Azure Data Lake Storage Gen1

Note

Microsoft has released its next-generation data lake store, Azure Data Lake Storage Gen2.

Azure Data Lake Storage Gen1 (formerly Azure Data Lake Store, also known as ADLS) is an enterprise-wide hyper-scale repository for big data analytic workloads. Azure Data Lake Storage Gen1 enables you to capture data of any size, type, and ingestion speed in a single place for operational and exploratory analytics. Azure Data Lake Storage Gen1 is specifically designed to enable analytics on the stored data and is tuned for performance for data analytics scenarios.

Note

Azure Databricks also supports the following Azure data sources: Azure Blob Storage, Azure Cosmos DB, and Azure SQL Data Warehouse.

There are three ways of accessing Azure Data Lake Storage Gen1:

  1. Pass your Azure Active Directory credentials, also known as credential passthrough.
  2. Mount an Azure Data Lake Storage Gen1 filesystem to DBFS using a service principal and OAuth 2.0.
  3. Use a service principal directly.

Access automatically with your Azure Active Directory credentials

You can authenticate automatically to Azure Data Lake Storage Gen1 from Azure Databricks clusters using the same Azure Active Directory (Azure AD) identity that you use to log into Azure Databricks. When you enable your cluster for Azure AD credential passthrough, commands that you run on that cluster will be able to read and write your data in Azure Data Lake Storage Gen1 without requiring you to configure service principal credentials for access to storage.

Note

Azure Data Lake Storage credential passthrough for Azure Data Lake Storage Gen1 requires Databricks Runtime 5.1 and above.

For complete setup and usage instructions, see Authenticate to Azure Data Lake Storage with your Azure Active Directory Credentials.

Create and grant permissions to service principal

If your selected access method requires a service principal with adequate permissions, and you do not have one, follow these steps:

  1. Create an Azure AD application and service principal that can access resources. Note the following properties:
    • client-id: An ID that uniquely identifies the client application.
    • directory-id: An ID that uniquely identifies the Azure AD instance.
    • service-credential: A string that the application uses to prove its identity.
  2. Register the service principal, granting the correct role assignment, such as Contributor, on the Azure Data Lake Storage Gen1 account.

Mount Azure Data Lake Storage Gen1 resource using a service principal and OAuth 2.0

You can mount an Azure Data Lake Storage Gen1 resource or a folder inside it to Databricks File System. The mount is a pointer to data lake storage, so the data is never synced locally.

Note

Accessing Azure Data Lake Storage Gen1 requires Databricks Runtime 4.0 or above. Once an Azure Data Lake Storage Gen1 account is mounted, you can use Databricks Runtime 3.4 or above to access the mount point.

Important

  • All users in the Azure Databricks workspace have access to the mounted Azure Data Lake Storage Gen1 account. The service client that you use to access the Azure Data Lake Storage Gen1 account should be granted access only to that Azure Data Lake Storage Gen1 account; it should not be granted access to other resources in Azure.
  • Once a mount point is created through a cluster, users of that cluster can immediately access the mount point. To use the mount point in another running cluster, you must run dbutils.fs.refreshMounts() on that running cluster to make the newly created mount point available for use.

DBFS uses the credential you provide when you create the mount point to access the mounted Azure Data Lake Storage Gen1 account.

Mount Azure Data Lake Storage Gen1 resource or folder

To mount an Azure Data Lake Storage Gen1 resource or a folder inside it, use the following command:

Scala
val configs = Map(
  "dfs.adls.oauth2.access.token.provider.type" -> "ClientCredential",
  "dfs.adls.oauth2.client.id" -> "<client-id>",
  "dfs.adls.oauth2.credential" -> dbutils.secrets.get(scope = "<scope-name>", key = "<key-name-for-service-credential>"),
  "dfs.adls.oauth2.refresh.url" -> "https://login.microsoftonline.com/<directory-id>/oauth2/token")

// Optionally, you can add <directory-name> to the source URI of your mount point.
dbutils.fs.mount(
  source = "adl://<storage-resource>.azuredatalakestore.net/<directory-name>",
  mountPoint = "/mnt/<mount-name>",
  extraConfigs = configs)
Python
configs = {"dfs.adls.oauth2.access.token.provider.type": "ClientCredential",
           "dfs.adls.oauth2.client.id": "<client-id>",
           "dfs.adls.oauth2.credential": dbutils.secrets.get(scope = "<scope-name>", key = "<key-name-for-service-credential>"),
           "dfs.adls.oauth2.refresh.url": "https://login.microsoftonline.com/<directory-id>/oauth2/token"}

# Optionally, you can add <directory-name> to the source URI of your mount point.
dbutils.fs.mount(
  source = "adl://<storage-resource>.azuredatalakestore.net/<directory-name>",
  mount_point = "/mnt/<mount-name>",
  extra_configs = configs)

where

<mount-name> is a DBFS path that represents where the Azure Data Lake Storage Gen1 account or a folder inside it (specified in source) will be mounted in DBFS and dbutils.secrets.get(scope = "<scope-name>", key = "<key-name>") retrieves your storage account access key that has been stored as a secret in a secret scope.

