Audit and monitor data access using Delta Sharing (for recipients)

This article describes how data recipients can use Databricks audit logs to understand who is accessing which data using Delta Sharing.

For information about how data providers can audit Delta Sharing events, see Audit and monitor data sharing using Delta Sharing (for providers).

Requirements

  • You must have a Databricks account.

  • To access audit logs, an account admin must enable the audit log system table for your Databricks account. See Enable system tables. If you are not an account admin or metastore admin, you must be given access to system.access.audit to read audit logs.

View Delta Sharing shared table access events in the audit log

Audit logs are stored in the system.access.audit system table. Delta Sharing events have unityCatalog as their serviceName; the actionName identifies the specific operation (for example deltaSharingListShares or deltaSharingProxyQueryTable). If your account uses audit log delivery instead, you need to know the bucket and path where the log files are delivered.

Each event carries the following fields, which you can share with the data provider to help them troubleshoot issues. recipient_name and metastore_id appear in the requestParams section (note that the exported JSON may capitalize them, as in Recipient_name and Metastore_id below); sourceIPAddress is a top-level field of the event.

  • recipient_name: The name of the recipient in the data provider’s system.

  • metastore_id: The ID of the metastore in the data provider’s system.

  • sourceIPAddress: The IP address where the request originated.

For example, the following audit event shows that a recipient successfully listed the shares that were available to them. In this example, redacted values are replaced with <redacted>.

{
  "Version": "2.0",
  "auditLevel": "ACCOUNT_LEVEL",
  "Timestamp": 1635235341950,
  "orgId": "0",
  "shardName": "<redacted>",
  "accountId": "<redacted>",
  "sourceIPAddress": "<redacted>",
  "userAgent": null,
  "sessionId": null,
  "userIdentity": null,
  "serviceName": "unityCatalog",
  "actionName": "deltaSharingListShares",
  "requestId": "ServiceMain-cddd3114b1b40003",
  "requestParams": {
    "Metastore_id": "<redacted>",
    "Options": "{}",
    "Recipient_name": "<redacted>"
  },
  "Response": {
    "statusCode": 200,
    "errorMessage": null,
    "Result": null
  },
  "MAX_LOG_MESSAGE_LENGTH": 16384
}

The following list shows the audited actions that are logged for data recipients, with the requestParams each one carries. These actions record recipient access of shared tables (the deltaSharingProxy* actions) and management of providers.

deltaSharingProxyGetTableVersion
  requestParams:
    • share: The name of the share.
    • schema: The name of the schema.
    • name: The name of the table.

deltaSharingProxyGetTableMetadata
  requestParams:
    • share: The name of the share.
    • schema: The name of the schema.
    • name: The name of the table.

deltaSharingProxyQueryTable
  requestParams:
    • share: The name of the share.
    • schema: The name of the schema.
    • name: The name of the table.
    • predicateHints: The predicates included in the query.
    • limitHint: The maximum number of rows to return.
    • version: Table version, if change data feed is enabled.

deltaSharingProxyQueryTableChanges
  requestParams:
    • share: The name of the share.
    • schema: The name of the schema.
    • name: The name of the table.
    • cdf_options: Change data feed options.

createProvider
  requestParams:
    • name: The name of the provider.
    • comment: The comment for the provider.

updateProvider
  requestParams:
    • name: The name of the provider.
    • updates: A JSON representation of the provider attributes that were added or removed. Each item includes action (add or remove) and can include name (the new provider name), owner (the new owner), and comment.

deleteProvider
  requestParams:
    • name: The name of the provider.

getProvider
  requestParams:
    • name: The name of the provider.

listProviders
  requestParams: none

activateProvider
  requestParams:
    • name: The name of the provider.

listProviderShares
  requestParams:
    • name: The name of the provider.

Logged errors

The following Delta Sharing errors are logged for the data recipient. Items between < and > characters represent placeholder text.

  • The user attempted to access a share they do not have permission to access.

    DatabricksServiceException: PERMISSION_DENIED:
    User does not have SELECT on Share <share-name>
    
  • The user attempted to access a share that does not exist.

    DatabricksServiceException: SHARE_DOES_NOT_EXIST: Share <share-name> does not exist.
    
  • The user attempted to access a table that does not exist in the share.

    DatabricksServiceException: TABLE_DOES_NOT_EXIST: <table-name> does not exist.
    
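The following script is an added example; it is not Databricks code and not part of this article. It triages recipient-side audit records in the JSON shape shown earlier on this page (for example lines from files in an audit log delivery location, or rows pulled from system.access.audit and serialized to the same keys): it keeps only Delta Sharing events, resolves the share.schema.table each table-access action touched, classifies failures against the three error codes listed above, and collects the recipient_name, metastore_id, sourceIPAddress and requestId values a recipient would hand to the provider. Key lookups are case-insensitive because the documented field names (recipient_name) and the exported JSON (Recipient_name) differ in case. All sample events, the recipient name acme_recipient, the metastore ID m-example, the IP address and the share, schema and table names are constructed placeholders.

```python
"""Triage Delta Sharing audit events on the recipient side (added example)."""
import json
from collections import Counter

# Error codes the page lists as logged for data recipients.
KNOWN_ERRORS = ("PERMISSION_DENIED", "SHARE_DOES_NOT_EXIST", "TABLE_DOES_NOT_EXIST")

# Provider-management actions from the list above; every table-access
# action carries the deltaSharing prefix and is matched by that prefix.
PROVIDER_ACTIONS = {
    "createProvider", "updateProvider", "deleteProvider", "getProvider",
    "listProviders", "activateProvider", "listProviderShares",
}


def get(obj, key, default=None):
    """Case-insensitive key lookup (Recipient_name vs recipient_name, Response vs response)."""
    if not isinstance(obj, dict):
        return default
    wanted = key.lower()
    for k, v in obj.items():
        if k.lower() == wanted:
            return v
    return default


def is_delta_sharing_event(event):
    """Keep only unityCatalog events that belong to Delta Sharing."""
    if get(event, "serviceName") != "unityCatalog":
        return False
    action = get(event, "actionName") or ""
    return action.startswith("deltaSharing") or action in PROVIDER_ACTIONS


def troubleshooting_fields(event):
    """The values a recipient passes to the provider when reporting a problem."""
    params = get(event, "requestParams") or {}
    return {
        "requestId": get(event, "requestId"),
        "timestamp": get(event, "timestamp"),
        "actionName": get(event, "actionName"),
        "recipient_name": get(params, "recipient_name"),
        "metastore_id": get(params, "metastore_id"),
        "sourceIPAddress": get(event, "sourceIPAddress"),
    }


def shared_object(event):
    """share.schema.table touched by a table-access action, or None otherwise."""
    params = get(event, "requestParams") or {}
    parts = [get(params, k) for k in ("share", "schema", "name")]
    return ".".join(parts) if all(parts) else None


def classify_error(event):
    """None on success, one of KNOWN_ERRORS if the message names it, else 'OTHER'."""
    response = get(event, "response") or {}
    status = get(response, "statusCode")
    message = get(response, "errorMessage") or ""
    if status == 200 and not message:
        return None
    return next((code for code in KNOWN_ERRORS if code in message), "OTHER")


def triage(lines):
    """Parse one JSON event per line; return (failures, counts by action/object/error)."""
    failures, counts = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_delta_sharing_event(event):
            continue
        err = classify_error(event)
        obj = shared_object(event)
        counts[(get(event, "actionName"), obj, err)] += 1
        if err:
            failures.append({**troubleshooting_fields(event), "object": obj, "error": err})
    return failures, counts


def _event(action, params, status=200, error=None):
    """Build a constructed event in the shape of the page's example (placeholder values)."""
    return json.dumps({
        "Timestamp": 1635235341950, "serviceName": "unityCatalog", "actionName": action,
        "requestId": "ServiceMain-" + action, "sourceIPAddress": "198.51.100.7",
        "requestParams": {"Metastore_id": "m-example", "Recipient_name": "acme_recipient", **params},
        "Response": {"statusCode": status, "errorMessage": error, "Result": None},
    })


# Constructed sample log: four successes/failures on shared tables, one provider
# action, and one unrelated Unity Catalog action (getTable) that must be filtered out.
SAMPLE_LOG = [
    _event("deltaSharingListShares", {"Options": "{}"}),
    _event("deltaSharingProxyQueryTable", {"share": "finance", "schema": "gl", "name": "ledger", "limitHint": "1000"}),
    _event("deltaSharingProxyGetTableMetadata", {"share": "hr", "schema": "core", "name": "salaries"}, 403,
           "DatabricksServiceException: PERMISSION_DENIED: User does not have SELECT on Share hr"),
    _event("deltaSharingProxyQueryTable", {"share": "finance", "schema": "gl", "name": "missing"}, 404,
           "DatabricksServiceException: TABLE_DOES_NOT_EXIST: missing does not exist."),
    _event("listProviders", {}),
    _event("getTable", {"full_name_arg": "main.default.t"}),
]

if __name__ == "__main__":
    found_failures, found_counts = triage(SAMPLE_LOG)
    for failure in found_failures:
        print("FAILURE", failure)
    for key, n in sorted(found_counts.items(), key=str):
        print(n, key)
```

Point triage() at the lines of a delivered audit log file (or at rows you export from system.access.audit in the same shape) and send the failures list to the provider as-is: every entry already carries the recipient_name, metastore_id, sourceIPAddress and requestId that the provider needs to find the matching event on their side. An "OTHER" classification means the response failed with a message not covered by the three documented error codes and deserves a closer look before it is assumed benign.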

For a list of auditable events and errors logged for data providers, see Audit and monitor data sharing using Delta Sharing (for providers).