Skip to main content

Privacera Documentation

Configure JSON Web Tokens for Databricks

You can configure JSON Web Tokens (JWT) for Databricks.

Prerequisites
Procedure

To configure JSON Web Tokens (JWT) for Databricks, do the following:

  1. (Optional) Create a JWT. If you already have a token, skip this step. For more information, see JWT docs.

    1. Algorithm=RSA256

    2. When JWT_PARSER_TYPE is KEYCLOAKS (scope/group is space separator)

      {
      "scope": "jwt:role1 jwt:role2",
      "client_id": "privacera-test-jwt-user",
      "iss": "privacera","exp": <PLEASE_UPDATE>
      }
    3. When JWT_PARSER_TYPE is PING_IDENTITY (scope/group is array)

      {
      "scope": [
          "jwt:role1",
          "jwt:role1"
      ],
      "client_id": "privacera-test-jwt-user",
      "iss": "privacera",
      "exp": <PLEASE_UPDATE>
      }
    4. Paste public/private key in input box.

    5. Copy the generated JWT Token.

  2. Log in to the Databricks portal and write the following JWT file in a cluster file:

    %python
    JWT_TOKEN="<PLEASE_UPDATE>"
    TOKEN_LOCAL_FILE="/tmp/ptoken.dat"
    f = open(TOKEN_LOCAL_FILE, "w")
    f.write(JWT_TOKEN)
    f.close()

    The Privacera plugin can now read and perform access-control based on the token user.

Use case: Reading files from the cloud using JSON Web Token

  1. Read the files in the file explorer of your cloud provider from your notebook.

  2. Depending on your cloud provider, enter the location of your cloud files in the <path-to-your-cloud-files>:

    %python spark.read.csv("<path-to-your-cloud-files>").show()
  3. Check the audits. For more information, see Audits.

    You should get JWT user (privacera-test-jwt-user) which was specified in the payload while creating the JWT.

  4. To give permissions on a resource, create a group in the Privacera Portal similar to the scope of the JWT payload and give access to the group.

    Privacera plugin extracts the user-group mapping from the JWT payload and passes the group during access check.

    Note

    You do not need to create a user or do user-group mapping in Privacera.