Access Controls with Unity Catalog
Summary
TLDRIn this video, Pearl uu from Databricks demonstrates Unity Catalog's central governance and auditing capabilities for data access control. The script showcases how to organize data assets, set permissions at different levels, and utilize a shared cluster for fine-grained access control. It also covers creating a feature store, training and registering a model using MLflow, and setting up row and column-level security for sensitive data, ensuring data analysts can access relevant subsets safely.
Takeaways
- π Unity Catalog is a central governance tool that manages and audits data access across workspaces.
- π₯ Data governance leaders and central governance teams have full admin capabilities to grant access to workspaces or metastores.
- π Access can be granted to users, groups, or service principles within an organization for specific data assets.
- π The demonstration uses a Databricks ML Workshop notebook to showcase the power of access controls within Unity Catalog.
- ποΈ Catalogs are the first layer of Unity Catalog's three-level namespace, used for organizing data assets and setting permissions.
- π Schemas, the second layer, organize tables, views, volumes, and models, with permissioning set for teams to use them.
- πΎ Volumes, the third layer, contain directories and files for data stored in any format, providing non-tabular data access.
- π Demonstrated the process of granting read and write privileges on a volume to a data science team for a specific dataset.
- π οΈ The video shows setting up a cluster with Unity Catalog for data analysis and machine learning workflows.
- π The data science team creates a feature store table for training and testing models, leveraging the catalog and schema setup.
- π Unity Catalog provides row and column-level security through row filters and column masks to protect sensitive data.
- π SQL functions are used to create row filters and column masks, tailoring data access for different teams' needs.
Q & A
What is the role of Pearl uu in the video?
-Pearl uu is a technical marketing engineer at Databricks, and she presents a demonstration on how Unity Catalog governs and audits data access.
What capabilities are granted to the data governance leader and central governance team in Unity Catalog?
-The data governance leader and central governance team are granted full admin capabilities, allowing them to grant access to workspaces or metastores to users, groups, or service principles within the organization.
What is a catalog in Unity Catalog and how is it used?
-A catalog in Unity Catalog is the first layer of the three-level namespace. It is used to organize data assets and set permissions for teams to use within the catalog.
What is a schema in Unity Catalog and what is its purpose?
-A schema in Unity Catalog is the second layer of the three-level namespace. It organizes tables, views, volumes, and models, and allows for permissioning to be set at the schema level.
What is a volume in Unity Catalog and how does it relate to data storage?
-A volume in Unity Catalog is part of the third layer of the namespace. It resides under a schema and contains directories and files for data stored in any format, providing non-tabular access to data.
What is the significance of the 'NP volume' in the demonstration?
-The 'NP volume' is significant as it contains a dataset called 'Lending Club' that the data science team will use. It demonstrates how to grant read and write privileges on a volume.
What is the purpose of creating a shared cluster in Unity Catalog?
-A shared cluster in Unity Catalog is used for most use cases where users can share resources and support fine-grained access control. It is suitable for collaborative work environments.
What is a feature store table and how is it utilized in the script?
-A feature store table, such as 'loan features Test 2' in the script, is used to house features needed for model training and testing. It is created to manage and organize the features for machine learning models.
How does Unity Catalog facilitate the registration of models?
-Unity Catalog allows the registration of models by referencing the same catalog and schema names used throughout the process. This ensures consistency and organization of models within the catalog.
What is the Catalog Explorer and how does it help in managing tables and models?
-The Catalog Explorer is a tool within Unity Catalog that allows users to view and manage all the tables and models within a specific catalog and schema. It helps in organizing and providing access to data assets.
How does Unity Catalog provide row and column-level security?
-Unity Catalog provides row and column-level security through the use of row filters and column masks. This allows for the control of access to specific rows of data and the masking of sensitive columns.
Outlines
π οΈ Data Governance with Unity Catalog
In this segment, Pearl introduces herself as a technical marketing engineer at Databricks and outlines the purpose of the video: to demonstrate how Unity Catalog manages and audits data access across workspaces. As the data governance leader, one has full admin capabilities to grant access to workspaces or metastores. The demonstration uses a Databricks ML Workshop notebook to showcase access controls within Unity Catalog. The video begins with setting up a catalog called 'niore catalog,' which is the first layer of Unity Catalog used for organizing data assets and setting permissions. The data science team has been granted privileges to use this catalog and create various data structures within it, such as schemas, volumes, and datasets. The setup includes defining catalog and schema names for consistency and setting up a shared cluster for data analysis. The process involves loading the 'Lending Club' dataset into a Delta table named 'Loan Data' for further analysis and model training.
