JWT Token User Identity¶
Overview¶
This feature allows the use of JWT tokens to carry the user identity information required by Privacera to enforce access control. This works for certain connectors or use-cases where the data source may not be able to pass the user identity reliably to Privacera.
Connectors¶
The following connectors support the use of JWT tokens to carry user identity information:
- OLAC connectors
- AWS EMR (on EC2) Spark OLAC connector without Kerberos - JWT token user identity is the only supported way to enforce access control in a non-Kerberos EMR (on EC2) cluster.
- AWS EMR-Serverless Spark OLAC connector without Lake Formation - JWT token user identity allows you to use Privacera for access control in a non-Lake Formation EMR-Serverless cluster without using IAM roles for user identity.
- Databricks Standard Cluster OLAC connector - JWT token user identity is an additional way to pass user identity to Privacera for access control if you don't want to use the logged-in user identity.
- Apache Spark on EKS OLAC connector - JWT token user identity is the only supported way to enforce access control in Apache Spark on EKS cluster.
- FGAC connectors
- Databricks High Concurrency Cluster FGAC connector - JWT token user identity is an additional way to pass user identity to Privacera for access control if you don't want to use the logged-in user identity.
Supported Deployments¶
- PrivaceraCloud
- Self Managed Deployment
- PrivaceraCloud Data-plane Deployment
Prerequisites¶
You need to have a JWT token generation capability in your identity provider (IdP) to generate the JWT token. The JWT token is signed by your IdP and contains the user identity information. The user is configured in Privacera with the same username. The public key of the IdP is used to validate the JWT token. It is either configured statically in Privacera or provided dynamially through a JWKS endpoint which is configured in Privacera.
For OLAC use-case, you need to have Privacera Dataserver configured and running, to which we will add the additional configuration to validate JWT token.
Sample Flow for OLAC¶
sequenceDiagram
participant User
participant IdentityProvider
participant ComputeEnv as Compute Env + Privacera OLAC Plugin
participant PrivaceraDataServer
participant CloudStorage
User->>IdentityProvider: 1. Request JWT token
IdentityProvider-->>User: 2. Provide JWT token
User->>ComputeEnv: 3. Pass JWT token
ComputeEnv->>PrivaceraDataServer: 4. Send JWT token
PrivaceraDataServer->>PrivaceraDataServer: 5. Validate JWT token using static key or key from JWK endpoint
PrivaceraDataServer->>PrivaceraDataServer: 6. Generate Signed URL/STS token
PrivaceraDataServer-->>ComputeEnv: 7. Provide Signed URL/STS token
ComputeEnv->>CloudStorage: 8. Access data using Signed URL/STS token
CloudStorage-->>ComputeEnv: 9. Data retrieved
Diagram Explanation
- Request JWT Token: The user requests a JWT token from the Identity Provider (IdP).
- Provide JWT Token: The IdP provides the JWT token to the user.
- Pass JWT Token: The user passes the JWT token to the compute environment.
- Send JWT Token: The compute environment sends the JWT token to Privacera DataServer.
- Validate JWT Token: Privacera DataServer validates the JWT token signature by using either IdP public key that is statically configured or is obtained dynamically from IdP's JWKS endpoint.
- Generate Signed URL/STS Token: Privacera DataServer generates a Signed URL or STS token.
- Provide Signed URL/STS Token: Privacera DataServer provides the Signed URL or STS token to the compute environment.
- Access Data: The compute environment accesses data from cloud storage using the Signed URL or STS token.
- Data Retrieved: The data is retrieved from the cloud storage and provided to the compute environment.
Sample Flow for FGAC¶
sequenceDiagram
participant User
participant IdentityProvider
participant ComputeEnv as Compute Env + Privacera FGAC Plugin
participant CloudStorage
User->>IdentityProvider: 1. Request JWT token
IdentityProvider-->>User: 2. Provide JWT token
User->>ComputeEnv: 3. Pass JWT token
ComputeEnv->>ComputeEnv: 4. Privacera FGAC plugin validates JWT token using static key or key from JWK endpoint
ComputeEnv->>ComputeEnv: 5. Privacera FGAC plugin uses identity to enforce access control
ComputeEnv->>CloudStorage: 6. Access data using Compute Env native permissions (IAM role)
CloudStorage-->>ComputeEnv: 7. Data retrieved
Diagram Explanation
- Request JWT Token: The user requests a JWT token from the Identity Provider (IdP).
