Setup for Access Management for Databricks all-purpose compute clusters with Fine-Grained Access Control (FGAC)¶

Configure¶

Self Managed and Data PlanePrivaceraCloud

Perform the following steps to configure Databricks FGAC:

SSH to the instance where Privacera Manager is installed.
Run the following command to navigate to the /config directory.
Bash
1
cd ~/privacera/privacera-manager/config
Run the following command to copy the databricks FGAC plugin yml file from sample-vars, if it's not already present in custom-vars:
Bash
1
cp -n sample-vars/vars.databricks.plugin.yml custom-vars/vars.databricks.plugin.yml

Update the following properties in the vars.databricks.plugin.yml file:

Bash
vi custom-vars/vars.databricks.plugin.yml

DATABRICKS_HOST_URL: "<PLEASE_UPDATE>"
DATABRICKS_TOKEN: "<PLEASE_UPDATE>"

Once the properties are configured, run the Privacera Manager post-install action Refer this

Enable Databricks Application¶

In PrivaceraCloud, go to Settings -> Applications.
On the Applications screen, select Databricks.
Select Platform Type
Enter the application Name and Description. Click Save. The name can be any name of your choice, e.g., Databricks.
Open the Databricks application.
Enable the Access Management option with toggle button.
Click on save button

Download Script from PrivaceraCloud¶

Open the Databricks application.
Click on Access Management
Click on Download Script
Save the script locally as privacera_databricks.sh

Create Init script in Databricks Workspace File¶

Login Databricks Web UI
Click on the Workspace sidebar
Click on the Workspace folder
Click on Create -> Folder
Name the folder privacera
Click on Create
Go inside the privacera folder
Click on Create -> File
Enter the new file name as privacera_databricks.sh
Copy the content of the local privacera_databricks.sh and paste it into the workspace file privacera_databricks.sh

Create Databricks cluster policy¶

We recommend to use Databricks cluster policy to control cluster configuration. Here are the steps to create cluster policy:

Log in to Databricks Web UI
Click on the Compute icon on the sidebar
Click on the Policies tab
Click on the Create policy button
Provide a name to the policy i.e privacera-fgac-cluster-policy

Add below policy definition, and replace with your actual instance-profile-arn

Bash
{
  "spark_conf.spark.databricks.isv.product": {
    "type": "fixed",
    "value": "privacera"
  },
  "spark_conf.spark.driver.extraJavaOptions": {
    "type": "fixed",
    "value": "-javaagent:/databricks/jars/privacera-agent.jar"
  },
  "spark_conf.spark.databricks.repl.allowedLanguages": {
    "type": "fixed",
    "value": "sql,python,r"
  },
  "spark_conf.spark.databricks.delta.formatCheck.enabled": {
    "type": "fixed",
    "value": "false"
  },
  "aws_attributes.instance_profile_arn": {
    "type": "fixed",
    "value": "<instance-profile-arn>"
  },
  "spark_conf.spark.sql.extensions": {
    "type": "fixed",
    "value": "com.privacera.spark.agent.SparkSQLExtension"
  },
  "spark_conf.spark.databricks.pyspark.dbconnect.enableProcessIsolation": {
    "type": "fixed",
    "value": "true"
  },
  "spark_conf.spark.databricks.pyspark.enableProcessIsolation": {
    "type": "fixed",
    "value": "true"  
  },
  "spark_conf.spark.databricks.pyspark.enablePy4JSecurity": {
    "type": "fixed",
    "value": "true"
  },
  "spark_conf.spark.hadoop.privacera.custom.current_user.udf.names": {
    "type": "fixed",
    "value": "current_user()"
  }
}

Create Databricks cluster¶

Here are the steps to create Databricks cluster with Privacera plugin (FGAC):

Log in to Databricks Web UI
Click on the Compute icon on the sidebar
Click the Create Compute button.
Fill in the cluster configuration details.
Under the Cluster Policies dropdown, select the policy you created in the previous step (i.e., privacera-fgac-cluster-policy)
Under the Advanced option :
- Select Workspace as the source for init scripts.
- Specify the Workspace file path:
  - Self Managed and Data Plane
    - /privacera/{DEPLOYMENT_ENV_NAME}/ranger_enable.sh
  - PrivaceraCloud
    - /privacera/{DEPLOYMENT_ENV_NAME}/privacera_databricks.sh
Click the Add button.
Click Create Compute to create the cluster.

Validation¶

To confirm the successful association of an access management policy with data in your Databricks installation, follow these steps:

Prerequisites:
- A running Databricks cluster secured using the steps mentioned above.
- At least one resource policy associated with your data that grants a user access to the database.
- This resource policy must not be for Databrick's default database. Configure the policy for any database other than the default.
- Sample Resource Policy:
  - Policy Name: Employee Details
  - Hive Database: sample_db
  - Hive Table: employees
  - Permissions: CREATE, UPDATE, SELECT, DROP
  - Select User: emily

Steps to Validate Policy:

Login to Databricks as a user who is defined in the resource policy.
Create or open an existing notebook. Associate the Notebook with the running Databricks cluster.
Select the database to which you have associated the policy.

In the notebook, run following SQL commands to Create a sample table, Insert and Select the data:

SQL
USE sample_db;

CREATE TABLE IF NOT EXISTS employees (
Emp_Id INT,
First_name STRING,
Last_name STRING
);

INSERT INTO employees (Emp_Id, First_name, Last_name) VALUES (1, 'John', 'Doe'), 
(2, 'Jane', 'Smith'), (3, 'Alice', 'Johnson');

SELECT * FROM employees;

On Privacera portal, go to Access Management -> Audits
Check for the success or failure of the resource policy. A successful access is indicated as Allowed and failure is indicated as Denied.
Sample Audit Logs:

Prev topic: Prerequistes
Next topic: Advanced Configuration