PrivaceraCloud Documentation

How to configure multiple JSON Web Tokens (JWTs) for EMR

Multiple JWTs can be configured for EMR Spark (Fine-Grained Access Control).

  1. Create a privacera_emr_custom_conf.sh file with the index-based properties below, where {index} starts from 0.

    JWT_OAUTH_ENABLE="true"
    JWT_{index}_ISSUER="<PLEASE_CHANGE>"
    JWT_{index}_PUBLICKEY="<PLEASE_CHANGE>"
    JWT_{index}_SUBJECT="<PLEASE_CHANGE>"
    JWT_{index}_SECRET="<PLEASE_CHANGE>"
    JWT_{index}_USERKEY="<PLEASE_CHANGE>"
    JWT_{index}_GROUPKEY="<PLEASE_CHANGE>"
    JWT_{index}_PARSER_TYPE="<PLEASE_CHANGE>"

    For example, for two configurations:

    JWT_OAUTH_ENABLE="true"
    
    JWT_0_ISSUER="https://mydomain.com/issuer"
    JWT_0_SUBJECT="principal1"
    JWT_0_SECRET="shkl-XXXX-XXXX-XXXX"
    JWT_0_USERKEY="client_id"
    JWT_0_GROUPKEY="scope"
    JWT_0_PARSER_TYPE="PING_IDENTITY"
    JWT_1_ISSUER="https://mydomain.com/issuer"
    JWT_1_PUBLICKEY="https://mydomain.com/jwt_public_key.pem"
    JWT_1_USERKEY="client_id"
    JWT_1_GROUPKEY="scope"
    JWT_1_PARSER_TYPE="KEYCLOAK"

  2. Upload the privacera_emr_custom_conf.sh file to your S3 bucket. Note that the custom configuration file URL should be accessible from EMR.

  3. Update the bootstrap action to export the EMR_CUSTOM_CONF_URL variable:

    export EMR_CUSTOM_CONF_URL=<emr_custom_conf_url> ; wget ${PrivaceraDownloadUrl}/privacera_emr.sh ; chmod +x ./privacera_emr.sh ; sudo -E ./privacera_emr.sh spark-fgac

    The <emr_custom_conf_url> is the URL of the privacera_emr_custom_conf.sh file uploaded in step 2 above. The URL should be downloadable by the EMR node (supported URLs are: http://, https:// or pm://).

    Note

    Use pm:// as the protocol instead of s3://, because s3:// is not supported in the EMR bootstrap action. Internally, it is treated as s3://.

    For example: 

    If the path is: s3://<bucketName>/path/privacera_emr_custom_conf.sh

    then use:

    export EMR_CUSTOM_CONF_URL=pm://<bucketName>/path/privacera_emr_custom_conf.sh
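
The following pre-upload check is an added example, not part of the Privacera documentation or tooling: it lints a privacera_emr_custom_conf.sh for unreplaced <PLEASE_CHANGE> placeholders, typographic quotes and missing indexes, and rewrites an s3:// location to its pm:// form. The function names (lint_jwt_conf, to_pm_url, sample_conf), the rule set and the example-bucket name are assumptions made for illustration.

```sh
# Added example: lint privacera_emr_custom_conf.sh before uploading it to S3.
# The rules are assumptions drawn from this page, not Privacera validation logic.

# Reads $1 (or stdin), prints one finding per line, returns non-zero on any finding.
lint_jwt_conf() {
  awk '
    function bad(msg) { print msg; n++ }
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    /^[ \t]*JWT_OAUTH_ENABLE="true"/ { enabled = 1 }
    {
      if (index($0, "<PLEASE_CHANGE>"))
        bad("line " NR ": placeholder value not replaced")
      # \342\200\234 and \342\200\235 are the UTF-8 bytes of the curly double quotes
      if (index($0, "\342\200\234") || index($0, "\342\200\235"))
        bad("line " NR ": typographic quote becomes part of the value")
    }
    /^[ \t]*JWT_[0-9]+_[A-Z_]+=/ {
      idx = $0; sub(/^[ \t]*JWT_/, "", idx); sub(/_.*/, "", idx)
      seen[idx + 0] = 1; found = 1
      if (idx + 0 > max) max = idx + 0
    }
    END {
      if (!enabled) bad("JWT_OAUTH_ENABLE=\"true\" is not set")
      if (!found)   bad("no JWT_{index}_* properties found")
      for (i = 0; found && i <= max; i++)
        if (!(i in seen)) bad("index " i " is not defined (indexes start from 0)")
      exit (n > 0)
    }
  ' "${1:--}"
}

# Rewrite an s3:// location to the pm:// form used for EMR_CUSTOM_CONF_URL.
to_pm_url() {
  case "$1" in
    s3://*) printf 'pm://%s\n' "${1#s3://}" ;;
    *)      printf '%s\n' "$1" ;;
  esac
}

# Constructed sample: curly quotes, an unreplaced placeholder, and no index 0.
sample_conf() {
  printf '%s\n' 'JWT_OAUTH_ENABLE="true"' 'JWT_1_ISSUER="https://mydomain.com/issuer"'
  printf 'JWT_1_SUBJECT=\342\200\235principal1\342\200\235\n'
  printf '%s\n' 'JWT_1_SECRET="<PLEASE_CHANGE>"'
}

sample_conf | lint_jwt_conf || true
to_pm_url "s3://example-bucket/path/privacera_emr_custom_conf.sh"
```

Because the file can carry JWT_{index}_SECRET values, run the check locally before the upload and keep read access to the uploaded object limited to the principals the EMR nodes use.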

Validations with JSON Web Tokens (JWTs)

  1. Create a JSON Web Token; see JSON Web Tokens (JWT).

  2. SSH to the EMR master node.

  3. Use the Spark application as follows:

    JWT_TOKEN=eyJhbGciOiJSU-XXXXXX–X2BAIGWTbywHkfTxxw
    
    spark-sql --conf "spark.hadoop.privacera.jwt.token.str=${JWT_TOKEN}" --conf "spark.hadoop.privacera.jwt.oauth.enable=true"