Restrict Delta Sharing recipient access using IP access lists (open sharing)

This article describes how data providers can assign IP access lists to control recipient access to shared data.

If you, as a data provider, are using the open Delta Sharing protocol, you can limit a recipient to a restricted set of IP addresses when they access data that you share. This list is independent of Workspace IP access lists. Only allow lists are supported.

The IP access list affects the following:

  • Delta Sharing OSS Protocol REST API access
  • Delta Sharing activation URL access
  • Delta Sharing credential file download

Each recipient supports a maximum of 100 IP/CIDR values, where one CIDR counts as a single value. Only IPv4 addresses are supported.

Assign an IP access list to a recipient

You can assign an IP access list to a recipient using Catalog Explorer or the Databricks Unity Catalog CLI.

Permissions required: If you are assigning an IP access list when you create a recipient, you must be a metastore admin or user with the CREATE_RECIPIENT privilege. If you are assigning an IP access list to an existing recipient, you must be the recipient object owner.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.

  2. At the top of the Catalog pane, click the gear icon and select Delta Sharing.

    Alternatively, from the Quick access page, click the Delta Sharing > button.

  3. On the Shared by me tab, click Recipients and select the recipient.

  4. On the IP access list tab, click Add IP address/CIDRs for each IP address (in single IP address format, like 8.8.8.8) or range of IP addresses (in CIDR format, like 8.8.8.4/10).

CLI

To add an IP access list when you create a new recipient, run the following command using the Databricks CLI, replacing <recipient-name> and the IP address values.

databricks recipients create \
--json='{
  "name": "<recipient-name>",
  "authentication_type": "<authentication-type>",
  "ip_access_list": {
    "allowed_ip_addresses": [
      "8.8.8.8",
      "8.8.8.4/10"
    ]
  }
}'

To add an IP access list to an existing recipient, run the following command, replacing <recipient-name> and the IP address values.

databricks recipients update \
--json='{
  "name": "<recipient-name>",
  "ip_access_list": {
    "allowed_ip_addresses": [
      "8.8.8.8",
      "8.8.8.4/10"
    ]
  }
}'
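As an added example (not Databricks code and not part of the original page), the following Python pre-flight check validates an allowed_ip_addresses array against the limits stated above (at most 100 IP/CIDR entries, IPv4 only, an empty list meaning unrestricted access), flags entries worth a second look, tests whether a given recipient source IP would pass the list, and builds the body for `databricks recipients update`. The /16 "broad range" threshold and the function names are assumptions of this example, not Databricks rules.

```python
import ipaddress

# Limits stated on this page: at most 100 IP/CIDR entries per recipient, IPv4 only.
MAX_ENTRIES = 100
# Assumed review threshold (ours, not a Databricks rule): flag prefixes shorter than /16.
BROAD_PREFIX_LEN = 16


def validate_allowed_ip_addresses(entries):
    """Return (errors, warnings) for an allowed_ip_addresses array before it is submitted."""
    errors, warnings, seen = [], [], set()
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the per-recipient limit of {MAX_ENTRIES}")
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # a bare address becomes /32
        except ValueError:
            errors.append(f"{entry!r}: not a valid IP address or CIDR")
            continue
        if net.version != 4:
            errors.append(f"{entry!r}: only IPv4 addresses are supported")
            continue
        if net in seen:
            warnings.append(f"{entry!r}: duplicate of an earlier entry")
        seen.add(net)
        try:
            ipaddress.ip_network(entry, strict=True)  # raises when host bits are set
        except ValueError:
            warnings.append(f"{entry!r}: host bits set; the covered network is {net}")
        if net.prefixlen < BROAD_PREFIX_LEN:
            warnings.append(f"{entry!r}: broad range, {net.num_addresses} addresses allowed")
    return errors, warnings


def source_ip_allowed(source_ip, entries):
    """Would a request from source_ip pass the list? An empty list allows any address."""
    if not entries:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def build_update_body(recipient_name, entries):
    """Body for `databricks recipients update --json`; an empty list clears the restriction."""
    errors, _ = validate_allowed_ip_addresses(entries)
    if errors:
        raise ValueError("; ".join(errors))
    access_list = {"allowed_ip_addresses": list(entries)} if entries else {}
    return {"name": recipient_name, "ip_access_list": access_list}
```

Running the checks over the two entries used in the CLI examples above reports no errors but two warnings for `8.8.8.4/10`: its host bits are set (the network actually covered is 8.0.0.0/10) and that prefix admits over four million addresses.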

Remove an IP access list

You can remove a recipient's IP access list using Catalog Explorer or the Databricks Unity Catalog CLI. If you remove all IP addresses from the list, the recipient can access the shared data from anywhere.

Permissions required: Recipient object owner.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.

  2. At the top of the Catalog pane, click the gear icon and select Delta Sharing.

    Alternatively, from the Quick access page, click the Delta Sharing > button.

  3. On the Shared by me tab, click Recipients and select the recipient.

  4. On the IP access list tab, click the trash can icon next to the IP address you want to delete.

CLI

Use the Databricks CLI to pass in an empty IP access list:

databricks recipients update \
--json='{
  "name": "<recipient-name>",
  "ip_access_list": {}
}'

View a recipient's IP access list

You can view a recipient's IP access list using Catalog Explorer, the Databricks Unity Catalog CLI, or the DESCRIBE RECIPIENT SQL command in a notebook or Databricks SQL query.

Permissions required: Metastore admin, user with the USE RECIPIENT privilege, or the recipient object owner.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.

  2. At the top of the Catalog pane, click the gear icon and select Delta Sharing.

    Alternatively, from the Quick access page, click the Delta Sharing > button.

  3. On the Shared by me tab, click Recipients and select the recipient.

  4. View allowed IP addresses on the IP access list tab.

CLI

Run the following command using the Databricks CLI.

databricks recipients get <recipient-name>

SQL

Run the following command in a notebook or the Databricks SQL query editor.

DESCRIBE RECIPIENT <recipient-name>;

Audit logging for Delta Sharing IP access lists

The following operations trigger audit logs related to IP access lists:

  • Recipient management operations: create, update
  • Denial of access to any of the Delta Sharing OSS Protocol REST API calls
  • Denial of access to Delta Sharing activation URL (open sharing only)
  • Denial of access to Delta Sharing credential file download (open sharing only)