Register a Databricks Unity Catalog Host

The enhanced onboarding API is a REST API which allows users to register a Databricks Unity Catalog host to Immuta with a single set of credentials rather than configuring an integration and creating data sources separately. Then Immuta can manage and enforce access controls on your data through that host. To manage your host, see the Manage a host reference guide.

Requirements

The following permissions and personas are used in the registration process:

• Immuta permission: CREATE_DATA_SOURCE

• Databricks privileges for the user registering the host and running the script:

  • Account or workspace admin

  • CREATE CATALOG privilege on the Unity Catalog metastore to create an Immuta-owned catalog and tables

• Databricks privileges for the service principal you create:

  • OWNER privilege on the Immuta catalog you configure.

  • OWNER privilege on catalogs with schemas and tables registered as Immuta data sources so that Immuta can administer Unity Catalog row-level and column-level security controls. This privilege can be applied by granting OWNER on a catalog to a Databricks group that includes the Immuta service principal to allow for multiple owners. If the OWNER privilege cannot be applied at the catalog- or schema-level, each table registered as an Immuta data source must individually have the OWNER privilege granted to the Immuta service principal.

  • USE CATALOG and USE SCHEMA on parent catalogs and schemas of tables registered as Immuta data sources so that the Immuta service principal can interact with those tables.

  • SELECT and MODIFY on all tables registered as Immuta data sources so that the Immuta service principal can grant and revoke access to tables and apply Unity Catalog row- and column-level security controls.

  • USE CATALOG on the system catalog for native query audit.

  • USE SCHEMA on the system.access schema for native query audit.

  • SELECT on the following system tables for native query audit:

    • system.access.audit

    • system.access.table_lineage

    • system.access.column_lineage

Prerequisites

• Unity Catalog metastore created and attached to a Databricks workspace. See the Databricks Unity Catalog reference guide for information on workspaces and catalog isolation support with Immuta.

• Unity Catalog enabled on your Databricks cluster or SQL warehouse. All SQL warehouses have Unity Catalog enabled if your workspace is attached to a Unity Catalog metastore. Immuta recommends linking a SQL warehouse to your Immuta tenant rather than a cluster for both performance and availability reasons.

Complete the following steps to register a Databricks Unity Catalog host:

1. Create a service principal in Databricks Unity Catalog with the proper Databricks privileges for Immuta to use to manage policies in Unity Catalog.

2. Enable Databricks Unity Catalog in Immuta.

3. Set up Unity Catalog system tables for native query audit.

4. Use the /integrations/scripts/create endpoint to receive a script.

5. Run the script in Databricks Unity Catalog.

6. Use the /data/connection endpoint to finish registering your host in Immuta.

Step 1: Create your service principal

Create a Databricks service principal with the Databricks privileges outlined above and set up with personal access token (PAT) authentication.

The Immuta service principal you create requires specific Databricks privileges to connect to Databricks to create the integration catalog, configure the necessary procedures and functions, and maintain state between Databricks and Immuta.

Step 2: Enable Unity Catalog in Immuta

Enable Databricks Unity Catalog on the Immuta app settings page:

1. Click the App Settings icon in the left sidebar.

2. Scroll to the Global Integrations Settings section and check the Enable Databricks Unity Catalog support in Immuta checkbox.

Step 3: Set up native query audit

Enable native query audit by completing these steps in Unity Catalog:

1. Enable a system schema where the <SCHEMA_NAME> is access.

2. Grant the service principal from step 1 access to the Databricks Unity Catalog system tables. For Databricks Unity Catalog audit to work, Immuta must have, at minimum, the following access.

   • USE CATALOG on the system catalog

   • USE SCHEMA on the system.access schema

   • SELECT on the following system tables:

     • system.access.audit

     • system.access.table_lineage

     • system.access.column_lineage

3. Enable verbose audit logs in Unity Catalog.

Step 4: Generate the script

POST /integrations/scripts/create

1. Using the example request, update the <placeholder_values> with your connection details.

2. Copy the config object to use later in the setup process.

3. Run the request.

4. Copy the returned script and use it in the next step.

Find descriptions of the editable attributes in the table below and of the full payload in the Integration configuration payload reference guide.

curl -X 'POST' \
    'https://<your-immuta-url>/integrations/scripts/create' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: <your-bearer-token>' \
    -d '{
    "type": "Databricks",
    "autoBootstrap": false,
    "config": {
      "workspaceUrl": "<www.your-workspace.cloud.databricks.com>",
      "httpPath": "<sql/protocolv1/o/0/your-path>",
      "authenticationType": "token",
      "token": "<service-principal-pat>",
      "catalog": "<new-catalog>",
      "audit": {"enabled": true}
    }
    }'

Payload parameters

Step 5: Run the script in Databricks Unity Catalog

Step one will return a script. Copy the script and run it in your Databricks Unity Catalog environment as a user with the privileges listed in the requirements section.

The script will use the service principal that will authenticate using the personal access token (PAT) that you specified in step four. Additionally, the script will create the catalog you specified in step four.

Step 6: Create the host in Immuta

POST /data/connection

Copy the request and update the <placeholder_values> with your connection details. Note that the connection details here should match the ones used in step four. Then submit the request.

Find descriptions of the editable attributes in the table below and of the full payload in the Databricks Unity Catalog host payload table. All values should be included and those you should not edit are noted.

curl -X 'POST' \
    'https://<your-immuta-url>/data/connection' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: <your-bearer-token>' \
    -d '{
     "connectionKey": "<your-connection-key-name>",
     "connection": {
       "technology": "Databricks",
       "hostname": "<www.your-workspace.cloud.databricks.com>",
       "port": <your-Databricks-port>,
       "httpPath": "<your-Databricks-warehouse-path>",
       "authenticationType": "token",
       "token": "<your-service-principal-pat>"
     },
     "settings": {
        "isActive": false
     },
     "options": {
        "forceRecursiveCrawl": true
     },
     "nativeIntegration": {
       "type": "Databricks",
       "autoBootstrap": false,
       "unityCatalog": true,
       "config": {
         "authenticationType": "token",
         "token": "<your-service-principal-pat>",
         "host": "<www.your-workspace.cloud.databricks.com>",
         "port": <your-Databricks-port>,
         "catalog": "<your-immuta-catalog>",
         "audit": { "enabled": true },
         "workspaceIds": ["<your-workspace>", <"another-workspace">],
         "enableNativeQueryParsing": false,
         "groupPattern": { "deny": "<your-exemption-group>" },
         "jobConfig": {
           "workspaceDirectoryPath": "/Workspace/ImmutaArtifacts",
           "jobClusterId": "undefined"
       }
     }
    }'
    

Payload parameters

Response schema

Example response

{
  "objectPath": ['<your-connection-key-name>'],
  "bulkId": "a-new-uuid"
}