### Create a user in Unity Catalog and grant access to a table.

In [1]:
import asyncio
import duckdb
import requests
from unitycatalog import client as uc

from auth import get_bearer_token, get_admin_token, TokenType
from user import get_or_create_user, grant

#### Define the required endpoints


In [2]:
unity_endpoint = "http://uc:8080"
idp_token_endpoint = "https://nginx/oauth2/token"
catalog_endpoint = f"{unity_endpoint}/api/2.1/unity-catalog"
control_endpoint = f"{unity_endpoint}/api/1.0/unity-control"
uc_token_endpoint = f"{control_endpoint}/auth/tokens"
user_endpoint = f"{control_endpoint}/scim2/Users"

#### Exchange admin token for a bearer token

In [4]:
token_file = "/app/unitycatalog/etc/conf/token.txt"
admin_token = get_admin_token(token_file)
admin_bearer_token = get_bearer_token(url=uc_token_endpoint, token=admin_token, scope="admin", token_type=TokenType.TOKEN_EXCHANGE)

#### Create the user

In [5]:
test_user = get_or_create_user(username="12345abcde",  # Don't adjust this username
                        display_name="Test User",
                        access_token=admin_bearer_token,
                        )

print(test_user)

id='09e3989a-e24e-44ef-874b-94966afabf72' userName='12345abcde' displayName='Test User' emails=[Email(value='12345abcde')] active=True meta=Meta(resourceType='User', created='2025-01-07T11:53:02.693+00:00', lastModified='2025-01-07T11:53:02.696+00:00') schemas=['urn:ietf:params:scim:schemas:core:2.0:User'] photos=[Photo(value='')]


#### Get access token for the user

In [6]:
idp_token = requests.post(idp_token_endpoint, data= {'username': test_user.userName,'scope': 'user'}, verify=False).json()
user_bearer_token = get_bearer_token(url=uc_token_endpoint, token=idp_token['id_token'], scope="user", token_type=TokenType.TOKEN_EXCHANGE)

#### Setup connection between DuckDB and Unity Catalog

In [7]:
conn = duckdb.connect()
conn.sql(f"""
        INSTALL uc_catalog from core_nightly;
        INSTALL delta from core;
        LOAD delta;
        LOAD uc_catalog;
        CREATE SECRET (
            TYPE UC,
            TOKEN '{user_bearer_token}',
            ENDPOINT '{unity_endpoint}',
            AWS_REGION 'not-set'
        );
        """)

conn.sql("ATTACH DATABASE 'unity' as unity (TYPE UC_CATALOG);")


#### List tables in Unity Catalog.

In [8]:
conn.sql("SHOW ALL TABLES;")

┌──────────┬─────────┬─────────┬──────────────┬──────────────┬───────────┐
│ database │ schema  │  name   │ column_names │ column_types │ temporary │
│ varchar  │ varchar │ varchar │  varchar[]   │  varchar[]   │  boolean  │
├──────────┴─────────┴─────────┴──────────────┴──────────────┴───────────┤
│                                 0 rows                                 │
└────────────────────────────────────────────────────────────────────────┘

No tables shown, because the user has not been granted access to any table.


To access a table, the user needs to have the following privileges:
- USE_CATALOG on the catalog
- USE_SCHEMA on the schema
- SELECT on the table

#### Grant privileges to the user.

In [9]:
api_client = uc.ApiClient(configuration=uc.Configuration(host=catalog_endpoint))
grants_api = uc.GrantsApi(api_client)
header = {'Authorization': f'Bearer {admin_bearer_token}'}

await asyncio.gather(
    grant(full_name="unity", user=test_user, privileges=[uc.Privilege.USE_CATALOG], securable_type=uc.SecurableType.CATALOG, grants_api=grants_api, headers=header),
    grant(full_name="unity.default", user=test_user, privileges=[uc.Privilege.USE_SCHEMA], securable_type=uc.SecurableType.SCHEMA, grants_api=grants_api, headers=header),
    grant(full_name="unity.default.numbers", user=test_user, privileges=[uc.Privilege.SELECT], securable_type=uc.SecurableType.TABLE, grants_api=grants_api, headers=header)
)

[PermissionsList(privilege_assignments=[PrivilegeAssignment(principal='12345abcde', privileges=[<Privilege.USE_CATALOG: 'USE CATALOG'>])]),
 PermissionsList(privilege_assignments=[PrivilegeAssignment(principal='12345abcde', privileges=[<Privilege.USE_SCHEMA: 'USE SCHEMA'>])]),
 PermissionsList(privilege_assignments=[PrivilegeAssignment(principal='12345abcde', privileges=[<Privilege.SELECT: 'SELECT'>])])]

#### Access the table

In [10]:
conn.sql("DETACH DATABASE unity;")
conn.sql("ATTACH DATABASE 'unity' as unity (TYPE UC_CATALOG);")
conn.sql("SHOW ALL TABLES;")

┌──────────┬─────────┬─────────┬─────────────────────┬───────────────────┬───────────┐
│ database │ schema  │  name   │    column_names     │   column_types    │ temporary │
│ varchar  │ varchar │ varchar │      varchar[]      │     varchar[]     │  boolean  │
├──────────┼─────────┼─────────┼─────────────────────┼───────────────────┼───────────┤
│ unity    │ default │ numbers │ [as_int, as_double] │ [INTEGER, DOUBLE] │ false     │
└──────────┴─────────┴─────────┴─────────────────────┴───────────────────┴───────────┘

In [11]:
conn.sql("select * from unity.default.numbers")

┌────────┬────────────────────┐
│ as_int │     as_double      │
│ int32  │       double       │
├────────┼────────────────────┤
│    564 │ 188.75535598441473 │
│    755 │  883.6105633023361 │
│    644 │  203.4395591086936 │
│     75 │  277.8802190765611 │
│     42 │   403.857969425109 │
│    680 │  797.6912200731077 │
│    821 │  767.7998537403159 │
│    484 │ 344.00373976089304 │
│    477 │  380.6785614543262 │
│    131 │  35.44373222835895 │
│    294 │ 209.32243623208947 │
│    150 │ 329.19730274053694 │
│    539 │ 425.66102859000944 │
│    247 │   477.742227230588 │
│    958 │  509.3712727285101 │
├────────┴────────────────────┤
│ 15 rows           2 columns │
└─────────────────────────────┘

#### Summary
In this notebook, we demonstrated how to authenticate a user in Unity Catalog and grant access to a table. Please contact us if you have any questions or need further assistance.