
OAuth Authentication

The default authentication mechanism in the Unity Catalog connector is token-based, but it also provides the option to enable OAuth. To generate OAuth credentials for the Databricks Unity Catalog, follow the instructions in the Databricks documentation.

Prerequisites

The instructions below describe how to generate OAuth credentials for the Databricks Unity Catalog. They may change, so refer to the latest Databricks documentation for the current procedure.

The service principal must have the permissions needed to manage policies in the Databricks Unity Catalog.

  1. Generate an OAuth token: refer to the Databricks documentation on how to use a service principal to authenticate with Databricks.
  2. Note down the Secret and Client ID during the OAuth Secret generation.
  3. To ensure the generated service principal has the necessary permissions, follow these steps:

    1. Add the service principal to the Admin Group in Databricks.
    2. Log in to the Databricks Unity Catalog Workspace URL.
    3. Go to settings “Identity and access” → Management and permissions → Groups → Click on Manage.
    4. Locate the Admin Group and add your service principal.
    5. Grant the service principal Metastore admin access.
    6. Ensure the service principal has access to the system catalog.
  4. Ensure that the service principal you create is added to the Admin Group Role in Databricks and has metastore admin access.

  5. It must have access to the system catalog.

Setup

Replace <CLIENT_ID> and <CLIENT_SECRET> with the actual values.

To enable OAuth authentication, update the following properties in Privacera Manager:

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. Set the following properties to enable OAuth authentication for the Databricks Unity Catalog Connector:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_AUTH_MECHANISM: "oauth"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_ID: "<CLIENT_ID>"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET: "<CLIENT_SECRET>"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
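
A pre-flight check for step 3, added here as an example and not part of Privacera Manager itself: it parses the three connector keys from the vars file, flags a placeholder left in place or an auth mechanism other than oauth, and warns when the file holding the client secret is group- or world-readable. The sample text and the `0o644` file mode are constructed for the demonstration.

```python
import re
import stat

PREFIX = "CONNECTOR_DATABRICKS_UNITY_CATALOG_"
REQUIRED = ("AUTH_MECHANISM", "OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET")
# Top-level `KEY: value` lines; the value may be double-quoted, single-quoted
# or bare (a bare value ends at whitespace or a comment marker).
LINE_RE = re.compile(r"""^([A-Z0-9_]+)\s*:\s*(?:"([^"]*)"|'([^']*)'|([^\s#]*))""")

def parse_vars(text):
    """Return {KEY: value} for the file's top-level scalar settings."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, dq, sq, bare = m.groups()
            found[key] = dq if dq is not None else sq if sq is not None else bare
    return found

def check_oauth_vars(text, mode=None):
    """Return findings about the OAuth settings; an empty list means all clear."""
    settings = parse_vars(text)
    findings = []
    for suffix in REQUIRED:
        key = PREFIX + suffix
        value = settings.get(key, "")
        if not value:
            findings.append(f"{key} is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{key} still holds the placeholder {value}")
    mech = settings.get(PREFIX + "AUTH_MECHANISM", "")
    if mech and mech != "oauth":
        findings.append(f"AUTH_MECHANISM is {mech!r}, expected 'oauth'")
    # The file carries a live client secret; only the owner should be able to read it.
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("vars file is readable by group/others; run chmod 600 on it")
    return findings

# Constructed sample in the shape shown on this page, with the placeholders left in.
SAMPLE = '''CONNECTOR_DATABRICKS_UNITY_CATALOG_AUTH_MECHANISM: "oauth"
CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_ID: "<CLIENT_ID>"
CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET: "<CLIENT_SECRET>"
'''

if __name__ == "__main__":
    # On a real host, pass open(path).read() and os.stat(path).st_mode instead.
    for problem in check_oauth_vars(SAMPLE, 0o644):
        print(problem)
```

Run it against the real vars file before `./privacera-manager.sh setup`; a non-empty result means the OAuth block is not yet ready to deploy.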
    
If you use PrivaceraCloud, set the equivalent properties in the PrivaceraCloud portal instead:

  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Add the following properties under Add New Custom Properties:

    Bash
    ranger.policysync.connector.0.jdbc.auth.mechanism=oauth
    ranger.policysync.connector.0.oauth.client.id=<CLIENT_ID>
    ranger.policysync.connector.0.oauth.client.secret=<CLIENT_SECRET>
    

  6. Click SAVE to apply the changes.
