Skip to content

Databricks SQL#

This topic shows how to configure access control in Databricks SQL.

Prerequisites#

Ensure the following prerequisite is met:

  • Create an endpoint in Databricks SQL with a user having admin privileges. For more information, refer to Create an endpoint in Databricks SQL.

  • As you configure the endpoint using the link provided above, get the following values:

    • Host URL
    • JDBC URL
    • JDBC password
    • Database List

CLI Configuration#

  1. SSH to the instance where Privacera is installed.

  2. Run the following commands.

    cd ~/privacera/privacera-manager/config
    cp sample-vars/vars.policysync.databricks.sql.analytics.yml custom-vars/
    vi config/custom-vars/vars.policysync.databricks.sql.analytics.yml
    
  3. Set the properties for your specific installation. For property details and description, see the Configuration Properties section that follows.

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see Databricks SQL Connector.

  4. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Configuration Properties#

Property Mandatory Description Default Value Example
DATABRICKS_SQL_ANALYTICS_V2_ENABLE Yes Property to enable/disable the Databricks SQL Analytics. true true/false
DATABRICKS_SQL_ANALYTICS_JDBC_URL Yes

Get its value from the Prerequisites section.

This property used to set JDBC URL which can be used to connect to Databricks SQL endpoint.

JDBC URL must follow below convention:
jdbc:spark://:443/;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890

jdbc:spark://example.cloud.databricks.com:443/default;transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/endpoints/1234567890
DATABRICKS_SQL_ANALYTICS_JDBC_DB Yes This property used to set JDBC database to be used to make initial connection to Databricks SQL endpoint. default
DATABRICKS_SQL_ANALYTICS_JDBC_USERNAME Yes

Get its value from the Prerequisites section.

This property is used to specify the jdbc username that will be used to connect to the databricks sql endpoint.
This is simply an email address used to access Databricks and manage the SQL endpoint.

   
DATABRICKS_SQL_ANALYTICS_JDBC_PASSWORD Yes

Get its value from the Prerequisites section.

This is a personal access token used to access the Databricks SQL endpoint, which is created in Databricks in SQL endpoints > Create a personal access token.

  dapi71fxxxxxxxxxxxxxa10ba8d53
DATABRICKS_SQL_ANALYTICS_HOST_URL Yes

Get its value from the Prerequisites section.

This property is used to make a call to SQL analytics API for users/groups/audits. It must be the base URL of Databricks.

https://example.cloud.databricks.com
DATABRICKS_SQL_ANALYTICS_OWNER_ROLE Yes

This property is used to specify who owns the resources managed by PolicySync. The specified user will become the owner of all managed resources and will have complete control over them. We allow you to change the owner of your database, tables, and views.

Note: If the owner role is left blank, ownership will not change, and users who create tables/views or other objects will be the owners of those objects, and PolicySync will not be able to control access to those objects.

DATABRICKS_SQL_ANALYTICS_MANAGE_DATABASE_LIST Yes This property specifies a comma-separated list of database names for which PolicySync manages access control.
If you want to manage all databases, you can skip this property.
This also accepts wildcards.
The manage database list takes precedence over the ignore database list.
For example, testdb1, testdb2, sales db*
testdb1, testdb2, sales db*
DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITIES Yes Property to enable/disable manage user/group/role. false false
DATABRICKS_SQL_ANALYTICS_GRANT_UPDATES Yes

This property determines whether actual grant/revoke and create/update/delete queries for user/group/role must be run on Databricks SQL.

false false
DATABRICKS_SQL_ANALYTICS_MANAGE_ENTITY_PREFIX

Property to put the prefix for user/group/roles to be managed, so only user/group/roles with specified prefixes will be managed.

Keep it commented to manage all user/group/roles present in Ranger.

dev_*,sa_*
DATABRICKS_SQL_ANALYTICS_ENTITY_ROLE_PREFIX Property to set the prefixes for roles to be created in the database. priv_
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_LIST This property specifies a comma-separated list of user names for which PolicySync manages access control.
If you want to manage all users, you can skip this property.
This also works with wildcards.
The ignore users list takes precedence over the manage users list.
For example, user1,user2,dev_user*

user1,user2,dev_user*
DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST This property specifies a comma-separated list of group names for which PolicySync manages access control.
If you want to manage all groups, you can skip this property.
This also works with wildcards.
The ignore group list takes precedence over the manage groups list.
For example, group1,group2,dev_group*

group1,group2,dev_group*
DATABRICKS_SQL_ANALYTICS_MANAGE_ROLE_LIST This property specifies a comma-separated list of role names for which PolicySync manages access control.
If you want to manage all roles, you can skip this property.
This also accepts wildcards.
The manage role list takes precedence over the ignore role list.
For example, role1,role2,dev_role*
role1,role2,dev_role*
DATABRICKS_SQL_ANALYTICS_IGNORE_USER_LIST This property specifies a comma-separated list of user names for which PolicySync does not manage access control.
If you do not want to ignore any users, you can leave this property blank.
This also accepts wildcards.
This takes precedence over the list of users to manage.
For example, user1,user2,dev_user*
user1,user2,dev_user*
DATABRICKS_SQL_ANALYTICS_IGNORE_GROUP_LIST This property specifies a comma-separated list of group names for which PolicySync does not manage access control.
If you do not want to ignore any groups, you can leave this property blank.
This also accepts wildcards.
This takes precedence over the list of manage groups.
For example, group1,group2,dev_group*
group1,group2,dev_group*
DATABRICKS_SQL_ANALYTICS_IGNORE_ROLE_LIST This property specifies a comma-separated list of role names for which PolicySync does not manage access control.
If you do not want to ignore any roles, you can leave this property blank.
This also works with wildcards.
This takes precedence over the manage roles list.
For example, role1,role2,dev role*
role1,role2,dev_role*
DATABRICKS_SQL_ANALYTICS_MANAGE_USER_FILTERBY_GROUP Set this property to true if you only want to manage users who belong to the groups specified in the DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_LIST property. false
DATABRICKS_SQL_ANALYTICS_MANAGE_GROUPS This property determines whether PolicySync manages a group in the Databricks SQL endpoint when groups are retrieved from Ranger. true
DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view-based masking in Databricks SQL PolicySync.

Note:- Databricks SQL does not support native masking. It is recommended to use view-based masking.

true true/false
DATABRICKS_SQL_ANALYTICS_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true, if you want to enable secure view-based row filter in Databricks SQL PolicySync.

Note:- Databricks SQL supports native row filters, but due to some limitations, it is recommended to use view-based row filter.

true
DATABRICKS_SQL_ANALYTICS_USE_HIVE_ACCESS_POLICIES

Uncomment and set this property to true to use **privacera_hive** service instead of **privacera_databricks_sql_analytics**. After setting the PM property the policysync will start syncing the policies from privacera_hive and the only highlight will be the deny and exclude from allow/deny will not work as expected. Because the policysync only support Allow condition for now.

true true/false