JSON Web Tokens
This topic shows how to authenticate Privacera services using JSON web tokens (JWT).
Supported services:
- Databricks plugin (OLAC/FGAC)
- Open Spark plugin (OLAC/FGAC)
- Dataserver API to generate signature for spark OLAC plugin
Prerequisites
Ensure the following prerequisites are met:
- Get the identity provider URL that is allowed in the issuer claim of a JWT.
- Get the JWT public key from the provider that Privacera services can use to validate JWT.
Configuration
1. SSH to the instance as USER.
2. Copy the JWT public key into the ~/privacera/privacera-manager/config/custom-properties folder. If you are configuring more than one JWT, copy all the public keys associated with the JWT tokens to the same path.
3. Run the following commands.

```bash
cd ~/privacera/privacera-manager/config
cp sample-vars/vars.jwt-auth.yaml custom-vars
vi custom-vars/vars.jwt-auth.yaml
```

4. Edit the properties.

| Property | Description | Example |
|---|---|---|
| JWT_OAUTH_ENABLE | Enables JWT auth in Privacera services. | TRUE |
| JWT_CONFIGURATION_LIST | Sets one or more JWT configurations. Each entry takes the keys listed below. | See the YAML example below. |

Keys of each JWT_CONFIGURATION_LIST entry:
- issuer: URL of the identity provider.
- subject: Subject of the JWT (the user).
- secret: The secret, if the JWT token has been encrypted using a secret.
- publickey: File name of the JWT public key that you copied in step 2 above.
- userKey: Define a unique user key.
- groupKey: Define a unique group key.
- parserType: Assign one of the following values.
  - PING_IDENTITY: when scope/group is an array.
  - KEYCLOAK: when scope/group is a space-separated string.

```yaml
JWT_CONFIGURATION_LIST:
  - index: 0
    issuer: "https://your-idp-domain.com/websec"
    subject: "api-token"
    secret: "tprivacera-api"
    publickey: "jwttoken.pub"
    userKey: "client_id"
    groupKey: "scope"
    parserType: "KEYCLOAK"
  - index: 1
    issuer: "https://your-idp-domain.com/websec2"
    publickey: "jwttoken2.pub"
    parserType: "PING_IDENTITY"
  - index: 2
    issuer: "https://your-idp-domain.com/websec3"
    publickey: "jwttoken3.pub"
```

5. Run the update.

```bash
cd ~/privacera/privacera-manager/
./privacera-manager.sh update
```
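The following is an added example, not Privacera's own code, showing what a service configured with a list like the one above has to do with an incoming token: pick the entry whose issuer matches the iss claim (rejecting any issuer not in the list), verify the signature, reject expired tokens, and then read the user and groups through the configured userKey and groupKey, applying the KEYCLOAK (space-separated string) or PING_IDENTITY (array) parser rule. One assumption is labelled in the code: the real plugin validates with the publickey file (RSA), whereas this example signs and verifies with HS256 using the secret entry so that it runs on the standard library alone; the second configuration entry and its secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration in the shape of JWT_CONFIGURATION_LIST above.
# ASSUMPTION: the real plugin checks signatures with the `publickey` file
# (RSA); this example signs and verifies with HS256 using the `secret` entry
# so that it runs with only the Python standard library. Issuer matching,
# expiry checks and the two group parsers are the same either way.
JWT_CONFIGURATION_LIST = [
    {"index": 0, "issuer": "https://your-idp-domain.com/websec",
     "secret": "tprivacera-api", "userKey": "client_id", "groupKey": "scope",
     "parserType": "KEYCLOAK"},
    {"index": 1, "issuer": "https://your-idp-domain.com/websec2",
     "secret": "constructed-secret-2", "userKey": "client_id", "groupKey": "scope",
     "parserType": "PING_IDENTITY"},
]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Issue a compact JWT (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def parse_groups(value, parser_type: str) -> list:
    """Apply the parserType rule from the configuration table."""
    if parser_type == "PING_IDENTITY":          # scope/group is an array
        if not isinstance(value, list):
            raise ValueError("PING_IDENTITY expects an array group claim")
        return [str(g) for g in value]
    if parser_type == "KEYCLOAK":               # scope/group is space separated
        if not isinstance(value, str):
            raise ValueError("KEYCLOAK expects a space-separated string group claim")
        return value.split()
    raise ValueError("unknown parserType: %s" % parser_type)


def validate_token(token: str, configs: list, now: float = None) -> dict:
    """Verify a token against the configuration list; return user and groups."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))

    # 1. Select the configuration by the issuer claim; an issuer that is not
    #    in the list is rejected before any signature work is done.
    config = next((c for c in configs if c["issuer"] == payload.get("iss")), None)
    if config is None:
        raise ValueError("issuer not allowed: %r" % payload.get("iss"))

    # 2. Pin the algorithm to what the configuration expects; never let the
    #    token's own `alg` header decide how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(config["secret"].encode(),
                        (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")

    # 3. Reject expired tokens, and tokens that carry no exp at all.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")

    # 4. Read identity and groups through the configured claim names.
    user = payload.get(config["userKey"])
    if not user:
        raise ValueError("missing user claim %s" % config["userKey"])
    groups = parse_groups(payload.get(config["groupKey"]), config["parserType"])
    return {"user": user, "groups": groups, "index": config["index"]}


if __name__ == "__main__":
    # The KEYCLOAK-style payload used later on this page, with a far-future exp.
    tok = sign_hs256({"scope": "jwt:role1 jwt:role2",
                      "client_id": "privacera-test-jwt-user",
                      "iss": "https://your-idp-domain.com/websec",
                      "exp": 4102444800}, "tprivacera-api")
    print(validate_token(tok, JWT_CONFIGURATION_LIST))
```

The order of the checks is deliberate: issuer selection happens first so the verification key is chosen by configuration rather than by anything in the token, the algorithm is fixed by that configuration rather than read from the header, and the claims are only trusted once the signature and expiry have passed.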
JWT for Databricks
Configure
To configure JWT for Databricks, do the following:
1. Enable JWT. To enable JWT, refer to Configuration.
2. (Optional) Create a JWT if you do not have one. Skip this step if you already have an existing token. To create a token, see JWT and use the following details. For more details, refer to the JWT docs.
   - Algorithm=RSA256
   - When JWT_PARSER_TYPE is KEYCLOAK (scope/group is a space-separated string), use this payload:

   ```json
   {
     "scope": "jwt:role1 jwt:role2",
     "client_id": "privacera-test-jwt-user",
     "iss": "privacera",
     "exp": <PLEASE_UPDATE>
   }
   ```

   - When JWT_PARSER_TYPE is PING_IDENTITY (scope/group is an array), use this payload:

   ```json
   {
     "scope": [ "jwt:role1", "jwt:role1" ],
     "client_id": "privacera-test-jwt-user",
     "iss": "privacera",
     "exp": <PLEASE_UPDATE>
   }
   ```

   - Paste the public/private key in the input box.
   - Copy the generated JWT token.
3. Log in to the Databricks portal and write the JWT to a file on the cluster with the following notebook cell. The Privacera plugin can then read the file and perform access control based on the token user.

```python
%python
JWT_TOKEN = "<PLEASE_UPDATE>"
TOKEN_LOCAL_FILE = "/tmp/ptoken.dat"
# Write the token to the location the Privacera plugin reads it from
with open(TOKEN_LOCAL_FILE, "w") as f:
    f.write(JWT_TOKEN)
```
Use Case
Reading files from the cloud using a JWT token
1. Read the files in the file explorer of your cloud provider from your notebook. Depending on your cloud provider, enter the location of your cloud files in place of <path-to-your-cloud-files>.

```python
%python
spark.read.csv("<path-to-your-cloud-files>").show()
```

2. Check the audits. To learn how to check the audits, see the audits documentation. You should see the JWT user (privacera-test-jwt-user) that was specified in the payload when creating the JWT.
3. To give permissions on a resource, create a group in Privacera Portal matching the scope in the JWT payload and give access to that group. It is not necessary to create a user: the Privacera plugin extracts the JWT payload and passes the group during the access check. In other words, it takes the user-group mapping from the JWT payload itself, so you do not need to configure user-group mapping in Privacera.
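The following is an added example, not Privacera's code, illustrating the access-check model described in step 3: policies are written against group names that match the scope values in the token, and the check is driven entirely by the groups carried in the token, so a user that has never been created in the portal is still authorized through its group. The policy names, resource paths and the deny-over-allow, default-deny evaluation order are assumptions of this example.

```python
# Constructed policies in the shape described above: a group named after a
# JWT scope value is granted (or denied) an action on a resource prefix.
# Names, paths and the evaluation order are assumptions of this example.
POLICIES = [
    {"name": "role1-read-sales", "resource": "s3a://example-bucket/sales/",
     "groups": {"jwt:role1"}, "actions": {"read"}, "effect": "allow"},
    {"name": "role2-read-write-hr", "resource": "s3a://example-bucket/hr/",
     "groups": {"jwt:role2"}, "actions": {"read", "write"}, "effect": "allow"},
    {"name": "deny-salaries", "resource": "s3a://example-bucket/hr/salaries/",
     "groups": {"jwt:role2"}, "actions": {"read", "write"}, "effect": "deny"},
]


def matching_policies(resource: str, action: str, groups: set, policies: list):
    """Yield every policy whose resource prefix, action and group set match."""
    for policy in policies:
        if (resource.startswith(policy["resource"])
                and action in policy["actions"]
                and groups & policy["groups"]):
            yield policy


def check_access(groups, resource: str, action: str, policies=POLICIES):
    """Return (allowed, policy_name) for the groups carried in a token.

    No user record is consulted: the caller passes the groups parsed from the
    token's groupKey claim, which is the user-group mapping. A matching deny
    policy wins over any allow; no matching policy at all is a deny.
    """
    groups = set(groups)
    matched = list(matching_policies(resource, action, groups, policies))
    for policy in matched:
        if policy["effect"] == "deny":
            return False, policy["name"]
    for policy in matched:
        if policy["effect"] == "allow":
            return True, policy["name"]
    return False, None


if __name__ == "__main__":
    # Groups as they would come out of the KEYCLOAK sample payload above.
    token_groups = ["jwt:role1", "jwt:role2"]
    for path, action in [("s3a://example-bucket/sales/2024.csv", "read"),
                         ("s3a://example-bucket/hr/salaries/q1.csv", "read"),
                         ("s3a://example-bucket/finance/ledger.csv", "read")]:
        print(path, action, check_access(token_groups, path, action))
```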