Unity Catalog SSL/TLS
Databricks Unity Catalog SSL TLS Certificate Encryption Governance Access Control Lineage Audit Compliance
| Connection | Encryption | Certificate | Config |
|---|---|---|---|
| Client → Workspace | TLS 1.2+ | Databricks managed | HTTPS (default) |
| Cluster → S3/ADLS | TLS 1.2+ | Cloud provider managed | Automatic |
| Cluster ↔ Cluster | TLS 1.2+ (Spark shuffle) | Databricks managed | spark.ssl.enabled=true |
| JDBC/ODBC | TLS 1.2+ | Databricks managed | SSL=1 in connection string |
| REST API | TLS 1.2+ | Databricks managed | HTTPS only |
| Private Link | TLS + Private network | Cloud provider | VPC/VNet endpoint |
Access Control
# === Unity Catalog Governance ===
# 3-level Namespace
# CATALOG.SCHEMA.TABLE
# e.g., production.sales.orders
# Grant examples
# GRANT USE CATALOG ON CATALOG production TO `data-team`;
# GRANT USE SCHEMA ON SCHEMA production.sales TO `analysts`;
# GRANT SELECT ON TABLE production.sales.orders TO `analyst@company.com`;
# GRANT ALL PRIVILEGES ON SCHEMA production.sales TO `data-engineers`;
# REVOKE SELECT ON TABLE production.sales.customers FROM `intern@company.com`;
# Row Level Security
# CREATE FUNCTION production.sales.region_filter(region STRING)
# RETURN IF(IS_MEMBER('admin-group'), true, region = current_user_region());  -- current_user_region() is a placeholder helper you define yourself, not a built-in function
# ALTER TABLE production.sales.orders
# SET ROW FILTER production.sales.region_filter ON (region);
# Column Masking
# CREATE FUNCTION production.sales.mask_email(email STRING)
# RETURN IF(IS_MEMBER('admin-group'), email, regexp_replace(email, '(.).*@', '$1***@'));
# ALTER TABLE production.sales.customers
# ALTER COLUMN email SET MASK production.sales.mask_email;
from dataclasses import dataclass
@dataclass
class GovernanceFeature:
    """One Unity Catalog governance capability and the compliance need it serves.

    Attributes:
        feature: Short name of the capability (e.g. "GRANT/REVOKE").
        sql_example: Illustrative SQL or UI pointer that exercises the feature.
        use_case: What the feature is used for in practice.
        compliance: Regulations or internal policies the feature helps satisfy.
    """

    feature: str
    sql_example: str
    use_case: str
    compliance: str
# Catalogue of governance features, printed below as a quick reference.
features = [
    GovernanceFeature(
        feature="GRANT/REVOKE",
        sql_example="GRANT SELECT ON TABLE t TO user",
        use_case="Control who can read/write each table",
        compliance="SOC2, GDPR, HIPAA",
    ),
    GovernanceFeature(
        feature="Row Level Security",
        sql_example="SET ROW FILTER func ON (column)",
        use_case="Users see only their region/department data",
        compliance="GDPR, data isolation",
    ),
    GovernanceFeature(
        feature="Column Masking",
        sql_example="ALTER COLUMN email SET MASK func",
        use_case="Hide PII from non-authorized users",
        compliance="GDPR, HIPAA, PCI-DSS",
    ),
    GovernanceFeature(
        feature="Tags",
        sql_example="ALTER TABLE t SET TAGS ('pii'='true')",
        use_case="Classify data sensitivity, discoverability",
        compliance="Data classification policy",
    ),
    GovernanceFeature(
        feature="Audit Logs",
        sql_example="System table: system.access.audit",
        use_case="Track all data access for compliance",
        compliance="SOC2, GDPR, HIPAA",
    ),
    GovernanceFeature(
        feature="Lineage",
        sql_example="Unity Catalog UI / system.access.table_lineage",
        use_case="Track data flow from source to dashboard",
        compliance="Data quality, impact analysis",
    ),
]

# Render each feature as a three-line entry: name/use case, SQL, compliance.
print("=== Governance Features ===")
for entry in features:
    print(
        "\n".join(
            (
                f" [{entry.feature}] {entry.use_case}",
                f" SQL: {entry.sql_example}",
                f" Compliance: {entry.compliance}",
            )
        )
    )
Certificate Configuration
# === SSL/TLS Configuration ===
# JDBC Connection with SSL
# jdbc:databricks://adb-1234567890.1.azuredatabricks.net:443/default;
# transportMode=http;
# ssl=1;
# httpPath=/sql/1.0/warehouses/abc123;
# AuthMech=3;
# UID=token;
# PWD=dapi_xxxxxxxxxxxx   (placeholder personal access token; load it from a secret store at runtime, never hard-code it in the connection string)
# Python with SSL (databricks-sql-connector)
# from databricks import sql
# connection = sql.connect(
# server_hostname="adb-1234567890.1.azuredatabricks.net",
# http_path="/sql/1.0/warehouses/abc123",
# access_token="dapi_xxxxxxxxxxxx",  # placeholder; read the token from an env var or secret scope, not a literal
# # SSL is enabled by default
# )
# REST API (always HTTPS)
# curl -X GET "https://adb-1234567890.1.azuredatabricks.net/api/2.1/unity-catalog/tables" \
# -H "Authorization: Bearer dapi_xxxxxxxxxxxx"
# Private Link setup (Azure example)
# 1. Create Private Endpoint in your VNet
# 2. Link to Databricks workspace
# 3. Disable public network access
# 4. All traffic stays in private network
@dataclass
class CertConfig:
    """Certificate handling for one Databricks connection scenario.

    Attributes:
        scenario: Connection scenario the row describes (e.g. "JDBC/ODBC").
        cert_type: Kind of TLS certificate involved.
        managed_by: Party responsible for issuing and renewing the certificate.
        rotation: Rotation cadence, as a free-form description.
        action: What the operator has to do, if anything.
    """

    scenario: str
    cert_type: str
    managed_by: str
    rotation: str
    action: str
# Certificate scenarios, printed below as a quick reference.
configs = [
    CertConfig(
        scenario="Default workspace",
        cert_type="Databricks TLS cert",
        managed_by="Databricks (automatic)",
        rotation="Automatic",
        action="No action needed",
    ),
    CertConfig(
        scenario="Custom domain",
        cert_type="Custom TLS cert",
        managed_by="Customer",
        rotation="90 days recommended",
        action="Upload cert to cloud provider, configure DNS",
    ),
    CertConfig(
        scenario="JDBC/ODBC",
        cert_type="Databricks TLS cert",
        managed_by="Databricks",
        rotation="Automatic",
        action="Set SSL=1 in connection string",
    ),
    CertConfig(
        scenario="External Metastore",
        cert_type="Metastore TLS cert",
        managed_by="Customer",
        rotation="Per org policy",
        action="Configure SSL cert in metastore connection",
    ),
    CertConfig(
        scenario="Private Link",
        cert_type="Cloud provider cert",
        managed_by="AWS/Azure/GCP",
        rotation="Automatic",
        action="Create private endpoint, disable public access",
    ),
]

# Leading newline separates this section from the one printed before it.
print("\n=== Certificate Configurations ===")
for cfg in configs:
    print(
        "\n".join(
            (
                f" [{cfg.scenario}] Cert: {cfg.cert_type}",
                f" Managed by: {cfg.managed_by} | Rotation: {cfg.rotation}",
                f" Action: {cfg.action}",
            )
        )
    )
Compliance Checklist
# === Compliance Checklist ===
@dataclass
class ComplianceItem:
    """Mapping from a regulation's requirement to the Databricks feature that addresses it.

    Attributes:
        regulation: Regulation or standard name (e.g. "GDPR").
        requirement: The obligation the regulation imposes, in brief.
        databricks_feature: Platform feature(s) used to meet the requirement.
        config: Configuration steps the team is expected to carry out.
    """

    regulation: str
    requirement: str
    databricks_feature: str
    config: str
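# Compliance checklist, printed below as a quick reference.
compliance = [
    ComplianceItem(
        regulation="GDPR",
        requirement="Data minimization, right to erasure",
        databricks_feature="Column masking, DELETE support, Audit logs",
        config="Mask PII, implement delete workflow, enable audit",
    ),
    ComplianceItem(
        regulation="HIPAA",
        requirement="PHI encryption, access control",
        databricks_feature="TLS encryption, Unity Catalog RBAC, Audit logs",
        config="Enable encryption at rest+transit, strict RBAC",
    ),
    ComplianceItem(
        regulation="SOC 2",
        requirement="Access logging, change management",
        databricks_feature="Audit logs, Lineage, Git integration",
        config="Enable system tables, track all changes",
    ),
    ComplianceItem(
        regulation="PCI-DSS",
        requirement="Cardholder data protection",
        databricks_feature="Column masking, Row-level security, Encryption",
        config="Mask card numbers, restrict access, TLS everywhere",
    ),
    ComplianceItem(
        regulation="ISO 27001",
        requirement="Information security management",
        databricks_feature="Full Unity Catalog governance suite",
        config="Implement all governance features, regular audits",
    ),
]

# Leading newline matches the certificate section's header so each section
# is separated from the previous output by a blank line.
print("\n=== Compliance Checklist ===")
for item in compliance:
    print(
        "\n".join(
            (
                f" [{item.regulation}] {item.requirement}",
                f" Feature: {item.databricks_feature}",
                f" Config: {item.config}",
            )
        )
    )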
เคล็ดลับ
- TLS: Databricks เข้ารหัส TLS 1.2+ ทุก Connection โดย Default
- RBAC: ใช้ Unity Catalog GRANT จัดการ Permission ทุก Table
- Masking: ใช้ Column Masking ซ่อน PII จาก User ที่ไม่มีสิทธิ์
- Audit: เปิด Audit Logs ตรวจสอบทุกการ Access สำหรับ Compliance
- Private Link: ใช้ Private Link สำหรับ Production ไม่ผ่าน Public Internet
Unity Catalog คืออะไร
Unified Governance Data Assets Access Control Grants Lineage Discovery Audit Logs 3-level Namespace Catalog Schema Table Databricks
SSL TLS ใน Databricks ทำงานอย่างไร
TLS 1.2 Encryption Transit Client Workspace Cluster Storage Shuffle JDBC ODBC REST API Private Link Certificate อัตโนมัติ
Certificate Management ทำอย่างไร
Databricks Default อัตโนมัติ Custom ACM Key Vault JDBC SSL Connection REST HTTPS IAM Role Rotate 90 วัน Private Link
Data Governance ทำอย่างไร
GRANT REVOKE Permission Row Level Security Column Masking PII Tags Audit Logs Lineage Quality Rules Information Schema Compliance
สรุป
Databricks Unity Catalog SSL TLS Certificate Encryption Governance RBAC Masking Lineage Audit Compliance GDPR HIPAA SOC2 Production