Access files in your container as if they were local files, for example:

Scala
val df = spark.read.text("/mnt/<mount-name>/....")
val df = spark.read.text("dbfs:/<mount-name>/....")
Python
df = spark.read.text("/mnt/%s/...." % <mount-name>)
df = spark.read.text("dbfs:/<mount-name>/....")

Unmount a mount point

To unmount a mount point, use the following command:

dbutils.fs.unmount("/mnt/<mount-name>")

Access directly with Spark APIs using a service principal and OAuth 2.0

You can access an Azure Data Lake Storage Gen1 storage account directly (as opposed to mounting with DBFS) with OAuth 2.0 using the service principal.

Access using the DataFrame API

To read from your Azure Data Lake Storage Gen1 account, you can configure Spark to use service credentials with the following snippet in your notebook:

spark.conf.set("dfs.adls.oauth2.access.token.provider.type", "ClientCredential")
spark.conf.set("dfs.adls.oauth2.client.id", "<client-id>")
spark.conf.set("dfs.adls.oauth2.credential", dbutils.secrets.get(scope = "<scope-name>", key = "<key-name-for-service-credential>"))
spark.conf.set("dfs.adls.oauth2.refresh.url", "https://login.microsoftonline.com/<directory-id>/oauth2/token")

where dbutils.secrets.get(scope = "<scope-name>", key = "<key-name>") retrieves your storage account access key that has been stored as a secret in a secret scope.

Once your credentials are set up, you can use standard Spark and Databricks APIs to read from the resource. For example:

val df = spark.read.parquet("adl://<storage-resource>.azuredatalakestore.net/<directory-name>")

dbutils.fs.ls("adl://<storage-resource>.azuredatalakestore.net/<directory-name>")

Azure Data Lake Storage Gen1 provides directory level access control, so the service principal must have access to the directories that you want to read from as well as the Azure Data Lake Storage Gen1 resource.

Access with the RDD API

Hadoop configuration options set using spark.conf.set(...) are not accessible via SparkContext. This means that while they are visible to the DataFrame and Dataset API, they are not visible to the RDD API. If you are using the RDD API to read from Azure Data Lake Storage Gen1, you must set the credentials using one of the following methods:

  • Specify the Hadoop credential configuration options as Spark options when you create the cluster. You must add the spark.hadoop. prefix to the corresponding Hadoop configuration keys to propagate them to the Hadoop configurations used for your RDD jobs:

    spark.hadoop.dfs.adls.oauth2.access.token.provider.type ClientCredential
    spark.hadoop.dfs.adls.oauth2.client.id <client-id>
    spark.hadoop.dfs.adls.oauth2.credential <service-credential>
    spark.hadoop.dfs.adls.oauth2.refresh.url "https://login.microsoftonline.com/<directory-id>/oauth2/token"
    
  • Scala users can set the credentials in spark.sparkContext.hadoopConfiguration:

    spark.sparkContext.hadoopConfiguration.set("dfs.adls.oauth2.access.token.provider.type", "ClientCredential")
    spark.sparkContext.hadoopConfiguration.set("dfs.adls.oauth2.client.id", "<client-id>")
    spark.sparkContext.hadoopConfiguration.set("dfs.adls.oauth2.credential", dbutils.secrets.get(scope = "<scope-name>", key = "<key-name-for-service-credential>"))
    spark.sparkContext.hadoopConfiguration.set("dfs.adls.oauth2.refresh.url", "https://login.microsoftonline.com/<directory-id>/oauth2/token")
    

    where dbutils.secrets.get(scope = "<scope-name>", key = "<key-name>") retrieves your storage account access key that has been stored as a secret in a secret scope.

Warning

These credentials are available to all users who access the cluster.

Access through metastore

To access adl:// locations specified in the metastore, you must specify Hadoop credential configuration options as Spark options when you create the cluster by adding the spark.hadoop. prefix to the corresponding Hadoop configuration keys to propagate them to the Hadoop configurations used by the metastore:

spark.hadoop.dfs.adls.oauth2.access.token.provider.type ClientCredential
spark.hadoop.dfs.adls.oauth2.client.id <client-id>
spark.hadoop.dfs.adls.oauth2.credential <service-credential>
spark.hadoop.dfs.adls.oauth2.refresh.url "https://login.microsoftonline.com/<directory-id>/oauth2/token"

Warning

These credentials are available to all users who access the cluster.

Example notebook

The following notebook demonstrates how to access Azure Data Lake Storage Gen1 directly and with a mount.