Question 28
Domain 7: Ensuring Data Security and Compliancecreating secure, configurable code. The security team is exploring whether or not the Databricks secrets module can be leveraged for connecting to an external database. After testing the code with all Python variables being defined with strings, they upload the password to the secrets module and configure the correct permissions for the currently active user. They then modify their code to the following (leaving all other variables unchanged). password = dbutils.secrets.get(scope="db_creds", key="jdbc_password") print(password) df = (spark.read.format("jdbc").option("url", connection).option("dbtable", tablename).option("user", username).option("password", password) ) Which statement describes what will happen when the above code is executed?
Correct answer: A
Explanation
`dbutils.secrets.get(...)` returns the secret value, but Databricks masks it in notebook output, so `print(password)` shows "REDACTED". Because the JDBC `.option("password", password)` still receives the real secret, the external database connection will succeed.
Why each option is right or wrong
A. The connection to the external table will succeed; the string "REDACTED" will be printed.
Under the Databricks secrets API, `dbutils.secrets.get(scope, key)` returns the actual secret value to the notebook process, so the JDBC connector still receives a valid password in `.option("password", password)` and the external database authentication succeeds. However, Databricks masks secret values in notebook output and logs, so `print(password)` displays `REDACTED` rather than the plaintext secret.
B. The connection to the external table will succeed; the string value of password will printed in plain text.
Databricks masks secret values in notebook output instead of printing plaintext.
C. . An interactive input box will appear in the notebook; if the right password is provided, the connection will succeed and the password will be printed in plain text.
`dbutils.secrets.get` reads stored secrets; it does not prompt for interactive password input.
D. An interactive input box will appear in the notebook; if the right password is provided, the connection will succeed and the encoded password will be saved to DBFS.
Secrets are retrieved at runtime from a secret scope; they are not saved to DBFS by printing or JDBC use.