Lakekeeper Catalog for Apache Iceberg

Please visit https://docs.lakekeeper.io for Documentation!

This is Lakekeeper: An Apache-Licensed, secure, fast and easy to use implementation of the Apache Iceberg REST Catalog specification based on apache/iceberg-rust. If you have questions, feature requests or just want a chat, we are hanging around in Discord!

<p align="center"> <img src="assets/lakekeeper.gif" alt="Lakekeeper UI" width="480px"> </p> <br/> <p align="center"> <img src="https://github.com/lakekeeper/lakekeeper/raw/main/assets/Lakekeeper-Overview.png" width="500"> </p>

Quickstart

A Docker Container is available on quay.io. We have prepared a minimal docker-compose file to demonstrate how to use the Lakekeeper catalog with common query engines.

git clone https://github.com/lakekeeper/lakekeeper.git
cd lakekeeper/examples/minimal
docker compose up

Then open your browser and head to localhost:8888 to load the example Jupyter notebooks or head to localhost:8181 for the Lakekeeper UI.

For more information on deployment, please check the Getting Started Guide.

Scope and Features

The Iceberg Catalog REST interface has become the standard for catalogs in open Lakehouses. It natively enables multi-table commits, server-side deconflicting and much more. It is figuratively the (TIP) of the Iceberg.

• Written in Rust: Single all-in-one binary - no JVM or Python env required.
• Storage Access Management: Lakekeeper secures access to your data using Vended-Credentials and remote signing for S3. All major Hyperscalers (AWS, Azure, GCP) as well as on-premise deployments with S3 are supported.
• Openid Provider Integration: Use your own identity provider for authentication, just set LAKEKEEPER__OPENID_PROVIDER_URI and you are good to go.
• Native Kubernetes Integration: Use our helm chart to easily deploy high available setups and natively authenticate kubernetes service accounts with Lakekeeper. Kubernetes and OpenID authentication can be used simultaneously. A Kubernetes Operator is currently in development.
• Change Events: Built-in support to emit change events (CloudEvents), which enables you to react to any change that happen to your tables.
• Change Approval: Changes can also be prohibited by external systems. This can be used to prohibit changes to tables that would invalidate Data Contracts, Quality SLOs etc. Simply integrate with your own change approval via our ContractVerification trait.
• Multi-Tenant capable: A single deployment of Lakekeeper can serve multiple projects - all with a single entrypoint. Each project itself supports multiple Warehouses to which compute engines can connect.
• Customizable: Lakekeeper is meant to be extended. We expose the Database implementation (Catalog), SecretsStore, Authorizer, Events (CloudEventBackend) and ContractVerification as interfaces (Traits). This allows you to tap into any access management system of your company or stream change events to any system you like - simply by implementing a handful methods.
• Well-Tested: Integration-tested with spark, pyiceberg, trino and starrocks.
• High Available & Horizontally Scalable: There is no local state - the catalog can be scaled horizontally easily.
• Fine Grained Access (FGA): Lakekeeper's default Authorization system leverages OpenFGA. If your company already has a different system in place, you can integrate with it by implementing a handful of methods in the Authorizer trait.

If you are missing something, we would love to hear about it in a GitHub Issue.

Status

Storage Profile Support

| Storage | Status | Comment | |----------------------|:-------:|---------------------------------------------| | S3 - AWS | | vended-credentials & remote-signing with optional role assumption, support for session Tags | | S3 - Custom | | vended-credentials & remote-signing | | Azure ADLS Gen2 | | | | Microsoft OneLake | | | | Google Cloud Storage | | Support for GCS with and without hierarchical namespace |

Details on how to configure the storage profiles can be found in the Docs.

Supported Catalog Backends

| Backend | Status | Comment | |----------|:-------:|---------| | Postgres | | >=15 |

Supported Secret Stores

| Backend | Status | Comment | |-----------------|:-------:|---------------| | Postgres | | | | kv2 (hcp-vault) | | userpass auth |

Supported Event Stores

| Backend | Status | Comment | |---------|:-------:|---------| | NATS | | | | Kafka | | |

Supported Operations

Operations outside of the Iceberg REST specification that are supported by Lakekeeper.

| Operation | Status | Description | |-----------------------|:-------:|--------------------------------------------| | Project Management | | | | Warehouse Management | | | | Soft Deletion | | Configurable on Warehouse level | | Deletion Protection | | Deletion Protection for Warehouses, Namespaces, Tables and Views | | Recursive Drop | | Recursively drop all items inside Namespaces | | Search | | Fuzzy search for Tables on Warehouse level | | Task Management | | | | User Management | | User discovery and management for permission assignment. Includes fuzzy search functionality. Note: Lakekeeper does not serve as an identity provider | | Role Management | | | | Permission Management | | Table level, Requires OpenFGA |

Auth(N/Z) Handlers

| Operation | Status | Description | |-----------------|:-------:|--------------------------------------------------| | OIDC (AuthN) | | Secure access to the catalog via OIDC | | Custom (AuthZ) | | If you are willing to implement a single rust Trait, the AuthZHandler can be implement to connect to your system | | OpenFGA (AuthZ) | | Internal Authorization management | | Cedar | | Available in Lakekeeper+ |

Contributing

See DEVELOPMENT.md for some tips.

License

Licensed under the Apache License, Version 2.0