We’re excited to announce the Public Preview of credential merchandising for Unity Catalog’s open APIs, permitting exterior purchasers to securely entry Unity Catalog exterior and managed tables by way of open supply Unity REST APIs, and UniForm-enabled tables by means of the Iceberg REST catalog APIs. This characteristic facilitates seamless interoperability throughout a variety of engines and instruments corresponding to Apache Spark™, DuckDB, Daft, PuppyGraph, StarRocks, Spice AI, Microsoft Material, Salesforce Information Cloud, and Iceberg REST catalog engines like Trino and Dremio.
Because the business’s solely unified and open governance answer for knowledge and AI belongings, Unity Catalog continues to evolve with a concentrate on interoperability throughout the trendy knowledge and AI stack. This open method empowers organizations to undertake best-in-class options for his or her knowledge and AI use circumstances whereas avoiding vendor lock-in. Credential merchandising for open APIs is a key a part of our complete open supply roadmap, following the announcement of the open-sourcing Unity Catalog on the 2024 Information and AI Summit. Credential merchandising can be obtainable within the open supply Unity Catalog 0.2 launch.
Unified governance throughout any engine with credential merchandising
Governance challenges with out credential merchandising
Question execution in cloud environments trusted static, broad entry insurance policies for each metadata and knowledge retrieval, making it tough to scale. Question engines, like Apache Spark™, are given broad entry to the metadata catalog and depend on cloud storage entry insurance policies to fetch knowledge from cloud storage. For instance, when a consumer runs a question, the engine must entry metadata from the catalog and the precise knowledge from the cloud storage like AWS S3, Azure ADLS and GCS. Directors usually grant the engine full entry to the metadata catalog (corresponding to Hive metastore) and create Occasion Profiles/Managed Service Identities to outline which cloud storage areas the engine can entry primarily based on the consumer’s permissions. These occasion profiles map user-level entry to particular knowledge storage insurance policies.
Whereas this mannequin works for small environments with few customers and datasets, it breaks down when scaling to giant organizations with 1000’s of customers, completely different instruments/compute engines, and a whole lot of 1000’s of knowledge objects. Directors want to make sure that catalog and storage permissions are in sync, which could be difficult because the variety of customers and knowledge belongings grows. This static method turns into more and more advanced, error-prone, and tough to maintain, resulting in inefficiencies, safety dangers, and governance challenges at scale.
Scalable governance with credential merchandising
Credential merchandising permits a catalog to grant non permanent entry to storage for an engine performing knowledge processing. That is performed by means of time-limited, downscoped storage credentials generated on demand. These credentials are restricted to the particular storage wanted for a higher-level object, like a desk. The catalog manages each metadata and governance, which means it has everlasting entry to all knowledge, whereas the engine solely will get just-in-time entry. For instance, if an engine must entry a particular desk saved at a path on AWS S3, the catalog generates a credential restricted to that path and gives it to the engine, permitting entry. Credential merchandising leverages the downscoping mechanisms supplied by cloud suppliers like AWS session tokens or Azure delegation SAS credentials.
Key advantages:
- Centralized entry management: Permits for centralized administration of knowledge entry permissions by means of the catalog, fairly than having to configure entry controls individually for every underlying knowledge supply.
- Momentary, scoped entry: Supplies non permanent, scoped-down credentials to entry knowledge, enhancing safety by limiting the lifetime and permissions of entry tokens.
- Simplified permissions administration: Admins need not replace particular person storage bucket insurance policies or IAM roles – permissions could be managed centrally by means of the catalog.
- Basis for superior governance options: This gives the foundational constructing blocks for implementing higher-level entry insurance policies. These might embody primary entry controls or extra superior insurance policies like RBAC (Function-Primarily based Entry Management) or ABAC (Attribute-Primarily based Entry Management) which can be dynamic in nature.
Implement insurance policies as soon as in Unity Catalog, and implement them all over the place
How credential merchandising allows safe entry for exterior purchasers
Unity Catalog gives open supply REST APIs, permitting exterior purchasers to securely entry objects corresponding to tables. Admins can outline entry insurance policies for these objects in Unity Catalog, with Unity Catalog retaining everlasting storage entry. When an exterior engine, like Apache Spark™, requests entry to a desk by means of the REST APIs utilizing UC credentials like PAT or OAuth tokens, Unity Catalog points non permanent credentials and URLs to manage storage entry primarily based on the consumer’s particular IAM roles or managed identities, enabling knowledge retrieval and question execution. This simplifies administration, enhances interoperability throughout engines and instruments, and lays the muse for superior governance options like RBAC and ABAC to scale entry administration.
This functionality additionally extends to Iceberg tables managed in Unity Catalog by means of Iceberg REST Catalog interface, leveraging the identical non permanent credential merchandising course of to learn Iceberg tables. By enhancing accessibility for a variety of exterior engines built-in by means of Unity REST APIs—corresponding to Apache Spark™, DuckDB, Daft, PuppyGraph, StarRocks, Spice AI, Microsoft Material, Salesforce Information Cloud, and Iceberg REST catalog engines like Trino and Dremio—organizations can leverage the instruments of their selection whereas sustaining constant discovery and governance experiences throughout platforms. We additionally plan to increase credential merchandising help to different Unity Catalog belongings, together with volumes (unstructured knowledge, arbitrary recordsdata). Keep tuned!
See it in motion with Apache Spark™ and Unity Catalog
Unity Catalog Open APIs enable exterior purchasers, like Apache Spark™, to work together with the catalog with unified governance. You’ll be able to fulfill operations like creating, studying, and writing to your Delta tables by means of merchandising non permanent credentials. You not want to substantiate and handle IAM permissions to your workloads and maintain them in sync throughout completely different techniques.
The next instance demonstrates how one can arrange your Spark Session to connect with Unity Catalog on Databricks for accessing tables saved in AWS S3.
Entry to learn tables is ruled by Catalog/Schema/Desk privileges. Customers require USE CATALOG, USE SCHEMA, EXTERNAL USE SCHEMA, SELECT privileges to learn a desk.
To create a desk customers require CREATE EXTERNAL TABLE on the exterior storage location, in addition to the catalog privileges USE CATALOG, USE SCHEMA and EXTERNAL USE SCHEMA.
Equally, you question your UniForm Iceberg tables from the Unity Catalog by means of the Iceberg REST API. This lets you entry these tables from any consumer that helps Iceberg REST with out introducing new dependencies!
Subsequent steps
That is simply the beginning of our ongoing roadmap to ship open entry and unified governance for any knowledge or AI asset, in any format, throughout any workload, and suitable with any compute engine or device. Credential merchandising is a robust constructing block for governance, and look out for additional updates to help safe exterior entry to volumes (Unstructured knowledge, arbitrary recordsdata).
- To be taught extra about credential merchandising in Unity Catalog and necessities, check with the documentation for AWS, Azure, GCP.
- To get began with the Unity Catalog, discover the setup guides obtainable for AWS, Azure, and GCP.
- It’s also possible to learn concerning the open supply 0.2 launch of Unity Catalog for extra particulars
