JSON Web Tokens#
This topic shows how to authenticate Privacera services using JSON web tokens (JWT).
Supported services:
- Databricks plugin (OLAC/FGAC)
- Open Spark plugin (OLAC/FGAC)
- Dataserver API to generate signature for spark OLAC plugin
Prerequisites#
Ensure the following prerequisites are met:
- Get the identity provider URL that is allowed in the issuer claim of a JWT.
- Get the public key from the provider that Privacera services can use to validate JWT.
Configuration#
1. SSH to the instance as USER.

2. Copy the public key into the `~/privacera/privacera-manager/config/custom-properties` folder.

3. Run the following commands.

   ```bash
   cd ~/privacera/privacera-manager/config
   cp sample-vars/vars.jwt-auth.yaml custom-vars
   vi custom-vars/vars.jwt-auth.yaml
   ```

4. Edit the properties.

   | Property | Description | Example |
   |---|---|---|
   | JWT_OAUTH_ENABLE | Enables JWT authentication in Privacera services. | TRUE |
   | JWT_PUBLIC_KEY_FILE_NAME | Name of the public key file copied in step 2 above. | jwttoken.pub |
   | JWT_ISSUER | URL of the identity provider; the value allowed in the `iss` claim. | https://your-idp-domain.com |
   | JWT_SUBJECT | Subject of the JWT (the user). | api-token |
   | JWT_SECRET | If the JWT has been encrypted using a secret, use this property to set that secret. | privacera-api |
   | JWT_USERKEY | Claim that carries the unique user key. | client_id |
   | JWT_GROUPKEY | Claim that carries the unique group key. | scope |
   | JWT_PARSER_TYPE | One of: `PING_IDENTITY` when the scope/group claim is an array; `KEYCLOAKS` when the scope/group claim is a space-separated string. | PING_IDENTITY |

5. Run the update.

   ```bash
   cd ~/privacera/privacera-manager/
   ./privacera-manager.sh update
   ```
JWT for Databricks#
Configure#
To configure JWT for Databricks, do the following:
1. Enable JWT. To enable JWT, refer to the Configuration section above.

2. (Optional) Create a JWT if you do not have one. Skip this step if you already have an existing token.

   To create a token, see JWT and use the following details. For more details, refer to the JWT docs.

   - Algorithm: RS256
   - Payload when JWT_PARSER_TYPE is KEYCLOAKS (scope/group is a space-separated string):

     ```json
     {
       "scope": "jwt:role1 jwt:role2",
       "client_id": "privacera-test-jwt-user",
       "iss": "privacera",
       "exp": <PLEASE_UPDATE>
     }
     ```

   - Payload when JWT_PARSER_TYPE is PING_IDENTITY (scope/group is an array):

     ```json
     {
       "scope": ["jwt:role1", "jwt:role1"],
       "client_id": "privacera-test-jwt-user",
       "iss": "privacera",
       "exp": <PLEASE_UPDATE>
     }
     ```

   - Paste the public/private key in the input box.
   - Copy the generated JWT token.

3. Log in to the Databricks portal and write the JWT to a file on the cluster. The Privacera plugin can then read it and perform access control based on the token user.

   ```python
   %python
   JWT_TOKEN = "<PLEASE_UPDATE>"
   TOKEN_LOCAL_FILE = "/tmp/ptoken.dat"
   # Write the token where the Privacera plugin expects to find it.
   with open(TOKEN_LOCAL_FILE, "w") as f:
       f.write(JWT_TOKEN)
   ```
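To make the property mapping concrete, here is an added Python example (not Privacera code): it verifies a token and then applies JWT_ISSUER, JWT_USERKEY, JWT_GROUPKEY and JWT_PARSER_TYPE to the two payload shapes shown above. To stay dependency-free it checks an HMAC shared secret (the JWT_SECRET case) instead of an RS256 signature against the public key file; the names resolve_identity, make_hs256_token and is_rejected are assumptions for this example, not Privacera APIs.

```python
import base64, hashlib, hmac, json, time

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(payload: dict, secret: str) -> str:
    """Constructed sample token, HMAC-SHA256 signed with the JWT_SECRET value (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def resolve_identity(token, secret, issuer, userkey, groupkey, parser_type, now=None):
    """Verify signature, issuer and expiry, then map claims to (user, groups)."""
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    # Pin the algorithm and check the signature before trusting any claim.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in JWT header")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWT signature does not match JWT_SECRET")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("iss") != issuer:                          # JWT_ISSUER
        raise ValueError(f"issuer {payload.get('iss')!r} is not trusted")
    if "exp" in payload and (time.time() if now is None else now) >= payload["exp"]:
        raise ValueError("JWT has expired")
    user = payload.get(userkey)                               # JWT_USERKEY
    if not user:
        raise ValueError(f"missing user claim {userkey!r}")
    raw = payload.get(groupkey)                               # JWT_GROUPKEY
    if parser_type == "PING_IDENTITY" and isinstance(raw, list):
        groups = [str(g) for g in raw]                        # scope is a JSON array
    elif parser_type == "KEYCLOAKS" and isinstance(raw, str):
        groups = raw.split()                                  # scope is space separated
    else:
        raise ValueError(f"{groupkey!r} does not fit JWT_PARSER_TYPE {parser_type!r}")
    return user, groups

def is_rejected(*args, **kwargs) -> bool:
    """True when resolve_identity refuses the token; handy for quick checks."""
    try:
        resolve_identity(*args, **kwargs)
        return False
    except ValueError:
        return True
```

The user returned is what the audit shows, and the groups are what the plugin passes to the access check, so a wrong JWT_PARSER_TYPE surfaces as a rejected token rather than as silently empty groups.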
Use Case#
Reading files from the cloud using a JWT token:

1. Read the files in the file explorer of your cloud provider from your notebook. Depending on your cloud provider, enter the location of your cloud files in place of `<path-to-your-cloud-files>`.

   ```python
   %python
   spark.read.csv("<path-to-your-cloud-files>").show()
   ```

2. Check the audits. To learn how to check the audits, click here.

   The audit should show the JWT user (privacera-test-jwt-user) that was specified in the payload while creating the JWT.

3. To give permissions on a resource, create a group in Privacera Portal with the same name as the scope in the JWT payload and grant access to that group. It is not necessary to create a user.

   The Privacera plugin extracts the JWT payload and passes the group during the access check. In other words, it takes the user-group mapping from the JWT payload itself, so user-group mapping in Privacera is not required.