- Provide JWT Token: The IdP provides the JWT token to the user.
- Pass JWT Token: The user passes the JWT token to the compute environment.
- Validate JWT Token: Privacera FGAC plugin validates the JWT token signature by using either IdP public key that is statically configured or is obtained dynamically from IdP's JWKS endpoint.
- Enforce Access Control: Privacera FGAC plugin uses the user identity to enforce access control.
- Access Data: The compute environment accesses data from cloud storage using the compute environments native permissions (IAM role).
- Data Retrieved: The data is retrieved from the cloud storage and provided to the compute environment.
Concepts¶
JWT Token Format¶
A JSON Web Token (JWT) consists of three Base64 strings separated by dots (.
). These 3 parts are header, payload and signature. The header and payload are JSON objects, and the signature is a computed over the header and payload using a secret key. The signature is used to confirm the identity of the issuer and the integrity of the JWT token.
The header contains the algorithm used to sign the JWT token. An example JWT header JSON is shown below. All the values are examples and should not be used as is.
The fields in the header are as follows,
- The
alg
field is the algorithm used to sign the JWT token. Privacera supports only RSA256 and ECDSA256 algorithms for JWT token signature, which correspond to RS256 and ES256 as values of this field. - The
typ
field is the type of the token. This is a literal value and is alwaysJWT
. - The
kid
field is the key id of the public key used to sign the JWT token. This is an optional field. It is present if JWKS endpoint is used to fetch the public key.
The payload contains the claims. An example JWT payload JSON is shown below. All the values are examples and should not be used as is.
JSON | |
---|---|
- The
iss
field is the issuer of the JWT token. This value is configured in Privacera so that it can be used to obtain the configuration for validating the JWT token. This is a mandatory field. Typically, it is in the format of a URL, but it is a literal value and no connection attempt will be made to this URL. - The
sub
field is the subject of the JWT token. This is the user identity that Privacera should use to enforce access control. This is a mandatory field. You can configure another key in the payload to be used as the user identity. - The
iat
field is the issued at time of the JWT token. This is the time when the token was issued in Unix time. This is a mandatory field. The token is rejected if current time is before this time. - The
exp
field is the expiration time of the JWT token. This is the expiry time of the token in Unix time. This is a mandatory field. The token is rejected if the current time is after this time. - The
aud
field is the audience of the JWT token. This is the intended recipient of the token, which is Privacera Dataserver. This is a string that is configured in Privacera and Privacera will use the token only if it matches. This is an optional field. - The
scope
field is used to carry additional list of groups. This is an optional field. You can configure another key in the payload to be used as the group list. The groups can be either space separated or comma separated. These groups can be used to override the user's groups that are configured in Privacera or to add additional groups. TODO: need the properties
All other fields in the payload will be ignored by Privacera.
Token Duration
For OLAC jobs, the token duration can be short as it is used only during the startup of the job to pass the identity to the Privacera Dataserver. For FGAC jobs, the token duration should be long enough to cover the duration of the job.
JWT Signature Verification¶
JWT Signature verification is done using the public key of the IdP. The public key can be configured statically in Privacera or dynamically fetched from the IdP's JWKS endpoint.
Privacera supports only RSA256 and ECDSA256 algorithms for JWT token signature.
In case of dynamic public key configuration, the public key is fetched from the IdP's JWKS (JSON Web Key Set) endpoint using the kid
field in the JWT header. The JWKS service returns a set of keys containing public keys used to verify the JWT token. The endpoint could return a set of keys or one specific key given the kid
field in the JWT header.
Here is an example of JWKS with RSA JWK returned by the JWKS service -
JSON | |
---|---|
alg
- Algorithm used to sign the JWT token. It is either RS256 or HS256.kty
- Key type. It is either RSA or EC.use
- Use of the key. It is either sig or enc.x5c
- X.509 certificate chain. It is an array of base64 encoded X.509 certificates.n
- RSA modulus. It is a base64 encoded string.e
- RSA exponent. It is a base64 encoded string.kid
- Key ID. It is a string identifier.x5t#S256
- X.509 certificate SHA-1 thumbprint. It is a base64 encoded string.exp
- Expiration time of the key. It is a Unix time.
