


Unity Catalog SSL/TLS


Databricks Unity Catalog SSL TLS Certificate Encryption Governance Access Control Lineage Audit Compliance


| Connection | Encryption | Certificate | Config |
|---|---|---|---|
| Client → Workspace | TLS 1.2+ | Databricks managed | HTTPS (default) |
| Cluster → S3/ADLS | TLS 1.2+ | Cloud provider managed | Automatic |
| Cluster ↔ Cluster | TLS 1.2+ (Spark shuffle) | Databricks managed | spark.ssl.enabled=true |
| JDBC/ODBC | TLS 1.2+ | Databricks managed | SSL=1 in connection string |
| REST API | TLS 1.2+ | Databricks managed | HTTPS only |
| Private Link | TLS + Private network | Cloud provider | VPC/VNet endpoint |

Access Control

# === Unity Catalog Governance ===



# 3-level Namespace

# CATALOG.SCHEMA.TABLE

# e.g., production.sales.orders



# Grant examples

# GRANT USE CATALOG ON CATALOG production TO `data-team`;

# GRANT USE SCHEMA ON SCHEMA production.sales TO `analysts`;

# GRANT SELECT ON TABLE production.sales.orders TO `analyst@company.com`;

# GRANT ALL PRIVILEGES ON SCHEMA production.sales TO `data-engineers`;

# REVOKE SELECT ON TABLE production.sales.customers FROM `intern@company.com`;



# Row Level Security

# CREATE FUNCTION production.sales.region_filter(region STRING)

# RETURN IF(IS_MEMBER('admin-group'), true, region = current_user_region());

# ALTER TABLE production.sales.orders

# SET ROW FILTER production.sales.region_filter ON (region);



# Column Masking

# CREATE FUNCTION production.sales.mask_email(email STRING)

# RETURN IF(IS_MEMBER('admin-group'), email, regexp_replace(email, '(.).*@', '$1***@'));

# ALTER TABLE production.sales.customers

# ALTER COLUMN email SET MASK production.sales.mask_email;



from dataclasses import dataclass



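@dataclass(frozen=True)
class GovernanceFeature:
    """One Unity Catalog governance capability listed in this overview.

    Instances are immutable reference records (``frozen=True``): they are
    hashable, so they can be de-duplicated in a set or used as dict keys,
    and attribute assignment raises ``dataclasses.FrozenInstanceError``
    (a subclass of ``AttributeError``).

    Attributes:
        feature: Short name of the capability (e.g. "Column Masking").
        sql_example: Illustrative SQL statement or the location where the
            capability is applied or observed.
        use_case: What the capability is used for.
        compliance: Regulations or policies the capability helps satisfy.
    """

    # Short name of the capability
    feature: str
    # Illustrative SQL (or system-table/UI location)
    sql_example: str
    # What it is used for
    use_case: str
    # Regulations/policies it supports
    compliance: str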



# Reference rows for the governance overview; list order is the display order.
features = [
    GovernanceFeature(
        feature="GRANT/REVOKE",
        sql_example="GRANT SELECT ON TABLE t TO user",
        use_case="Control who can read/write each table",
        compliance="SOC2, GDPR, HIPAA",
    ),
    GovernanceFeature(
        feature="Row Level Security",
        sql_example="SET ROW FILTER func ON (column)",
        use_case="Users see only their region/department data",
        compliance="GDPR, data isolation",
    ),
    GovernanceFeature(
        feature="Column Masking",
        sql_example="ALTER COLUMN email SET MASK func",
        use_case="Hide PII from non-authorized users",
        compliance="GDPR, HIPAA, PCI-DSS",
    ),
    GovernanceFeature(
        feature="Tags",
        sql_example="ALTER TABLE t SET TAGS ('pii'='true')",
        use_case="Classify data sensitivity, discoverability",
        compliance="Data classification policy",
    ),
    GovernanceFeature(
        feature="Audit Logs",
        sql_example="System table: system.access.audit",
        use_case="Track all data access for compliance",
        compliance="SOC2, GDPR, HIPAA",
    ),
    GovernanceFeature(
        feature="Lineage",
        sql_example="Unity Catalog UI / system.access.table_lineage",
        use_case="Track data flow from source to dashboard",
        compliance="Data quality, impact analysis",
    ),
]



print("=== Governance Features ===")
for f in features:
    # One record per feature: a header line followed by indented SQL and
    # compliance lines; joined with "\n" so the output matches three prints.
    entry = "\n".join((
        f"  [{f.feature}] {f.use_case}",
        f"    SQL: {f.sql_example}",
        f"    Compliance: {f.compliance}",
    ))
    print(entry)

Certificate Configuration

# === SSL/TLS Configuration ===



# JDBC Connection with SSL

# jdbc:databricks://adb-1234567890.1.azuredatabricks.net:443/default;

#   transportMode=http;

#   ssl=1;

#   httpPath=/sql/1.0/warehouses/abc123;

#   AuthMech=3;

#   UID=token;

#   PWD=dapi_xxxxxxxxxxxx   <- placeholder personal access token; supply it from a secret store or environment variable, never a literal in the connection string



# Python with SSL (databricks-sql-connector)

# from databricks import sql

# connection = sql.connect(

#     server_hostname="adb-1234567890.1.azuredatabricks.net",

#     http_path="/sql/1.0/warehouses/abc123",

#     access_token="dapi_xxxxxxxxxxxx",  # placeholder; read the token from a secret store / env var, not a literal

#     # SSL is enabled by default

# )



# REST API (always HTTPS)

# curl -X GET "https://adb-1234567890.1.azuredatabricks.net/api/2.1/unity-catalog/tables" \

#   -H "Authorization: Bearer dapi_xxxxxxxxxxxx"



# Private Link setup (Azure example)

# 1. Create Private Endpoint in your VNet

# 2. Link to Databricks workspace

# 3. Disable public network access

# 4. All traffic stays in private network



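@dataclass(frozen=True)
class CertConfig:
    """Certificate handling for one connection or deployment scenario.

    Instances are immutable reference records (``frozen=True``): they are
    hashable and attribute assignment raises
    ``dataclasses.FrozenInstanceError`` (a subclass of ``AttributeError``).

    Attributes:
        scenario: The connection or deployment scenario described.
        cert_type: Which certificate secures that scenario.
        managed_by: The party responsible for the certificate.
        rotation: How (or how often) the certificate is rotated.
        action: What the customer must do, if anything.
    """

    # Connection/deployment scenario
    scenario: str
    # Certificate securing the scenario
    cert_type: str
    # Party responsible for the certificate
    managed_by: str
    # Rotation cadence or mechanism
    rotation: str
    # Customer action required
    action: str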



# Certificate scenarios printed below; list order is the display order.
configs = [
    CertConfig(
        scenario="Default workspace",
        cert_type="Databricks TLS cert",
        managed_by="Databricks (automatic)",
        rotation="Automatic",
        action="No action needed",
    ),
    CertConfig(
        scenario="Custom domain",
        cert_type="Custom TLS cert",
        managed_by="Customer",
        rotation="90 days recommended",
        action="Upload cert to cloud provider, configure DNS",
    ),
    CertConfig(
        scenario="JDBC/ODBC",
        cert_type="Databricks TLS cert",
        managed_by="Databricks",
        rotation="Automatic",
        action="Set SSL=1 in connection string",
    ),
    CertConfig(
        scenario="External Metastore",
        cert_type="Metastore TLS cert",
        managed_by="Customer",
        rotation="Per org policy",
        action="Configure SSL cert in metastore connection",
    ),
    CertConfig(
        scenario="Private Link",
        cert_type="Cloud provider cert",
        managed_by="AWS/Azure/GCP",
        rotation="Automatic",
        action="Create private endpoint, disable public access",
    ),
]



print("\n=== Certificate Configurations ===")
for c in configs:
    # Header, ownership/rotation, then required action — one line each.
    header = f"  [{c.scenario}] Cert: {c.cert_type}"
    ownership = f"    Managed by: {c.managed_by} | Rotation: {c.rotation}"
    action = f"    Action: {c.action}"
    print("\n".join((header, ownership, action)))

Compliance Checklist

# === Compliance Checklist ===



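@dataclass(frozen=True)
class ComplianceItem:
    """One regulation and how the platform features map onto it.

    Instances are immutable reference records (``frozen=True``): they are
    hashable and attribute assignment raises
    ``dataclasses.FrozenInstanceError`` (a subclass of ``AttributeError``).

    Attributes:
        regulation: Name of the regulation or standard.
        requirement: The obligation it imposes, in short form.
        databricks_feature: Platform features that address the requirement.
        config: Configuration steps to apply those features.
    """

    # Regulation or standard name
    regulation: str
    # The obligation it imposes
    requirement: str
    # Features addressing the obligation
    databricks_feature: str
    # Configuration steps to apply
    config: str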



# Regulation-to-feature mapping printed below; list order is the display order.
compliance = [
    ComplianceItem(
        regulation="GDPR",
        requirement="Data minimization, right to erasure",
        databricks_feature="Column masking, DELETE support, Audit logs",
        config="Mask PII, implement delete workflow, enable audit",
    ),
    ComplianceItem(
        regulation="HIPAA",
        requirement="PHI encryption, access control",
        databricks_feature="TLS encryption, Unity Catalog RBAC, Audit logs",
        config="Enable encryption at rest+transit, strict RBAC",
    ),
    ComplianceItem(
        regulation="SOC 2",
        requirement="Access logging, change management",
        databricks_feature="Audit logs, Lineage, Git integration",
        config="Enable system tables, track all changes",
    ),
    ComplianceItem(
        regulation="PCI-DSS",
        requirement="Cardholder data protection",
        databricks_feature="Column masking, Row-level security, Encryption",
        config="Mask card numbers, restrict access, TLS everywhere",
    ),
    ComplianceItem(
        regulation="ISO 27001",
        requirement="Information security management",
        databricks_feature="Full Unity Catalog governance suite",
        config="Implement all governance features, regular audits",
    ),
]



print("=== Compliance Checklist ===")
for c in compliance:
    # Regulation header, then the feature and config lines, one print per item.
    block = "\n".join((
        f"  [{c.regulation}] {c.requirement}",
        f"    Feature: {c.databricks_feature}",
        f"    Config: {c.config}",
    ))
    print(block)

เคล็ดลับ

  • TLS: Databricks เข้ารหัส TLS 1.2+ ทุก Connection โดย Default
  • RBAC: ใช้ Unity Catalog GRANT จัดการ Permission ทุก Table
  • Masking: ใช้ Column Masking ซ่อน PII จาก User ที่ไม่มีสิทธิ์
  • Audit: เปิด Audit Logs ตรวจสอบทุกการ Access สำหรับ Compliance
  • Private Link: ใช้ Private Link สำหรับ Production ไม่ผ่าน Public Internet

Unity Catalog คืออะไร

Unified Governance Data Assets Access Control Grants Lineage Discovery Audit Logs 3-level Namespace Catalog Schema Table Databricks



