Use IP access lists to restrict Delta Sharing recipient access (open sharing)

This article describes how data providers can assign IP access lists to control recipient access to shared data.

If you, as a data provider, are using the open Delta Sharing protocol, you can limit a recipient to a restricted set of IP addresses when they access data that you share. This list is independent of Workspace IP access lists. Only allow lists are supported.

The IP access list affects the following:

  • Delta Sharing OSS Protocol REST API access

  • Delta Sharing activation URL access

  • Delta Sharing credential file download

Each recipient supports a maximum of 100 IP/CIDR values, where one CIDR counts as a single value. Only IPv4 addresses are supported.

Assign an IP access list to a recipient

You can assign an IP access list to a recipient using Catalog Explorer or the Databricks Unity Catalog CLI.

Permissions required: If you are assigning an IP access list when you create a recipient, you must be a metastore admin or a user with the CREATE_RECIPIENT privilege. If you are assigning an IP access list to an existing recipient, you must be the recipient object owner.

  1. In your Databricks workspace, click Catalog.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Recipients tab, select the recipient.

  4. On the IP access list tab, click Add IP address/CIDRs for each IP address (in single IP address format, like 8.8.8.8) or range of IP addresses (in CIDR format, like 8.8.8.4/10).

To add an IP access list when you create a new recipient, run the following command using the Databricks CLI, replacing <recipient-name> and the IP address values.

databricks unity-catalog recipients create \
  --name <recipient-name> \
  --allowed-ip-address=8.8.8.8 \
  --allowed-ip-address=8.8.8.4/10

To add an IP access list to an existing recipient, run the following command, replacing <recipient-name> and the IP address values.

databricks unity-catalog recipients update \
  --name <recipient-name> \
  --json='{"ip_access_list": {"allowed_ip_addresses": ["8.8.8.8", "8.8.8.4/10"]}}'

Remove an IP access list

You can remove a recipient’s IP access list using Catalog Explorer or the Databricks Unity Catalog CLI. If you remove all IP addresses from the list, the recipient can access the shared data from anywhere.

Permissions required: Recipient object owner.

  1. In your Databricks workspace, click Catalog.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Recipients tab, select the recipient.

  4. On the IP access list tab, click the trash can icon next to the IP address you want to delete.

Use the Databricks CLI to pass in an empty IP access list:

databricks unity-catalog recipients update \
  --name <recipient-name> \
  --json='{"ip_access_list": {}}'
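The following Python script is an added example, not Databricks code and not one of the CLI snippets above. It checks a candidate list against the constraints stated on this page before the list is applied (IPv4 only, at most 100 IP/CIDR values, a CIDR counting as one value), builds the --json payload used by the update and remove commands, and shows how many addresses each CIDR actually covers so an overly broad entry is noticed before it takes effect. The client_allowed function is a local model of the documented allow-list semantics, including the "empty list means access from anywhere" rule; it is not the service's own logic. The function names and the sample values are assumptions of this example, and nothing here calls the Databricks CLI or API.

```python
"""Validate and build a Delta Sharing recipient IP access list.

Added example; not Databricks code. It only enforces the constraints the
documentation states and emits the JSON body passed to
`databricks unity-catalog recipients update --json=...`.
"""
import ipaddress
import json

MAX_ENTRIES = 100  # documented per-recipient limit (one CIDR = one value)


def validate_entries(entries):
    """Return the list of IPv4 networks the entries denote.

    Raises ValueError for anything the documentation says is unsupported:
    more than 100 values, IPv6, or text that is not an IP/CIDR at all.
    """
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} values exceeds the limit of {MAX_ENTRIES}")
    nets = []
    for raw in entries:
        try:
            # strict=False accepts a CIDR with host bits set (the page's own
            # example is 8.8.8.4/10) and resolves it to the covering network.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"not a valid IP address or CIDR: {raw!r}") from exc
        if net.version != 4:
            raise ValueError(f"only IPv4 is supported: {raw!r}")
        nets.append(net)
    return nets


def build_update_body(entries):
    """Return the --json payload for `recipients update` after validation.

    An empty list produces {"ip_access_list": {}}, the documented way to
    remove the list (after which the recipient may connect from anywhere).
    """
    validate_entries(entries)
    if not entries:
        return json.dumps({"ip_access_list": {}})
    return json.dumps({"ip_access_list": {"allowed_ip_addresses": list(entries)}})


def describe_entries(entries):
    """Pair each entry with its effective network and address count.

    This is the pre-apply check: 8.8.8.4/10 is really 8.0.0.0/10, i.e. over
    four million addresses, which is rarely what a single-recipient allow
    list is meant to grant.
    """
    return [(raw, str(net), net.num_addresses)
            for raw, net in zip(entries, validate_entries(entries))]


def client_allowed(client_ip, entries):
    """Local model of the documented allow-list semantics (assumption).

    Empty list: access from anywhere. Otherwise the client address must fall
    inside at least one listed IP/CIDR. IPv6 clients never match because the
    list can only hold IPv4 values.
    """
    nets = validate_entries(entries)
    if not nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return False
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # Constructed sample list using the values shown in the documentation.
    sample = ["8.8.8.8", "8.8.8.4/10"]
    for raw, effective, count in describe_entries(sample):
        print(f"{raw:>14} -> {effective:<14} {count:>9} address(es)")
    print(build_update_body(sample))
    print(build_update_body([]))
    for ip in ("8.8.8.8", "8.63.255.255", "8.64.0.0", "2001:db8::1"):
        print(f"{ip:>14} allowed: {client_allowed(ip, sample)}")
```

Run the script before applying a list: the describe_entries output makes the effective range of each CIDR visible, and build_update_body([]) shows that removing every entry is equivalent to granting access from any address, which is worth a second look in a review.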

View a recipient’s IP access list

You can view a recipient’s IP access list using Catalog Explorer, the Databricks Unity Catalog CLI, or the DESCRIBE RECIPIENT SQL command in a notebook or Databricks SQL query.

Permissions required: Metastore admin, user with the USE RECIPIENT privilege, or the recipient object owner.

  1. In your Databricks workspace, click Catalog.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Recipients tab, find and select the recipient.

  4. View allowed IP addresses on the IP access list tab.

Run the following command using the Databricks CLI.

databricks unity-catalog recipients get --name <recipient-name>

Run the following command in a notebook or the Databricks SQL query editor.

DESCRIBE RECIPIENT <recipient-name>;

Audit logging for Delta Sharing IP access lists

The following operations trigger audit logs related to IP access lists:

  • Recipient management operations: create, update

  • Denial of access to any of the Delta Sharing OSS Protocol REST API calls

  • Denial of access to Delta Sharing activation URL (open sharing only)

  • Denial of access to Delta Sharing credential file download (open sharing only)

To learn more about how to enable and read audit logs for Delta Sharing, see Audit and monitor data sharing.