I wanted a cost-effective lakehouse on Hetzner that we can own in the EU. I wrote another repo (ducklake-hetzner) for a deployment under €15/month, but there's still a long way to go before the functionality comes close to that of other data warehouses.
Hetzner's Object Storage is also not the easiest to work with: it runs Ceph but doesn't expose IAM. That means any user has full access by default. You need to create a separate dummy project, store the S3 credentials in there, and then use an "Allow" policy on those (as they're denied by default, this works).
To help others, I figured I'd package that into a single CLI:
dga allow alice --table customers --read-only
It does two things: PostgreSQL Row-Level Security on the DuckLake catalog, and scoped S3 bucket policies on the storage layer. Still alpha, but the core superuser/writer/reader pattern works.
Would love feedback or ideas, especially from anyone running DuckLake in production or dealing with similar access control gaps on non-AWS object storage.
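The storage-side half of the pattern described in the post, as an added example (not code from dga or ducklake-hetzner): it builds a bucket policy of "Allow" statements scoped to one table prefix and checks object requests against it under default-deny. The bucket name, the `main/customers/` prefix layout and the principal string are constructed placeholders; use the principal format your provider documents.

```python
import fnmatch
import json

BUCKET = "lake-data"                        # constructed sample bucket
ALICE = "arn:aws:iam:::user/EXAMPLE-ALICE"  # placeholder principal, not a real ARN
READ_ACTIONS = ["s3:GetObject"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject"]
# Assumed layout: one key prefix per table, e.g. main/customers/
SAMPLE_GRANTS = [{"principal": ALICE, "prefix": "main/customers", "read_only": True}]

def table_statements(principal, bucket, prefix, read_only=True):
    """Allow statements that scope one principal to one table prefix."""
    prefix = prefix.strip("/") + "/"
    actions = READ_ACTIONS + ([] if read_only else WRITE_ACTIONS)
    return [
        {   # object-level access, limited to keys under the table prefix
            "Effect": "Allow",
            "Principal": {"AWS": [principal]},
            "Action": actions,
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
        },
        {   # listing is a bucket-level action, so it is scoped by s3:prefix
            "Effect": "Allow",
            "Principal": {"AWS": [principal]},
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}"],
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
        },
    ]

def build_policy(grants, bucket):
    stmts = []
    for g in grants:
        stmts += table_statements(g["principal"], bucket, g["prefix"], g["read_only"])
    return {"Version": "2012-10-17", "Statement": stmts}

def is_allowed(policy, principal, action, resource):
    """Default-deny check for object requests: some Allow must match."""
    for s in policy["Statement"]:
        if (s["Effect"] == "Allow" and "Condition" not in s
                and principal in s["Principal"]["AWS"]
                and action in s["Action"]
                and any(fnmatch.fnmatchcase(resource, r) for r in s["Resource"])):
            return True
    return False  # nothing matched, so the request stays denied

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_GRANTS, BUCKET), indent=2))
```

A read-only grant produces no `s3:PutObject` or `s3:DeleteObject` statement, so writes and reads outside the table prefix fall through to the default deny.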