Advanced Configuration for Access Management for Databricks all-purpose compute clusters with Object-Level Access Control (OLAC)
JWT Auth Configuration
By default, Privacera uses the Databricks login user for authorization. However, we also support JWT (JSON Web Token) integration, which utilizes the user/group information from the JWT payload instead of the Databricks login user.
To enable JWT authentication for Databricks, follow these steps:
- Go to the Privacera Manager directory and edit the Databricks configuration file to enable JWT authentication.
- Add the following property to enable JWT for Databricks:
After all the changes are made, you need to regenerate the Helm charts, apply them, and run the post-install steps:
Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.
Step 2 - Apply the Privacera Manager Helm charts.
Step 3 - Post-installation, which generates the plugin tarball, updates Route 53 DNS, and so on.
Use Service Principal ID for Authorization
By default, Privacera uses the display name of the Service Principal. If you want to use the Service Principal ID instead, apply the following configuration:
- SSH to the instance where Privacera Manager is installed.
- Run the following command to navigate to the /config directory and open the Dataserver YAML file.
- Modify or add the following properties:
- Once the properties are configured, run the Privacera Manager setup and install actions.
- In PrivaceraCloud, go to Settings -> Applications -> S3 -> S3.
- Click Access Management -> Advanced.
- Under Add New Custom Properties, add the following properties:
Ignore S3 Objects from Privacera Access Check
By default, the Dataserver performs access control on all objects. However, if you want to exclude certain objects or entire buckets from the Privacera Access Check and access them directly through the IAM role attached to the Databricks cluster, you can use the spark.hadoop.privacera.olac.ignore.paths property.
The property needs to be included in the Databricks cluster configuration.
Note
- The property accepts a comma-separated list of paths to be excluded from the Privacera Access Check.
- Paths to be ignored support all S3 file protocols, such as s3://, s3a://, and s3n://.
- Ensure that the attached IAM role has the necessary permissions to access the specified paths.
- The property supports the wildcard character * in both the bucket name and object path.
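As an added example that is not part of the Privacera documentation, the following Python helper evaluates a candidate spark.hadoop.privacera.olac.ignore.paths value against sample object paths, so you can see which objects would bypass the Privacera access check (and whether any entry exempts every bucket) before rolling the setting out to a cluster. It assumes glob-style * matching (Python's fnmatch), that s3://, s3a:// and s3n:// are interchangeable, and that an entry covering a bucket or directory also covers everything beneath it; the bucket names and paths are constructed.

```python
import fnmatch
from urllib.parse import urlsplit

S3_SCHEMES = {"s3", "s3a", "s3n"}  # all three are treated the same (assumption)


def normalize(path):
    """Return (bucket, key) for an S3 URI; the key has no leading or trailing slash."""
    u = urlsplit(path.strip())
    if u.scheme not in S3_SCHEMES:
        raise ValueError(f"not an S3 URI: {path!r}")
    return u.netloc, u.path.strip("/")


def parse_ignore_paths(value):
    """Split the comma-separated property value into (bucket_pattern, key_pattern) tuples."""
    return [normalize(p) for p in value.split(",") if p.strip()]


def is_ignored(path, patterns):
    """True if `path`, or any parent prefix of it, matches an ignore entry.

    Assumptions: '*' is a glob wildcard in both bucket and key, and an entry
    that names a bucket or directory also exempts everything below it.
    """
    bucket, key = normalize(path)
    parts = key.split("/") if key else []
    # "" stands for the bucket root, so an entry like s3://bucket matches any key.
    prefixes = [""] + ["/".join(parts[: i + 1]) for i in range(len(parts))]
    for bucket_pat, key_pat in patterns:
        if not fnmatch.fnmatchcase(bucket, bucket_pat):
            continue
        if any(fnmatch.fnmatchcase(p, key_pat) for p in prefixes):
            return True
    return False


def overly_broad(value):
    """Entries whose bucket part is just '*': they exempt every bucket from the access check."""
    return [p.strip() for p in value.split(",") if p.strip() and normalize(p)[0] == "*"]


if __name__ == "__main__":
    # Constructed sample configuration and object paths.
    value = "s3://public-assets, s3a://data-lake/logs/*, s3n://*-scratch/tmp"
    pats = parse_ignore_paths(value)
    for p in ["s3://public-assets/any/file.csv", "s3://data-lake/curated/app.parquet"]:
        print(p, "-> bypasses Privacera check" if is_ignored(p, pats) else "-> checked")
    print("overly broad entries:", overly_broad("s3://*,s3://ok-bucket/x"))
```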
Encrypt Sensitive Data in Signer Request and Response Payload
- SSH into the instance where Privacera Manager is installed.
- Run the following command to navigate to the /config directory.
- Run the following command to open the vars.databricks.plugin.yml file to be edited.
- Update the following property to redact sensitive data in debug logs at the root level:
- Once the properties are configured, update your Privacera Manager platform instance by following the Quickstart guide.
Advanced Configuration
Configuration | Description
---|---
Configure Bootstrap Script to Retrieve JWT Token | Configure a bootstrap script to retrieve the JWT token for OLAC in Databricks