
Using a Databricks Service Principal as a User in Ranger Policies

This document explains how to use a Databricks service principal as a user in Ranger policies for the Databricks Unity Catalog Policysync connector.


Configuration Steps

Step 1: Create a Databricks Service Principal

Create a service principal in Databricks and note its Service Principal ID.

Example:

Text Only
a9c2e4d1-7b8f-4f6a-9c3e-1d72b6e8a4f9

This ID will be used as the user name in Ranger policies.


Step 2: Add Service Principal as a Privacera User

  1. Log in to the Privacera Portal
  2. Navigate to Users → Add User
  3. Configure the user as shown below:
    Text Only
    User Name: a9c2e4d1-7b8f-4f6a-9c3e-1d72b6e8a4f9 
    
    Add the following attribute:
    Text Only
    key   : databricks_service_principal
    value : true
    
  4. Save the user

Regex Configuration

Self-Managed Portal

  1. Navigate to Settings → Applications in the Self-Managed Portal.

  2. From the list of Connected Applications, select Databricks Unity Catalog.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under the ADVANCED tab, configure the following options:

    • To configure the regex properties, scroll to the Regex to find special characters in user names section and update the regex as follows:

      Properties
      [~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\/\\\\{}]
      
      This updated regex preserves the hyphen (-) while still removing unsupported special characters.

  5. Click SAVE to apply the changes.

Privacera Manager

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the connector's .yml file for editing:

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    

  3. Add or update the following regex configuration:
    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\\\s^*()_%\\\\[\\\\]!\\\\/\\\\\\\\{}]"
    
    This updated regex preserves the hyphen (-) while still removing unsupported special characters.
  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. Navigate to Settings → Applications in PrivaceraCloud.

  2. From the list of Connected Applications, select Databricks Unity Catalog.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under the ADVANCED tab, configure the following options:

    • To configure the regex properties, scroll to the Regex to find special characters in user names section and update the regex as follows:

      Properties
      [~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\/\\\\{}]
      
      This updated regex preserves the hyphen (-) while still removing unsupported special characters.

  5. Click SAVE to apply the changes.
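The following Python script is an added example, not code from the Privacera documentation or the connector itself. It shows why the regex change in the three procedures above matters: it unwraps the YAML and .properties escaping layers to recover the regex the engine actually sees, then applies that regex to the Service Principal ID from Step 1 and to two constructed user names. It assumes that matched characters are replaced with an empty string (the page's "removing unsupported special characters"), and the hyphen-containing pattern `REGEX_WITH_HYPHEN` is an assumed illustration of a pattern that matches `-`, not the connector's default value.

```python
import re

# Constructed sample inputs for this example: the Service Principal ID is the
# one shown on this page; the other two names are made up.
SERVICE_PRINCIPAL_ID = "a9c2e4d1-7b8f-4f6a-9c3e-1d72b6e8a4f9"
SAMPLE_NAMES = [SERVICE_PRINCIPAL_ID, "svc.user@example.com", "data team user"]

# The updated regex exactly as it appears on this page at each layer.
# Double-quoted YAML value in the Privacera Manager vars file:
YAML_VALUE = r"[~`$&+:;=?@#|'<>.\\\\s^*()_%\\\\[\\\\]!\\\\/\\\\\\\\{}]"
# Value in the portal's Properties box (Java .properties escaping):
PROPERTIES_VALUE = r"[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\/\\\\{}]"
# What the regex engine finally sees after both layers are unwrapped:
UPDATED_REGEX = r"[~`$&+:;=?@#|'<>.\s^*()_%\[\]!\/\\{}]"

# Assumed for illustration only (not taken from the page): the same class with
# '-' included, to show what happens when the pattern also matches the hyphen.
REGEX_WITH_HYPHEN = r"[-~`$&+:;=?@#|'<>.\s^*()_%\[\]!\/\\{}]"


def unwrap_backslash_layer(value: str) -> str:
    """Collapse one escaping layer: a backslash followed by any character
    yields that character.

    Deliberately simplified: it handles only the backslash-backslash and
    backslash-punctuation escapes present in this pattern, not \\u, \\t or \\n
    sequences.  YAML double-quoted strings and Java .properties files both
    treat the escapes used here this way, so one helper serves both layers.
    """
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def normalize_user_name(name: str, pattern: str = UPDATED_REGEX) -> str:
    """Apply the 'replace from' regex to an incoming user name.

    Assumption: every matched character is replaced with the empty string.
    """
    return re.sub(pattern, "", name)


def policy_user_matches(policy_user: str, incoming_name: str,
                        pattern: str = UPDATED_REGEX) -> bool:
    """True if the Databricks principal name, after normalization, equals the
    user name stored on the Ranger policy."""
    return normalize_user_name(incoming_name, pattern) == policy_user


if __name__ == "__main__":
    # The escaping layers must unwrap to each other, or the wrong regex ships.
    assert unwrap_backslash_layer(YAML_VALUE) == PROPERTIES_VALUE
    assert unwrap_backslash_layer(PROPERTIES_VALUE) == UPDATED_REGEX
    for name in SAMPLE_NAMES:
        print(f"{name!r:45} -> {normalize_user_name(name)!r}")
    # The UUID-style ID survives the updated regex untouched, so the Ranger
    # policy user from Step 2 matches; a pattern that strips '-' does not.
    print("match with updated regex:",
          policy_user_matches(SERVICE_PRINCIPAL_ID, SERVICE_PRINCIPAL_ID))
    print("match with hyphen in regex:",
          policy_user_matches(SERVICE_PRINCIPAL_ID, SERVICE_PRINCIPAL_ID,
                              REGEX_WITH_HYPHEN))
```

A quick check like this is worth running before editing the live configuration: the YAML value carries four backslashes per regex backslash precisely because it passes through two unescaping layers, and a pattern that is one backslash short either fails to compile or silently matches different characters than intended.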