
Connect a Databricks Unity Catalog Host

Info

This feature is being gradually rolled out to customers and may not be available to your account yet.

Requirements:

  • Immuta permission CREATE_DATA_SOURCE
  • Databricks privileges:

    • An account with the CREATE CATALOG privilege on the Unity Catalog metastore. This account runs the setup script that creates the Immuta-owned catalog and its tables.
    • A personal access token generated for the user account or service principal that Immuta will use (the Immuta system account). Immuta uses this principal to create the integration catalog, configure the necessary procedures and functions, and maintain state between Databricks and Immuta, so it needs the following privileges:

      • OWNER on the Immuta catalog you configure.
      • OWNER on every catalog that contains schemas and tables registered as Immuta data sources, so that Immuta can administer Unity Catalog row-level and column-level security controls. A Unity Catalog securable has exactly one owner, so set the owner to a Databricks group that includes the Immuta system account; this lets the group's other members keep ownership rights alongside Immuta. If ownership cannot be transferred at the catalog or schema level, make the Immuta system account (or its group) the owner of each table registered as an Immuta data source.
      • USE CATALOG and USE SCHEMA on the parent catalogs and schemas of tables registered as Immuta data sources, so that the Immuta system account can reach those tables.
      • SELECT and MODIFY on all tables registered as Immuta data sources, so that the Immuta system account can grant and revoke access to tables and apply Unity Catalog row- and column-level security controls.
  • No existing Databricks Unity Catalog integration configured in Immuta. If a Databricks Unity Catalog integration is already configured on the App Settings page, register your data sources using the legacy method instead.
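The Databricks privileges above are granted with Unity Catalog SQL. The following block is an added example, not part of the Immuta documentation or the setup script Immuta generates, of the statements a metastore admin would run before configuring the host. The names are placeholders: `immuta_admins` is an assumed account group containing the Immuta service principal (group membership is managed in the Databricks account console, not in SQL), `sales` and `sales.orders` are an assumed data catalog and schema, `setup.admin@example.com` is the assumed user who will run the Immuta setup script, and `immuta_system` is the assumed Immuta catalog name.

```sql
-- Added example, not from the Immuta docs or setup script.
-- Run in a Databricks SQL editor as a metastore admin (or as the current owner
-- of each object whose ownership is transferred below).
-- Assumed placeholder names:
--   `immuta_admins`            account group that contains the Immuta service principal
--   `setup.admin@example.com`  user who will run the Immuta-generated setup script
--   sales / sales.orders       catalog and schema that will be registered in Immuta
--   immuta_system              the name entered as "Immuta Catalog" in the host setup

-- 1. The user who runs the Immuta setup script needs CREATE CATALOG on the metastore
--    so the script can create the Immuta-owned catalog and its tables.
GRANT CREATE CATALOG ON METASTORE TO `setup.admin@example.com`;

-- 2. Ownership of the data catalog. A securable has exactly one owner, so make the
--    group (not the service principal itself) the owner; every member then holds
--    owner rights, and Immuta can manage row- and column-level controls.
ALTER CATALOG sales OWNER TO `immuta_admins`;

-- 2a. If catalog-level ownership is not acceptable, own the schema or each
--     registered table instead (uncomment the level you use):
-- ALTER SCHEMA sales.orders OWNER TO `immuta_admins`;
-- ALTER TABLE  sales.orders.line_items OWNER TO `immuta_admins`;

-- 3. Privileges needed to reach the tables and to grant/revoke access on them.
--    Privileges granted on the catalog are inherited by all schemas and tables in it.
GRANT USE CATALOG ON CATALOG sales TO `immuta_admins`;
GRANT USE SCHEMA  ON CATALOG sales TO `immuta_admins`;
GRANT SELECT, MODIFY ON CATALOG sales TO `immuta_admins`;

-- 4. Verify before validating the connection in Immuta.
DESCRIBE CATALOG EXTENDED sales;                -- Owner must show immuta_admins
SHOW GRANTS `immuta_admins` ON CATALOG sales;   -- expect USE CATALOG, USE SCHEMA, SELECT, MODIFY

-- 5. After the Immuta setup script has created the Immuta catalog, the Immuta
--    system account must own it. The catalog is created by the script runner, so
--    transfer ownership to the group unless the script already did so.
ALTER CATALOG immuta_system OWNER TO `immuta_admins`;
```

Granting at the catalog level keeps the grant set small and means newly created schemas and tables inherit the required privileges automatically; if your data governance policy requires narrower scope, repeat step 3 per schema or per table with `ON SCHEMA` or `ON TABLE` instead of `ON CATALOG`, and use the step 2a statements for ownership.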

To register a Databricks Unity Catalog catalog with all its schemas and tables, follow the instructions below.

  1. Click the App Settings icon in the navigation menu.
  2. Scroll to the Native Integration Settings section and check the Enable Databricks Unity Catalog support in Immuta checkbox. The other settings in this section apply only to the Databricks Spark with Unity Catalog integration and have no effect on this integration; leave them at their default values.
  3. Click Save and confirm your changes.
  4. Click Data and select the Infrastructure tab in the navigation menu.
  5. Click the + Add Host button.
  6. Select the Databricks data platform tile.
  7. Enter the host connection information:
    • Host: The hostname of your Databricks workspace.
    • Port: The port Databricks exposes for SQL connections (443 unless your workspace is configured otherwise).
    • HTTP Path: The HTTP path of the Databricks cluster or SQL warehouse Immuta should connect through, as shown in that compute resource's connection details.
    • Immuta Catalog: The name of the catalog Immuta will create to store internal entitlements and other Immuta-specific user data. Only the Immuta service principal should be able to read this catalog; do not grant other users access to it. The catalog name may contain only letters, numbers, and underscores and cannot start with a number.
    • Connection Key: A unique name for this host. Immuta uses the connection key when generating data source names for this host.
  8. Click Next.
  9. Select Access Token authentication method from the dropdown menu.
  10. Enter the Access Token in the Immuta System Account Credentials section. This is the access token for the Immuta service principal, which must hold the metastore privileges listed in the requirements section at the top of this page for the metastore associated with the Databricks workspace. If the token is configured to expire, update this field before it does, or the integration will stop functioning. The token is embedded in the script populated later on the page, so handle that script as a credential: do not commit it to source control or share it beyond the person who runs it.
  11. Copy the provided script and run it in Databricks as a user with the CREATE CATALOG privilege on the Unity Catalog metastore.
  12. Click Validate Connection.
  13. If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
  14. Ensure all the details are correct in the summary and click Complete Setup.