# Register a Databricks Unity Catalog Connection

## **Requirements**

* **Immuta user** with the `APPLICATION_ADMIN` Immuta permission
* [**Databricks service principal**](#user-content-fn-1)[^1] with the following privileges. For instructions on setting up this user, see the [Creating the Databricks service principal section](#creating-the-databricks-service-principal):
  * `USE CATALOG` and `MANAGE` on all catalogs containing securables you want registered as Immuta data sources.
  * `USE SCHEMA` on all schemas containing securables you want registered as Immuta data sources.
  * [`MODIFY`](#user-content-fn-2)[^2] and `SELECT` on all securables you want registered as Immuta data sources.
  * Workspace admin on the workspace configured as the host for the integration.
  * Additional privileges are required for query audit:
    * `USE CATALOG` on the `system` catalog
    * `USE SCHEMA` on the `system.access` and `system.query` schemas
    * `SELECT` on the following system tables:
      * `system.access.table_lineage`
      * `system.access.column_lineage`
      * `system.access.audit`
      * `system.query.history`
* **Databricks user to run the script to register the connection** with the following privileges:
  * [Metastore admin and account admin](#user-content-fn-3)[^3]
  * `CREATE CATALOG` privilege on the Unity Catalog metastore to create an Immuta-owned catalog and tables

See the [Databricks documentation](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/privileges.html) for more details about Unity Catalog privileges and securable objects.

#### **Prerequisites**

* Unity Catalog [metastore created](https://docs.databricks.com/data-governance/unity-catalog/create-metastore.html) and attached to a Databricks workspace.
* Unity Catalog enabled on your Databricks cluster or SQL warehouse. All SQL warehouses have Unity Catalog enabled if your workspace is attached to a Unity Catalog metastore. Immuta recommends linking a SQL warehouse to your Immuta tenant rather than a cluster for both performance and availability reasons.

## Register a connection

{% hint style="warning" %}
**Create a separate Immuta catalog for each Immuta tenant**

If multiple Immuta tenants are connected to your Databricks environment, create a separate **Immuta catalog** for each of those tenants. Having multiple Immuta tenants use the same Immuta catalog causes failures in policy enforcement.
{% endhint %}

1. Click <i class="fa-database">:database:</i> **Data** and select the **Connections** tab in the navigation menu.
2. Click the **+ Add Connection** button.
3. Select the Databricks data platform tile.
4. Enter the connection information:
   * **Host**: The hostname of your Databricks workspace.
   * **Port**: Your Databricks port.
   * **HTTP Path**: The HTTP path of your Databricks cluster or SQL warehouse.
   * **Immuta Catalog**: The name of the catalog Immuta will create to store internal entitlements and other user data specific to Immuta. This catalog will only be readable for the Immuta service principal and should not be granted to other users. The catalog name may only contain letters, numbers, and underscores and cannot start with a number.
   * **Display Name**: The display name represents the unique name of your connection and will be used as prefix in the name for all data objects associated with this connection. It will also appear as the display name in the UI and will be used in all API calls made to update or delete the connection. Avoid the use of periods (`.`) or [restricted words](#user-content-fn-4)[^4] in your connection name.
5. Click **Next**.
6. Select your authentication method from the dropdown:
   * **Access Token**: Enter the **Access Token** in the Immuta System Account Credentials section. This is the access token for the Immuta service principal, which can be [an on-behalf token created in Databricks](https://docs.databricks.com/api/workspace/tokenmanagement/createobotoken). This service principal must have the metastore [privileges listed](#create-the-databricks-service-principal) for the metastore associated with the Databricks workspace. If this token is configured to expire, update this field regularly for the connection to continue to function. This authentication information will be included in the script populated later on the page.
   * **OAuth M2M**:
     * **AWS Databricks**:
       * Follow [Databricks documentation to create a client secret](https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html) for the Immuta service principal and assign this service principal the [privileges listed](#create-the-databricks-service-principal) for the metastore associated with the Databricks workspace.
       * Fill out the **Token Endpoint** with the full URL of the identity provider. This is where the generated token is sent. The default value is `https://<your workspace name>.cloud.databricks.com/oidc/v1/token`.
       * Fill out the **Client ID**. This is a combination of letters, numbers, or symbols, used as a public identifier and is the [client ID displayed in Databricks when creating the client secret for the service principal](https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html#step-3-create-an-oauth-secret-for-a-service-principal).
       * Enter the **Scope** (string). The scope limits the operations and roles allowed in Databricks by the access token. See the [OAuth 2.0 documentation](https://oauth.net/2/scope/) for details about scopes.
       * Enter the **Client Secret** you created above. Immuta uses this secret to authenticate with the authorization server when it requests a token.
     * **Azure Databricks:**
       * Follow [Databricks documentation](https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-m2m) to create a service principal within Azure and then populate to your Databricks account and workspace.
       * Assign this service principal the [privileges listed](#create-the-databricks-service-principal) for the metastore associated with the Databricks workspace.
       * Within Databricks, [create an OAuth client secret for the service principal](https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-m2m#step-5-create-an-azure-databricks-oauth-secret-for-the-service-principal). This completes your Databricks-based service principal setup.
       * Within Immuta, fill out the **Token Endpoint** with the full URL of the identity provider. This is where the generated token is sent. The default value is `https://<your workspace name>.azuredatabricks.net/oidc/v1/token`.
       * Fill out the **Client ID**. This is a combination of letters, numbers, or symbols, used as a public identifier and is the [client ID displayed in Databricks when creating the client secret for the service principal](https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html#step-3-create-an-oauth-secret-for-a-service-principal) (note that Azure Databricks uses the Azure SP Client ID; it will be identical).
       * Enter the **Scope** (string). The scope limits the operations and roles allowed in Databricks by the access token. See the [OAuth 2.0 documentation](https://oauth.net/2/scope/) for details about scopes.
       * Enter the **Client Secret** you created above. Immuta uses this secret to authenticate with the authorization server when it requests a token.
7. Copy the provided script and run it in Databricks as a user with the [privileges listed in the requirements section](#requirements).
8. Click **Validate Connection**.
9. If the connection is successful, click **Next**. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
10. Ensure all the details are correct in the summary and click **Complete Setup**.

