Share data using the Delta Sharing open sharing protocol (for providers)

This article gives an overview of how providers can use the Delta Sharing open sharing protocol to share data from a Unity Catalog-enabled Databricks workspace with any user on any computing platform, anywhere.

Note

If you are a data recipient (a user or group of users with whom data is being shared), see instead Access data shared with you using Delta Sharing (for recipients).

Who should use the Delta Sharing open sharing protocol?

There are three ways to share data using Delta Sharing:

  1. The Databricks open sharing protocol, covered in this article, lets you share data that you manage in a Unity Catalog-enabled Databricks workspace with users on any computing platform.

    This approach uses the Delta Sharing server that is built into Databricks and is useful when you manage data using Unity Catalog and want to share it with users who don’t use Databricks or don’t have access to a Unity Catalog-enabled Databricks workspace. The integration with Unity Catalog on the provider side simplifies setup and governance for providers.

  2. A customer-managed implementation of the open-source Delta Sharing server lets you share from any platform to any platform, whether Databricks or not.

    See github.com/delta-io/delta-sharing.

  3. The Databricks-to-Databricks sharing protocol lets you share data from your Unity Catalog-enabled workspace with users who also have access to a Unity Catalog-enabled Databricks workspace.

    See Share data using the Delta Sharing Databricks-to-Databricks protocol (for providers).

For an introduction to Delta Sharing and more information about these three approaches, see Share data and AI assets securely using Delta Sharing.

Delta Sharing open sharing workflow

This section provides a high-level overview of the open sharing workflow, with links to detailed documentation for each step.

In the Delta Sharing open sharing model:

  1. The data provider creates a recipient, which is a named object that represents a user or group of users that the data provider wants to share data with.

    When the data provider creates the recipient, Databricks generates a token, a credential file that includes the token, and an activation link that the data provider can send to the recipient to access the credential file.

    For details, see Step 1: Create the recipient.

  2. The data provider creates a share, which is a named object that contains a collection of tables registered in a Unity Catalog metastore in the provider’s account.

    For details, see Create and manage shares for Delta Sharing.

  3. The data provider grants the recipient access to the share.

    For details, see Grant and manage access to Delta Sharing data shares (for providers).

  4. The data provider sends the activation link to the recipient over a secure channel, along with instructions for using it to download the credential file. The recipient uses the credential file to establish a secure connection with the data provider and receive the shared data.

    For details, see Step 2: Get the activation link.

  5. The data recipient follows the activation link to download the credential file, and then uses the credential file to access the shared data.

    Shared data is read-only. Users can access data using their platform or tools of choice.

    For details, see Read data shared using Delta Sharing open sharing (for recipients).

Setup and security considerations for open sharing

Good token management is key to sharing data securely when you use the open sharing model:

  • Data providers who intend to use open sharing must configure the default recipient token lifetime when they enable Delta Sharing for their Unity Catalog metastore. Databricks recommends that you configure tokens to expire. See Enable Delta Sharing on a metastore.

  • If you need to modify the default token lifetime, see Modify the recipient token lifetime.

  • Encourage recipients to manage their downloaded credential file securely.

  • For more information about token management and open sharing security, see Manage recipient tokens (open sharing).

Data providers can provide additional security by assigning IP access lists to restrict recipient access to specific network locations. See Use IP access lists to restrict Delta Sharing recipient access (open sharing).
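
The following check is an added example, not Databricks code, that a recipient could run against a downloaded credential file to confirm that it is readable only by its owner and that its token expires. It assumes the file follows the open-source Delta Sharing profile format (JSON with `endpoint`, `bearerToken` and an optional `expirationTime`) and a POSIX file system; the function name `audit_profile`, the 7-day warning window and the sample values are constructed for illustration.

```python
import json
import os
import re
import stat
import tempfile
from datetime import datetime, timedelta, timezone

SAMPLE = {  # constructed sample profile, not a real credential
    "shareCredentialsVersion": 1,
    "endpoint": "https://sharing.example.com/delta-sharing/",
    "bearerToken": "PLACEHOLDER-TOKEN",
    "expirationTime": "2030-01-01T00:00:00.000Z",
}


def audit_profile(path, warn_within=timedelta(days=7), now=None):
    """Return a list of findings for a Delta Sharing credential file."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # The file holds a bearer token: only the owning user should have access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o} grants group/other access; use 600")
    with open(path, encoding="utf-8") as fh:
        profile = json.load(fh)
    if not str(profile.get("endpoint", "")).lower().startswith("https://"):
        findings.append("endpoint is not HTTPS")
    expiry = profile.get("expirationTime")
    if not expiry:
        findings.append("no expirationTime: the token does not expire")
        return findings
    # Normalize so fromisoformat also accepts the value on Python < 3.11.
    text = re.sub(r"\.\d+", "", expiry).replace("Z", "+00:00")
    expires_at = datetime.fromisoformat(text)
    if expires_at.tzinfo is None:
        expires_at = expires_at.replace(tzinfo=timezone.utc)  # assumption: UTC
    if expires_at <= now:
        findings.append(f"token expired at {expires_at.isoformat()}")
    elif expires_at - now <= warn_within:
        findings.append(f"token expires within {warn_within.days} days")
    return findings


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".share", delete=False) as tmp:
        json.dump(SAMPLE, tmp)
    os.chmod(tmp.name, 0o644)  # deliberately too permissive for the demo
    print(audit_profile(tmp.name))
    os.unlink(tmp.name)
```

An empty list means no findings; a profile without `expirationTime` is reported because the token it carries stays valid until the provider rotates or revokes it.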