Databricks Community

Yes, I understood that creation of CONNECTION type= "Snowflake":

• snowflake acc url is enough for JDBC, and CATALOG BASICS provide the EXTERNAL LOCATION & paths (Iceberg tables).

My understanding is (please confirm):

1. DBX pulls via JDBC all Snowflake schemas, tables of specified database.
2. upon access: if its Iceberg table try direct storage access, fallback to jdbc if something wrong with metadata/storage access/definition.
3. For all non-iceberg tables --> use JDBC.

But how about the 3rd type of access - type "Snowflake Horizon" REST Iceberg API - access to only Snowflake Iceberg tables):

• is this a new type of CONNECTION that I don't see because I'm on DBX  free tier ?
• Or connection just same "Snowflake", meaning despite DBX user never sees "Snowflake Horizon rest catalog", implicitly DBX will indeed try connect to Snowflake end point on above step 2. instead of just using jdbc to pull info on snowflake iceberg tables, does DBX just appends "/iceberg" to the only physical supplied host field ~ snowflake account provided in the connection resulting on: https://<account_identifier>.snowflakecomputing.com/iceberg

Hope its clear my doubt now? Thanks in advance ~ 

If you see the text in the second link I sent, you'll see this:

"Create a connection to Snowflake Horizon Catalog and create a foreign catalog using one of the authentication methods listed above. You must specify a location in cloud storage where metadata will be stored for Iceberg tables in this catalog."

ie, there's no 3rd mechanism needed.

And yes, your general understanding is correct.

To summarize that specifically:

• When a table qualifies (Iceberg with supported URI/scheme), Databricks reads directly from object storage; otherwise it automatically falls back to JDBC (query federation).
• Only specific schemes are supported (s3, abfs, gs, r2, wasb/wasbs, etc.); special characters or metadata outside the table location block direct access, triggering fallback.
• Writing/reading via JDBC to Iceberg in a catalog‑federated catalog is disabled once a storage location is configured on the catalog; non‑Iceberg tables are unaffected.

Thanks for your feedback, but I still don't have the insight Im trying ton<understand, sorry if it's on my side the way I expressed.

Horizon in Snowflake catalog.
BUT.. Recently Snowflake opened up a new REST ICEBERG API endpoint that that gives access to Snowflake Iceberg tables (it's comply to the standard iceberg rest api; similar to Unity Catalog REST ICEBERG API endpoint.
Snowflake SQL client drivers (JDBC, ODBC, etc) communicate with another  Snowflake REST SQL API underneath.
Meaning one can refer to Snowflake Horizon as just 1 thing, but in fact theres 2 endpoints: JDBC via SQL REST API, and the new endpoint ICEBERG REST API.

I been trying to understand in the context of acessing Snowflake managed Iceberg tables, if Databricks already supported the recent Snowflake REST ICEBERG API or not?

The future is multi compute sharing Iceberg tables via the standsrd REST ICEBERG API that both Unit Catalog and Snowflake Horizon exposes. I know how Snowflake can federate READ/WRITE with vended credentials connecting to UC rest iceberg api.

So just trying understand if the other way also possible:

Can Databricks connect to Snowflake Horizon via Snowflake REST ICEBERG API. (not JDBC) ?
Hope this clarifies, because documentation referring to Snowflake Horizon, but doesn't share if physical API only JDBC, orif DBX already supports Snowflake Horizon acccess via new REST ICEBERG API endpoint.

Hope this helps, maybe Databricks needs update documentation, but for now just trying confirm if DBX can or not uses the advanced rest iceberg.

Thanks in advance ~

Thanks @SteveOstrowski exactly the detail I was expecting and kinda suspected but wanted to besure, and surely will help both communities 😊.

Steve's answer is incorrect about Databricks using Iceberg Rest APIs. Catalog Federation is simply a workaround & marketing term for NOT supporting Databricks UNITY from accessing Iceberg Rest Catalog APIs to read or write from external IRC Catalogs.  

Steve, your answer incorrect. Databricks does NOT use Horizon/Polaris or any other IRC rest APIs to talk to any external system.  Access to any external Iceberg Catalog like Glue, Google. Horizon, Polaris & etc. is blocked by UNITY either to read or write data.

This is exactly why you have to provide a JDBC connection string for the federated catalogs. Databricks needs to run SQL queries for each table to figure out the schema, columns but more importantly where the actual iceberg files are located.

Because UNITY won't allow IRC Rest Catalog APIs to other catalogs, running bunch of DESC TABLE or SHOW COLUMNS type SQL queries for metadata using Provider's compute (Snowflake compute in the case of Horizon) for each query is both a bottle neck for performance, adds cost to provider but more importantly does not provide the temp vended creds to access the table locations as IRC APIs would.

Because it has no way of fetching vended creds via SQL, it required provider (Snowflake admin) to grant permanent full read/write access to Databricks for their main iceberg table storage locations (Unsecure, major compliancy issues) as Databricks owner can mistakenly blow up any file or folder with that kind of access w/o any knowledge of catalog owner (Snowflake).