π Row and Column Level Security in Unity Catalog
This paragraph delves into the advanced security features of Unity Catalog, focusing on row and column-level security through the use of row filters and column masks. The data science team, having full privileges, wishes to provide the data analyst team with access to the 'loan data' table but with certain restrictions due to sensitive data. To achieve this, SQL functions are created to mask the 'annual income' column and filter the data to show only homeowners with mortgages. The functions are applied to the 'loan data' table, ensuring that the data analyst team can access the necessary data without exposure to sensitive information. The video concludes by verifying the successful application of these security measures, demonstrating how Unity Catalog can centrally govern and audit data access across workspaces, ensuring data privacy and compliance.
Mindmap
Keywords
π‘Unity Catalog
π‘Technical Marketing Engineer
π‘Data Governance
π‘Catalog
π‘Schema
π‘Volume
π‘Data Science Team
π‘Feature Store
π‘MLflow
π‘Row and Column Level Security
π‘Data Analyst Team
Highlights
Unity Catalog centrally governs and audits data access across workspaces, providing full admin capabilities to the central governance team.
Catalogs are the first layer of Unity Catalog's three-level namespace, used for organizing data assets and permissioning.
Schemas, also known as databases, are the second layer of Unity Catalog, organizing tables, views, volumes, and models with permissioning capabilities.
Volumes, the third layer of Unity Catalog, contain directories and files for data stored in any format, providing non-tabular access to data.
Data access can be consistently referenced by defining catalog and schema names appropriately.
Two types of clusters are supported: shared clusters for fine-grained access control and single-user clusters for advanced use cases like GPU or distributed machine learning.
Data can be loaded from volumes and saved as Delta tables for future use, as demonstrated with the London Club dataset.
Feature store tables, like 'loan features test 2', are created to house features needed for model training and testing.
MLflow can be used to create training sets, test, train models, and register them in Unity Catalog.
Models and tables in Unity Catalog can be explored in the Catalog Explorer, showing their relationships and permissions.
Execute permissions can be set for models, allowing the data science team to use them when necessary.
Row and column-level security can be provided through row filters and column masks to protect sensitive data.
SQL functions can be created to mask specific columns, like annual income, and filter rows based on criteria, such as homeowners with mortgages.
Data analysts can utilize tables with applied row filters and column masks, ensuring access to only the necessary data without exposing sensitive information.
Unity Catalog enables centralized governance and auditing of data access, ensuring secure and controlled data usage across workspaces.
Transcripts
00:00hi my name is Pearl uu and I am a
00:03technical marketing engineer here at
00:05data breaks in this video I'm going to
00:08share with you how Unity catalog
00:10centrally governs and audits data access
00:13across workspaces as the data governance
00:16leader of your organization you and your
00:18central governance team have been
00:20granted full admin capabilities and can
00:23grant access to workspaces or meta
00:25stores to users groups or service
00:29principles in your Organization for the
00:31purpose of this demo we will use the
00:33datab bricks ml Workshop notebook to see
00:36the power of access controls within
00:38Unity catalog and to get started we'll
00:41need some data to work with to do this
00:44the data science lead has created a
00:47catalog called niore catalog a catalog
00:51is the first layer of unity catalog thre
00:54level name space it's used to organize
00:57your data assets and permissioning has
01:00been set for the data science team to
01:02use the catalog within the catalog
01:05there's a schema titled default that has
01:08already been created by the data science
01:10lead as well a schema also called a
01:13database is the second layer of unity
01:16catalog three-level name space a schema
01:19organizes tables views volumes and
01:23models permissioning can also be set at
01:26the catalog level and in this case it's
01:29been set for the data science team to
01:31have privileges to use the schema create
01:34functions materialize views models
01:38tables and volumes within the schema
01:41within the schema there's a volume
01:43called NP volume again created by the
01:47data science lead a volume resides in
01:50the third layer of unity catalog
01:52three-level
01:53namespace volumes are organized under a
01:57schema in unity catalog volume volumes
02:00contain directories and files for data
02:02stored in any format and provide
02:06non-tabular access to
02:08data NP volume has a data set called
