Restrict Delta Sharing recipient access using IP access lists (open sharing)
This article describes how data providers can assign IP access lists to control recipient access to shared data.
If you, as a data provider, are using the open Delta Sharing protocol, you can limit a recipient to a restricted set of IP addresses when they access data that you share. This list is independent of Workspace IP access lists. Only allow lists are supported.
The IP access list affects the following:
- Delta Sharing OSS Protocol REST API access
- Delta Sharing activation URL access
- Delta Sharing credential file download
Each recipient supports a maximum of 100 IP/CIDR values, where one CIDR counts as a single value. Only IPv4 addresses are supported.
Assign an IP access list to a recipient
You can assign an IP access list to a recipient using Catalog Explorer or the Databricks Unity Catalog CLI.
Permissions required: If you are assigning an IP access list when you create a recipient, you must be a metastore admin or user with the CREATE_RECIPIENT privilege. If you are assigning an IP access list to an existing recipient, you must be the recipient object owner.
Catalog Explorer
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, click Recipients and select the recipient.
On the IP access list tab, click Add IP address/CIDRs for each IP address (in single IP address format, like 8.8.8.8) or range of IP addresses (in CIDR format, like 8.8.8.4/10).
CLI
To add an IP access list when you create a new recipient, run the following command using the Databricks CLI, replacing <recipient-name> and the IP address values.
databricks recipients create \
--json='{
  "name": "<recipient-name>",
  "authentication_type": "<authentication-type>",
  "ip_access_list": {
    "allowed_ip_addresses": [
      "8.8.8.8",
      "8.8.8.4/10"
    ]
  }
}'
To add an IP access list to an existing recipient, run the following command, replacing <recipient-name> and the IP address values.
databricks recipients update \
--json='{
  "name": "<recipient-name>",
  "ip_access_list": {
    "allowed_ip_addresses": [
      "8.8.8.8",
      "8.8.8.4/10"
    ]
  }
}'
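A pre-flight check for an allow list before it is passed to `databricks recipients create` or `update`, added here as an example (it is not part of the Databricks documentation or CLI). It enforces the limits stated above (100 values, IPv4 only) and flags entries such as 8.8.8.4/10 whose host bits are set. The function names are hypothetical, and how the service itself normalizes such entries is not stated in this article.

```python
import ipaddress
import json

MAX_VALUES = 100  # per-recipient limit stated in this article


def check_allow_list(values):
    """Return (errors, warnings) for a proposed allowed_ip_addresses list."""
    errors, warnings = [], []
    if not values:
        warnings.append("empty list: recipient can access shared data from anywhere")
    if len(values) > MAX_VALUES:
        errors.append(f"{len(values)} values exceeds the limit of {MAX_VALUES}")
    seen = set()
    for v in values:
        try:
            net = ipaddress.ip_network(v, strict=False)
        except ValueError:
            errors.append(f"{v}: not an IP address or CIDR")
            continue
        if net.version != 4:
            errors.append(f"{v}: only IPv4 is supported")
            continue
        if net in seen:
            warnings.append(f"{v}: duplicates an earlier entry")
        seen.add(net)
        # Host bits set below the prefix length: the entry reads like one
        # host, but the mask spans the whole enclosing network.
        if ipaddress.ip_interface(v).ip != net.network_address:
            warnings.append(
                f"{v}: host bits set, covers {net} ({net.num_addresses} addresses)"
            )
    return errors, warnings


def build_update_payload(recipient_name, values):
    """Return the JSON body for `databricks recipients update --json=...`."""
    errors, _ = check_allow_list(values)
    if errors:
        raise ValueError("; ".join(errors))
    body = {"name": recipient_name,
            "ip_access_list": {"allowed_ip_addresses": list(values)}}
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    # Constructed sample input: the two values used in this article.
    errs, warns = check_allow_list(["8.8.8.8", "8.8.8.4/10"])
    print(errs, warns)
```

Warnings do not block the payload; review them before applying, since a /10 entry admits about four million source addresses.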
Remove an IP access list
You can remove a recipient's IP access list using Catalog Explorer or the Databricks Unity Catalog CLI. If you remove all IP addresses from the list, the recipient can access the shared data from anywhere.
Permissions required: Recipient object owner.
Catalog Explorer
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, click Recipients and select the recipient.
On the IP access list tab, click the trash can icon next to the IP address you want to delete.
CLI
Use the Databricks CLI to pass in an empty IP access list:
databricks recipients update \
--json='{
  "name": "<recipient-name>",
  "ip_access_list": {}
}'
View a recipient's IP access list
You can view a recipient's IP access list using Catalog Explorer, the Databricks Unity Catalog CLI, or the DESCRIBE RECIPIENT SQL command in a notebook or Databricks SQL query.
Permissions required: Metastore admin, user with the USE RECIPIENT privilege, or the recipient object owner.
Catalog Explorer
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, click Recipients and select the recipient.
View allowed IP addresses on the IP access list tab.
CLI
Run the following command using the Databricks CLI.
databricks recipients get <recipient-name>
SQL
Run the following command in a notebook or the Databricks SQL query editor.
DESCRIBE RECIPIENT <recipient-name>;
Audit logging for Delta Sharing IP access lists
The following operations trigger audit logs related to IP access lists:
- Recipient management operations: create, update
- Denial of access to any of the Delta Sharing OSS Protocol REST API calls
- Denial of access to Delta Sharing activation URL (open sharing only)
- Denial of access to Delta Sharing credential file download (open sharing only)