Lakebase -- Enable RLS in synced Table

DaPo
New Contributor III

Dear all,

I am currently testing Lakebase for integration in our overall system. In particular, I need to enable RLS on a Lakebase table, which is synced from a "Delta Streaming Table" in UC. Setting up the data sync was no trouble; in UC I am the owner of the table. Enabling RLS is somewhat more troublesome. Here are the steps I have tried (without success):

  1. Create a database role tied to my Databricks user, which has all privileges including databricks_superuser (https://docs.databricks.com/aws/en/oltp/pg-roles)
  2. Open the SQL-Editor, select the Lakebase instance as compute.
  3. Run ALTER TABLE <my-table> ENABLE ROW LEVEL SECURITY; (https://www.postgresql.org/docs/17/ddl-rowsecurity.html)
  4. Get an error: "You must be Owner of the table" (Remember, in UC I am the owner).

I assume that I am missing something here about how the interaction between Databricks user and Postgres role happens. So what am I missing?

Also: Are there any possibilities or plans to utilize UC Row-Filters with Lakebase (https://docs.databricks.com/aws/en/data-governance/unity-catalog/filters-and-masks/)? It would be nice to have a unified, integrated RLS solution for Lakebase tables and Delta tables.

Greetings, Daniel

Advika
Community Manager

Hello @DaPo!

Could you please confirm whether you are the owner of the table within the Lakebase Postgres (not just in Unity Catalog)?
Also, can you try creating a view on the synced table and then configure RLS on that view?


DaPo
New Contributor III

Hi @Advika,

Yes, I was only the owner in UC; the Lakebase owner is some databricks_writer, and features like RLS seem to be restricted. Since Lakebase is quite new, I do not yet fully understand the interaction between UC concepts and Lakebase concepts. Creating a view does the trick.

som_natarajan
Databricks Employee

You can't sync RLS from UC tables to Lakebase (yet). You can either create separate RLS rules on PG or you can create a custom pipeline that can read from the RLS UC table and use JDBC to write into Lakebase directly. 

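A sketch of the view-based row filter this thread settles on, written as an added example (not code from any poster or from Databricks). It assumes a hypothetical synced table `public.orders_synced` with a `tenant_id` column, a hypothetical mapping table `app.role_tenant`, and a hypothetical reader role `app_reader`; the view owner is assumed to already have SELECT on the synced table.

```sql
-- All object and role names below are hypothetical placeholders.
CREATE SCHEMA IF NOT EXISTS app;

-- Maps each Postgres role to the tenant whose rows it may read.
CREATE TABLE app.role_tenant (
    role_name name PRIMARY KEY,
    tenant_id text NOT NULL
);

-- The view carries the row filter, since the synced table's owner is a
-- different role and RLS cannot be enabled on the table itself.
-- security_barrier stops functions in a caller's WHERE clause from being
-- evaluated before the filter, which could otherwise expose filtered rows.
-- With the default (non-invoker) behaviour, access to the base tables is
-- checked against the view owner, while current_user is still the caller.
CREATE VIEW app.orders_visible
WITH (security_barrier = true) AS
SELECT o.*
FROM public.orders_synced AS o
JOIN app.role_tenant AS m
  ON m.tenant_id = o.tenant_id
WHERE m.role_name = current_user;

-- Readers get the view only: no grant on the synced table or the mapping.
CREATE ROLE app_reader NOLOGIN;
GRANT USAGE ON SCHEMA app TO app_reader;
GRANT SELECT ON app.orders_visible TO app_reader;

-- Audit the result. If base_readable or mapping_readable is true, readers
-- can bypass or inspect the filter and the grants need tightening.
SELECT
    has_table_privilege('app_reader', 'public.orders_synced', 'SELECT') AS base_readable,
    has_table_privilege('app_reader', 'app.role_tenant', 'SELECT')      AS mapping_readable,
    has_table_privilege('app_reader', 'app.orders_visible', 'SELECT')   AS view_readable;
```

Login roles that should see filtered data are then made members of `app_reader` and given a row in `app.role_tenant`; any role that can read the synced table directly is outside the filter.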