This article describes how data providers (organizations that want to use Delta Sharing to share data securely) perform initial setup of Delta Sharing on Databricks.
If you are a data recipient (an organization that receives data that is shared using Delta Sharing), see instead Read data shared using Databricks-to-Databricks Delta Sharing (for recipients).
A provider who wants to use the Delta Sharing server that is built into Databricks must have at least one workspace that is enabled for Unity Catalog. You do not need to migrate all of your workspaces to Unity Catalog. You can create one Unity Catalog-enabled workspace for share management. If this is not an option, you can use the open-source Delta Sharing project to deploy your own Delta Sharing server and use that to share Delta tables from any platform.
Initial provider setup includes the following steps:
Enable Delta Sharing on a Unity Catalog metastore.
(Optional) Install the Unity Catalog CLI.
Configure audits of Delta Sharing activity.
As a data provider who is setting up your Databricks account to be able to share data, you must have:
At least one Databricks workspace that is enabled for Unity Catalog.
You do not need to migrate all of your workspaces to Unity Catalog to take advantage of Databricks support for Delta Sharing providers. See Do I need Unity Catalog to use Delta Sharing?.
Recipients do not need to have a Unity Catalog-enabled workspace.
Account admin role to enable Delta Sharing for your Unity Catalog metastore and to enable audit logging.
Metastore admin role or the CREATE RECIPIENT privileges. See Admin roles for Unity Catalog.
Follow these steps for each Unity Catalog metastore that manages data that you plan to share using Delta Sharing.
You do not need to enable Delta Sharing on your metastore if you intend to use Delta Sharing only to share data with users on other Unity Catalog metastores in your account. Metastore-to-metastore sharing within a single Databricks account is enabled by default.
As a Databricks account admin, log in to the account console.
In the sidebar, click Catalog.
Click the name of a metastore to open its details.
Click the checkbox next to Enable Delta Sharing to allow a Databricks user to share data outside their organization.
Configure the recipient token lifetime.
This configuration sets the period of time after which all recipient tokens expire and must be regenerated. Recipient tokens are used only in the open sharing protocol. Databricks recommends that you configure a default token lifetime rather than allow tokens to live indefinitely.
The recipient token lifetime for existing recipients is not updated automatically when you change the default recipient token lifetime for a metastore. In order to apply a new token lifetime to a given recipient, you must rotate their token. See Manage recipient tokens (open sharing).
To set the default recipient token lifetime:
Confirm that Set expiration is enabled (this is the default).
If you clear this checkbox, tokens will never expire. Databricks recommends that you configure tokens to expire.
Enter a number of seconds, minutes, hours, or days, and select the unit of measure.
For more information, see Security considerations for tokens.
Optionally enter a name for your organization that a recipient can use to identify who is sharing with them.
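Because changing the metastore default does not update tokens that were already issued, it helps to check which open-sharing recipients still hold tokens that outlive the new default and therefore need rotation. The following is an added example, not Databricks code: the record layout (`authentication_type`, `tokens`, `created_at`, `expiration_time` in epoch milliseconds) is an assumption modelled on Unity Catalog recipient records, and the sample recipients are constructed.

```python
from datetime import datetime, timedelta, timezone

def _ms(dt):
    """Convert a datetime to epoch milliseconds."""
    return int(dt.timestamp() * 1000)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample data; field names are an assumed record layout.
SAMPLE_RECIPIENTS = [
    {"name": "partner_a", "authentication_type": "TOKEN",
     "tokens": [{"id": "t1", "created_at": _ms(NOW - timedelta(days=10)),
                 "expiration_time": _ms(NOW + timedelta(days=20))}]},
    {"name": "partner_b", "authentication_type": "TOKEN",
     "tokens": [{"id": "t2", "created_at": _ms(NOW - timedelta(days=200)),
                 "expiration_time": _ms(NOW + timedelta(days=165))}]},
    # Issued while "Set expiration" was cleared: no expiration_time at all.
    {"name": "partner_c", "authentication_type": "TOKEN",
     "tokens": [{"id": "t3", "created_at": _ms(NOW - timedelta(days=400))}]},
    {"name": "internal_d", "authentication_type": "DATABRICKS", "tokens": []},
]

def tokens_needing_rotation(recipients, default_lifetime_s, now=NOW):
    """Return (recipient, token_id, reason) for live open-sharing tokens that
    do not conform to the metastore's current default token lifetime."""
    findings = []
    now_ms, max_ms = _ms(now), default_lifetime_s * 1000
    for r in recipients:
        if r.get("authentication_type") != "TOKEN":
            continue  # recipient tokens are used only in open sharing
        for t in r.get("tokens", []):
            exp = t.get("expiration_time")
            if not exp:
                findings.append((r["name"], t["id"], "never expires"))
            elif exp > now_ms and exp - t["created_at"] > max_ms:
                findings.append((r["name"], t["id"], "lifetime exceeds default"))
    return findings

if __name__ == "__main__":
    # Audit against a new 30-day default lifetime.
    for name, token_id, reason in tokens_needing_rotation(SAMPLE_RECIPIENTS, 30 * 86400):
        print(f"rotate {name}/{token_id}: {reason}")
```

Each recipient it reports is a candidate for the rotation step described in Manage recipient tokens (open sharing).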
To manage shares and recipients, you can use Catalog Explorer, SQL commands, or the Unity Catalog CLI. The CLI runs in your local environment and does not require Databricks compute resources.
To install the CLI, see What is the Databricks CLI?.
As a Databricks account admin, you should enable audit logging to capture Delta Sharing events, such as:
When someone creates, modifies, updates, or deletes a share or a recipient
When a recipient accesses an activation link and downloads the credential (open sharing only)
When a recipient accesses data
When a recipient’s credential is rotated or expires (open sharing only)
Delta Sharing activity is logged at the account level.
To enable audit logging, follow the instructions in Audit log reference.
Delta Sharing activity is logged at the account level. When you configure log delivery, do not enter a value for
For detailed information about how Delta Sharing events are logged, see Audit and monitor data sharing.