Here is an example of JWKS with ECDSA JWK returned by the JWKS service -
JSON | |
---|---|
kty
- Key type. It is either RSA or EC.crv
- Curve used for the key. It is a string.x
- X coordinate of the key. It is a base64 encoded string.y
- Y coordinate of the key. It is a base64 encoded string.kid
- Key ID. It is a string identifier.exp
- Expiration time of the key. It is a Unix time.
The Privacera Dataserver will obtain the key from the JWKS service endpoint when a JWT token with key id is received. This key will be cached for it's expiration duration.
Using JWT Token User Identity Feature in Privacera¶
To use this feature you need to do the following:
- For OLAC supported connectors
- Configure Privacera Dataserver to use JWT tokens
- Configure EMR, Databricks or Apache Spark plugin to use JWT token
- At runtime, generate JWT token and pass it to the Spark job
- For FGAC supported connectors
- Configure the Databricks Spark plugin to use JWT token
- At runtime, generate JWT token and pass it to the Spark job
Using JWT Tokens¶
For OLAC supported connectors¶
User will pass the JWT token string in a Spark configuration variable to the Spark job. Here is an example -
Bash | |
---|---|
Token Visibility in logs
If the JWT token is passed as a Spark configuration variable on command line then the value is redacted by Apache Spark running on EMR, Databricks and Apache Spark since the variable contains the word token
.
For FGAC supported connectors¶
User will copy the JWT token string to a file and pass the file path in a Spark configuration variable to the Spark job. The difference is the methodology is because FGAC clusters support SparkSQL and it is not possible to pass JWT in Spark configuration variable.
Global User
When this feature is used FGAC cluster, then the logged-in user identity is not considered and everyone will be treated as the user in the JWT token. This is only recommended for job clusters where you want to enforce FGAC.
Here is an example -
Properties | |
---|---|
You can copy the JWT token file to Spark cluster using the following steps:
Python | |
---|---|
Configuring Privacera for JWT Token User Identity¶
You need to enable and configure the JWT token User Identity feature in Privacera. This is a common configuration for
- OLAC and FGAC connectors on Self Managed and Data Plane deployments
- OLAC connectors on PrivaceraCloud
The configuration maps the token issuer value to a set of configurations that are used to validate the JWT token. You can configure multiple token issuers in Privacera.
Setup for JWT public key configuration¶
On the host where Privacera Manager is installed, do the following steps:
Bash | |
---|---|
JWT_CONFIGURATION_LIST
as given in next section. Location of public key files for static public key configuration
For static public key configuration, the public key should be copied in a file in PEM format to the config/custom-properties
directory.
After all the changes are done, run the Privacera Manager by following these steps.
Fallback for Databricks OLAC and FGAC connectors
Copying the vars.jwt-auth.yaml
to the config/custom-vars
directory will enable JWT User Identity for all OLAC and FGAC connectors. If you want to continue using the logged-in user identity for Databricks OLAC and FGAC connectors, then you need to set this property by creating a new files in the config/custom-properties/privacera_spark_custom.properties
directory.
Bash | |
---|---|
true
. Properties | |
---|---|
To enable JWT token for User Identity in PrivaceraCloud, you need to add below properties in s3 application.
Navigate to Goto Settings
>> Applications
>> s3
>> Click on edit
Now click on Access Management
from pop-up and navigate to Advanced properties
section
Add the properties given in the next section and click on save button.
Static public key configuration¶
For static public key configuration, here are some sample configurations that you can put in the vars.jwt-auth.yaml
file. Typically you will have only one configuration, but in some cases you may have multiple configurations. The meaning of these properties is explained in the Reference section .
Dynamic public key configuration¶
Dynamic public key configuration (Without Basic Authentication)¶
YAML | |
---|---|
Reference for JWT_CONFIGURATION_LIST¶
Reference
These properties configure the payload of the JWT token:
-
index
- Description: Index of the JWT configuration. This is a unique identifier for the JWT configuration.
- Required: Yes
- Supported Values: 0, 1, 2, 3 etc.
