feat: Databricks grants #5436

Merged
eakmanrq merged 1 commit into ddai/grants from eakmanrq/databricks_grants
Sep 25, 2025

@eakmanrq eakmanrq commented Sep 24, 2025

Unique nuances of Databricks for grants:

  • When doing Unity Catalog (UC) granting for groups (the engine adapter assumes UC), the groups need to be defined at the account level. When creating groups with SQL, they are done at the workspace level, which I think means at the hive catalog level. It would require making API calls to create roles at the account level. As a result, I used pre-created roles at the account level to simplify things, but if this becomes a problem we could update to do the API calls.
  • Databricks doesn't support the standard UPDATE/INSERT permissions, so I had to parameterize these to allow the dialects to change what is used.
  • When querying the information schema, Databricks would return inherited privileges which couldn't even be controlled through explicit grants. For example, on the test account we have ALL_PRIVILEGES given by default, and this would be returned and then "revoked", but the revoke would be a no-op since it wasn't explicitly granted in the first place. Therefore we just ignore inherited grants.

Confirmed CI tests for Snow/Databricks pass.
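
The inherited-grant point in the description above, worked through as an added example (not code from this pull request): a grant sync that diffs desired against current privileges plans a revoke for an inherited privilege unless inherited rows are filtered out first. The rows are constructed, and the `inherited_from` column with the value `NONE` for direct grants is an assumption about the information schema's shape; `current_grants` and `plan` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed rows shaped like information_schema.table_privileges.
# Assumption: "inherited_from" is "NONE" for grants made directly on the
# table and names the parent securable for inherited ones.
ROWS = [
    {"grantee": "analysts", "privilege_type": "SELECT", "inherited_from": "NONE"},
    {"grantee": "etl", "privilege_type": "MODIFY", "inherited_from": "NONE"},
    {"grantee": "admins", "privilege_type": "ALL_PRIVILEGES", "inherited_from": "CATALOG"},
]

# Hypothetical desired state declared for the table.
DESIRED = {"SELECT": {"analysts", "auditors"}}


def current_grants(rows, include_inherited=False):
    """Map privilege -> set of grantees, skipping inherited rows by default."""
    grants = defaultdict(set)
    for row in rows:
        if include_inherited or row["inherited_from"].upper() == "NONE":
            grants[row["privilege_type"]].add(row["grantee"])
    return dict(grants)


def plan(desired, current):
    """Return sorted (privilege, grantee) lists: what to GRANT, what to REVOKE."""
    want = {(p, g) for p, grantees in desired.items() for g in grantees}
    have = {(p, g) for p, grantees in current.items() for g in grantees}
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    for label, inherited in (("explicit only", False), ("with inherited", True)):
        to_grant, to_revoke = plan(DESIRED, current_grants(ROWS, inherited))
        print(f"{label}: GRANT {to_grant} REVOKE {to_revoke}")
```

With inherited rows included, the `ALL_PRIVILEGES` revoke is planned on every run because the row never disappears from the information schema, so the sync never converges and its output hides real drift.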

@eakmanrq eakmanrq force-pushed the eakmanrq/databricks_grants branch 3 times, most recently from 1d5e453 to 4262f64 Compare September 24, 2025 22:42
@eakmanrq eakmanrq force-pushed the eakmanrq/databricks_grants branch from 4262f64 to 3b60eba Compare September 24, 2025 22:46
Comment on lines +227 to +229
exp.column("table_catalog").eq(exp.Literal.string(catalog_name.lower())),
exp.column("table_schema").eq(exp.Literal.string(schema_name.lower())),
exp.column("table_name").eq(exp.Literal.string(table_name.lower())),
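
Review bot: The three equality filters lower-case catalog_name, schema_name and table_name before comparing them with table_catalog, table_schema and table_name, but nothing beside them records why that is safe. If an object's name is stored with any upper-case character, these filters match no rows. Suggest a short comment stating the assumption the lower-casing relies on, or lower-casing both sides of each comparison.
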
Contributor

I assume the reason we lower-case everything is because we are assuming Databricks users will be using Unity Catalog? Is that always the case? I know some deployments still use hive metastore. If I remember correctly, table names etc. can be case sensitive there.

Collaborator Author

The engine adapter itself assumes Unity Catalog. So we don't need to worry about hive metastore compatibility.

@eakmanrq eakmanrq merged commit ca9588e into ddai/grants Sep 25, 2025
14 of 21 checks passed
@eakmanrq eakmanrq deleted the eakmanrq/databricks_grants branch September 25, 2025 16:12
newtonapple pushed a commit that referenced this pull request Sep 29, 2025
newtonapple pushed a commit that referenced this pull request Sep 30, 2025
newtonapple pushed a commit that referenced this pull request Oct 2, 2025