Set up Delta Sharing for your account (for providers)

This page describes how to set up Delta Sharing on Databricks for data providers (organizations that want to use Delta Sharing to share data securely).

If you are a data recipient (an organization that receives data that is shared using Delta Sharing), see Read data shared using Databricks-to-Databricks Delta Sharing (for recipients).

important

Delta Sharing requires a Unity Catalog-enabled workspace. You can create one Unity Catalog-enabled workspace for share management. In some accounts, new workspaces are enabled for Unity Catalog automatically. See Automatic enablement of Unity Catalog.

If creating a new Unity Catalog-enabled workspace is not an option, you can use the open-source Delta Sharing project to deploy your own Delta Sharing server to share Delta tables from any platform.

Initial provider setup includes the following steps:

  1. Enable Delta Sharing on a Unity Catalog metastore.
  2. (Optional) Install the Unity Catalog CLI.
  3. Grant privileges to create and manage shares and recipients.
  4. Configure audits of Delta Sharing activity.
  5. Configure storage network access.

Requirements

As a data provider who is setting up your Databricks account to be able to share data, you must have:

Enable Delta Sharing on a metastore

You do not need to enable Delta Sharing on your metastore if you intend to use Delta Sharing only to share data with users on other Unity Catalog metastores in your account. Metastore-to-metastore sharing within a single Databricks account is enabled by default.

Otherwise, follow these steps for each Unity Catalog metastore that manages data that you plan to share using Delta Sharing.

  1. As a Databricks account admin, log in to the account console.

  2. In the sidebar, click Catalog.

  3. Click the name of a metastore to open its details.

  4. Click the checkbox next to Enable Delta Sharing to allow a Databricks user to share data outside their organization.

  5. Configure the recipient token lifetime.

    This configuration sets the period of time after which all recipient tokens expire and must be regenerated. Recipient tokens are used only in the open sharing protocol. Databricks recommends that you configure a default token lifetime rather than allow tokens to live indefinitely.

    note

    The recipient token lifetime for existing recipients is not updated automatically when you change the default recipient token lifetime for a metastore. In order to apply a new token lifetime to a given recipient, you must rotate their token. See Manage recipient tokens.

    To set the default recipient token lifetime:

    1. Confirm that Set expiration is enabled (this is the default).

      If you clear this checkbox, tokens will never expire. Databricks recommends that you configure tokens to expire.

    2. Enter a number of seconds, minutes, hours, or days, and select the unit of measure.

    3. Click Enable.

    For more information, see Security considerations for tokens.

  6. Optionally enter a name for your organization that a recipient can use to identify who is sharing with them.

  7. Click Enable.

(Optional) Install the Unity Catalog CLI

To manage shares and recipients, you can use Catalog Explorer, SQL commands, or the Unity Catalog CLI. The CLI runs in your local environment and does not require Databricks compute resources.

To install the CLI, see What is the Databricks CLI?.

Grant permission to create and manage shares and recipients

Metastore admins have the ability to create and manage shares and recipients, including the granting of shares to recipients. Many provider tasks can be delegated by a metastore admin using the following privileges:

  • CREATE SHARE on the metastore grants the ability to create shares.
  • CREATE RECIPIENT on the metastore grants the ability to create recipients.
  • USE RECIPIENT on the metastore grants the ability to list and view details for all recipients in the metastore.
  • USE SHARE on the metastore grants the ability to list and view details for all shares in the metastore.
  • USE RECIPIENT, USE SHARE, and SET SHARE PERMISSION combined give a user the ability to grant share access to recipients.
  • USE SHARE and SET SHARE PERMISSION combined give a user the ability to transfer ownership of any share.
  • Share and recipient owners can update those objects and grant shares to recipients. Object creators are granted ownership by default, but ownership can be transferred.
  • Share owners can add tables and volumes to shares, as long as they have SELECT access to the tables and READ VOLUME access to the volumes.

For details, see Unity Catalog privileges and securable objects and the permissions listed for the Delta Sharing tasks described.
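The following SQL illustrates how a metastore admin delegates the privileges listed above without handing out metastore admin rights, and how the delegated user then exercises them. This is an added example, not part of the Databricks documentation; the group `sharing-admins`, the share `sales_share`, the table `prod.sales.orders`, and the recipient `acme_corp` are constructed names. It assumes a Unity Catalog-enabled SQL warehouse or cluster and that the recipient object already exists.

```sql
-- Run as a metastore admin: delegate share and recipient management to a group.
-- Each privilege maps to one bullet in the list above; nothing broader is granted.
GRANT CREATE SHARE ON METASTORE TO `sharing-admins`;
GRANT CREATE RECIPIENT ON METASTORE TO `sharing-admins`;
-- USE SHARE + USE RECIPIENT + SET SHARE PERMISSION together let the group
-- grant shares to recipients (and USE SHARE + SET SHARE PERMISSION lets it
-- transfer ownership of any share).
GRANT USE SHARE, USE RECIPIENT, SET SHARE PERMISSION ON METASTORE TO `sharing-admins`;

-- Run as a member of `sharing-admins`: create a share; the creator becomes owner.
CREATE SHARE IF NOT EXISTS sales_share
  COMMENT 'Constructed example share for an external recipient';

-- Adding a table requires SELECT on that table in addition to share ownership.
ALTER SHARE sales_share ADD TABLE prod.sales.orders;

-- Grant the share to a recipient (requires USE RECIPIENT, USE SHARE and
-- SET SHARE PERMISSION, or ownership of the share).
GRANT SELECT ON SHARE sales_share TO RECIPIENT acme_corp;

-- Move ownership of the share to the group so it does not depend on one person.
ALTER SHARE sales_share OWNER TO `sharing-admins`;

-- Verify the result: who holds metastore-level sharing privileges, and which
-- recipients can read this share.
SHOW GRANTS ON METASTORE;
SHOW GRANTS ON SHARE sales_share;
```

The two SHOW GRANTS statements are the check worth running after delegation: the metastore-level output should list only the sharing group (and metastore admins), and the share-level output should list exactly the intended recipients.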

Enable audit logging

As a Databricks account admin, you should enable audit logging to capture Delta Sharing events, such as:

  • When someone creates, modifies, updates, or deletes a share or a recipient
  • When a recipient accesses an activation link and downloads the credential (open sharing only)
  • When a recipient accesses data
  • When a recipient’s credential is rotated or expires (open sharing only)

important

Delta Sharing activity is logged at the account level. When you configure log delivery, do not enter a value for workspace_ids_filter.

To enable audit logging, follow the instructions in Audit log reference.

For detailed information about how Delta Sharing events are logged, see Audit and monitor data sharing.
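Once audit logging is on, the events listed above can be reviewed from the account-level audit system table. The query below is an added example, not part of the Databricks documentation; it assumes the `system.access.audit` table is enabled for the account. Delta Sharing events are logged under the `unityCatalog` service; the exact action names (`createShare`, `rotateRecipientToken`, `deltaSharingQueryTable`, and so on) are assumed values and should be checked against Audit and monitor data sharing for your release before relying on them in an alert.

```sql
-- Delta Sharing activity from the last 7 days, most recent first.
-- Because sharing is logged at the account level, no workspace filter is applied.
SELECT
  event_time,
  action_name,
  user_identity.email        AS actor,
  request_params,            -- share/recipient names and table identifiers
  response.status_code,
  response.error_message
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND event_date >= current_date() - INTERVAL 7 DAYS
  AND (
        -- recipient-side data access (assumed action names)
        action_name LIKE 'deltaSharing%'
        -- provider-side changes to shares and recipients (assumed action names)
     OR action_name IN ('createShare', 'updateShare', 'deleteShare',
                        'createRecipient', 'updateRecipient', 'deleteRecipient',
                        'rotateRecipientToken', 'retrieveRecipientToken')
  )
ORDER BY event_time DESC;

-- Failed recipient access attempts per actor: a burst here usually means an
-- expired or rotated token still in use, or a recipient probing a share it
-- was not granted.
SELECT
  user_identity.email AS actor,
  action_name,
  count(*)            AS failures,
  min(event_time)     AS first_seen,
  max(event_time)     AS last_seen
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND action_name LIKE 'deltaSharing%'
  AND response.status_code <> 200
  AND event_date >= current_date() - INTERVAL 1 DAYS
GROUP BY user_identity.email, action_name
HAVING count(*) >= 10
ORDER BY failures DESC;
```

The second query is the one to schedule as an alert; the threshold of 10 failures in a day is a constructed starting point and should be tuned to the normal error rate of your recipients.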

Allow network access to storage

If your underlying cloud storage is configured with access controls, add your recipient's network to the allowlist so they can read shared tables.

For details, see Bucket policies for Amazon S3.