-
issuer
- Description: Issuer of the JWT Payload. This is a string identifier. The JWT tokens that contain this value in the
iss
field will be validated using this configuration. - Required: Yes
- Description: Issuer of the JWT Payload. This is a string identifier. The JWT tokens that contain this value in the
-
subject
- Description: Subject of the JWT Payload. This is a string identifier. The JWT tokens that contain this value in the
sub
field will be used to enforce access control. - Required: Optional
- Sample Value:
infra_test_user
- Description: Subject of the JWT Payload. This is a string identifier. The JWT tokens that contain this value in the
-
secret
- Description: Secret key to validate the JWT token. This is a string identifier. JWT tokens that include this value in their
secret
field will be validated using this configuration. This is specifically applicable when the JWT token is signed and encrypted using theHS256
algorithm. - Required: Optional
- Sample Value:
mysecret
- Description: Secret key to validate the JWT token. This is a string identifier. JWT tokens that include this value in their
-
userKey
- Description: JWT Payload key for the username.
- Required: Optional
- Default:
client_id
-
groupKey
- Description: JWT Payload key for the group name.
- Required: Optional
- Default:
scope
-
parserType
- Description: Specifies how the scope or group is formatted. Choose one of the following values:
PING_IDENTITY
: Use when scope/group is an array. Example:KEYCLOAK
: Use when scope/group is space separated. Example:
- Required: Yes
- Description: Specifies how the scope or group is formatted. Choose one of the following values:
-
audience
- Description: Audience for whom the JWT token has been issued. This is a string identifier. The JWT tokens that contain this value in the
aud
field will be validated using this configuration. - Required: Optional
- Description: Audience for whom the JWT token has been issued. This is a string identifier. The JWT tokens that contain this value in the
For Static public key configuration
- publickey
- Description: JWT file name that you copied in previous steps. (in this case use Algorithm RS256)
- Required: Required only for Static public Key
For Dynamic Public Key, here are the additional properties. Note that we are providing both the Privacera Manager property | PrivaceraCloud property
.
-
pubKeyProviderEndpoint | privacera.jwt.0.token.publickey.provider.url
- Description: API URL by which we will return public key.
- Format:
https://my-sat-server/<api-to-get-public-key-by-kid>/
orhttps://my-sat-server/<api-to-get-public-key-by-kid>/?kid=
- Privacera code will add
<kid>
at the end above URL and it will become like thishttps://my-sat-server/<api-to-get-public-key-by-kid>/<kid>
orhttps://my-sat-server/<api-to-get-public-key-by-kid>/?kid=<kid>
and that API should return public key of specific key id (kid) mentioned in JWT.
- Format:
- Required: Yes
- Description: API URL by which we will return public key.
-
pubKeyProviderAuthType | privacera.jwt.0.token.publickey.provider.auth.type
- Description: Authorization type as per API URL (
BASIC
/NONE
) - Required: Optional
- Default:
NONE
- Description: Authorization type as per API URL (
-
pubKeyProviderAuthUserName | privacera.jwt.0.token.publickey.provider.auth.username
- Description: Username for JWKS Provider
- Required: Required When
pubKeyProviderAuthType=BASIC
-
pubKeyProviderAuthTypePassword | privacera.jwt.0.token.publickey.provider.auth.password
- Description: Password for JWKS Provider
- Required: Required When
pubKeyProviderAuthType=BASIC
-
pubKeyProviderJsonResponseKey | privacera.jwt.0.token.provider.response.key
- Description: JWKS Response JSON Key to get Public Key
- Required: Yes
- Default: x5c
-
jwtTokenProviderKeyId | privacera.jwt.0.token.provider.key.id
- Description: JWT Headers Key to get public key id to retrieve from JWKS Provider
- Required: Yes
Configuring OLAC and FGAC Connectors¶
Configuring AWS EMR (on EC2) and EMR-Serverless Spark OLAC connector¶
Open the vars.emr.yml file:
Add following property to enable JWT for EMR:
Bash | |
---|---|
Configuring Databricks Standard Cluster OLAC connector¶
No additional configuration is required for Databricks Standard Cluster OLAC connector when using Self Managed, Data Plane and PrivaceraCloud deployments.
