Advanced Configuration for Access Management for Databricks all-purpose compute clusters with Object-Level Access Control (OLAC)¶

JWT Auth Configuration¶

By default, Privacera uses the Databricks login user for authorization. However, we also support JWT (JSON Web Token) integration, which utilizes the user/group information from the JWT payload instead of the Databricks login user.

Here are the steps to configure JWT token integration

To enable JWT authentication for Databricks, follow these steps:

Go to the Privacera Manager directory and edit the Databricks configuration file to enable JWT authentication.
Bash
1 2
cd ~/privacera/privacera-manager vi config/custom-vars/vars.databricks.plugin.yml
Add following property to enable JWT for Databricks:
Bash
1
DATABRICKS_JWT_OAUTH_ENABLE: "true"
After all the changes are done you need to update the helm chart, apply the changes and also run the post install steps

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1 2
cd ~/privacera/privacera-manager ./pm_with_helm.sh upgrade
Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh post-install

Use Service Principal id for Authorization¶

By default, Privacera uses display name for Service Principal, If you want to use Service Principal Id then below configuration:

Self Managed and Data PlanePrivaceraCloud

SSH to the instance where Privacera Manager is installed.

Run the following command to navigate to the /config directory and open Dataserver yml

Bash
cd ~/privacera/privacera-manager/config
vi custom-vars/vars.dataserver.aws.yml 

Modify/ADD the following properties:

Bash
1	`DATASERVER_DBX_OLAC_USE_DISPLAY_NAME: "false"`

Once the properties are configured, Run Privacera Manager setup and install actions Refer this

In PrivaceraCloud, go to Settings -> Applications -> S3 -> S3
Click on Access Management -> Advanced
Under Add New Custom Properties put below properties
Bash
1
dataserver.dbx.olac.use.displayname=false

Ignore S3 Objects from Privacera Access Check¶

By default, the Dataserver is used to perform access control on all objects. However, if you want to ignore certain objects or entire buckets from Privacera Access Check and access them directly through the IAM role attached to the Databricks cluster, you can use the spark.hadoop.privacera.olac.ignore.paths property.

The property needs to be included in the Databricks cluster configuration.

Note

The property accepts a comma-separated list of paths to be excluded from Privacera Access Check.
Paths to be ignored support all S3 file protocols, such as s3://, s3a://, and s3n://.
Ensure that the attached IAM role has the necessary permissions to access the specified paths..
The property supports the wildcard character * in both the bucket name and object path.

Encrypt Sensitive Data in Signer Request and Response Payload¶

Self Managed and Data Plane

SSH into the instance where Privacera Manager is installed.
Run the following command to navigate to the /config directory.
Bash
1
cd ~/privacera/privacera-manager/config
Run the following command to open the vars.databricks.plugin.yml file to be edited.
Bash
1
vi custom-vars/vars.databricks.plugin.yml

Update the following property to redact sensitive data in debug logs at the root level:

Bash
1 2	# uncomment to encrypt sensitive data in spark-plugin request/response payload. Default: `false`. # DATABRICKS_SPARK_ENCRYPT_SENSITIVE_PAYLOAD_DATA_ENABLED: "true"

Once the properties are configured, update your Privacera Manager platform instance by following the Quickstart guide.

Advanced Configuration¶

Configuration	Description
Configure Bootstrap Script to Retrieve JWT Token	Configure bootstrap script to retrieve jwt token for OLAC in Databircks

Prev topic: Setup
Next topic: Troubleshooting