Fine grained access control query on dedicated compute fails

Work with your network team to ensure ports 8443 and 8444 are open.

Written by manikandan.ganesan

Last published at: October 30th, 2025

Problem

You try to run a query using fine grained access control (FGAC) on dedicated compute. The query runs long and then fails with the following error. 

Py4JJavaError: An error occurred while calling o435.sql
: org.apache.spark.sql.connect.client.RetriesExceeded
at org.apache.spark.sql.connect.client.GrpcRetryHandler$Retrying.waitAfterAttempt(GrpcRetryHandler.scala:214)
at 

 

Cause

A failure occurred within the Apache Spark Connect client during a remote filtering operation. You can confirm by locating a stack trace line such as the following. 

com.databricks.spark.sql.remotefiltering.EmbeddedSparkConnectClientImpl.propagateLocalState(EmbeddedSparkConnectClientImpl.scala:537)

 

When using FGAC, remote filtering requests are made from the data plane to the control plane. Successful communication requires specific network ports, 8443 and 8444, to be open. 

 

When traffic to these ports is blocked or not properly configured, queries may hang and eventually fail when attempting to access views with row filters or column masks enabled. The queries cannot establish proper communication with the control plane to retrieve data.

 

Additional context

Port 8443 is used for internal calls from the Databricks compute plane to the Databricks control plane API. Port 8444 is used for Unity Catalog logging and lineage data streaming into Databricks.

 

Solution

Ensure that there are no network connectivity issues to ports 8443 and 8444. Work with your org’s network team to confirm that these ports are not blocked by firewall rules or other network policies.

 

Run the following network tests. Use your workspace’s fully qualified domain name (FQDN) in the commands.

%sh 
nslookup <workspace-fqdn> ## should resolve.
nc -zv <workspace-fqdn> 8443 ## should pass.

 

Then, validate with an OpenSSL test to ensure the nc test result is not a false positive.

%sh 
openssl s_client --connect <workspace-fqdn>:8443

 

In a non-working environment, the OpenSSL command may fail to show server certificates. This usually indicates that a firewall is blocking or interfering with the connection. Engage your org’s firewall or network team to review and resolve firewall issues.