
Privacera Documentation


Databricks SQL connector properties for PolicySync on Privacera Platform

These Databricks SQL connector properties can be set for PolicySync in Privacera Platform.

The properties are grouped by general function, such as JDBC connection properties, properties for user, group, and role management, and other functions.

The properties are also categorized as BASIC or ADVANCED:

  • BASIC pertains to the most fundamental aspects of the connector, such as authentication.

  • ADVANCED indicates additional features beyond the BASICs, such as row-filtering or group member handling.

Start by setting the BASIC fields described here and then examine the ADVANCED fields to determine which of these features you might want to enable.

For a general process to migrate values from old YAML files to the new YAML files, see Migration to PolicySync v2 on Privacera Platform 7.2.

Table columns: Category | Property name | Description | Default | Allowable values

JDBC configuration properties

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_JDBC_URL

This property sets the JDBC URL used to connect to the Databricks SQL endpoint. The URL should follow this convention: jdbc:spark://<WORKSPACE_URL>:443/<DATABASE>;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890 Example: jdbc:spark://example.cloud.databricks.com:443/default;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME

This property sets the JDBC user name used to connect to the Databricks SQL endpoint. This is simply the email address used to log in to Databricks to manage the SQL endpoint (for example, eric.yuan@privacera.com).

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_JDBC_PASSWORD

This is a personal access token used to access the Databricks SQL endpoint. It is created in Databricks by going to SQL endpoints and then "Create a personal access token". It should look like this: dapi71f8493d87bce9847d09e17a10ba8d53

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_JDBC_DB

This property sets the JDBC database used for the initial connection to the Databricks SQL endpoint.

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_OWNER_ROLE

This property sets the owner of all resources managed by PolicySync. The specified user becomes the owner of all managed resources and has full control over them. Changing the owner of databases, tables, and views is supported.

Note

If the owner role is left blank, ownership is not changed: the user who creates a table, view, or any other object remains its owner, and PolicySync cannot apply access control to that object.

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_HOST_URL

This property is used to call the SQL analytics API for users, groups, and audits. It should simply be the base URL of Databricks, for example https://db1.cloud.databricks.com/

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_DEFAULT_USER_PASSWORD

This property sets the password that PolicySync assigns to every new user it creates.
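As an added example (not Privacera's code), the following Python parses a JDBC URL of the form described above and reports settings that deviate from the documented convention. The parameter names and values come from the page's example URL; the port check, the required-value table, and the function names are this example's own assumptions.

```python
import re

# Values the documented URL convention uses (transportMode=http, ssl=1,
# AuthMech=3). Treating them as *required* is this example's assumption.
REQUIRED = {"transportMode": "http", "ssl": "1", "AuthMech": "3"}


def parse_jdbc_url(url: str) -> dict:
    """Split 'jdbc:spark://<host>:<port>/<db>;k=v;k=v' into its parts."""
    m = re.fullmatch(r"jdbc:spark://([^:/;]+):(\d+)/([^;]*)(?:;(.*))?", url)
    if not m:
        raise ValueError(
            "URL does not follow the jdbc:spark://<host>:<port>/<db>;k=v;... convention"
        )
    host, port, database, params = m.groups()
    props = {}
    for kv in (params or "").split(";"):
        if not kv:
            continue
        if "=" not in kv:
            raise ValueError(f"malformed connection parameter {kv!r}")
        key, value = kv.split("=", 1)
        props[key] = value
    return {"host": host, "port": int(port), "database": database, "props": props}


def check_jdbc_url(url: str) -> list:
    """Return a list of problems found in the URL; an empty list means it matches the convention."""
    info = parse_jdbc_url(url)
    problems = []
    if info["port"] != 443:
        problems.append(f"unexpected port {info['port']} (convention uses 443)")
    for key, want in REQUIRED.items():
        got = info["props"].get(key)
        if got != want:
            problems.append(f"{key} should be {want!r}, got {got!r}")
    if not info["props"].get("httpPath", "").startswith("/sql/1.0/endpoints/"):
        problems.append("httpPath should point at /sql/1.0/endpoints/<endpoint id>")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's example URL with ssl switched off.
    sample = ("jdbc:spark://example.cloud.databricks.com:443/default;"
              "transportMode=http;ssl=0;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890")
    for problem in check_jdbc_url(sample):
        print("problem:", problem)
```

Run the check before the first sync: a URL that silently drops `ssl=1` still connects, but the token in CONNECTOR_DATABRICKS_SQL_ANALYTICS_JDBC_PASSWORD would then travel over an unencrypted channel.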

Resources management

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_DATABASE_LIST

This property sets a comma-separated list of database names whose access control PolicySync should manage. If you want to manage all databases, skip this property. Wildcards are supported. The ignore database list takes precedence over the manage database list. Example: testdb1,testdb2,sales_db*.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_TABLE_LIST

This property sets a comma-separated list of fully qualified table/view names whose access control PolicySync should manage. If you want to manage all tables and views, skip this property. Wildcards are supported. The ignore table list takes precedence over the manage table list. Example: testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_DATABASE_LIST

This property sets a comma-separated list of database names whose access control you do not want PolicySync to manage. If you do not want to ignore any database, skip this property. Wildcards are supported. This list takes precedence over the manage database list. Example: testdb1,testdb2,sales_db*.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_TABLE_LIST

This property sets a comma-separated list of fully qualified table/view names whose access control you do not want PolicySync to manage. If you do not want to ignore any tables or views, skip this property. Wildcards are supported. This list takes precedence over the manage table list. Example: testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*.

Note

Values for this property are case-sensitive.

Users/Groups/Roles management

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_NAME_REPLACE_FROM_REGEX

This property takes a regular expression, finds the matching characters in a user name, and replaces them with the string specified in CONNECTOR_DATABRICKS_SQL_ANALYTICS_NAME_REPLACE_TO_STRING. If left blank, no find-and-replace is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regular expression in CONNECTOR_DATABRICKS_SQL_ANALYTICS_NAME_REPLACE_FROM_REGEX. If left blank, no find-and-replace is performed.

_

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX

This property takes a regular expression, finds the matching characters in a user name, and replaces them with the string specified in CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING. If left blank, no find-and-replace is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regular expression in CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_REPLACE_FROM_REGEX. If left blank, no find-and-replace is performed.

_

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX

This property takes a regular expression, finds the matching characters in a group name, and replaces them with the string specified in CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING. If left blank, no find-and-replace is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regular expression in CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_REPLACE_FROM_REGEX. If left blank, no find-and-replace is performed.

_

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX

This property takes a regular expression, finds the matching characters in a role name, and replaces them with the string specified in CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING. If left blank, no find-and-replace is performed.

[~`$&+:;=?@#|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_TO_STRING

The value of this property replaces the characters matched by the regular expression in CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_REPLACE_FROM_REGEX. If left blank, no find-and-replace is performed.

_

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY

After users are loaded from the Ranger APIs, all names are converted to lowercase, but in some cases you need the user names to keep the same case as in Ranger. When this property is set to true, names keep the case they have in Ranger.

false

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After groups are loaded from the Ranger APIs, all names are converted to lowercase, but in some cases you need the names to keep the same case as in Ranger. When this property is set to true, names keep the case they have in Ranger.

false

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After roles are loaded from the Ranger APIs, all names are converted to lowercase, but in some cases you need the names to keep the same case as in Ranger. When this property is set to true, names keep the case they have in Ranger.

false

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_CREATE_USER

This property controls whether PolicySync should create users in the Databricks SQL endpoint for users fetched from Ranger.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USERS

This property controls whether PolicySync should create roles in the Databricks SQL endpoint for users fetched from Ranger.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_DELETE_USERS

When this property is set to true, PolicySync deletes users in Databricks when they are deleted in Portal. The property is false by default, because deleting users in Databricks wipes out their access tokens and other information.

false

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS

This property controls whether PolicySync should create roles in the Databricks SQL endpoint for groups fetched from Ranger.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_ROLES

This property controls whether PolicySync should create roles in the Databricks SQL endpoint for roles fetched from Ranger.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST

This property sets a comma-separated list of user names whose access control PolicySync should manage. If you want to manage all users, skip this property. Wildcards are supported. The ignore user list takes precedence over the manage user list. Example: user1,user2,dev_user*

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST

This property sets a comma-separated list of group names whose access control PolicySync should manage. If you want to manage all groups, skip this property. Wildcards are supported. The ignore group list takes precedence over the manage group list. Example: group1,group2,dev_group*

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST

This property sets a comma-separated list of role names whose access control PolicySync should manage. If you want to manage all roles, skip this property. Wildcards are supported. The ignore role list takes precedence over the manage role list. Example: role1,role2,dev_role*

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_USER_LIST

This property sets a comma-separated list of user names whose access control you do not want PolicySync to manage. If you do not want to ignore any users, skip this property. Wildcards are supported. This list takes precedence over the manage user list. Example: user1,user2,dev_user*

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_GROUP_LIST

This property sets a comma-separated list of group names whose access control you do not want PolicySync to manage. If you do not want to ignore any groups, skip this property. Wildcards are supported. This list takes precedence over the manage group list. Example: group1,group2,dev_group*

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_IGNORE_ROLE_LIST

This property sets a comma-separated list of role names whose access control you do not want PolicySync to manage. If you do not want to ignore any roles, skip this property. Wildcards are supported. This list takes precedence over the manage role list. Example: role1,role2,dev_role*
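The manage/ignore list rules are the same for databases and tables (Resources management) and for users, groups and roles (this section): a blank manage list means "manage everything", the ignore list always wins, matching is case-sensitive, and wildcards are allowed. The following Python is an added example (not Privacera's code) of that decision logic; glob-style `*` matching, applied component by component to dotted table names so a pattern cannot match across a dot, is this example's own assumption about how the wildcards behave.

```python
from fnmatch import fnmatchcase


def parse_list(value: str) -> list:
    """Split a comma-separated property value; a blank value yields no entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def matches(name: str, pattern: str) -> bool:
    """Case-sensitive glob match (fnmatchcase never folds case).

    Dotted names such as db.schema.table are compared component-wise, so
    'sales_db*.sales*.*' only matches three-part names and 'sales_db*' only
    matches bare database names. (Assumption of this example.)
    """
    name_parts, pattern_parts = name.split("."), pattern.split(".")
    if len(name_parts) != len(pattern_parts):
        return False
    return all(fnmatchcase(n, p) for n, p in zip(name_parts, pattern_parts))


def is_managed(name: str, manage_list: str = "", ignore_list: str = "") -> bool:
    """Apply the documented precedence: ignore list first, then manage list."""
    if any(matches(name, p) for p in parse_list(ignore_list)):
        return False                       # ignore list has precedence
    manage = parse_list(manage_list)
    if not manage:
        return True                        # no manage list: manage everything
    return any(matches(name, p) for p in manage)


if __name__ == "__main__":
    # Constructed sample values, using the page's example patterns.
    checks = [
        ("sales_db_2023", "testdb1,testdb2,sales_db*", ""),
        ("TestDB1", "testdb1,testdb2,sales_db*", ""),            # case-sensitive
        ("sales_db1.sales2023.orders", "sales_db*.sales*.*", ""),
        ("dev_user7", "user1,user2,dev_user*", "dev_user*"),      # ignore wins
    ]
    for name, manage, ignore in checks:
        print(f"{name:30} managed={is_managed(name, manage, ignore)}")
```

The case-sensitivity note on the page is the usual source of surprises: a manage list entry of `testdb1` leaves `TestDB1` unmanaged, so it is worth running names you expect to be covered through a check like this before enabling grants.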

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_ROLE_PREFIX

This property sets a prefix for the roles that PolicySync creates in the Databricks SQL endpoint for groups from Ranger. For example, if you have a group named dev in Ranger and you define the prefix as test_group_, the role created for dev in the Databricks SQL endpoint is named test_group_dev.

Note

This property does not exist for users because users log in with email addresses instead of user names.

priv_group_

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_ROLE_PREFIX

This property sets a prefix for the roles that PolicySync creates in the Databricks SQL endpoint for roles from Ranger. For example, if you have a role named finance in Ranger and you define the prefix as test_role_, the role created for finance in the Databricks SQL endpoint is named test_role_finance.

Note

This property does not exist for users because users log in with email addresses instead of user names.

priv_role_
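Taken together, the *_NAME_REPLACE_FROM_REGEX, *_NAME_REPLACE_TO_STRING, *_PERSIST_CASE_SENSITIVITY and *_ROLE_PREFIX properties describe a naming pipeline: lowercase the Ranger name unless case is persisted, replace the characters the regex matches, then (for groups and roles) prepend the prefix. The following Python is an added example (not Privacera's code) of that pipeline with the page's defaults. The regex is shown on the page in YAML-escaped form; the unescaped character class below is this example's reading of it, and the function names, the processing order and the `kind` argument are assumptions.

```python
import re

# Page defaults. DEFAULT_REPLACE_FROM is our unescaped reading of the
# YAML-escaped value shown on the page (assumption).
DEFAULT_REPLACE_FROM = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-/\\{}]"
DEFAULT_REPLACE_TO = "_"
GROUP_ROLE_PREFIX = "priv_group_"
ROLE_ROLE_PREFIX = "priv_role_"


def normalize_name(name: str,
                   replace_from: str = DEFAULT_REPLACE_FROM,
                   replace_to: str = DEFAULT_REPLACE_TO,
                   persist_case: bool = False) -> str:
    """Lowercase (unless case is persisted) and apply the find-and-replace.

    As documented, a blank regex or a blank replacement string disables the
    find-and-replace step entirely.
    """
    if not persist_case:
        name = name.lower()
    if replace_from and replace_to:
        name = re.sub(replace_from, replace_to, name)
    return name


def databricks_principal(kind: str, name: str, **options) -> str:
    """Name PolicySync would use in Databricks for a Ranger user, group or role.

    Groups and roles become prefixed roles; users get no prefix (the page notes
    that the prefix property does not exist for users).
    """
    base = normalize_name(name, **options)
    if kind == "user":
        return base
    prefix = {"group": GROUP_ROLE_PREFIX, "role": ROLE_ROLE_PREFIX}[kind]
    return prefix + base


if __name__ == "__main__":
    # Constructed sample names.
    for kind, name in [("group", "Finance/Ops"), ("role", "dev"), ("user", "j.doe")]:
        print(f"{kind:5} {name:12} -> {databricks_principal(kind, name)}")
    print("case persisted:", databricks_principal("group", "Finance/Ops", persist_case=True))
```

Two names that differ only in punctuation (`finance/ops` and `finance-ops`, say) collapse to the same Databricks role under the default regex, so grants intended for one would apply to both; checking Ranger names for such collisions before enabling the connector avoids an unintended widening of access.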

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_USE_NATIVE_PUBLIC_GROUP

Set this property to true if you want PolicySync to use the "public" group in Databricks for access grants whenever a policy refers to the public group.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_GROUP

Set this property to true if you want to manage only the users who belong to the groups defined in the manage group list property.

false

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_ROLE

Set this property to true if you want to manage only the users who belong to the roles defined in the manage role list property.

false

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_USE_EMAIL_AS_SERVICE_NAME

This property maps the user name to the email address when running grant/revoke statements.

true

Access control management

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_MASKING

Set this property to true if you want to enable secure-view-based masking in Databricks PolicySync.

Note

Databricks does not support native masking, so view-based masking is recommended.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true if you want to enable secure-view-based row filtering in Databricks PolicySync.

Note

Databricks does not support native row filters, so view-based row filters are recommended.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true if you want to create a secure view for all tables and for all views created by end users. A secure view is then created for each resource regardless of whether any masking or row filter policy exists in Ranger.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MASKED_NUMBER_VALUE

This property specifies the default masking value for numeric columns.

0

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_MASKED_TEXT_VALUE

This property specifies the default masking value for text/string columns.

<MASKED>'

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_PREFIX

By default, the secure views used for view-based row filtering and masking have the same name as the table, suffixed with _secure. To change the secure view name prefix and postfix, set these properties. When a prefix and postfix are specified, the view name has this format: {prefix}{table_name}{postfix}

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_NAME_POSTFIX

By default, the secure views used for view-based row filtering and masking have the same name as the table, suffixed with _secure. To change the secure view name prefix and postfix, set these properties. When a prefix and postfix are specified, the view name has this format: {prefix}{table_name}{postfix}

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_PREFIX

By default, the secure views used for view-based row filtering and masking have the same schema name as the table's database name. To change the secure view database name prefix and postfix, set these properties. When a prefix and postfix are specified, the view database name has this format: {prefix}{view_database_name}{postfix}

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_SECURE_VIEW_DATABASE_NAME_POSTFIX

By default, the secure views used for view-based row filtering and masking have the same database name as the table's database name. To change the secure view database name prefix and postfix, set these properties. When a prefix and postfix are specified, the view database name has this format: {prefix}{view_database_name}{postfix}

_secure

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_GRANT_UPDATES

This property controls whether the actual grant/revoke statements and the create/update/delete queries for users, groups, and roles are run on the Databricks SQL endpoint.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_ENABLE_DATA_ADMIN

This property enables the data admin feature. With data admin enabled, you create all policies on the table or native view, and by default the corresponding grants are made on the secure view of that table or native view; this secure view also provides row filtering and masking. If you need permission on the table itself, select the permissions you want plus dataadmin in the policy; in that case the permissions are granted on both the table/native view and its secure view.

true
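To make the view-based approach in this section concrete, the following Python is an added example (not Privacera's code) that builds the DDL of a secure view from the naming properties ({prefix}{table_name}{postfix}, {prefix}{view_database_name}{postfix}) and the default masking values (0 and '<MASKED>'). The CASE ... is_member() shape of the masking expression, the column-type rule that picks the numeric or text default, and the function names are this example's own assumptions about how such a view could be written, not PolicySync's actual generated SQL.

```python
# Page defaults for the masking values; the text value is used as a SQL
# string literal here (assumption).
MASKED_NUMBER_VALUE = "0"
MASKED_TEXT_VALUE = "'<MASKED>'"

# Column types treated as numeric for choosing the masking default (assumption).
NUMERIC_TYPES = {"tinyint", "smallint", "int", "bigint", "float", "double", "decimal"}


def secure_view_name(table_name: str, prefix: str = "", postfix: str = "_secure") -> str:
    """{prefix}{table_name}{postfix}, with the documented _secure default."""
    return f"{prefix}{table_name}{postfix}"


def secure_view_database(db_name: str, prefix: str = "", postfix: str = "") -> str:
    """{prefix}{view_database_name}{postfix}; by default the table's own database."""
    return f"{prefix}{db_name}{postfix}"


def mask_expression(column: str, col_type: str, unmasked_group: str = None) -> str:
    """Select-list entry that returns the masking default instead of the raw value.

    If an unmasked group is given, members of that Databricks group (tested
    with the is_member() builtin) see the real value; everyone else sees the
    default. Column names are assumed to come from trusted catalog metadata.
    """
    default = MASKED_NUMBER_VALUE if col_type.lower() in NUMERIC_TYPES else MASKED_TEXT_VALUE
    if unmasked_group is None:
        return f"{default} AS {column}"
    return f"CASE WHEN is_member('{unmasked_group}') THEN {column} ELSE {default} END AS {column}"


def build_secure_view(database: str, table: str, columns: list, masked_columns=(),
                      row_filter: str = None, unmasked_group: str = None,
                      name_prefix: str = "", name_postfix: str = "_secure",
                      db_prefix: str = "", db_postfix: str = "") -> str:
    """Return CREATE OR REPLACE VIEW DDL for the secure view of database.table.

    columns is a list of (name, type) pairs; row_filter is a SQL predicate
    taken from the policy (it is SQL by design, so it must come from the
    policy store, never from a query user).
    """
    view_db = secure_view_database(database, db_prefix, db_postfix)
    view = secure_view_name(table, name_prefix, name_postfix)
    select_list = [
        mask_expression(col, col_type, unmasked_group) if col in masked_columns else col
        for col, col_type in columns
    ]
    lines = [
        f"CREATE OR REPLACE VIEW {view_db}.{view} AS",
        "SELECT",
        "  " + ",\n  ".join(select_list),
        f"FROM {database}.{table}",
    ]
    if row_filter:
        lines.append(f"WHERE {row_filter}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample table and policy.
    cols = [("order_id", "bigint"), ("amount", "decimal"), ("customer_email", "string")]
    print(build_secure_view("sales", "orders", cols,
                            masked_columns={"amount", "customer_email"},
                            row_filter="country = 'US'",
                            unmasked_group="priv_group_finance"))
```

Because the secure view, not the base table, is what end users are granted access to (see the data admin property above), the base table's own grants should stay limited to the owner role; otherwise a user can simply query the unmasked table directly.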

Access audits management

BASIC

CONNECTOR_DATABRICKS_SQL_ANALYTICS_AUDIT_ENABLE

This property enables fetching of access audits from the Databricks SQL endpoint.

true

ADVANCED

CONNECTOR_DATABRICKS_SQL_ANALYTICS_AUDIT_EXCLUDED_USERS

This property excludes the listed users when pushing audit logs to Ranger access audits. It is recommended to set this to the JDBC user name, since the PolicySync application itself generates audits.

{{DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME}}