It still needs WRITE access even if it needs to only read the table because Databricks compute (mainly Photon) does not currently have ability to directly read Iceberg tables. It will generate Delta metadata for each IB table and use that to query instead of reading Iceberg directly.

If it did use IRC APIs for external catalogs for read & write ops like Glue or Snowflake can, it would :

1. Not need a JDBC Connection (APIs are Driverless.Only login creds would be enough to talk to IRC Apis)
2. Not need SNOWFLAKE_WAREHOUSE for that connection as IRC Rest APIs do not use any provider compute clusters to run queries.
3. Not need permanent read/write access to root storage locations for all iceberg table because IRC dynamically sends Temp Vended Creds for compliant engines to access the files.

Hi Steve,

Again, it is not entirely accurate.

1. Databricks Snowflake Warehouses for Non-Iceberg Tables however for Iceberg Tables, it will use Snowflake Compute in the Global Services (GS) layer to run SQL metadata queries (SHOW TABLE, SHOW COLUMNS DESCRIBE TABLE & etc.).  GS layer in Snowflake is shared compute that allows Snowflake customers to run many metadata queries for free w/o needing to start a paid warehouse. Unfortunately it is free compute ONLY if the usage on this layer stays below 10% of the actual warehouse compute spend. For 99.9% of the case, no-one runs abnormal amount of metadata queries where it exceed 10% of their compute so they never pay.  Problem with Databricks using this JDBX + SQL method to fetch metadata from Snowflake per each table & per each query means, Databricks is running exclusively metadata queries in the hundreds or many thousands (if these tables are queried often). Since warehouse is not used for these queries, their cost exceeds 10% of compute usage and customers are billed for all this compute. Databricks SEs and AEs tell Snowflake customers that these queries are free without knowing how the GS compute is billed. It is designed to be FREE when used as intended. When the Free Metadata options is abused and you run 10K DESC or SHOW table queries then that is billed at the warehouse rate. 

2. Unfortunately is does not. It was a little mistake on my part for where you need the WRITE access. For Federated Catalog, you need to set tup 2 storage location. 

Authorized Paths: This is the root storage bucket of all Iceberg tables from the provider which the provider has to grant read-only ACCESS. Again, because you don't use IRC APIs and not able to fetch temp vend creds, there is no way to easily lock down the sub folders for the tables DBX needs access by the provider. If they 1000 Iceberg tables but want to grant you 100 of them via the catalog, they either need to give read access to root for all tables (which is not secure) OR they somehow have to come up with complex IAM rules that grants access to only those 100 tables(that is a maintenance nightmare as IAM rules are separate than RBAC.  IF they grant you access to more tables or remove RBAC access to existing tables, provider than has to to their IAM rules and make sure they fix them each time to match the proper folders). Either way, this is not something anyone would use unless it is the same company, provider fully trusts the Databricks team with their files and no compliancy issues. 

Storage Location: This is where you need to define an additional cloud storage for Federated Catalog to be able to WRITE.  It needs this because Databricks Serverless & PHOTON engines & UNITY does not read ICEBERG table format directly. They can read the actual Data Parquet files but the IB metadata files. This is why it needs this access as it needs to create Delta version of the iceberg table metadata and that's what Databricks Engines use to query the tables directly.  

3. I explain the WRITE requirement. It is not for the IB storage location but can be any Storage bucket. It is required to read IB tables using Databricks compute for federated catalog.

4. This is where Databricks keeps giving the same unrelated wrong answer to this same question and creating confusion in the field and the customer base who manage data in external Iceberg Catalogs like Horizon, Glue & etc.. Reminder: The question was CAN DATABRICKS COMPUTE TALK TO OTHER EXTERNAL IRC CATALOGS USING IRC APIS & USE VENDED CREDS to access their Iceberg tables. 

It was NOT "Does Databricks uses IRC APIs and Vended Creds to Serve its own tables within UNITY?."  Databricks seems to purposefully give this misleading answer every time to avoid giving the correct answer. The answer is about Whether Databricks can to access other catalogs and not the other way around. The correct answer is Databricks currently HAS NO NATIVE SUPPORT FOR READING OR WRITING to external Iceberg tables using IRC API or by using Vended Creds to access the data files.

This is why it still needs JDBC connection to run SQL metadata queries to find what the table columns look like, where the tables files are stored and pre-approved permanent READ-ONLY access to read those files + another storage bucket with WRITE access to generate the Delta Matadata files for their compute to be able to query these tables.

If Databricks has support for "Their compute to read/write other external catalogs" using IRC APIs, then none of the above would be needed. No need for JDBC because you wouldn't run SQL "metadata" queries that cost Snowflake customers money as APIs give you all that info, Wouldn't need permanent read access IB files ahead of time as IRC APIs give temp vended creds to access the files.