for a cluster
• update_cluster_permissions : Update permissions for a cluster
• get_job_permissions : Get permissions for a job
• set_job_permissions : Set permissions for a job
• get_warehouse_permissions : Get permissions for a SQL warehouse
• get_workspace_object_permissions : Get permissions for a workspace object (notebooks, directories)

Service Principals

• list_service_principals : List all service principals in the workspace
• get_service_principal : Get details of a specific service principal
• create_service_principal : Create a new service principal
• update_service_principal : Update an existing service principal
• delete_service_principal : Delete a service principal

Unity Catalog Permissions

• get_catalog_permissions : Get permissions for a Unity Catalog catalog
• get_schema_permissions : Get permissions for a Unity Catalog schema
• get_table_permissions : Get permissions for a Unity Catalog table

Git Credentials Management

• list_git_credentials : List all Git credentials
• create_git_credential : Create a new Git credential
• update_git_credential : Update an existing Git credential
• delete_git_credential : Delete a Git credential

Installation

Prerequisites

• Python 3.10 or higher
• MCP-compatible client (e.g., Claude Desktop)

Setup

1. Clone the repository:

   git clone https://github.com/yourusername/databricks-permissions-mcp-server.git

cd databricks-permissions-mcp-server

2. Set up the project:

   Create and activate virtual environment

python -m venv .venv

# On Windows
.\.venv\Scripts\activate

# On Linux/Mac
source .venv/bin/activate

# Install dependencies in development mode
pip install -e .

3. Set up environment variables:

   Windows

set DATABRICKS_HOST=https://your-databricks-instance.azuredatabricks.net
set DATABRICKS_TOKEN=your-personal-access-token

# Linux/Mac
export DATABRICKS_HOST=https://your-databricks-instance.azuredatabricks.net
export DATABRICKS_TOKEN=your-personal-access-token

You can also create an .env file based on the .env.example template.

Running the MCP Server

To start the MCP server, run:

# Windows
.\start_mcp_server.ps1

# Linux/Mac
./start_mcp_server.sh

Using with Claude Desktop

1. In Claude Desktop, click the "+" button to add a new tool
2. Select "Custom command"
3. Enter a name like "Databricks Permissions"
4. For the command, enter: python -m src.server.databricks_permissions_mcp_server
5. Click "Save"
6. You can now ask Claude to perform tasks like:
   * "List all Git credentials in Databricks"
   * "Show permissions for cluster X"
   * "Update permissions for job Y to give user Z 'CAN_MANAGE' access"

Project Structure

databricks-permissions-mcp-server/
├── src/                             # Source code
│   ├── api/                         # Databricks API clients
│   │   ├── permissions.py           # Permissions API client
│   │   ├── service_principals.py    # Service principals API client
│   │   ├── unity_catalog.py         # Unity Catalog API client
│   │   ├── shares.py                # Delta Sharing API client
│   │   └── git_credentials.py       # Git credentials API client
│   ├── core/                        # Core functionality
│   ├── server/                      # Server implementation
│   │   ├── databricks_permissions_mcp_server.py # Main MCP server
│   │   └── app.py                   # FastAPI app for tests
│   └── cli/                         # Command-line interface
├── tests/                           # Test directory
├── scripts/                         # Helper scripts
└── pyproject.toml                   # Project configuration

Development

Code Standards

• Python code follows PEP 8 style guide with a maximum line length of 100 characters
• All classes, methods, and functions should have Google-style docstrings
• Type hints are required for all code except tests

Testing

The project uses pytest for testing. To run the tests:

# Run all tests
pytest tests/

# Run with coverage report
pytest --cov=src tests/ --cov-report=term-missing

License

This project is licensed under the MIT License - see the LICENSE file for details.