Hide VIEW definition in Unity-Catalog

BMex
New Contributor III

Hi,

I am trying to set up Unity-Catalog for my company and ran into a problem today. Basically, for each new source of data we ingest, we create a view-layer on top of the "tables". We do that because we have pseudonymized information in our datalake environment, and we decrypt the information on-the-fly using views.

We organize the view-layer by putting views that belong to a source inside a database/schema. We then provide access to the whole database/schema for users that need it.

BEFORE UNITY-CATALOG:

Back then I discovered that, if you can view the metadata of VIEWS, you could see the key that was used to decrypt columns in plain-text. I could, however, restrict this by simply removing READ_METADATA permission from users. That way, users could not see the schema, history, or any other detail about the view (see screenshot depicted below).

[Screenshot: BMex_1-1695113477735.png]

WITH UNITY-CATALOG:

Even if I provide only USE CATALOG (on catalog level), USE SCHEMA and SELECT (on database/schema level) permission to users, they can still see the "View definition" in the Details tab of that view. This exposes the decryption key in plain-text (see screenshot depicted below).

[Screenshot: BMex_0-1695113280990.png]

I searched and I don't see anything like the READ_METADATA permission we had before that would let me restrict this for our users in Unity-Catalog. Do you have any idea how I can hide this information?

ACCEPTED SOLUTION

BMex
New Contributor III

One solution I found is creating a function which does the decryption of the column; in the view creation, I simply call the function and pass the column.

This solution, however, pushes me to put the decryption key inside the function in plain-text. But, to be honest, this wouldn't be a problem since I can make this function highly secure.

Should someone else have a better solution, please feel free to share. 
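
The function-wrapping approach described in this post, sketched in Databricks SQL as an added example (not the poster's code). The catalog, schema, table, column and group names are hypothetical, the key is a placeholder, and the use of `aes_decrypt` on base64 ciphertext is an assumption, since the post does not say how its columns are encrypted.

```sql
-- Added example. All object names below are hypothetical.

-- 1. Keep the function in its own schema, on which view readers
--    receive no privileges at all.
CREATE SCHEMA IF NOT EXISTS main.secure_fn;

CREATE OR REPLACE FUNCTION main.secure_fn.decrypt_col(ciphertext STRING)
  RETURNS STRING
  COMMENT 'Decrypts a pseudonymized column value'
  RETURN CAST(
    -- Placeholder key; aes_decrypt expects a 16, 24 or 32 byte key.
    aes_decrypt(unbase64(ciphertext), '<KEY-PLACEHOLDER>') AS STRING
  );

-- 2. The view definition now shows only the function call, not the key.
CREATE OR REPLACE VIEW main.crm_views.customers AS
SELECT customer_id,
       main.secure_fn.decrypt_col(email_enc) AS email
FROM   main.crm_raw.customers;

-- 3. Same grants as in the question: catalog usage plus schema-level
--    USE SCHEMA and SELECT on the view schema only.
GRANT USE CATALOG ON CATALOG main TO `crm_readers`;
GRANT USE SCHEMA, SELECT ON SCHEMA main.crm_views TO `crm_readers`;

-- 4. Checks to run before relying on this layout.
--    As the owner: confirm nobody unexpected holds privileges on the
--    function or its schema.
SHOW GRANTS ON FUNCTION main.secure_fn.decrypt_col;
SHOW GRANTS ON SCHEMA main.secure_fn;

--    As a member of crm_readers: the view should return decrypted data,
--    and the function body (where the key lives) should not be readable.
--    If DESCRIBE returns the body, the key is still exposed.
SELECT email FROM main.crm_views.customers LIMIT 1;
DESCRIBE FUNCTION EXTENDED main.secure_fn.decrypt_col;
```

The key still sits in plain text in the function body, so anyone who owns or can describe the function can read it; the checks in step 4 are what establish that view readers cannot.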
