FabricFabricHarness
Databricks

Enterprise Databricks controls

Identity propagation, Unity Catalog enforcement, approvals, audit lineage, durable state, cost controls, secret handling, and deployment hardening.

Fabric Harness adds runtime controls around Databricks calls. Those controls are defense in depth: Unity Catalog and Databricks resource permissions remain authoritative.

Identity modes

ModeUseFabric API
App service principalDatabricks Apps and unattended production workloadsappServicePrincipalFromEnv()
OAuth M2MExternal services acting as one applicationdatabricksIdentity({ kind: 'service-principal' })
On-behalf-of userPreserve the signed-in user's grantsonBehalfOfFromHeaders()
Personal access tokenLocal development or controlled single-user testingkind: 'pat'

Token providers are resolved at call time and refresh before expiry. Identity labels, not tokens, are placed in actors, submissions, lineage, and cost records.

For Databricks Apps ingress, use databricksAppsOidcAuthenticator() as the Node server authenticate hook. It validates workspace JWT signatures, issuer, audience, expiry, and signing-key rotation before mapping the forwarded user email to both the Fabric actor and Unity Catalog principal. See Authentication and RBAC.

Enforcement flow

Rendering diagram...

Controls to configure

  1. Use a least-privilege service principal or a user OBO token for each request.
  2. Restrict outbound network policy to the workspace host and any explicitly required services.
  3. Add catalog allowlists as defense in depth; do not treat them as a substitute for UC grants.
  4. Route write and execute tools to a data-steward approval audience.
  5. Persist sessions, submissions, and streams in Lakebase for restart recovery.
  6. Send governed tool lineage to an audit sink, MLflow, OpenTelemetry, or Lakebase telemetry tables.
  7. Apply estimated and actual-cost tenant budgets, then reconcile against system-table usage.
  8. Keep secrets in Databricks App resources, environment-backed secret references, or an external secret manager. Never put credentials in prompts, tool inputs, or lineage labels.
  9. Build with provenance and SBOM output, inspect the v2 manifest, and require an API token on production artifact routes.

Lakebase credential exchange

lakebaseClient() does not use a workspace OAuth token as the Postgres password. It exchanges the workspace token for a database credential using the endpoint resource name, refreshes that credential early with jitter, single-flights concurrent refreshes, and supplies it to the connection pool.

const app = databricksApp();
const server = await startDevServer({
  host: '0.0.0.0',
  port: Number(process.env.DATABRICKS_APP_PORT ?? 8080),
  ...(await app.serverOptions()),
});

serverOptions() injects the Lakebase session, submission, and conversation-stream stores into the shared Node server. See Lakebase for configuration.