Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.

Hide VIEW definition in Unity-Catalog

BMex
New Contributor III

Hi,

I am trying to set up Unity-Catalog for my company and ran into a problem today. Basically, for each new source of data we ingest, we create a view-layer on top of the "tables". We do that because we have pseudonymized information in our datalake environment, and we decrypt the information on-the-fly using views.

We organize the view-layer by putting views that belong to a source inside a database/schema. We then provide access to the whole database/schema for users that need it.

BEFORE UNITY-CATALOG:

Back then I discovered that, if you can view the metadata of VIEWS, you could see the key that was used to decrypt columns in plain-text. I could, however, restrict this by simply removing READ_METADATA permission from users. That way, users could not see the schema, history, or any other detail about the view (see screenshot depicted below).

BMex_1-1695113477735.png

WITH UNITY-CATALOG:

Even if I provide only USE CATALOG (on catalog level), USE SCHEMA and SELECT (on database/schema level) permission to users, they can still see the "View definition" in the Details tab of that view. This exposes the decryption key in plain-text (see screenshot depicted below).

BMex_0-1695113280990.png

I searched and I don't see anything like the READ_METADATA permission we had before to restrict this for our users in Unity-Catalog. Do you have any idea how I can hide this information?

Accepted Solutions

BMex
New Contributor III

One solution I found is creating a function which does the decryption of the column; in the view definition, I simply call the function and pass the column.

This solution, however, pushes me to put the decryption key inside the function in plain-text. But, to be honest, this wouldn't be a problem since I can make this function highly secure.

Should someone else have a better solution, please feel free to share. 
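A sketch of the function-wrapper layout described in the answer above, added here as an illustration and not taken from the original post. The catalog, schema, table, column and group names are hypothetical, the key is a placeholder, AES via `aes_decrypt` is an assumed cipher, and it is assumed that the view runs the function with the view owner's privileges so readers need no `EXECUTE` grant (step 4 is there to check that in your workspace).

```sql
-- Added example. Hypothetical names: catalog `lake`, schemas `sec`,
-- `crm_raw`, `crm_views`, table `customers`, group `analysts`.

-- 1. Keep the function in a schema on which readers hold no privileges.
CREATE SCHEMA IF NOT EXISTS lake.sec;

CREATE OR REPLACE FUNCTION lake.sec.decrypt_col(ciphertext BINARY)
  RETURNS STRING
  COMMENT 'Decrypts a pseudonymized column'
  -- Placeholder key: replace with your real key (AES is an assumption).
  RETURN CAST(aes_decrypt(ciphertext, '<PLACEHOLDER-KEY>') AS STRING);

-- 2. The view definition now contains only the function call, so the
--    "View definition" shown in the Details tab no longer includes the key.
CREATE OR REPLACE VIEW lake.crm_views.customers AS
SELECT
  id,
  lake.sec.decrypt_col(email_enc) AS email
FROM lake.crm_raw.customers;

-- 3. Readers get the same grants as in the question, on the view schema
--    only. Nothing is granted on lake.sec or lake.crm_raw.
GRANT USE CATALOG ON CATALOG lake TO `analysts`;
GRANT USE SCHEMA  ON SCHEMA lake.crm_views TO `analysts`;
GRANT SELECT      ON SCHEMA lake.crm_views TO `analysts`;

-- 4. Checks.
-- As the owner: confirm no reader principal holds EXECUTE on the function
-- (directly or inherited from the schema or catalog).
SHOW GRANTS ON FUNCTION lake.sec.decrypt_col;
SHOW GRANTS ON SCHEMA lake.sec;

-- As a member of `analysts`: the first statement should return rows;
-- the second should be denied rather than returning the function body.
SELECT id, email FROM lake.crm_views.customers LIMIT 5;
DESCRIBE FUNCTION EXTENDED lake.sec.decrypt_col;
```

Anyone who owns the function or holds broad privileges on `lake.sec` can still read the key from the function body, so ownership of that schema is what needs to stay restricted.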