Configuring Apache Spark on EKS OLAC connector¶
No additional configuration is required for Databricks Standard Cluster OLAC connector when using Self Managed, Data Plane and PrivaceraCloud deployments.
Configuring Databricks High Concurrency Cluster FGAC connector¶
No additional configuration is required for Databricks Standard Cluster OLAC connector when using Self Managed, Data Plane and PrivaceraCloud deployments.
End to end setup¶
We will walk you through an end to end setup using Python script for generating JWT token and using a Python JWKS server. These utilities are for helping you do an end to end flow. These should not be used in a production environment.
Generating JWT token using Python script¶
Create Python virtual environment and install libraries
-
Create a folder to store the script and Python virtual environment.
-
Create a requirements file to download libraries required by the script. These are open source libraries commonly used for signing and JWT creation
Add the following content to the file.Bash -
Create a Python virtual environment. This is a one time step.
Bash -
Activate the virtual environment so that you can use the virtual environment. This step is required to be done everytime you start a new shell.
Bash -
Install the required libraries. This is a one time step.
Bash -
You can deactivate the Python virtual environment when are you done.
Bash | |
---|---|
Generate RSA 256 and EC 256 key-pairs for test purpose
-
We are going to generate a RSA 256 key-pair and an EC 256 key-pair. These are for test purpose to show you how to use RSA and EC keys. Typically, you will be using only one type of signing algorithm in yours setup.
-
Generate a RSA 256 key-pair. This will be used to sign the JWT token. The private key will be encrypted using a password. You need this if you want to sign the token using a RSA 256 key.
-
Generate an EC 256 key pair. This will be used to sign the JWT token. The private key will be encrypted using a password. You need this if you want to sign the token using an EC 256 key.
Create the Python script for generating JWT token
-
Create a Python script to generate the JWT token. This script will generate a JWT token and sign it using the private key from the keypairs that we have generated. It will take a command line argument to choose the keypair to use.
Bash -
Before running the script, you can change the user_name variable to the user that you want to use. This user should be present in Privacera. You can also change the groups in the token variable. Run the script and copy the JWT token that is printed. You can generate the token using RSA or EC key by passing the argument to the script.
Bash Use the encoded value from the output of the script as the JWT_TOKEN in the EMR, Databricks or Apache Spark clusterBash -
Static key configuration Copy the public key files to the Privacera Manager configuration directory.
Configure static key JWT configuration in Privacera Manager or PrivaceraCloud
- Configure the static JWT configuration in Privacera
Use the following properties in the vars.jwt-auth.yaml
file to configure the public keys for Self Managed and Data Plane.
Use the following properties in the s3
application in PrivaceraCloud.
Test JWT configuration in Privacera Dataserver
- Now you should be able to test OLAC using the JWT token and Dataserver endpoint by using the following curl command. This is available for Self Managed and Data Plane in Privacera 9.3.0.1 onwards. Not available on PrivaceraCloud. The response will be a JSON object with the status of the token validation.
Http Status code
Text Only | |
---|---|
1 2 |
|
Content type: application/json
Response format for Valid Token
JSON | |
---|---|
Response format for Invalid Token
Response format if empty payload OR empty jwt token
Configure and test OLAC or FGAC plugin using the generated JWT token
- You can configure the OLAC and FGAC plugins and verify using the generated JWT token. You will need to have user named 'infra_test_user' in Privacera and create Access policies for that user in
privacera_s3
service repo for OLAC plugin, and inprivacera_hive
service repo for FGAC plugin.
Create Python script to run as JWKS server
-
For testing the dynamic public key configuration, you can use the following script to serve the public key using JWKS endpoint.
