FAQs


SAT Deployment and Support


  1. Is SAT an officially supported tool?

    SAT is not an officially supported tool. Any issues discovered through the use of this project should be filed as GitHub Issues on the repository. They will be reviewed as time permits, but there are no formal SLAs for support. Please note that the code in the SAT project is provided for your exploration only and is not formally supported by Databricks with Service Level Agreements (SLAs). It is provided AS-IS, and we do not make any guarantees of any kind. Please do not submit a support ticket relating to any issues arising from the use of these projects. The source in this project is provided subject to the Databricks License. All included or referenced third-party libraries are subject to the licenses set forth in the project license.

  1. Can I open Databricks support tickets if I encounter issues with SAT?

    Currently, SAT is a self-service tool that is developed and maintained by the Databricks field team. Please contact your Databricks account team and open a GitHub issue if you run into issues.

  1. Can SAT be configured on an independent virtual machine?

    SAT needs to be deployed in one of your Databricks workspaces and run as a workflow. You can trigger the SAT installation process from any machine (preferably Linux) where the Databricks CLI and the other prerequisites are installed and configured.

  1. Does SAT automatically update once I set it up?

    SAT is frequently upgraded and the latest versions are made available in the official Git repository. SAT deployments do not update automatically. To upgrade or update SAT deployments in your environment, you need to perform the update manually. This is a design decision, so that customers have full control over the upgrade process of SAT.

  1. Can SAT make modifications to my workspaces and account?

    SAT is meant to be a read-only analysis tool. It does not make changes to your workspace or account configurations.

  1. I am seeing errors when I run the SAT. How can I validate my SAT configuration?

    We have created diagnostic notebooks to help you verify if your SAT setup has the necessary configurations, permissions, and network paths to run the REST API calls. Please use “Workspace -> Applications -> SAT/TF -> Files -> Notebooks -> Diagnosis” to find the appropriate notebook for your cloud.

  1. If SAT is already configured, how do we add/remove other workspaces in the same account/subscription?

    If the service principal configured to be used by SAT (credentials) is added to any workspace in the account/subscription, SAT will automatically collect details for all those workspaces as well. To achieve this, add or remove the credentials used by SAT to or from the workspace, and run the initialization job to register the new workspaces under SAT.

  1. If a workspace is deleted after the SAT is set up, is there a way to get the initializer to run without error without a full reinstall of the tool?

    You need to re-run the initializer, which will mark the workspace connection test as failed, and the workspace will not be assessed in the future. Another option, if you want to manually remove the workspace, is to run this step.

  1. I added a new workspace for analysis, re-ran steps under initialize and driver, but the dashboard is not updated with the new workspace in the pulldown even though I see new data generated by the analysis scan for the new workspace in SAT database. What should I do?

    It is likely that the dashboard cached the workspaces in the pulldown. You can go to SQL view of your workspace -> Queries -> find workspace_ids query and run it. This process should refresh the cache and you should have the new workspaces in the pull-down.

  1. Can I use one deployment of SAT to monitor all my workspaces across different clouds, like AWS and Azure?

    Currently one deployment of SAT in AWS can be used for monitoring all the workspaces in that AWS account. Similarly, one deployment of SAT in Azure can be used for monitoring all the workspaces in that Azure subscription. One deployment of SAT to monitor workspaces deployed across different clouds is currently not supported.

  1. Do I need a different SAT deployment to monitor workspaces in different regions?

    One deployment of SAT in AWS can be used for monitoring all the workspaces (in any region) in that AWS account. Similarly, one deployment of SAT in Azure can be used for monitoring all the workspaces (in any region) in that Azure subscription.

  1. Can SAT be integrated with other cloud based monitoring tools?

    This is not supported at this time. SAT is a security monitoring tool used specifically for Databricks workspaces. There is an export notebook you can use to export the results of SAT that you can consider using with other tools.


SAT Checks


  1. Does SAT test for all of the Databricks Security Best practices?

    We are continuously making improvements to SAT, and the majority of the checks are based on Security Best Practices. However, not all recommendations are covered, as some best practices are specific to cloud configuration, and a few practices can't be automatically checked due to the absence of REST APIs.

  1. What do the severity labels specifically mean on the SAT configs? How does one interpret them?

    Severity in the SAT report is our general assessment of what a given check means for most customers, allowing them to prioritize mitigating deviations starting with the 'High' severity ones first. However, each customer can assess the applicability of the severity and prioritize according to their own security needs.

  1. Can I disable a check for my assessment?

    Yes, this is possible. As an optional step, you can modify the security best practices for the SAT checks. Go to “Workspace -> Applications -> SAT/TF -> Files -> Notebooks -> Setup -> 7. update_sat_check_configuration” and use this utility to enable or disable a check and to modify the evaluation value and alert configuration value for each check. You can update this file at any time, and any analysis from then on will take these values into consideration.


SAT Reports


  1. Do we need to address all of the deviations reported by SAT?

    Not necessarily. Please make sure to review the SAT report with your business stakeholders, administrators, security team, auditors, and other relevant parties. Assess your organizational security requirements before making any security improvements based on the report, as not all deviations need to be mitigated by all customers. Some of the recommendations may have cost implications, and some of the recommended security features may have dependencies or feature limitations. Please thoroughly review individual feature documentation before making changes to your security configurations.

  1. Why are SSO, SCIM, Table ACLs, etc. not properly reflected in the SAT report?

    Please refer to the usage section of the setup guide. There are a few checks that rely on self-assessment due to the lack of REST APIs to automatically check them. Please go to “Workspace -> Applications -> SAT -> Files -> self_assessment_checks.yaml” and ensure the 'enabled' values reflect your environment for the listed manual checks with either true or false. SAT will automatically check the rest of the configurations. Rerun the SAT jobs.


Troubleshooting


We created diagnosis notebooks for respective clouds to help troubleshoot your SAT setup. Please go to Workspace -> Applications -> SAT -> files -> notebooks -> diagnosis/ folder and run the respective cloud sat_diagnosis_ notebook.


Incorrectly configured secrets

  • Error:

    Secret does not exist with scope: sat_scope and key: sat_tokens
    
  • Resolution:

    Check if the tokens are configured with the correct names by listing and comparing with the configuration.

    databricks --profile e2-sat secrets list-secrets sat_scope
    

Firewall blocking Databricks accounts console

  • Error:

    Traceback (most recent call last): 
    File "/databricks/python/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen  
    httplib_response = self._make_request(  
    File "/databricks/python/lib/python3.8/site-packages/urllib3/connectionpool.py", line 381, in _make_request  
    self._validate_conn(conn)  
    File "/databricks/python/lib/python3.8/site-packages/urllib3/connectionpool.py", line 978, in _validate_conn  
    conn.connect()  
    File "/databricks/python/lib/python3.8/site-packages/urllib3/connection.py", line 362, in connect  
    self.sock = ssl_wrap_socket(  
    File "/databricks/python/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 386, in ssl_wrap_socket  
    return context.wrap_socket(sock, server_hostname=server_hostname)  
    File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket  
    return self.sslsocket_class._create(  
    File "/usr/lib/python3.8/ssl.py", line 1040, in _create  
    self.do_handshake()  
    File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake  
    self._sslobj.do_handshake() 
    ConnectionResetError: [Errno 104] Connection reset by peer 
    During handling of the above exception, another exception occurred:
    
  • Resolution:

    Run the following command in your notebook:

    %sh
    curl -X GET -H "Authorization: Basic <base64 of userid:password>" -H "Content-Type: application/json" https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/workspaces
    

    or

    %sh
    curl -u 'user:password' -X GET -H "Content-Type: application/json" https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/workspaces
    

    If you don’t see a JSON with a clean listing of workspaces, you are likely having a firewall issue that is blocking calls to the accounts console. Please have your infrastructure team add accounts.cloud.databricks.com to the allow-list. Ensure that the private IPv4 address from the NAT gateway is added to the IP allow list.
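
An added example, not part of SAT or its diagnosis notebooks: the traceback above fails inside `do_handshake`, before any HTTP request or credential is sent, so a probe that stops after the TLS handshake can confirm a network block without putting a password on a command line. The stage labels and advice strings are this example's own wording.

```python
import socket
import ssl

ACCOUNTS_HOST = "accounts.cloud.databricks.com"  # host named in the FAQ above

# Labels and advice are this example's own wording, not SAT output.
ADVICE = {
    "ok": "network path is open; a remaining error is credentials or API",
    "dns": "name did not resolve; check the cluster's DNS configuration",
    "tcp-blocked": "no TCP connection on 443; check egress rules and NAT",
    "tls-intercepted": "certificate rejected; check for a TLS-inspecting proxy",
    "tls-reset": "handshake cut off, as in the traceback; allow-list the host",
}


def classify_failure(stage, exc):
    """Name the stage at which the connection died."""
    if isinstance(exc, socket.gaierror):
        return "dns"
    if stage == "tcp":
        return "tcp-blocked"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-intercepted"
    return "tls-reset"  # ConnectionResetError, SSL EOF, handshake timeout


def probe_tls(host=ACCOUNTS_HOST, port=443, timeout=5.0):
    """TCP connect, then a verified TLS handshake; no HTTP, no credentials."""
    stage = "tcp"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            stage = "tls"
            context = ssl.create_default_context()
            with context.wrap_socket(sock, server_hostname=host):
                return "ok"
    except OSError as exc:
        return classify_failure(stage, exc)


if __name__ == "__main__":
    result = probe_tls()
    print(result, "-", ADVICE[result])
```

A result of `ok` means the firewall is not the cause, and the `curl` output should then be read for an authentication or API error instead.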

Offline install of libraries in case of no PyPI access

  • Steps:

    1. Download the dbl_sat_sdk version specified in the notebook notebooks/utils/initialize from PyPI:

      https://pypi.org/project/dbl-sat-sdk/
      
    2. Upload the dbl_sat_sdk-w.x.y-py3-none-any.whl to a dbfs location. You can use the databricks-cli as one mechanism to upload. For example:

      databricks --profile e2-satfs cp /localdrive/whlfile/dbl_sat_sdk-w.x.y-py3-none-any.whl dbfs:/FileStore/wheels/
      
    3. Additionally, download the following wheel files and upload them to the dbfs location as above:

      https://github.com/databricks-industry-solutions/security-analysis-tool/tree/main/docs/wheels
      
    4. Upload all wheel files to /FileStore/wheels in your workspace.

    5. Verify all files are there by running:

      %fs ls /FileStore/wheels
      
    6. Then change the cell in your notebook install_sat_sdk to this:

      %pip install cachetools --find-links /dbfs/FileStore/wheels/cachetools-5.3.1-py3-none-any.whl
      
      %pip install pyasn1 --find-links /dbfs/FileStore/wheels/pyasn1-0.5.0-py2.py3-none-any.whl
      
      %pip install pyasn1-modules --find-links /dbfs/FileStore/wheels/pyasn1_modules-0.3.0-py2.py3-none-any.whl
      
      %pip install rsa --find-links /dbfs/FileStore/wheels/rsa-4.9-py3-none-any.whl
      
      %pip install google-auth --find-links /dbfs/FileStore/wheels/google_auth-2.22.0-py2.py3-none-any.whl
      
      %pip install PyJWT[crypto] --find-links /dbfs/FileStore/wheels/PyJWT-2.8.0-py3-none-any.whl
      
      %pip install msal --find-links /dbfs/FileStore/wheels/msal-1.22.0-py2.py3-none-any.whl
      
      %pip install dbl-sat-sdk==0.1.37 --find-links /dbfs/FileStore/wheels/dbl_sat_sdk-0.1.37-py3-none-any.whl
      
    7. Make sure the versions for the above libraries match.
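
One way to carry out steps 5 and 7 together, as an added example that is not part of SAT: it reads the `%pip install` lines from the cell, checks each wheel file name against the requirement and any `==` pin, confirms the file was uploaded, and returns a SHA-256 digest per wheel to compare with the hashes published on PyPI for the same files. The function names are hypothetical, and the wheel directory is assumed to be readable at `/dbfs/FileStore/wheels`.

```python
import hashlib
import os
import re

# One install line as written in step 6: requirement, then the wheel path.
LINE = re.compile(r"^%pip install (\S+) --find-links (\S+\.whl)$")


def normalize(name):
    """PEP 503 normalization, so dbl_sat_sdk and dbl-sat-sdk compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_install_cell(cell_text, wheel_dir):
    """Return (problems, sha256_by_file) for the %pip lines in the cell."""
    problems, digests = [], {}
    for line in cell_text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue
        requirement, wheel_path = match.groups()
        filename = os.path.basename(wheel_path)
        # Wheel names are {distribution}-{version}-{python}-{abi}-{platform}.whl
        dist, version = filename.split("-")[:2]
        req_name, _, pinned = requirement.partition("==")
        req_name = req_name.split("[")[0]  # drop extras such as [crypto]
        if normalize(req_name) != normalize(dist):
            problems.append("%s: wheel is for %s" % (requirement, dist))
        if pinned and pinned != version:
            problems.append("%s: wheel version is %s" % (requirement, version))
        local = os.path.join(wheel_dir, filename)
        if not os.path.isfile(local):
            problems.append("%s: not uploaded" % filename)
            continue
        with open(local, "rb") as handle:
            digests[filename] = hashlib.sha256(handle.read()).hexdigest()
    return problems, digests


if __name__ == "__main__":
    # Constructed sample: two lines copied from the cell in step 6.
    cell = """
    %pip install rsa --find-links /dbfs/FileStore/wheels/rsa-4.9-py3-none-any.whl
    %pip install dbl-sat-sdk==0.1.37 --find-links /dbfs/FileStore/wheels/dbl_sat_sdk-0.1.37-py3-none-any.whl
    """
    print(audit_install_cell(cell, "/dbfs/FileStore/wheels"))
```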