Enable external data access to Unity Catalog
Azure Databricks provides access to Unity Catalog tables using the Unity REST API and Iceberg REST catalog.
A metastore admin must enable external data access for each metastore you need to access externally. The user or service principal that configures the connection must have the EXTERNAL USE SCHEMA
privilege for each schema containing tables you need to read externally.
The Unity REST API supports direct reads for Delta tables, which the Iceberg REST catalog supports reads on tables enabled for Iceberg reads. See Access Databricks data using external systems.
Enable external data access on the metastore
To allow external engines to access data in a metastore, a metastore admin must enable external data access for the metastore. This option is disabled by default to prevent unauthorized external access.
To enable external data access, do the following:
- In an Azure Databricks workspace attached to the metastore, click Catalog.
- Click the gear icon at the top of the Catalog pane and select Metastore.
- On the Details tab, enable External data access.
Note
These options are only displayed for sufficiently privileged users. If you do not see these options, you do not have permissions to enable external data access for a metastore.
Grant a principal EXTERNAL USE SCHEMA
External clients connecting to Azure Databricks need authorization from a sufficiently privileged principal.
Azure Databricks supports OAuth and personal access tokens (PAT) for authentication. See Authenticate access to Azure Databricks resources.
The principal who requests the temporary credential must have:
The
EXTERNAL USE SCHEMA
privilege on the containing schema or its parent catalog.This privilege must always be granted explicitly. Only the parent catalog owner can grant it. To avoid accidental exfiltration,
ALL PRIVILEGES
does not include theEXTERNAL USE SCHEMA
privilege, and schema owners do not have this privilege by default.SELECT
permission on the table,USE CATALOG
on its parent catalog, andUSE SCHEMA
on its parent schema.
The following example syntax demonstrates granting EXTERNAL USE SCHEMA
to a user:
GRANT EXTERNAL USE SCHEMA ON SCHEMA catalog_name.schema_name TO `user@company.com`
Assuming the user has the permissions to read all desired tables in the schema, no additional permissions are needed. If you need to grant additional permissions to read tables, see Unity Catalog privileges and securable objects.