
Advanced Configuration for Access Management for Databricks all-purpose compute clusters with Object-Level Access Control (OLAC)

JWT Auth Configuration

By default, Privacera uses the Databricks login user for authorization. However, we also support JWT (JSON Web Token) integration, which utilizes the user/group information from the JWT payload instead of the Databricks login user.

To enable JWT authentication for Databricks, follow these steps:

  1. Go to the Privacera Manager directory and edit the Databricks configuration file to enable JWT authentication.

    Bash
    cd ~/privacera/privacera-manager
    vi config/custom-vars/vars.databricks.plugin.yml
    

  2. Add the following property to enable JWT for Databricks:

    Bash
    DATABRICKS_JWT_OAUTH_ENABLE: "true"
    

  3. After all the changes are done, update the helm charts, apply the changes, and run the post-install steps:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    

Use Service Principal id for Authorization

By default, Privacera uses the display name of a Service Principal for authorization. If you want to use the Service Principal ID instead, apply the following configuration:

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following commands to navigate to the config directory and open the Dataserver configuration file:

    Bash
    cd ~/privacera/privacera-manager/config
    vi custom-vars/vars.dataserver.aws.yml 
    

  3. Modify or add the following property:
    Bash
    DATASERVER_DBX_OLAC_USE_DISPLAY_NAME: "false"
    
  4. Once the property is configured, run the Privacera Manager setup and install actions (the same setup, upgrade and post-install steps listed under JWT Auth Configuration above).

In PrivaceraCloud, set the equivalent property through the portal instead:

  1. In PrivaceraCloud, go to Settings -> Applications -> S3 -> S3
  2. Click on Access Management -> Advanced
  3. Under Add New Custom Properties, add the following property:
    Bash
    dataserver.dbx.olac.use.displayname=false
    

Ignore S3 Objects from Privacera Access Check

By default, the Dataserver is used to perform access control on all objects. However, if you want to ignore certain objects or entire buckets from Privacera Access Check and access them directly through the IAM role attached to the Databricks cluster, you can use the spark.hadoop.privacera.olac.ignore.paths property.

The property needs to be included in the Databricks cluster configuration.

Note

  • The property accepts a comma-separated list of paths to be excluded from Privacera Access Check.
  • Paths to be ignored support all S3 file protocols, such as s3://, s3a://, and s3n://.
  • Ensure that the attached IAM role has the necessary permissions to access the specified paths.
  • The property supports the wildcard character * in both the bucket name and object path.
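Because every path matched by spark.hadoop.privacera.olac.ignore.paths is served straight through the cluster's IAM role with no Privacera access check, it is worth auditing exactly which paths a given value exempts before rolling it out. The following Python helper is an added example, not Privacera's own matching code: it parses the comma-separated list, treats s3://, s3a:// and s3n:// as equivalent, and applies `*` as the only wildcard in bucket and key, which is an assumption about the matching semantics; the sample property value and paths are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample value for spark.hadoop.privacera.olac.ignore.paths (not from the page).
IGNORE_PATHS = "s3://public-landing/*, s3a://logs-*/raw/*,s3n://shared/static/site.css"

_S3_SCHEME = re.compile(r"^s3[an]?://", re.IGNORECASE)  # s3://, s3a://, s3n://


def _split_s3(path: str) -> Tuple[str, str]:
    """Return (bucket, key) with the scheme dropped, so all three S3 protocols compare equally."""
    if not _S3_SCHEME.match(path):
        raise ValueError(f"not an S3 path: {path!r}")
    bucket, _, key = _S3_SCHEME.sub("", path.strip()).partition("/")
    return bucket, key


def _glob(pattern: str) -> re.Pattern:
    """Compile a pattern where '*' is the only wildcard (assumed semantics); all else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def parse_ignore_paths(value: str) -> List[Tuple[re.Pattern, re.Pattern]]:
    """Parse the comma-separated property value into (bucket_pattern, key_pattern) pairs."""
    rules = []
    for entry in (e.strip() for e in value.split(",")):
        if entry:
            bucket, key = _split_s3(entry)
            rules.append((_glob(bucket), _glob(key)))
    return rules


def is_bypassed(path: str, rules: List[Tuple[re.Pattern, re.Pattern]]) -> bool:
    """True if the path would skip the Privacera access check and be served via the cluster IAM role."""
    if not _S3_SCHEME.match(path):
        return False  # non-S3 paths are never covered by this property
    bucket, key = _split_s3(path)
    return any(b.match(bucket) and k.match(key) for b, k in rules)


def audit_paths(paths: Iterable[str], value: str = IGNORE_PATHS) -> Dict[str, bool]:
    """Map each candidate path to whether it is exempt from the Privacera access check."""
    rules = parse_ignore_paths(value)
    return {p: is_bypassed(p, rules) for p in paths}


if __name__ == "__main__":
    for path, exempt in audit_paths(["s3a://public-landing/2024/events.parquet",
                                     "s3://logs-prod/curated/app.json"]).items():
        print(f"{'BYPASS ' if exempt else 'checked'} {path}")
```

Run the audit against the buckets your jobs actually read; any path reported as BYPASS is governed only by the cluster's IAM role, so that role's permissions should be reviewed with the same care as a Privacera policy.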

Encrypt Sensitive Data in Signer Request and Response Payload

  1. SSH into the instance where Privacera Manager is installed.
  2. Run the following command to navigate to the config directory.
    Bash
    cd ~/privacera/privacera-manager/config
    
  3. Run the following command to open the vars.databricks.plugin.yml file to be edited.
    Bash
    vi custom-vars/vars.databricks.plugin.yml
    
  4. Uncomment and set the following property to encrypt sensitive data in the Spark plugin request/response payload:
    Bash
    # uncomment to encrypt sensitive data in spark-plugin request/response payload. Default: `false`.
    # DATABRICKS_SPARK_ENCRYPT_SENSITIVE_PAYLOAD_DATA_ENABLED: "true"
    
  5. Once the properties are configured, update your Privacera Manager platform instance by following the Quickstart guide.

Advanced Configuration

Configuration                                        | Description
-----------------------------------------------------|------------------------------------------------------------------
Configure Bootstrap Script to Retrieve JWT Token     | Configure a bootstrap script to retrieve the JWT token for OLAC in Databricks
