Audit and monitor data access using Delta Sharing (for recipients)

This article describes how data recipients can use Databricks audit logs to understand who is accessing which data using Delta Sharing.

For information about how data providers can audit Delta Sharing events, see Audit and monitor data sharing using Delta Sharing (for providers).

Requirements

View Delta Sharing shared table access events in the audit log

To view audit logs for your account, you need to know the S3 bucket and path where the logs are delivered. For information about how logs are delivered, see Audit delivery details and format.

Events for Delta Sharing are logged with serviceName set to unityCatalog. The requestParams section of each event includes the following fields, which you can share with the data provider to help them troubleshoot issues.

  • recipient_name: The name of the recipient in the data provider’s system.

  • metastore_id: The name of the metastore in the data provider’s system.

  • sourceIPAddress: The IP address where the request originated.

For example, the following audit event shows that a recipient successfully listed the shares that were available to them. In this example, redacted values are replaced with <redacted>.

{
  "version": "2.0",
  "auditLevel": "ACCOUNT_LEVEL",
  "timestamp": 1635235341950,
  "orgId": "0",
  "shardName": "<redacted>",
  "accountId": "<redacted>",
  "sourceIPAddress": "<redacted>",
  "userAgent": null,
  "sessionId": null,
  "userIdentity": null,
  "serviceName": "unityCatalog",
  "actionName": "deltaSharingListShares",
  "requestId": "ServiceMain-cddd3114b1b40003",
  "requestParams": {
    "metastore_id": "<redacted>",
    "options": "{}",
    "recipient_name": "<redacted>"
  },
  "response": {
    "statusCode": 200,
    "errorMessage": null,
    "result": null
  },
  "MAX_LOG_MESSAGE_LENGTH": 16384
}

The following table lists audited events that are delivered to data recipients. These events log recipient access to shared tables and management of providers.

action                              requestParams

deltaSharingProxyGetTableVersion    share: The name of the share.
                                    schema: The name of the schema.
                                    name: The name of the table.

deltaSharingProxyGetTableMetadata   share: The name of the share.
                                    schema: The name of the schema.
                                    name: The name of the table.

deltaSharingProxyQueryTable         share: The name of the share.
                                    schema: The name of the schema.
                                    name: The name of the table.
                                    predicateHints: The predicates included in the query.
                                    limitHint: The maximum number of rows to return.
                                    version: Table version, if change data feed is enabled.

deltaSharingProxyQueryTableChanges  share: The name of the share.
                                    schema: The name of the schema.
                                    name: The name of the table.
                                    cdf_options: Change data feed options.

createProvider                      name: The name of the provider.
                                    comment: The comment for the provider.

updateProvider                      name: The name of the provider.
                                    updates: A JSON representation of provider attributes that were added or removed from the share. Each item includes action (add or remove) and can include name (the new provider name), owner (new owner), and comment.

deleteProvider                      name: The name of the provider.

getProvider                         name: The name of the provider.

listProviders                       none

activateProvider                    name: The name of the provider.

listProviderShares                  name: The name of the provider.

Logged errors

The following Delta Sharing errors are logged for the data recipient. Items between < and > characters represent placeholder text.

  • The user attempted to access a share they do not have permission to access.

    DatabricksServiceException: PERMISSION_DENIED:
    User does not have SELECT on Share <share_name>
    
  • The user attempted to access a share that does not exist.

    DatabricksServiceException: SHARE_DOES_NOT_EXIST: Share <share_name> does not exist.
    
  • The user attempted to access a table that does not exist in the share.

    DatabricksServiceException: TABLE_DOES_NOT_EXIST: <table_name> does not exist.
    

For a list of auditable events and errors logged for data providers, see Audit and monitor data sharing using Delta Sharing (for providers).
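
The following Python sketch is an added example, not Databricks code. It scans delivered audit events for the table-access actions listed above and reports requests that failed with one of the logged errors, grouped by source IP address. It assumes one JSON event per line and that the error text appears in response.errorMessage; the share, schema and table names and the IP addresses in the sample are constructed.

```python
import json
from collections import Counter

# Table-access actions from the table of recipient events on this page.
TABLE_ACTIONS = {
    "deltaSharingProxyGetTableVersion", "deltaSharingProxyGetTableMetadata",
    "deltaSharingProxyQueryTable", "deltaSharingProxyQueryTableChanges",
}
# Error codes from the "Logged errors" list.
ERROR_CODES = ("PERMISSION_DENIED", "SHARE_DOES_NOT_EXIST", "TABLE_DOES_NOT_EXIST")

def failed_table_access(lines):
    """Yield (source_ip, action, 'share.schema.table', error_code) per failed request."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or corrupt lines
        if not isinstance(ev, dict) or ev.get("serviceName") != "unityCatalog":
            continue
        if ev.get("actionName") not in TABLE_ACTIONS:
            continue
        message = (ev.get("response") or {}).get("errorMessage") or ""
        code = next((c for c in ERROR_CODES if c in message), None)
        if code is None:
            continue  # successful request, or an error outside the documented list
        params = ev.get("requestParams") or {}
        target = ".".join(str(params.get(k, "?")) for k in ("share", "schema", "name"))
        yield ev.get("sourceIPAddress"), ev["actionName"], target, code

def failures_by_source(lines):
    """Count failures per (source IP, error code) so repeated misses from one address stand out."""
    return Counter((ip, code) for ip, _, _, code in failed_table_access(lines))

def _event(ip, action, params, error=None):
    # Builds one constructed audit line (assumed layout: one JSON event per line).
    return json.dumps({"serviceName": "unityCatalog", "actionName": action,
                       "sourceIPAddress": ip, "requestParams": params,
                       "response": {"errorMessage": error}})

T = {"share": "sales", "schema": "eu", "name": "orders"}  # constructed names
SAMPLE = [  # constructed events, not real log data
    _event("203.0.113.7", "deltaSharingProxyQueryTable", T),
    _event("198.51.100.9", "deltaSharingProxyQueryTable", T,
           "DatabricksServiceException: PERMISSION_DENIED: User does not have SELECT on Share sales"),
    _event("198.51.100.9", "deltaSharingProxyGetTableMetadata", {**T, "name": "refunds"},
           "DatabricksServiceException: TABLE_DOES_NOT_EXIST: refunds does not exist."),
    _event("198.51.100.9", "deltaSharingProxyGetTableVersion", {**T, "share": "hr"},
           "DatabricksServiceException: SHARE_DOES_NOT_EXIST: Share hr does not exist."),
    "{truncated",
]
```

Pass failed_table_access an open log file or any iterable of lines; the per-request tuples carry the share, schema and table names a provider would need to troubleshoot the failure.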