|
| 1 | +--- |
| 2 | +title: Databricks Setup |
| 3 | +beta: true |
| 4 | +plan: unify |
| 5 | +hidden: true |
| 6 | +--- |
| 7 | + |
| 8 | +> info "Linked Profiles is in public beta" |
| 9 | +> Linked Profiles (Data Graph, Linked Events, and Linked Audiences) is in public beta, and Segment is actively working on this feature. Some functionality may change before it becomes generally available. |
| 10 | +
|
| 11 | +On this page, you'll learn how to connect your Databricks data warehouse to the Segment Data Graph. |
| 12 | + |
| 13 | +## Set up Databricks credentials |
| 14 | + |
| 15 | +Sign in to Databricks with admin permissions to create new resources and provide the Data Graph with the necessary permissions. |
| 16 | + |
| 17 | +Segment assumes that you already have a workspace that includes the datasets you'd like to use for the Data Graph. Segment recommends setting up a new Service Principal user with only the permissions to access the required catalogs and schemas. |
| 18 | + |
| 19 | +### Step 1: Set up a Service Principal user |
| 20 | + |
| 21 | +Segment recommends that you set up a new Service Principal user. If you already have a Service Principal user you'd like to use, grant it "Can use" permissions for your data warehouse and proceed to [Step 2: Create a catalog for Segment to store checkpoint tables](#step-2-create-a-catalog-for-segment-to-store-checkpoint-tables). |
| 22 | + |
| 23 | +If you want to create a new Service Principal user, complete the following substeps: |
| 24 | + |
| 25 | +#### Substep 1: Create a new Service Principal user |
| 26 | +1. Log in to the Databricks UI as an Admin. |
| 27 | +2. Click **User Management**. |
| 28 | +3. Select the **Service principals** tab. |
| 29 | +4. Click **Add Service Principal**. |
| 30 | +5. Enter a Service Principal user name and click **Add**. |
| 31 | +6. Select the Service Principal user you just created and click **Generate secret**. |
| 32 | +7. Save the **Secret** and **Client ID** to a safe place. You'll need these values to connect your Databricks warehouse to Segment. |
| 33 | +8. Navigate to Workspaces and select your Workspace. |
| 34 | +9. Select the “Permissions” tab and click **Add Permissions**. |
| 35 | +10. Add the newly created Service Principal user and click **Save**. |
| 36 | + |
| 37 | +> success "" |
| 38 | +> If you already have a warehouse you'd like to use, you can move on to the next substep, [Substep 2: Add your Service Principal user to Warehouse User Lists](#substep-2-add-your-service-principal-user-to-warehouse-user-lists). If you need to create a new warehouse first, see the [Create a new warehouse](#create-a-new-warehouse) before completing the next substep. |
| 39 | +
|
| 40 | +#### Substep 2: Add your Service Principal user to Warehouse User Lists |
| 41 | +1. Log in to the Databricks UI as an Admin. |
| 42 | +2. Navigate to SQL Warehouses. |
| 43 | +3. Select your warehouse and click **Permissions**. |
| 44 | +4. Add the Service Principal user and grant them “Can use” access. |
| 45 | +5. Click **Add**. |
| 46 | + |
| 47 | +##### (Optional) Confirm Service Principal permissions |
| 48 | +Confirm that the Service Principal user that you're using to connect to Segment has "Can use" permissions for your warehouse. |
| 49 | + |
| 50 | +To confirm that your Service Principal user has "Can use" permission: |
| 51 | +1. In the Databricks console, navigate to SQL Warehouses and select your warehouse. |
| 52 | +2. Navigate to Overview and click **Permissions**. |
| 53 | +3. Verify that the Service Principal user has "Can use" permission. |
| 54 | + |
| 55 | +### Step 2: Create a catalog for Segment to store checkpoint tables |
| 56 | + |
| 57 | +> warning "Segment recommends creating an empty catalog for the Data Graph" |
| 58 | +> If you plan to use an existing catalog with Reverse ETL, follow the instructions in the [Update user access for Segment Reverse ETL catalog](#update-user-access-for-segment-reverse-etl-catalog) section. |
| 59 | + |
| 60 | +Segment requires write access to a catalog to create a schema for internal bookkeeping, and to store checkpoint tables for the queries that are executed. |
| 61 | + |
| 62 | +Segment recommends creating an empty catalog for this purpose by running the following SQL. This is also the catalog that you'll be required to specify when setting up your Databricks integration in the Segment app. |
| 63 | + |
| 64 | +```sql |
| 65 | +CREATE CATALOG IF NOT EXISTS `SEGMENT_LINKED_PROFILES_DB`; |
| 66 | +-- Copy the Client ID by clicking “Generate secret” for the Service Principal user |
| 67 | +GRANT USAGE ON CATALOG `SEGMENT_LINKED_PROFILES_DB` TO `${client_id}`; |
