Delta Sharing IP access list guide
Preview
Delta Sharing is in Public Preview. To participate in the preview, you must enable the External Data Sharing feature group in the Databricks Account Console. See Enable the External Data Sharing feature group for your account.
Delta Sharing is subject to additional Service Specific Terms. Enabling the External Data Sharing feature group represents acceptance of those service terms.
The Delta Sharing IP access list API enables the provider metastore admin to configure an IP access list for each recipient. This list is independent of Workspace IP Access Lists. This API supports allowlists (inclusion) only.
The IP access list affects:
Delta Sharing OSS Protocol REST API access.
Delta Sharing Activation URL access.
Delta Sharing Credential File download.
Each recipient supports a maximum of 100 IP/CIDR values, where one CIDR counts as a single value. Only IPv4 addresses are supported.
Create an IP access list
Use the Databricks Unity Catalog CLI to create and attach an IP access list to a recipient. To do so while creating a recipient:
databricks unity-catalog create-recipient \
--name <recipient-name> \
--allowed_ip_address=8.8.8.8 \
--allowed_ip_address=8.8.8.4/10
Update an IP access list
To update an IP access list for a recipient, use the Databricks Unity Catalog CLI:
databricks unity-catalog update-recipient \
--name <recipient-name> \
--json='{"ip_access_list": {"allowed_ip_addresses": ["8.8.8.8", "8.8.8.4/10"]}}'
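A pre-flight check for the list before it is passed to `--json`, as an added example that is not part of the Databricks documentation or CLI. It enforces the limits stated in this guide (IPv4 only, at most 100 values) and reports values such as `8.8.8.4/10` whose literal address is not the start of the range they name. The function names and the `/16` breadth threshold are choices made for this example, and how the service itself treats a CIDR with host bits set is not stated on this page.

```python
import ipaddress
import json

MAX_VALUES = 100  # per-recipient limit stated in this guide


def check_entry(entry):
    """Return (network, warnings) for one allowlist value; raise ValueError if unusable."""
    try:
        # strict=False accepts values such as 8.8.8.4/10 so they can be reported below
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError as exc:
        raise ValueError(f"{entry!r} is not an IP address or CIDR: {exc}")
    if net.version != 4:
        raise ValueError(f"{entry!r} is IPv6; only IPv4 is supported")
    warnings = []
    literal_addr = entry.strip().split("/")[0]
    if str(net.network_address) != literal_addr:
        warnings.append(f"{entry} has host bits set; the range it names is {net}")
    if net.prefixlen < 16:  # threshold chosen for this example, not a Databricks limit
        warnings.append(f"{entry} admits {net.num_addresses:,} addresses")
    return net, warnings


def build_payload(entries):
    """Validate entries and return (json_payload, warnings) for update-recipient --json."""
    seen, values, warnings = set(), [], []
    for entry in entries:
        net, notes = check_entry(entry)
        warnings.extend(notes)
        if net in seen:
            warnings.append(f"{entry} duplicates an earlier value")
            continue
        seen.add(net)
        values.append(entry.strip())
    if len(values) > MAX_VALUES:
        raise ValueError(f"{len(values)} values exceeds the limit of {MAX_VALUES}")
    payload = {"ip_access_list": {"allowed_ip_addresses": values}}
    return json.dumps(payload), warnings


if __name__ == "__main__":
    # The two values used in this guide's CLI examples
    body, notes = build_payload(["8.8.8.8", "8.8.8.4/10"])
    print(body)
    for note in notes:
        print("warning:", note)
```

Run against the two values used in this guide, it emits the same JSON body shown above plus two warnings for `8.8.8.4/10`: the range it names is `8.0.0.0/10`, which admits 4,194,304 addresses.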
Delete an IP access list
To delete an IP access list for a recipient, use the Databricks Unity Catalog CLI to pass in an empty IP access list:
databricks unity-catalog update-recipient \
--name <recipient-name> \
--json='{"ip_access_list": {}}'
Note
This will remove the restrictions, and the recipient can access the shared data from anywhere.
Retrieve an IP access list
To retrieve an IP access list for a recipient, use the Databricks CLI:
databricks unity-catalog get-recipient \
--name <recipient-name>
Audit Logging
The following operations have audit logs related to IP access lists:
Recipient management operations: create, update
Denial of access to any of the Delta Sharing OSS Protocol REST API calls
Denial of access to Delta Sharing Activation URL
Denial of access to Delta Sharing Credential File download
To learn more about how to enable and read audit logs for Delta Sharing, please refer to Audit access and activity for Delta Sharing resources. The following table lists audited events related to IP access lists:
| actionName | requestParams | sourceIPAddress |
|---|---|---|
|  |  | N/A |
|  |  | N/A |
|  |  | The recipient IP address. |
|  |  | The recipient IP address. |
| deltaSharing* (All Delta Sharing actions would have this audit log.) |  | The recipient IP address. |