Databricks SQL#

This topic shows how to configure access control in Databricks SQL.

Prerequisites#

Ensure the following prerequisite is met:

Create an endpoint in Databricks SQL with a user having admin privileges. For more information, refer to Create an endpoint in Databricks SQL.
As you configure the endpoint using the link provided above, get the following values:
- Host URL
- JDBC URL
- JDBC password
- Database List

CLI Configuration#

SSH to the instance where Privacera is installed.

Run the following commands.

cd ~/privacera/privacera-manager/config
cp sample-vars/vars.policysync.databricks.sql.analytics.yml custom-vars/
vi config/custom-vars/vars.policysync.databricks.sql.analytics.yml

Set the properties for your specific installation. For property details and description, see the Configuration Properties section that follows.

Note

Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see Databricks SQL Connector.

Run the following commands.

cd ~/privacera/privacera-manager
./privacera-manager.sh update

Configuration Properties#

Property	Mandatory	Description	Default Value	Example
`DATABRICKS_SQL_ANALYTICS_V2_ENABLE`	Yes	Property to enable/disable the Databricks SQL Analytics.	`true`	`true`/`false`
`DATABRICKS_SQL_ANALYTICS_JDBC_URL`	Yes	Get its value from the Prerequisites section. This property used to set JDBC URL which can be used to connect to Databricks SQL endpoint. JDBC URL must follow below convention: jdbc:spark://:443/;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890		`jdbc:spark://example.cloud.databricks.com:443/default;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890`
`DATABRICKS_SQL_ANALYTICS_JDBC_DB`	Yes	This property used to set JDBC database to be used to make initial connection to Databricks SQL endpoint.	`default`
`DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME`	Yes	Get its value from the Prerequisites section. This property is used to specify the jdbc username that will be used to connect to the databricks sql endpoint. This is simply an email address used to access Databricks and manage the SQL endpoint.
`DATABRICKS_SQL_ANALYTICS_JDBC_PASSWORD`	Yes	Get its value from the Prerequisites section. This is a personal access token used to access the Databricks SQL endpoint, which is created in Databricks in SQL endpoints > Create a personal access token.		`dapi71fxxxxxxxxxxxxxa10ba8d53`
`DATABRICKS_SQL_ANALYTICS_HOST_URL`	Yes	Get its value from the Prerequisites section. This property is used to make a call to SQL analytics API for users/groups/audits. It must be the base URL of Databricks.		`https://example.cloud.databricks.com`
`DATABRICKS_SQL_ANALYTICS_OWNER_ROLE`	Yes	This property is used to specify who owns the resources managed by PolicySync. The specified user will become the owner of all managed resources and will have complete control over them. We allow you to change the owner of your database, tables, and views. Note: If the owner role is left blank, ownership will not change, and users who create tables/views or other objects will be the owners of those objects, and PolicySync will not be able to control access to those objects.
`DATABRICKS_SQL_ANALYTICS_MANAGE_DATABASE_LIST`	Yes	This property specifies a comma-separated list of database names for which PolicySync manages access control. If you want to manage all databases, you can skip this property. This also accepts wildcards. The manage database list takes precedence over the ignore database list. For example, `testdb1, testdb2, sales db*`		`testdb1, testdb2, sales db*`
`DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITIES`	Yes	Property to enable/disable manage user/group/role.	`false`	`false`
`DATABRICKS_SQL_ANALYTICS_GRANT_UPDATES`	Yes	This property determines whether actual grant/revoke and create/update/delete queries for user/group/role must be run on Databricks SQL.	`false`	`false`
`DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITY_PREFIX`		Property to put the prefix for user/group/roles to be managed, so only user/group/roles with specified prefixes will be managed. Keep it commented to manage all user/group/roles present in Ranger.	`dev_,sa_`
`DATABRICKS_SQL_ANALYTICS_ENTITY_ROLE_PREFIX`		Property to set the prefixes for roles to be created in the database.	`priv_`
`DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST`		This property specifies a comma-separated list of user names for which PolicySync manages access control. If you want to manage all users, you can skip this property. This also works with wildcards. The ignore users list takes precedence over the manage users list. For example, `user1,user2,dev_user*`		`user1,user2,dev_user*`
`DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST`		This property specifies a comma-separated list of group names for which PolicySync manages access control. If you want to manage all groups, you can skip this property. This also works with wildcards. The ignore group list takes precedence over the manage groups list. For example, `group1,group2,dev_group*`		`group1,group2,dev_group*`
`DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST`		This property specifies a comma-separated list of role names for which PolicySync manages access control. If you want to manage all roles, you can skip this property. This also accepts wildcards. The manage role list takes precedence over the ignore role list. For example, `role1,role2,dev_role*`		`role1,role2,dev_role*`
`DATABRICKS_SQL_ANALYTICS_IGNORE_USER_LIST`		This property specifies a comma-separated list of user names for which PolicySync does not manage access control. If you do not want to ignore any users, you can leave this property blank. This also accepts wildcards. This takes precedence over the list of users to manage. For example, `user1,user2,dev_user*`		`user1,user2,dev_user*`
`DATABRICKS_SQL_ANALYTICS_IGNORE_GROUP_LIST`		This property specifies a comma-separated list of group names for which PolicySync does not manage access control. If you do not want to ignore any groups, you can leave this property blank. This also accepts wildcards. This takes precedence over the list of manage groups. For example, `group1,group2,dev_group*`		`group1,group2,dev_group*`
`DATABRICKS_SQL_ANALYTICS_IGNORE_ROLE_LIST`		This property specifies a comma-separated list of role names for which PolicySync does not manage access control. If you do not want to ignore any roles, you can leave this property blank. This also works with wildcards. This takes precedence over the manage roles list. For example, `role1,role2,dev role*`		`role1,role2,dev_role*`
`DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_GROUP`		Set this property to `true` if you only want to manage users who belong to the groups specified in the `DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST` property.	`false`
`DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS`		This property determines whether PolicySync manages a group in the Databricks SQL endpoint when groups are retrieved from Ranger.	`true`
`DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_MASKING`		Set this property to `true`, if you want to enable secure view-based masking in Databricks SQL PolicySync. Note:- Databricks SQL does not support native masking. It is recommended to use view-based masking.	`true`	`true`/`false`
`DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_ROW_FILTER`		Set this property to `true`, if you want to enable secure view-based row filter in Databricks SQL PolicySync. Note:- Databricks SQL supports native row filters, but due to some limitations, it is recommended to use view-based row filter.		`true`
`DATABRICKS_SQL_ANALYTICS_USE_HIVE_ACCESS_POLICIES`		Uncomment and set this property to `true` to use privacera_hive service instead of privacera_databricks_sql_analytics. After setting the PM property the policysync will start syncing the policies from privacera_hive and the only highlight will be the deny and exclude from allow/deny will not work as expected. Because the policysync only support Allow condition for now.	`true`	`true`/`false`