
Advanced Configuration for Access Management for Databricks all-purpose compute clusters with Object-Level Access Control (OLAC)

JWT Auth Configuration

By default, Privacera authorizes requests as the Databricks login user. JWT (JSON Web Token) integration is also supported: in that mode the user and group information is taken from the JWT payload instead of from the Databricks login user.

Here are the steps to configure JWT token integration

Use Service Principal ID for Authorization

By default, Privacera identifies a Databricks Service Principal by its display name. To authorize by the Service Principal's ID instead, apply the configuration below. The ID is a stable identifier, whereas a display name can be edited in Databricks after policies referencing it have been written, so binding policies to the ID is the safer choice.

Self Managed (Privacera Manager):

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following commands to navigate to the config directory and open the Dataserver YAML file:

    Bash
    cd ~/privacera/privacera-manager/config
    vi custom-vars/vars.dataserver.aws.yml
    

  3. Add or modify the following property:
    YAML
    DATASERVER_DBX_OLAC_USE_DISPLAY_NAME: "false"
    
  4. Once the property is configured, run the Privacera Manager setup and install actions (refer to the Privacera Manager setup guide).

PrivaceraCloud:

  1. In PrivaceraCloud, go to Settings -> Applications -> S3 -> S3.
  2. Click Access Management -> Advanced.
  3. Under Add New Custom Properties, add the following property:
    Properties
    dataserver.dbx.olac.use.displayname=false
    

Ignore S3 Objects from Privacera Access Check

By default, the Dataserver performs access control on every S3 object the cluster reads or writes. To exclude specific objects or entire buckets from the Privacera access check and let the cluster access them directly through the IAM role attached to the Databricks cluster, set the spark.hadoop.privacera.olac.ignore.paths property.

The property must be set in the Databricks cluster's Spark configuration.

Note

  • The property accepts a comma-separated list of paths to be excluded from the Privacera access check.
  • Ignored paths may use any of the S3 URI schemes: s3://, s3a://, and s3n://.
  • Ensure that the attached IAM role has the permissions needed to access the specified paths.
  • The wildcard character * is supported in both the bucket name and the object path.
  • Every path on this list is accessed with the cluster IAM role's permissions and is not evaluated against Privacera policies, so every user of the cluster gets the same access to it. Keep the list minimal and avoid broad wildcards such as a bare * in the bucket position.
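Because an ignored path is served with the cluster IAM role's permissions for every user, it is worth checking what a given ignore.paths value actually exposes before rolling it out. The following Python script is an added example and is not Privacera's code: the real matching happens inside the Privacera Spark plugin, and the rules assumed here (only * is a wildcard, matched separately against the bucket name and the object key; s3, s3a and s3n are treated alike; an entry with no object path means the whole bucket) are modelled on the documented behaviour, not taken from the plugin's implementation. It parses the property value, reports which of a set of candidate paths would bypass the Privacera check, and flags entries whose bucket part is a bare *. The configuration value and candidate paths are constructed for the example.

```python
"""Added example, not Privacera's code: audit a
spark.hadoop.privacera.olac.ignore.paths value.

Matching rules ('*' as the only wildcard, matched separately against bucket
and key; s3/s3a/s3n treated alike; an entry without a key part means the
whole bucket) are an ASSUMPTION based on the documentation, not the Privacera
Spark plugin's actual implementation.
"""
import re
from urllib.parse import urlparse

S3_SCHEMES = {"s3", "s3a", "s3n"}


def _glob(pattern):
    """Compile a pattern in which only '*' is a wildcard; all else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _split_s3(uri):
    """Return (bucket, key) for an S3 URI, or None if it is not an S3 URI."""
    u = urlparse(uri.strip())
    if u.scheme not in S3_SCHEMES or not u.netloc:
        return None
    return u.netloc, u.path.lstrip("/")


def parse_ignore_paths(value):
    """Parse the comma-separated value into (raw, bucket_re, key_re) entries.

    key_re is None when the entry names a whole bucket (no object path).
    """
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = _split_s3(raw)
        if parts is None:
            raise ValueError(f"not an S3 URI: {raw!r}")
        bucket, key = parts
        entries.append((raw, _glob(bucket), _glob(key) if key else None))
    return entries


def is_ignored(path, entries):
    """True if `path` would be read via the cluster IAM role, bypassing Privacera."""
    parts = _split_s3(path)
    if parts is None:
        return False  # not an S3 path: the ignore list does not apply
    bucket, key = parts
    for _, bucket_re, key_re in entries:
        if bucket_re.match(bucket) and (key_re is None or key_re.match(key)):
            return True
    return False


def audit(value, candidate_paths):
    """Map each candidate path to whether it bypasses the Privacera check."""
    entries = parse_ignore_paths(value)
    return {p: is_ignored(p, entries) for p in candidate_paths}


def overly_broad(value):
    """Entries whose bucket part is a bare '*': every bucket the IAM role can
    reach is exposed to all cluster users with no Privacera policy applied."""
    return [raw for raw, _, _ in parse_ignore_paths(value) if _split_s3(raw)[0] == "*"]


# Constructed sample configuration and candidate paths (not a real environment).
IGNORE_PATHS = "s3://logs-bucket, s3a://data-*/raw/*, s3n://public-bucket/landing/*"
CANDIDATES = [
    "s3://logs-bucket/2024/app.log",             # whole bucket listed
    "s3a://logs-bucket/2024/app.log",            # different scheme, same bucket
    "s3://data-prod/raw/events/part-0.parquet",  # bucket wildcard + key prefix
    "s3://data-prod/curated/events.parquet",     # outside raw/: still checked
    "s3://public-bucket/landing/x.csv",
    "s3://public-bucket/private/x.csv",
    "s3://other-bucket/raw/x",
    "abfss://container@account.dfs.core.windows.net/raw/x",
]

if __name__ == "__main__":
    for path, bypass in audit(IGNORE_PATHS, CANDIDATES).items():
        print(f"{'BYPASS ' if bypass else 'checked'}  {path}")
    for raw in overly_broad("s3://*, " + IGNORE_PATHS):
        print(f"WARNING: {raw!r} bypasses Privacera for every bucket")
```

Run it against the value you intend to put in the cluster's Spark configuration together with a list of the sensitive prefixes in your account; any sensitive prefix that comes back as bypassed is readable by every user of that cluster with whatever the instance profile allows, regardless of Privacera policy.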

Encrypt Sensitive Data in Signer Request and Response Payload

  1. SSH into the instance where Privacera Manager is installed.
  2. Run the following command to navigate to the config directory:
    Bash
    cd ~/privacera/privacera-manager/config
    
  3. Run the following command to open the vars.databricks.plugin.yml file for editing:
    Bash
    vi custom-vars/vars.databricks.plugin.yml
    
  4. Uncomment and set the following property to encrypt sensitive data in the spark-plugin (signer) request/response payload. The default is false:
    YAML
    # Encrypt sensitive data in the spark-plugin request/response payload. Default: `false`.
    DATABRICKS_SPARK_ENCRYPT_SENSITIVE_PAYLOAD_DATA_ENABLED: "true"
    
  5. Once the property is configured, update your Privacera Manager platform instance by following the Quickstart guide.
