
Access control for DuckLake lakehouses

38 stars · Python

Per-table access control for DuckLake lakehouses

by deezypls · Mar 23, 2026 · 3 points · 0 comments

AI Analysis


Postgres RLS plus S3 bucket policies in one CLI for DuckLake auth.

Strengths
  • Wire-level policy sync across Postgres catalog and S3 bucket with single command
  • Audit log tracks all grant changes for compliance requirements
  • Solves DuckLake's actual gap: no authorization layer ships with it
Weaknesses
  • Hetzner-only for now; AWS and Scaleway support still TODO
  • Experimental with no security audit; README explicitly warns against production use
Target Audience

Data engineers running DuckLake on Hetzner or similar object storage

Similar To

LakeFS · Apache Ranger · Immuta

Post Description

DuckLake doesn't ship with an authorization layer. It works through the Postgres catalog, and by default you can query everything. If you have the S3 credentials, you can read every Parquet file in the bucket.

I wanted a cost-effective lakehouse on Hetzner that we can own in the EU. I wrote another repo (ducklake-hetzner) for a deployment under €15/month, but there's still a long way to go for the functionalities to come close to other data warehouses.

Hetzner's Object Storage is also not the easiest to work with: it runs Ceph, but doesn't expose IAM. That means any user has full access by default. You need to create a separate dummy project, store the S3 credentials in there, and then use an "Allow" policy on those (as they're denied by default, this works).

To help others, I figured I'd package that into a single CLI:

dga allow alice --table customers --read-only

It does two things: PostgreSQL Row-Level Security on the DuckLake catalog, and scoped S3 bucket policies on the storage layer. Still alpha, but the core superuser/writer/reader pattern works.

Would love feedback or ideas, especially from anyone running DuckLake in production or dealing with similar access control gaps on non-AWS object storage.
