Register a Databricks Lakebase Connection

Public preview: This feature is available to all accounts. Contact your Immuta representative for details.

Requirements

Permissions

The user registering the connection must have the permissions below.

  • APPLICATION_ADMIN Immuta permission

  • The credentials you provide to register the connection must belong to a Databricks service principal, and that service principal must have these Databricks Lakebase privileges:

    • databricks_superuser

    • CREATEROLE

    For descriptions and explanations of privileges Immuta needs to enforce policies and maintain state in Databricks Lakebase, see the Databricks Lakebase connection reference guide.
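A pre-flight check for the privileges above, as an added example (not Immuta's or Databricks' code). It reads the standard PostgreSQL catalogs pg_roles and pg_auth_members and reports which of the two required privileges the service principal's role lacks. Assumptions: in Lakebase `databricks_superuser` is a role the service principal must be a member of, CREATEROLE is the `rolcreaterole` flag on its own row, and the role names in the sample rows are constructed.

```python
"""Pre-flight privilege check for the service principal used to register a
Databricks Lakebase connection in Immuta.

Added example, not Immuta's or Databricks' code. It evaluates rows in the
shape PRIVILEGE_QUERY returns, so it runs offline on constructed data.
Assumption: `databricks_superuser` is a role the principal must be a member
of, and CREATEROLE is the `rolcreaterole` flag on the principal's own row.
"""

# Run this against the Lakebase database (for example with psql) as a role
# that can read the catalogs. One row per role: its name, its CREATEROLE
# flag, and the roles it is a direct member of. Nested membership is not
# followed here; if you grant databricks_superuser through an intermediate
# role, add a pg_has_role() check.
PRIVILEGE_QUERY = """
SELECT r.rolname,
       r.rolcreaterole,
       COALESCE(array_agg(g.rolname) FILTER (WHERE g.rolname IS NOT NULL), '{}') AS member_of
FROM pg_roles r
LEFT JOIN pg_auth_members m ON m.member = r.oid
LEFT JOIN pg_roles g ON g.oid = m.roleid
GROUP BY r.rolname, r.rolcreaterole;
"""

REQUIRED_ROLE = "databricks_superuser"


def missing_privileges(rows, principal):
    """Return the privileges `principal` lacks; an empty list means it can be
    used to register the connection.

    `rows` is an iterable of (rolname, rolcreaterole, member_of) tuples as
    returned by PRIVILEGE_QUERY.
    """
    for rolname, rolcreaterole, member_of in rows:
        if rolname != principal:
            continue
        missing = []
        if REQUIRED_ROLE not in member_of:
            missing.append(REQUIRED_ROLE)
        if not rolcreaterole:
            missing.append("CREATEROLE")
        return missing
    # No catalog row at all: the principal has not been created as a role.
    return ["role does not exist", REQUIRED_ROLE, "CREATEROLE"]


# Constructed sample result set (not real catalog output).
SAMPLE_ROWS = [
    ("immuta_sp", True, ["databricks_superuser"]),      # hypothetical, fully privileged
    ("analyst_sp", False, ["databricks_reader"]),        # hypothetical, under-privileged
]

if __name__ == "__main__":
    for name in ("immuta_sp", "analyst_sp", "unknown_sp"):
        print(name, "->", missing_privileges(SAMPLE_ROWS, name) or "ok")
```

Feed the real query output into `missing_privileges` before clicking Save Connection; registering with a role that is missing CREATEROLE fails later, when Immuta tries to create the roles it uses to enforce policies, rather than at registration time.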

Register a Databricks Lakebase connection

  1. In Immuta, click Data and select Connections in the navigation menu.

  2. Click the + Add Connection button.

  3. Select the Databricks Lakebase tile.

  4. Enter the host connection information:

    1. Display Name: This is the name of your new connection. This name will be used in the API (connectionKey), in data source names from the host, and on the connections page.

    2. Hostname

    3. Port

    4. Database: This should be the PostgreSQL dbname in the Databricks Lakebase connection details.

  5. Enter privileged credentials to register the connection using OAuth M2M:

    1. Follow the Databricks documentation to create an OAuth token for machine-to-machine authentication for the Immuta service principal, and assign that service principal the Databricks Lakebase privileges listed above.

    2. Fill out the Workspace URL (e.g., https://<your workspace name>.cloud.databricks.com).

    3. Fill out the Client ID. This is a string of letters, numbers, or symbols used as a public identifier; it is the client ID Databricks displays when you create the client secret for the service principal.

    4. Enter the Client Secret you created above. Immuta uses this secret to authenticate with the authorization server when it requests a token.

  6. Click Save Connection.

Map users

Requirement: USER_ADMIN Immuta permission

Map PostgreSQL usernames to each Immuta user account to ensure Immuta properly enforces policies when the user queries the Databricks Lakebase objects in PostgreSQL.

The instructions below illustrate how to do this for individual users, but you can also configure user mapping in your IAM connection on the app settings page.

  1. Click People and select Users in the navigation menu.

  2. Click the user's name to navigate to their page and scroll to the External User Mapping section.

  3. Click Edit in the PostgreSQL row.

  4. Select one of the following options from the dropdown:

    1. Select PostgreSQL Username to map the PostgreSQL username to the Immuta user and enter the PostgreSQL username in the field. Username mapping is case insensitive.

    2. Select Unset (fallback to Immuta username) to use the Immuta username as the assumed PostgreSQL username. Use this option if the user's PostgreSQL username exactly matches the user's Immuta username. Username mapping is case insensitive.

    3. Select None (user does not exist in PostgreSQL) if this is an Immuta-only user. This option will improve performance for Immuta users who do not have a mapping to PostgreSQL users and will be automatically selected by Immuta if an Immuta user is not found in PostgreSQL. To ensure your PostgreSQL users have policies correctly applied, manually map their usernames using the first option above.

  5. Click Save.
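An audit of the three mapping choices above, as an added example (not Immuta's code or API). It resolves each Immuta user to the PostgreSQL role they would act as, using the same case-insensitive comparison the page describes, and lists users whose mapping resolves to nothing; those are the accounts Immuta would switch to "None", so no policies would apply to their Lakebase queries. The mapping record shape, mode names, and sample users and roles are assumptions constructed for the example.

```python
"""Audit of Immuta-to-PostgreSQL user mappings for a Databricks Lakebase
connection.

Added example, not Immuta's code. The (mode, value) record shape and the
mode constants below are assumptions standing in for the dropdown options;
the users and roles are constructed sample data.
"""

# The three dropdown options.
EXPLICIT = "postgresql_username"   # map to a given PostgreSQL username
FALLBACK = "unset"                 # fall back to the Immuta username
NONE = "none"                      # user does not exist in PostgreSQL


def resolve_pg_username(immuta_username, mapping, pg_roles):
    """Return the PostgreSQL role the user will be matched to, or None.

    `mapping` is (mode, value). Matching is case-insensitive, as on the
    page, so the role name is returned in the case PostgreSQL knows it by.
    """
    mode, value = mapping
    if mode == NONE:
        return None
    candidate = value if mode == EXPLICIT else immuta_username
    if not candidate:
        return None
    by_lower = {role.lower(): role for role in pg_roles}
    return by_lower.get(candidate.lower())


def unmapped_users(users, pg_roles):
    """Return Immuta usernames whose mapping resolves to no PostgreSQL role
    even though they were not deliberately set to None.

    `users` maps immuta_username -> (mode, value). These are the accounts to
    map explicitly with the PostgreSQL Username option.
    """
    return sorted(
        name for name, mapping in users.items()
        if mapping[0] != NONE and resolve_pg_username(name, mapping, pg_roles) is None
    )


# Constructed sample data (not from a real deployment).
PG_ROLES = ["Alice", "bob", "svc_etl"]
USERS = {
    "alice@example.com": (EXPLICIT, "ALICE"),   # explicit, differs only in case
    "bob": (FALLBACK, None),                   # Immuta username matches PG role
    "carol": (FALLBACK, None),                 # no PG role: would become None
    "dave": (NONE, None),                      # Immuta-only user, deliberate
}

if __name__ == "__main__":
    for name, mapping in USERS.items():
        print(name, "->", resolve_pg_username(name, mapping, PG_ROLES))
    print("needs explicit mapping:", unmapped_users(USERS, PG_ROLES))
```

Run the audit with the real list of Immuta users and the role names from `SELECT rolname FROM pg_roles` on the Lakebase database whenever users are added on either side; a user who silently lands on "None" still has a PostgreSQL login but is invisible to Immuta's policy enforcement.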
