Enable external data access to Unity Catalog

Azure Databricks provides access to Unity Catalog tables using the Unity REST API and Apache Iceberg REST catalog.

A metastore admin must enable external data access for each metastore you need to access externally. The user or service principal that configures the connection must have the EXTERNAL USE SCHEMA privilege for each schema where they need to perform supported operations: reading from managed tables or creating, reading, and writing to external tables.

The Unity REST API supports direct reads for Delta tables. The Iceberg REST catalog supports reads for Delta tables and reads and writes for Iceberg tables. See Access Databricks data using external systems.

Enable external data access on the metastore

To allow external engines to access data in a metastore, a metastore admin must enable external data access for the metastore. This option is disabled by default to prevent unauthorized external access.

To enable external data access, do the following:

  1. In an Azure Databricks workspace attached to the metastore, click Catalog.
  2. Click the gear icon at the top of the Catalog pane and select Metastore.
  3. On the Details tab, enable External data access.

Note

These options are only displayed for sufficiently privileged users. If you do not see these options, you do not have permissions to enable external data access for a metastore.

Grant a principal Unity Catalog privileges

External clients connecting to Azure Databricks need authorization from a sufficiently privileged principal.

Azure Databricks supports OAuth and personal access tokens (PAT) for authentication. See Authorizing access to Azure Databricks resources.

The principal who requests the temporary credential must have:

  • The EXTERNAL USE SCHEMA privilege on the containing schema or its parent catalog.

    This privilege must always be granted explicitly. Only the parent catalog owner can grant it. To avoid accidental exfiltration, ALL PRIVILEGES does not include the EXTERNAL USE SCHEMA privilege, and schema owners do not have this privilege by default.

  • SELECT permission on the table, USE CATALOG on its parent catalog, and USE SCHEMA on its parent schema.

  • If creating external tables, the principal must also have the CREATE TABLE privilege on the schema and both the CREATE EXTERNAL TABLE and EXTERNAL USE LOCATION privileges on the target external location.

    EXTERNAL USE LOCATION must always be granted explicitly. Only users with the MANAGE privilege on the external location can grant it. To avoid accidental exfiltration, ALL PRIVILEGES does not include the EXTERNAL USE LOCATION privilege, and location owners do not have this privilege by default.

The following example syntax demonstrates granting EXTERNAL USE SCHEMA to a user:

GRANT EXTERNAL USE SCHEMA ON SCHEMA catalog_name.schema_name TO `user@company.com`

The following example syntax demonstrates granting EXTERNAL USE LOCATION to a user:

GRANT EXTERNAL USE LOCATION ON EXTERNAL LOCATION external_location_name TO `user@company.com`

Assuming the user has the permissions to read all desired tables in the schema, no additional permissions are needed. If you need to grant additional permissions to read tables, see Unity Catalog privileges and securable objects.
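The following Databricks SQL is an added example, not part of the Azure Databricks documentation: it grants the complete privilege set listed above to one service principal so that an external engine can read the managed tables in a single schema and create external tables under a single external location, then lists the resulting grants. The catalog (analytics), schema (sales), external location (raw_landing) and the application ID placeholder are assumptions; SELECT is granted at schema level so it is inherited by every table in the schema.

```sql
-- Added example (not from the Azure Databricks docs): least-privilege grant set
-- for an external client using the Unity REST API or Iceberg REST catalog.
-- Placeholders: catalog analytics, schema sales, external location raw_landing,
-- service principal application ID <app-id>. Replace all four before running.

-- Path privileges: the principal must be able to reach the schema at all.
GRANT USE CATALOG ON CATALOG analytics TO `<app-id>`;
GRANT USE SCHEMA  ON SCHEMA  analytics.sales TO `<app-id>`;

-- Read access; granted on the schema so every table in it inherits SELECT.
GRANT SELECT ON SCHEMA analytics.sales TO `<app-id>`;

-- Required for external clients to obtain temporary credentials for this schema.
-- Not included in ALL PRIVILEGES; only the parent catalog owner can grant it.
GRANT EXTERNAL USE SCHEMA ON SCHEMA analytics.sales TO `<app-id>`;

-- Only needed if the external engine will create external tables.
GRANT CREATE TABLE ON SCHEMA analytics.sales TO `<app-id>`;
GRANT CREATE EXTERNAL TABLE ON EXTERNAL LOCATION raw_landing TO `<app-id>`;
-- Not included in ALL PRIVILEGES; only a principal with MANAGE on the
-- external location can grant it.
GRANT EXTERNAL USE LOCATION ON EXTERNAL LOCATION raw_landing TO `<app-id>`;

-- Verify the result: EXTERNAL USE SCHEMA and EXTERNAL USE LOCATION should
-- appear only here, not on schemas or locations the engine must not reach.
SHOW GRANTS `<app-id>` ON SCHEMA analytics.sales;
SHOW GRANTS `<app-id>` ON EXTERNAL LOCATION raw_landing;

-- When the integration is retired, remove the two external-access privileges
-- explicitly, since revoking ALL PRIVILEGES does not touch them.
-- REVOKE EXTERNAL USE SCHEMA   ON SCHEMA analytics.sales        FROM `<app-id>`;
-- REVOKE EXTERNAL USE LOCATION ON EXTERNAL LOCATION raw_landing FROM `<app-id>`;
```

Run the GRANT EXTERNAL USE SCHEMA statement as the catalog owner and the GRANT EXTERNAL USE LOCATION statement as a principal holding MANAGE on the location; the remaining statements succeed for any principal allowed to grant those privileges.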