Databricks Certified Generative AI Engineer - Associate

Explanation

The best approach is to use an OAuth 2.0 access token issued by an external identity provider and verify it in a custom validation layer before accessing the model endpoint. This method is widely used for secure, scalable, and flexible access control in enterprise environments.

OAuth 2.0 Benefits:

• Secure and Standardized Authentication: OAuth 2.0 is a well-established standard for token-based authentication.
• Integration with Identity Providers: External identity providers (e.g., Azure AD, Okta, Google Identity) can issue tokens, enabling single sign-on (SSO) and centralized access management.
• Granular Access Control: Tokens can carry claims or scopes, allowing fine-grained authorization policies for different user roles or permissions.
• Scalability: OAuth 2.0 supports dynamic token issuance and validation, making it suitable for environments with multiple users or applications.

Custom Validation Layer:

Before processing a request, a custom validation layer can verify the token by checking its signature, expiration, and claims, ensuring that only authorized users can access the endpoint.

Why not the others:

• A. Configure a Databricks Personal Access Token (PAT) for each user and validate it within the serving endpoint:

  • PATs are designed for individual user access to the Databricks workspace and are less scalable for shared or multi-user environments. They also don't offer the flexibility of claims-based authorization.

• C. Use Databricks' built-in role-based access control (RBAC):

  • While RBAC can control access to the workspace and resources, it does not directly apply to securing REST API requests for model serving.

• D. Set up API keys in Databricks Workspace and authenticate API requests by checking for the presence of a valid API key:

  • API keys provide basic authentication but lack the flexibility and scalability of OAuth 2.0. They do not support claims-based authorization or integrate with enterprise identity providers.

B is the best approach as it leverages a secure, standardized, and scalable authentication mechanism.