Paste the following code in the file.Bash Start the server and keep it running.Python 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153
import base64 import json from datetime import datetime, timedelta from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization, hashes import cryptography.hazmat.primitives.asymmetric.rsa as rsa import cryptography.hazmat.primitives.asymmetric.ec as ec from flask import Flask, request, jsonify from flask_httpauth import HTTPBasicAuth def compute_sha256_thumbprint(public_key_pem): # Load the PEM encoded public key public_key = serialization.load_pem_public_key( public_key_pem, backend=default_backend() ) # Compute SHA-256 hash of the DER encoding of the public key der_encoding = public_key.public_bytes( encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo ) sha256_hash = hashes.Hash(hashes.SHA256(), backend=default_backend()) sha256_hash.update(der_encoding) thumbprint = sha256_hash.finalize() return thumbprint def int_to_base64(n): # Determine the number of bytes required to represent the integer num_bytes = (n.bit_length() + 7) // 8 # Convert the integer to bytes int_bytes = n.to_bytes(num_bytes, byteorder='big') # Encode the bytes using base64 base64_bytes = base64.b64encode(int_bytes) # Convert the base64 bytes to a string base64_string = base64_bytes.decode('utf-8') return base64_string def get_response(kid, pem_file_path, expiry_time_delta): # Read the public key from a PEM file with open(pem_file_path, "rb") as pem_file: public_key_pem = pem_file.read() # Remove BEGIN and END headers and footers pem_lines = public_key_pem.decode('utf-8').split('\n') pem_contents = (''.join(pem_lines) .replace('-----BEGIN PUBLIC KEY-----', '') .replace('-----END PUBLIC KEY-----', '')) # Load the PEM encoded public key public_key = serialization.load_pem_public_key( public_key_pem, backend=default_backend() ) print(f"type={type(public_key)}") # Extract SHA-256 thumbprint thumbprint = compute_sha256_thumbprint(public_key_pem) thumbprint_hex = thumbprint.hex() print("PEM File (Single String without Headers and Footers):") print(pem_contents) # Check the type of the public key if isinstance(public_key, rsa.RSAPublicKey): # Extract modulus and exponent from the public key modulus = public_key.public_numbers().n exponent = public_key.public_numbers().e response = { "kty": "RSA", "use": "sig", "e": int_to_base64(modulus), "n": int_to_base64(exponent), "x5t#S256": thumbprint_hex, "x5c": [pem_contents], "kid": kid, "exp": (datetime.utcnow() + expiry_time_delta).timestamp(), } print(json.dumps(response, indent=4)) return response elif isinstance(public_key, ec.EllipticCurvePublicKey): ec_numbers = public_key.public_numbers() # Extract x and y coordinates x = ec_numbers.x y = ec_numbers.y response = { "kty": "EC", "use": "sig", "x": int_to_base64(x), "y": int_to_base64(y), "x5t#S256": thumbprint_hex, "x5c": [pem_contents], "kid": kid, "exp": (datetime.utcnow() + expiry_time_delta).timestamp(), } return response else: return "Unknown" def main(): USERNAME = 'admin' PASSWORD = 'Welcome@123' kid_dict = { 'kid_1': 'jwt-rs256-public.pem', 'kid_2': 'jwt-ec256-public.pem' } app = Flask(__name__) auth = HTTPBasicAuth() # Verify username and password for basic authentication @auth.verify_password def verify_password(username, password): return username == USERNAME and password == PASSWORD # GET API to retrieve public key by kid @app.route('/get_public_key', methods=['GET']) @auth.login_required def get_public_key(): kid = request.args.get('kid') public_key = kid_dict.get(kid) if public_key is None: return jsonify({'error': 'Public key not found'}), 404 else: return get_response(kid, public_key, timedelta(days=30)) app.run(host="0.0.0.0", port=9090, debug=True) if __name__ == "__main__": print("starting main") main() print("ending main")
Bash -
You can test this endpoint using a curl command as follows, from another shell,
Bash JSON Bash
Configure Dynamic public key using the Python JWKS server endpoint
- You can now configure the dynamic public key configuration in Privacera. You have to remove the private key files of the static key from the
~/privacera/privacera-manager/config/custom-properties
folder as the JWKS endpoint will be used by Privacera Dataserver and Databricks FGAC plugin to get the public key to verify the JWT signature.
Use the following properties in the vars.jwt-auth.yaml
file to configure the public keys for Self Managed and Data Plane.
use the following properties in the s3
application in PrivaceraCloud.
After Privacera Manager has been run so that it restarts the Privacera Dataserver, you can use the dataserver test endpoint as given above. You can then test the OLAC plugin. Similarly, you will have to upload the newly generated FGAC plugin configuration and us it to test the FGAC plugin.