02:12Lending Club that the data science team
02:14will use by granting read and write
02:17privileges on volume
02:19access back in the notebook before we do
02:22anything we're going to make sure that
02:24we can consistently reference the
02:26catalog and scheme a name by defining
02:29them appropriately for the workshop
02:32we'll be referencing the catalog as ni
02:34catalog and another schema called user
02:38before any member of the data science
02:40team can even run this code we have to
02:43make sure that we have our cluster set
02:45up so let's create a new resource with
02:48unity catalog there are two different
02:50clusters that we support one is the
02:53shared cluster which is good for 90% of
02:55your use cases users can share it and we
02:59support all all of the fine grained
03:00access
03:01control then we have the single user
03:04clusters this is where if you want to do
03:07something slightly more advanced maybe
03:09you want to use a GPU or distributed
03:12machine learning then you can break out
03:14onto this cluster and safely isolate
03:17yourself for the purpose of this
03:19Workshop we're going to use a shared
03:22cluster then we're going to load our
03:25London Club data set from our volume and
03:28then save it as a Delta table called
03:30Loan Data for future
03:32use after doing some exploratory data
03:35analysis on this loan data set the data
03:38science team would like to reasonably
03:40estimate a specific loan status given
03:43the data provided in the loan data
03:46table to do this a feature store table
03:49will be created called loan features
03:52Test
03:532 this table will house the features
03:56needed for when the model is trained and
03:58tested as you can see this table is
04:02referencing the catalog and the schema
04:04we created earlier harnessing the power
04:07of unity catalog now we can create a
04:10training set using our features from the
04:12feature store and then test and train
04:15the model using ml flow then we'll
04:17register the model in unity catalog by
04:20referencing the same catalog schema name
04:24and the name of the model which in this
04:26case is loan estimator the configuration
04:29of the mlflow client to access models in
04:33unity catalog is referenced here now
04:37let's take a look at where all of the
04:38tables and models reside in the catalog
04:41Explorer under the Nico catalog and
04:45under the user schema that was
04:47referenced throughout the workshop we
04:49have our Loan Data which is our full
04:51Loan Data set we also have loan features
04:55test two which is the feature store
04:57table to hold our loan features and then
05:00below that as you can see we have our
05:02loan estimator model registered right
05:05here in our catalog as
05:08well if we click the model we can set
05:11execute permissions to our data science
05:14team giving them the ability to use the
05:16model when necessary similarly our
05:19tables also provide permissioning and we
05:22can showcase that by giving the data
05:24science team select privileges on the
05:28table speaking of tables let's see how
05:31Unity catalog provides row and column
05:34level security through row filters and
05:37column masks respectively the data
05:40science team knows that eventually the
05:43data analyst team might want to utilize
05:46the loan data table to generate
05:48reports however there might be some
05:51columns that may need to be masked due
05:53to the sensitive data that they hold or
05:56maybe rows would need to be filtered out
05:58so that the data analyst team can query
06:01a subset of the data that they need to
06:04do this it's very simple first we're
06:07going to see what our current data set
06:09looks like this is what the data science
06:12team will be able to see since they have
06:14full
06:15privileges they want to show the data
06:17analyst team only data where homeowners
06:20have a mortgage and where their income
06:22is hidden so let's create the SQL
06:25functions I'm going to Leverage The
06:28Power of unity catalog here here by
06:30using the catalog and the schema where
06:32my data set resides then I'll create a
06:35function that masks the annual income
06:39and only allows the data science team to
06:41see it next we'll set up a function that
06:44filters out the home ownership status to
06:47just homeowners with
06:49mortgages now we can verify that our
06:52functions have been set up correctly and
06:55then apply these newly created functions
06:57to the loan data table
07:00let's take a look at our new loan data
07:02table and here we can verify that our
07:06annual income column is masked to show
07:08the null value instead and the
07:11homeowners are all mortgages this table
07:13can now be utilized by the data analyst
07:16team as needed without any concerns
07:18surrounding sensitive data and with that
07:21you've learned how Unity catalog
07:23centrally governs and audits data access
07:26across workspaces
5.0 / 5 (0 votes)