Databricks - Unity Catalog
Databricks is a cloud-based data analytics platform that integrates data engineering, data science, and machine learning tools to enable seamless processing, analysis, and exploration of large datasets, offering services like Databricks Delta Lake and Databricks Runtime. Unity Catalog is a unified governance solution build on top of Databricks.
The connector is available here and supports
- Synchronizing Databricks users to an identity store in Raito Cloud.
- Synchronizing Databricks Unity Catalog meta data (data structure, known permissions, …) to a data source in Raito Cloud.
- Synchronizing Databricks Unity Catalog grants from an to Raito.
- Synchronize the data usage information to Raito Cloud.
Prerequisites
Unity Catalog
Databricks Unity Catalog should be enabled on the account and workspaces, as this is essential to the Raito Databricks plugin.
Authentication
We support the following authentication methods:
- OAuth
- Personal Access Token
- Azure managed identities
- GCP ID authentication
The associated account should be admin in the Databricks account and on all workspaces. There are no required permissions within the Databricks Unity catalog.
OAuth (Azure, AWS, GCP)
Authentication using OAuth, requires a valid client_id and client_secret.
The client_id and client_secret should be provided in the databricks-client-id and databricks-client-secret parameter respectively.
More information can be found on the following pages: azure, aws, gcp.
Personal Access Token (Azure, AWS, GCP)
To authenticate using a personal access token, the token should be provided in the databricks-token parameter.
More information can be found on the following pages: azure, aws, gcp.
Azure managed identities
A Microsoft Entra ID service principal can be used to authenticate against the Databricks account.
To use this authentication method, databricks-azure-client-id, databricks-azure-client-secret and databricks-azure-tenant-id should be provided.
More information can be found on the following here.
GCP ID authentication
To authenticate using GCP ID authentication, the GCP Service Account Credentials JSON or the location of these credentials on the local filesystem should be provided in the databricks-google-credentials parameter.
Additionally, a GCP service account e-mail should be provided in the databricks-google-service-account parameter.
More information can be found on the following here.
Basic Authentication
To authenticate by email and password, email and password can be provided in the databricks-user and databricks-password parameters respectively.
We recommend to use basic authentication only for testing purposes.
Databricks-specific CLI parameters
To see all parameters, type
$> raito info raito-io/cli-plugin-databricks
in a terminal window.
Currently, the following configuration parameters are available:
| Configuration name | Description | Mandatory | Default value |
|---|---|---|---|
databricks-account-id |
The Databricks account to connect to. | True | |
databricks-platform |
The Databricks platform to connect to (AWS/GCP/Azure). | True | |
databricks-client-id |
The (oauth) client ID to use when authenticating against the Databricks account. | False | |
databricks-client-secret |
The (oauth) client Secret to use when authentic against the Databricks account. | False | |
databricks-token |
The Databricks personal access token (PAT) (AWS, Azure, and GCP) or Azure Active Directory (Azure AD) token (Azure). | False | |
databricks-azure-use-msi |
true to use Azure Managed Service Identity passwordless authentication flow for service principals. Requires AzureResourceID to be set. |
False | false |
databricks-azure-client-id |
The Azure AD service principal’s client secret. | False | |
databricks-azure-client-secret |
The Azure AD service principal’s application ID. | False | |
databricks-azure-tenant-id |
The Azure AD service principal’s tenant ID. | False | |
databricks-azure-environment |
The Azure environment type (such as Public, UsGov, China, and Germany) for a specific set of API endpoints. | False | PUBLIC |
databricks-google-credentials |
GCP Service Account Credentials JSON or the location of these credentials on the local filesystem. | False | |
databricks-google-service-account |
The Google Cloud Platform (GCP) service account e-mail used for impersonation in the Default Application Credentials Flow that does not require a password. | False | |
databricks-data-usage-window |
The maximum number of days of usage data to retrieve. Maximum is 90 days. | False | 90 |
databricks-sql-warehouses |
A map of deployment IDs to workspace and warehouse IDs, required to support data object tags, row level filtering and column masking (see sql-warehouse) | False |
SQL Warehouses
To enable row filtering and column masking, the plugin needs access to a SQL warehouse to manage those filters and masks.
The configuration file should be update in such a way that the databricks-sql-warehouses parameter is a list that defines the workspace deployment ID and warehouse ID. Note that no duplicate workspace IDs are allowed.
For example:
databricks-sql-warehouses:
- workspace-id: abc-12345678-fedc
warehouse-id: 1234567891234567
- workspace-id: 123-12345678-fedc
warehouse-id: 9234567891234567
Where abc-12345678-fedc and 123-12345678-fedc are the workspace IDs and 1234567891234567 and 9234567891234567 are the corresponding SQL warehouse IDs.