| 68 | +GRANT CREATE ON CATALOG `SEGMENT_LINKED_PROFILES_DB` TO `${client_id}`; |
| 69 | +GRANT SELECT ON CATALOG `SEGMENT_LINKED_PROFILES_DB` TO `${client_id}`; |
| 70 | +``` |
| 71 | + |
| 72 | +### Step 3: Grant read-only access to the Profiles Sync catalog |
| 73 | + |
| 74 | +Run the following SQL to grant the Data Graph read-only access to the Profiles Sync catalog: |
| 75 | + |
| 76 | +```sql |
| 77 | +GRANT USAGE, SELECT, USE SCHEMA ON CATALOG `${profiles_sync_catalog}` TO `${client_id}`; |
| 78 | +``` |
| 79 | + |
| 80 | +### Step 4: Grant read-only access to additional catalogs for the Data Graph |
| 81 | +Run the following SQL to grant your Service Principal user read-only access to any additional catalogs you want to use for the Data Graph: |
| 82 | + |
| 83 | +```sql |
| 84 | +-- Run this command for each catalog you want to use for the Segment Data Graph |
| 85 | +GRANT USAGE, SELECT, USE SCHEMA ON CATALOG `${catalog}` TO `${client_id}`; |
| 86 | +``` |
| 87 | + |
| 88 | +### (Optional) Restrict read-only access to schemas |
| 89 | + |
| 90 | +Restrict access to specific schemas by running the following SQL: |
| 91 | + |
| 92 | +```sql |
| 93 | +GRANT USAGE ON CATALOG `${catalog}` TO `${client_id}`; |
| 94 | +USE CATALOG `${catalog}`; |
| 95 | +GRANT USAGE, SELECT ON SCHEMA `${schema_1}` TO `${client_id}`; |
| 96 | +GRANT USAGE, SELECT ON SCHEMA `${schema_2}` TO `${client_id}`; |
| 97 | +... |
| 98 | + |
| 99 | +``` |
| 100 | + |
| 101 | +### (Optional) Restrict read-only access to tables |
| 102 | +Restrict access to specific tables by running the following SQL: |
| 103 | + |
| 104 | +```sql |
| 105 | +GRANT USAGE ON CATALOG `${catalog}` TO `${client_id}`; |
| 106 | +USE CATALOG `${catalog}`; |
| 107 | +GRANT USAGE ON SCHEMA `${schema_1}` TO `${client_id}`; |
| 108 | +USE SCHEMA `${schema_1}`; |
| 109 | +GRANT SELECT ON TABLE `${table_1}` TO `${client_id}`; |
| 110 | +GRANT SELECT ON TABLE `${table_2}` TO `${client_id}`; |
| 111 | +... |
| 112 | + |
| 113 | +``` |
| 114 | + |
| 115 | +### Step 5: Validate the permissions of your Service Principal user |
| 116 | + |
| 117 | +Sign in to the [Databricks CLI with your Client ID secret](https://docs.databricks.com/en/dev-tools/cli/authentication.html#oauth-machine-to-machine-m2m-authentication){:target="_blank”} and run the following SQL to verify the Service Principal user has the correct permissions for a given table. |
| 118 | + |
| 119 | +> success "" |
| 120 | +> If this command succeeds, you can view the table. |
| 121 | +
|
| 122 | +```sql |
| 123 | +USE DATABASE ${linked_read_only_database} ; |
| 124 | +SHOW SCHEMAS; |
| 125 | +SELECT * FROM ${schema}.${table} LIMIT 10; |
| 126 | +``` |
| 127 | + |
| 128 | +### Step 6: Connect your warehouse to Segment |
| 129 | + |
| 130 | +Segment requires the following settings to connect to your Databricks warehouse. You can find these details in your Databricks workspace by navigating to **SQL Warehouse > Connection details**. |
| 131 | + |
| 132 | +- **Hostname**: The address of your Databricks server |
| 133 | +- **Http Path**: The address of your Databricks compute resources |
| 134 | +- **Port**: The port used to connect to your Databricks warehouse. The default port is 443, but your port might be different. |
| 135 | +- **Catalog**: The catalog you designated in [Step 2: Create a catalog for Segment to store checkpoint tables](#step-2-create-a-catalog-for-segment-to-store-checkpoint-tables) |
| 136 | +- **Service principal client ID**: The client ID used to access to your Databricks warehouse |
| 137 | +- **OAuth secret**: The OAuth secret used to connect to your Databricks warehouse |
| 138 | + |
| 139 | +After identifying the following settings, continue setting up the Data Graph by following the instructions in [Connect your warehouse to the Data Graph](/docs/unify/linked-profiles/data-graph/#step-2-connect-your-warehouse-to-the-data-graph). |
| 140 | + |
| 141 | +## Additional set up for warehouse permissions |
| 142 | + |
| 143 | +### Update user access for Segment Reverse ETL catalog |
| 144 | +Run the following SQL if you run into an error on the Segment app indicating that the user doesn’t have sufficient privileges on an existing `_segment_reverse_etl` schema. |
| 145 | + |
| 146 | +If Segment Reverse ETL has ever run in the catalog you are configuring as the Segment connection catalog, a Segment-managed schema is already created and you need to provide the new Segment user access to the existing schema. Update the Databricks table permissions by running the following SQL: |
| 147 | + |
| 148 | +```sql |
| 149 | +GRANT ALL PRIVILEGES ON SCHEMA ${segment_internal_catalog}.__segment_reverse_etl TO `${client_id}`; |
| 150 | +``` |
0 commit comments