Gitroom - Libraries

Lakekeeper

0

Lakekeeper is an Apache-Licensed, secure, fast and easy to use Apache Iceberg REST Catalog written in Rust.

Analytics

lakehouse
iceberg
data-lake
catalog

Lakekeeper Catalog for Apache Iceberg

Website Discord Docker on quay Helm Chart Artifact Hub

License Unittests Spark Integration Pyiceberg Integration Trino Integration Starrocks Integration

Please visit https://docs.lakekeeper.io for Documentation!

This is Lakekeeper: An Apache-Licensed, secure, fast and easy to use implementation of the Apache Iceberg REST Catalog specification based on apache/iceberg-rust. If you have questions, feature requests or just want a chat, we are hanging around in Discord!

Quickstart

A Docker Container is available on quay.io. We have prepared a minimal docker-compose file to demonstrate how to use the Lakekeeper catalog with common query engines.

git clone https://github.com/lakekeeper/lakekeeper.git
cd lakekeeper/examples/minimal
docker compose up

Then open your browser and head to localhost:8888 to load the example Jupyter notebooks or head to localhost:8181 for the Lakekeeper UI.

For more information on deployment, please check the Getting Started Guide.

Scope and Features

The Iceberg Catalog REST interface has become the standard for catalogs in open Lakehouses. It natively enables multi-table commits, server-side deconflicting and much more. It is figuratively the (TIP) of the Iceberg.

  • Written in Rust: Single all-in-one binary - no JVM or Python env required.
  • Storage Access Management: Lakekeeper secures access to your data using Vended-Credentials and remote signing for S3. All major Hyperscalers (AWS, Azure, GCP) as well as on-premise deployments with S3 are supported.
  • Openid Provider Integration: Use your own identity provider for authentication, just set LAKEKEEPER__OPENID_PROVIDER_URI and you are good to go.
  • Native Kubernetes Integration: Use our helm chart to easily deploy high available setups and natively authenticate kubernetes service accounts with Lakekeeper. Kubernetes and OpenID authentication can be used simultaneously. A Kubernetes Operator is currently in development.
  • Change Events: Built-in support to emit change events (CloudEvents), which enables you to react to any change that happen to your tables.
  • Change Approval: Changes can also be prohibited by external systems. This can be used to prohibit changes to tables that would invalidate Data Contracts, Quality SLOs etc. Simply integrate with your own change approval via our ContractVerification trait.
  • Multi-Tenant capable: A single deployment of Lakekeeper can serve multiple projects - all with a single entrypoint. Each project itself supports multiple Warehouses to which compute engines can connect.
  • Customizable: Lakekeeper is meant to be extended. We expose the Database implementation (Catalog), SecretsStore, Authorizer, Events (CloudEventBackend) and ContractVerification as interfaces (Traits). This allows you to tap into any access management system of your company or stream change events to any system you like - simply by implementing a handful methods.
  • Well-Tested: Integration-tested with spark, pyiceberg, trino and starrocks.
  • High Available & Horizontally Scalable: There is no local state - the catalog can be scaled horizontally easily.
  • Fine Grained Access (FGA): Lakekeeper's default Authorization system leverages OpenFGA. If your company already has a different system in place, you can integrate with it by implementing a handful of methods in the Authorizer trait.

If you are missing something, we would love to hear about it in a Github Issue.

Status

Supported Operations - Iceberg-Rest

OperationStatusDescription
NamespacedoneAll operations implemented
TabledoneAll operations implemented - additional integration tests in development
ViewsdoneRemove unused files and log entries
MetricsopenEndpoint is available but doesn't store the metrics

Storage Profile Support

StorageStatusComment
S3 - AWSsemi-donevended-credentials & remote-signing, assume role missing
S3 - Customdonevended-credentials & remote-signing, tested against Minio
Azure ADLS Gen2done
Azure Blobopen
Microsoft OneLakeopen
Google Cloud Storagedone

Details on how to configure the storage profiles can be found in the Docs.

Supported Catalog Backends

BackendStatusComment
Postgresdone>=15
MongoDBopen

Supported Secret Stores

BackendStatusComment
Postgresdone
kv2 (hcp-vault)doneuserpass auth

Supported Event Stores

BackendStatusComment
Natsdone
Kafkadone

Supported Operations - Management API

OperationStatusDescription
Warehouse ManagementdoneCreate / Update / Delete a Warehouse
AuthZopenManage access to warehouses, namespaces and tables
More to come!open

Auth(N/Z) Handlers

OperationStatusDescription
OIDC (AuthN)doneSecure access to the catalog via OIDC
Custom (AuthZ)doneIf you are willing to implement a single rust Trait, the AuthZHandler can be implement to connect to your system
OpenFGA (AuthZ)openInternal Authorization management

License

Licensed under the Apache License, Version 2.0