Privacera Documentation

Configure multiple JWTs for EMR

You can configure multiple JSON Web Tokens (JWTs) for EMR. For information about connecting EMR to PrivaceraCloud, see Connect Elastic MapReduce from Amazon application to PrivaceraCloud.

  1. Create a privacera_emr_custom_conf.sh file with the following index-based properties, where {index} starts from 0.

    JWT_OAUTH_ENABLE="true"
    JWT_{index}_ISSUER="<PLEASE_CHANGE>"
    JWT_{index}_PUBLICKEY="<PLEASE_CHANGE>"
    JWT_{index}_SUBJECT="<PLEASE_CHANGE>"
    JWT_{index}_SECRET="<PLEASE_CHANGE>"
    JWT_{index}_USERKEY="<PLEASE_CHANGE>"
    JWT_{index}_GROUPKEY="<PLEASE_CHANGE>"
    JWT_{index}_PARSER_TYPE="<PLEASE_CHANGE>"

    For example, for two configurations:

    JWT_OAUTH_ENABLE="true"
    
    JWT_0_ISSUER="https://mydomain.com/issuer"
    JWT_0_SUBJECT="principal1"
    JWT_0_SECRET="shkl-XXXX-XXXX-XXXX"
    JWT_0_USERKEY="client_id"
    JWT_0_GROUPKEY="scope"
    JWT_0_PARSER_TYPE="PING_IDENTITY"
    JWT_1_ISSUER="https://mydomain.com/issuer"
    JWT_1_PUBLICKEY="https://mydomain.com/jwt_public_key.pem"
    JWT_1_USERKEY="client_id"
    JWT_1_GROUPKEY="scope"
    JWT_1_PARSER_TYPE="KEYCLOAK"
  2. Upload the privacera_emr_custom_conf.sh file to your S3 bucket. The custom configuration file URL should be accessible from EMR.

  3. Update the bootstrap action with the export EMR_CUSTOM_CONF_URL variable:

    export EMR_CUSTOM_CONF_URL=<emr_custom_conf_url> ; wget ${PrivaceraDownloadUrl}/privacera_emr.sh ; chmod +x ./privacera_emr.sh ; sudo -E ./privacera_emr.sh spark-fgac

    The <emr_custom_conf_url> is the URL of the privacera_emr_custom_conf.sh file that was uploaded in step 2 above. The EMR node must be able to download the file from this URL (supported URLs are: http://, https:// or pm://).

    Note

    Use pm:// as the protocol instead of s3://, as s3:// is not supported in the EMR bootstrap action. Internally, it is treated as s3://.

    For example: 

    If the path is: s3://<bucketName>/path/privacera_emr_custom_conf.sh

    then use:

    export EMR_CUSTOM_CONF_URL=pm://<bucketName>/path/privacera_emr_custom_conf.sh
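
A pre-upload check for the file from step 1 and the URL from step 3, as an added example that is not part of Privacera's documentation or tooling. The names `lint_jwt_conf` and `sample_conf` and the `conf.example.invalid` URL are constructed for illustration; flagging property names outside the seven listed in step 1, and flagging gaps in the index sequence, are assumptions about what counts as a mistake.

```shell
#!/bin/sh
# Added example, not Privacera code. Lints a privacera_emr_custom_conf.sh and
# the URL it will be fetched from; prints findings, returns 1 if there are any.
lint_jwt_conf() {   # usage: lint_jwt_conf FILE|- [EMR_CUSTOM_CONF_URL]
    awk -v url="${2:-}" '
    function report(where, msg) { print where ": " msg; bad = 1 }
    BEGIN { max = -1   # property names as listed in step 1
            known = " ISSUER PUBLICKEY SUBJECT SECRET USERKEY GROUPKEY PARSER_TYPE " }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /<PLEASE_CHANGE>/ { report("line " NR, "template placeholder not replaced") }
    index($0, "“") || index($0, "”") {
        report("line " NR, "typographic quote, kept by the shell as part of the value") }
    /^JWT_OAUTH_ENABLE="true"/ { enabled = 1 }
    /^JWT_[0-9]+_[A-Z_]+=/ {
        key = substr($0, 5, index($0, "=") - 5)        # e.g. 0_PARSER_TYPE
        idx = key; sub(/_.*/, "", idx); idx += 0
        name = key; sub(/^[0-9]+_/, "", name)
        seen[idx] = 1
        if (idx > max) max = idx
        if (name == "SECRET") secret = 1
        if (!index(known, " " name " ")) report("line " NR, name " is not a listed property")
    }
    END {
        if (!enabled) report("file", "JWT_OAUTH_ENABLE=\"true\" is missing")
        if (max < 0) report("file", "no JWT_{index}_* properties found")
        for (i = 0; i <= max; i++)   # assumption: indices are consecutive from 0
            if (!(i in seen)) report("file", "index " i " is missing")
        if (url ~ /^s3:\/\//) report("url", "s3:// is not supported here, use pm://")
        if (secret && url ~ /^http:\/\//)
            report("url", "file holds a JWT secret but is fetched over cleartext http://")
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample: index 1 skipped, a placeholder, a pasted quote, a typo.
sample_conf() {
    cat <<'EOF'
JWT_OAUTH_ENABLE="true"
JWT_0_ISSUER="https://mydomain.com/issuer"
JWT_0_SECRET=”shkl-XXXX-XXXX-XXXX”
JWT_0_PARSER_TYPE="PING_IDENTITY"
JWT_2_ISSUER="<PLEASE_CHANGE>"
JWT_2_USER_KEY="client_id"
EOF
}

sample_conf | lint_jwt_conf - "http://conf.example.invalid/privacera_emr_custom_conf.sh" ||
    echo "fix the findings above before uploading"
```

Run it against the real file and the value intended for EMR_CUSTOM_CONF_URL; a clean file prints nothing and returns 0.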

Validations with JSON Web Tokens (JWTs)

  1. Create a JSON Web Token; see Authenticate Privacera Platform services using JSON Web Tokens.

  2. SSH to the EMR master node.

  3. Use the Spark application as follows:

    JWT_TOKEN=eyJhbGciOiJSU-XXXXXX–X2BAIGWTbywHkfTxxw
    
    spark-sql --conf "spark.hadoop.privacera.jwt.token.str=${JWT_TOKEN}" --conf "spark.hadoop.privacera.jwt.oauth.enable=true"