## Opt to enable Databricks Unity Catalog tag ingestion

{% hint style="info" %}
**Private preview**: This feature is only available to select accounts. Contact your Immuta representative to enable this feature.
{% endhint %}

**Requirements**:

* A configured Databricks Unity Catalog connection
* Fewer than 10,000 Databricks Unity Catalog data sources registered in Immuta

To allow Immuta to automatically import table and column tags from Databricks Unity Catalog, enable Databricks Unity Catalog tag ingestion in the external catalog section of the Immuta app settings page.

1. Navigate to the <i class="fa-gear">:gear:</i> **App Settings** page.
2. Scroll to **2 External Catalogs**, and click **Add Catalog**.
3. Enter a **Display Name** and select **Databricks Unity Catalog** from the dropdown menu.
4. Click **Save** and confirm your changes.

## Setting up the required Databricks service principal

If you need instruction for setting up your Databricks service principal **before registering your connection**, see the steps below.

### Creating the Databricks service principal

In Databricks, [create a service principal](https://docs.databricks.com/aws/en/admin/users-groups/manage-service-principals) with the privileges listed below. Immuta uses this service principal continuously to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks.

* `USE CATALOG` and `MANAGE` on all catalogs containing securables you want registered as Immuta data sources.
* `USE SCHEMA` on all schemas containing securables you want registered as Immuta data sources.
* `MODIFY` and `SELECT` on all securables you want registered as Immuta data sources. *The* `MODIFY` *privilege is not required for materialized views registered as Immuta data sources, since* `MODIFY` *is not a supported privilege on that object type in* [*Databricks*](https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges#privilege-types-by-securable-object-in-unity-catalog)*.*
* [Workspace admin permissions](https://docs.databricks.com/aws/en/admin/users-groups/manage-service-principals#assign-the-workspace-admin-role-to-a-service-principal) (If your service principal is a regular user in Databricks and not an actual service principal in Databricks, follow the guidance for [managing users in Databricks documentation](https://docs.databricks.com/aws/en/admin/users-groups/users#assign-the-workspace-admin-role-to-a-user) to grant this user the workspace admin permission.)

{% hint style="info" %}
`MANAGE` and `MODIFY` are required so that the service principal can apply row filters and column masks on the securable; to do so, the service principal must also have `SELECT` on the securable as well as `USE CATALOG` on its parent catalog and `USE SCHEMA` on its parent schema. Since privileges are inherited, you can grant the service principal the `MODIFY` and `SELECT` privilege on all catalogs or schemas containing Immuta data sources, which automatically grants the service principal the `MODIFY` and `SELECT` privilege on all current and future securables in the catalog or schema. The service principal also inherits `MANAGE` from the parent catalog for the purpose of applying row filters and column masks, but that privilege must be set directly on the parent catalog in order for grants to be fully applied.
{% endhint %}

See the [Databricks documentation](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/privileges.html) for more details about Unity Catalog privileges and securable objects.

### Configuring query audit privileges

{% hint style="info" %}
Audit is enabled by default on all Databricks Unity Catalog connections. If you need to turn audit off, [create the connection with the connections API](https://documentation.immuta.com/saas/developer-guides/api-intro/connections-api/how-to-guides/register-a-connection/register-a-databricks-unity-catalog-connection) and set `audit` to `false` in the payload.
{% endhint %}

[Grant the service principal access to the Databricks Unity Catalog system tables](https://docs.databricks.com/en/administration-guide/system-tables/index.html#grant-access-to-system-tables). For Databricks Unity Catalog audit to work, Immuta must have, at minimum, the following access.

* `USE CATALOG` on the `system` catalog
* `USE SCHEMA` on the `system.access` and `system.query` schemas
* `SELECT` on the following system tables:

  * `system.access.table_lineage`
  * `system.access.column_lineage`
  * `system.access.audit`
  * `system.query.history`

  Access to system tables is governed by Unity Catalog. No user has access to these system schemas by default. To grant access, a user that is both a metastore admin and an account admin must grant `USE_SCHEMA` and `SELECT` privileges on the system schemas to the service principal. See [Manage privileges in Unity Catalog](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/index.html).

[^1]: A Databricks user authorized to create a Databricks service principal must create one for Immuta. This service principal is used continuously by Immuta to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks.

[^2]: *The* `MODIFY` *privilege is not required for materialized views registered as Immuta data sources, since* `MODIFY` *is not a supported privilege on that object type in* [*Databricks*](https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges#privilege-types-by-securable-object-in-unity-catalog)*.*

[^3]: These privileges are required to enable query audit. See [Manage privileges in Unity Catalog](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/index.html) for details.

[^4]: Your display name cannot be any of the following words: `data`, `connection`, `object`, `crawl`, `search`, `settings`, `metadata`, `permission`, `sync`, `bulk`, and `upgrade`.