Audit and monitor data sharing using Delta Sharing (for providers)

This article describes how data providers can use Databricks audit logs to monitor Delta Sharing events, including:

  • When someone creates, modifies, updates, or deletes a share or a recipient

  • When a recipient accesses an activation link and downloads the credential

  • When a recipient accesses shares.

  • When a recipient accesses data in shared tables.

  • When a recipient’s credential is rotated or expires.

For information about how data recipients can audit Delta Sharing events to understand who is accessing which data, see Audit and monitor data access using Delta Sharing (for recipients).

Requirements

An account admin must set up audit logging for your Databricks account. See Enable audit logging and Configure audit logging.

Logged errors

Delta Sharing logs the following errors for data providers. Items between < and > characters represent placeholder text.

  • Delta Sharing is not enabled on the selected metastore.

    DatabricksServiceException: FEATURE_DISABLED:
    Delta Sharing is not enabled
    
  • An operation was attempted on a catalog that does not exist.

    DatabricksServiceException: CATALOG_DOES_NOT_EXIST:
    Catalog ‘<catalog>’ does not exist.
    
  • A user who is not an account admin or metastore admin attempted to perform a privileged operation.

    DatabricksServiceException: PERMISSION_DENIED:
    Only administrators can <operation_name> <operation_target>
    
  • An operation was attempted on a metastore from a workspace to which the metastore is not assigned.

    DatabricksServiceException: INVALID_STATE:
    Workspace <workspace_name> is no longer assigned to this metastore
    
  • A request was missing the recipient name or share name.

    DatabricksServiceException: INVALID_PARAMETER_VALUE: CreateRecipient/CreateShare Missing required field: <recipient_name>/<share_name>
    
  • A request included an invalid recipient name or share name.

    DatabricksServiceException: INVALID_PARAMETER_VALUE: CreateRecipient/CreateShare <recipient_name>/<share_name> is not a valid name
    
  • A user attempted to share a table that is not in a Unity Catalog metastore.

    DatabricksServiceException: INVALID_PARAMETER_VALUE: Only managed or external table on Unity Catalog can be added to a share
    
  • A user attempted to rotate a recipient that was already in a rotated state and whose previous token had not yet expired.

    DatabricksServiceException: INVALID_PARAMETER_VALUE: There are already two active tokens for recipient <recipient_name>
    
  • A user attempted to create a new recipient or share with the same name as an existing one.

    DatabricksServiceException: RECIPIENT_ALREADY_EXISTS/SHARE_ALREADY_EXISTS: Recipient/Share <name> already exists`
    
  • A user attempted to perform an operation on a recipient or share that does not exist.

    DatabricksServiceException: RECIPIENT_DOES_NOT_EXIST/SHARE_DOES_NOT_EXIST: Recipient/Share '<name>' does not exist
    
  • A user attempted to add a table to a share, but the table had already been added.

    DatabricksServiceException: RESOURCE_ALREADY_EXISTS: Shared Table '<name>' already exists
    
  • A user attempted to perform an operation that referenced a table that does not exist.

    DatabricksServiceException: TABLE_DOES_NOT_EXIST: Table '<name>' does not exist
    
  • A user attempted to perform an operation that referenced a schema that did not exist.

    DatabricksServiceException: SCHEMA_DOES_NOT_EXIST: Schema '<name>' does not exist
    

For a list of auditable events and errors logged for data recipients, see Audit and monitor data access using Delta Sharing (for recipients).