Klairr connects to Databricks via a SQL Warehouse using a Personal Access Token. Unity Catalog grants control read access; no write privileges are required.
Prerequisites
- A Databricks workspace with at least one SQL Warehouse running
- Unity Catalog enabled (or hive metastore)
- A user (or service principal) with
USE CATALOG,USE SCHEMA, andSELECTon the target tables
Step 1: Provision read access
In Databricks SQL editor, run:
GRANT USE CATALOG ON CATALOG main TO `[email protected]`;
GRANT USE SCHEMA ON SCHEMA main.default TO `[email protected]`;
GRANT SELECT ON SCHEMA main.default TO `[email protected]`;Use a service principal in production. Klairr explicitly does not request MODIFY, INSERT, UPDATE, DELETE, or OWNERSHIP.
Step 2: Generate a Personal Access Token
In the Databricks UI: User settings → Access tokens → Generate new token. Copy the value (it cannot be retrieved later) and choose a 90-day lifetime to enforce rotation.
Step 3: Add the connector
| Field | Example |
|---|---|
| Workspace hostname | dbc-xxxx.cloud.databricks.com |
| SQL warehouse HTTP path | /sql/1.0/warehouses/abc123 |
| Personal access token | dapi… |
| Catalog | main |
| Schema | default |
The HTTP path is shown in the SQL Warehouse details page under Connection details → HTTP path.
Notes
- Klairr probes write permission at connect time by attempting
CREATE TABLEwith a synthetic name. Read-only roles reject; over-permissioned roles are rejected by Klairr. - Schema introspection uses Unity Catalog’s
information_schema. Row counts are not surfaced (Databricks does not expose cheap counts). - M2M OAuth is on the roadmap; PAT is the v1 path.