Set up Delta Sharing for your account (for providers)

This article describes how data providers (organizations that want to use Delta Sharing to share data securely) perform initial setup of Delta Sharing on Databricks.

Note

If you are a data recipient (an organization that receives data that is shared using Delta Sharing), see instead Read data shared using Databricks-to-Databricks Delta Sharing (for recipients).

Important

A provider who wants to use the Delta Sharing server that is built into Databricks must have at least one workspace that is enabled for Unity Catalog. You do not need to migrate all of your workspaces to Unity Catalog. You can create one Unity Catalog-enabled workspace for share management. If this is not an option, you can use the open-source Delta Sharing project to deploy your own Delta Sharing server and use that to share Delta tables from any platform.

Initial provider setup includes the following steps:

  1. Enable Delta Sharing on a Unity Catalog metastore.

  2. (Optional) Install the Unity Catalog CLI.

  3. Configure audits of Delta Sharing activity.

Requirements

As a data provider who is setting up your Databricks account to be able to share data, you must have:

  • At least one Databricks workspace that is enabled for Unity Catalog.

    You do not need to migrate all of your workspaces to Unity Catalog to take advantage of Databricks support for Delta Sharing providers. See Do I need Unity Catalog to use Delta Sharing?.

    Recipients do not need to have a Unity Catalog-enabled workspace.

  • Account admin role to enable Delta Sharing for your Unity Catalog metastore and to enable audit logging.

  • Metastore admin role or the CREATE SHARE and CREATE RECIPIENT privileges. See Admin roles for Unity Catalog.

Enable Delta Sharing on a metastore

Follow these steps for each Unity Catalog metastore that manages data that you plan to share using Delta Sharing.

Note

You do not need to enable Delta Sharing on your metastore if you intend to use Delta Sharing only to share data with users on other Unity Catalog metastores in your account. Metastore-to-metastore sharing within a single Databricks account is enabled by default.

  1. As a Databricks account admin, log in to the account console.

  2. In the sidebar, click Catalog icon Catalog.

  3. Click the name of a metastore to open its details.

  4. Click the checkbox next to Enable Delta Sharing to allow a Databricks user to share data outside their organization.

  5. Configure the recipient token lifetime.

    This configuration sets the period of time after which all recipient tokens expire and must be regenerated. Recipient tokens are used only in the open sharing protocol. Databricks recommends that you configure a default token lifetime rather than allow tokens to live indefinitely.

    Note

    The recipient token lifetime for existing recipients is not updated automatically when you change the default recipient token lifetime for a metastore. In order to apply a new token lifetime to a given recipient, you must rotate their token. See Manage recipient tokens (open sharing).

    To set the default recipient token lifetime:

    1. Confirm that Set expiration is enabled (this is the default).

      If you clear this checkbox, tokens will never expire. Databricks recommends that you configure tokens to expire.

    2. Enter a number of seconds, minutes, hours, or days, and select the unit of measure.

    3. Click Enable.

    For more information, see Security considerations for tokens.

  6. Optionally enter a name for your organization that a recipient can use to identify who is sharing with them.

  7. Click Enable.

(Optional) Install the Unity Catalog CLI

To manage shares and recipients, you can use Catalog Explorer, SQL commands, or the Unity Catalog CLI. The CLI runs in your local environment and does not require Databricks compute resources.

To install the CLI, see What is the Databricks CLI?.

Enable audit logging

As a Databricks account admin, you should enable audit logging to capture Delta Sharing events, such as:

  • When someone creates, modifies, updates, or deletes a share or a recipient

  • When a recipient accesses an activation link and downloads the credential (open sharing only)

  • When a recipient accesses data

  • When a recipient’s credential is rotated or expires (open sharing only)

Delta Sharing activity is logged at the account level.

To enable audit logging, follow the instructions in Audit log reference.

Important

Delta Sharing activity is logged at the account level. When you configure log delivery, do not enter a value for workspace_ids_filter.

For detailed information about how Delta Sharing events are logged, see Audit and monitor data sharing.

Grant permission to create and manage shares and recipients

Metastore admins have the right to create and manage shares and recipients, including the granting of shares to recipients. Many provider tasks can be delegated by a metastore admin using the following privileges:

  • CREATE SHARE on the metastore grants the ability to create shares.

  • CREATE RECIPIENT on the metastore grants the ability to create recipients.

  • USE RECIPIENT on grants the ability to list and view details for all recipients in the metastore.

  • USE SHARE on the metastore grants the ability to list and view details for all shares in the metastore.

  • USE RECIPIENT, USE SHARE, and SET SHARE PERMISSION combined give a user the ability to grant share access to recipients.

  • USE SHARE and SET SHARE PERMISSION combined give a user the ability to transfer ownership of any share.

  • Share and recipient owners can update those objects and grant shares to recipients. Object creators are granted ownership by default, but ownership can be transferred.

  • Share owners can add tables and volumes to shares, as long as they have SELECT access to the tables and READ VOLUME access to the volumes.

For details, see Unity Catalog privileges and securable objects and the permissions listed for every task described in the Delta Sharing guide.