Skip to content

Creating and Managing Principals in Databricks SQL

This section describes how to create and manage principals in Databricks SQL.

The Databricks SQL Connector allows you to create and manage principals—users, groups, and roles—in Databricks SQL. These principals can be granted permissions to access resources within Databricks SQL. This feature is optional and can be configured to manage only users, only groups, only roles or all three types of principals.

Setup

By default, the setting for creating and managing principals in Databricks SQL is set to true. However, it is recommended to explicitly define this value as either true or false in the connector configuration file. Explicit configuration ensures consistent behavior, even if the default value changes in future releases. These configuration properties control whether the Privacera Databricks SQL connector is permitted to create users, groups, and roles in Databricks SQL.

  • Set the value to true to allow the connector to create the corresponding principal if it does not already exist.

By default, principal names are converted to lowercase when created. However, the connector provides configuration options to control case sensitivity and name normalization.

Persist Case Sensitivity:

  • When case sensitivity is retained (true): Principal names (users, groups, roles) are stored and managed exactly as provided, preserving the original casing—including both uppercase and lowercase letters.

  • When case sensitivity is not retained (false, default behavior): Principal names are automatically converted to lowercase when stored and managed in Databricks SQL.

Case Conversion Options:

  • lower (default): Principal names (users, groups, roles) are converted to lowercase.
  • upper: Principal names are converted to uppercase.
  • none: Principal names are preserved exactly as provided, without any case conversion.
Case conversion properties apply only when case sensitivity is not persisted:

  • Self Managed (YAML Configuration) deployments:

    • CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY
    • CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY
    • CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY

  • PrivaceraCloud deployments:

    • Disable the following in Access Management → ADVANCED tab of the Databricks SQL application:
      • Persist case sensitivity of user names
      • Persist case sensitivity of group names
      • Persist case sensitivity of role names

Warning

  • Replace the example values with your actual values.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-sql-analytics/instance1/vars.connector.databricks.sql.analytics.yml

  3. Set the following property for enabling/disabling the connector to create principals in the Databricks SQL:

    YAML
    1
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_CREATE_USER: "true"

  4. To customize the role name prefix, set the following property:

    YAML
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_ROLE_PREFIX: "priv_user_dev"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_ROLE_PREFIX: "priv_group_dev"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_ROLE_PREFIX: "priv_role_dev"

  5. To retain the case of the principal names, set the following properties:

    YAML
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY: "true"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY: "true"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY: "true"

  6. To use the case conversion, set the following properties:

    YAML
    1
2
3
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_CASE_CONVERSION: "upper"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_CASE_CONVERSION: "upper"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_CASE_CONVERSION: "none"

  7. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks SQL.

  3. Click on the icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab

  5. For creating and managing principals in the Databricks SQL, enable the following option:

    • Create users in Databricks SQL Endpoint by privacera

  6. To customize the role name prefix, enter the prefix in the Role Name Prefix field.

    • Prefix of Databricks SQL Endpoint roles for portal groups: priv_group_dev
    • Prefix of Databricks SQL Endpoint roles for portal roles: priv_role_dev

  7. To retain the case of the principal names, enable the following options:

    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names

  8. To use the case conversion, add the following properties under Add New Custom Properties section:

    Bash
    1
2
3
    ranger.policysync.connector.0.user.name.case.conversion=upper
ranger.policysync.connector.0.group.name.case.conversion=upper
ranger.policysync.connector.0.role.name.case.conversion=none

  9. Click SAVE to apply the changes.

Comments