Delta Sharing IP access list guide

Preview

<DS> is in Public Preview. To participate in the preview, you must enable the External Data Sharing feature group in the <Databricks> Account Console. See Enable the External Data Sharing feature group for your account.

<DS> is subject to additional Service Specific Terms. Enabling the External Data Sharing feature group represents acceptance of those service terms.

The Delta Sharing IP access list API enables the provider metastore admin to configure an IP access list for each recipient. This list is independent of Workspace IP Access Lists. This API supports allowlists (inclusion) only.

The IP access list affects:

Delta Sharing OSS Protocol REST API access.
Delta Sharing Activation URL access.
Delta Sharing Credential File download.

Each recipient supports a maximum of 100 IP/CIDR values, where one CIDR counts as a single value. Only IPv4 addresses are supported.

Create an IP access list

Use the Databricks Unity Catalog CLI to create and attach an IP access list to a recipient. To do so while creating a recipient:

databricks unity-catalog create-recipient \
  --name <recipient-name> \
  --allowed_ip_address=8.8.8.8 \
  --allowed_ip_address=8.8.8.4/10

Update an IP access list

To update an IP access list for a recipient, use the Databricks Unity Catalog CLI:

databricks unity-catalog update-recipient \
  --name <recipient-name> \
  --json='{"ip_access_list": {"allowed_ip_addresses": ["8.8.8.8", "8.8.8.4/10"]}}'

Delete an IP access list

To delete an IP access list for a recipient, use the Databricks Unity Catalog CLI to pass in an empty IP access list:

databricks unity-catalog update-recipient \
  --name <recipient-name> \
  --json='{"ip_access_list": {}}'

Note

This will remove the restrictions, and the recipient can access the shared data from anywhere.

Retrieve an IP access list

To retrieve an IP access list for a recipient, use the Databricks CLI:

databricks unity-catalog get-recipient \
  --name <recipient-name>

Audit Logging

The following operations have audit logs related to IP access lists:

Recipient management operations: create, update
Denial of access to any of the Delta Sharing OSS Protocol REST API calls
Denial of access to Delta Sharing Activation URL
Denial of access to Delta Sharing Credential File download

To learn more about how to enable and read audit logs for Delta Sharing, please refer to Audit access and activity for Delta Sharing resources. The following table lists audited events related to IP access lists:

actionNAME	requestParams	sourceIPAddress
`createRecipient`	`ip_access_list.allowed_ip_addresses`: Allowlist of IP access list.	N/A
`updateRecipient`	`ip_access_list.allowed_ip_addresses`: Allowlist of IP access list.	N/A
`getActivationUrlInfo`	`is_ip_access_denied`: None if there is no IP access list configured. Otherwise, `true` if the request was denied and `false` if the request was not denied.	The recipient IP address.
`retrieveRecipientToken`	`is_ip_access_denied`: None if there is no IP access list configured. Otherwise, `true` if the request was denied and `false` if the request was not denied.	The recipient IP address.
deltaSharing* (All Delta Sharing actions would have this audit log.)	`is_ip_access_denied`: None if there is no IP access list configured. Otherwise, `true` if the request was denied and `false` if the request was not denied.	The recipient IP address.