Skip to content

Advanced Configuration

Multiple instances of connector

Goal

You have multiple Redshift clusters for which you want to manage access permissions using Privacera Connector for AWS Redshift. Examples of such scenarios are:

  • Redshift cluster per department
  • Redshift cluster per environment (dev, test, prod)

The database objects would be different in these clusters, and you need to create different policies for each cluster.

In this case, you will need to create an instance of the connector per Redshift cluster in Privacera Manager. And you will need to create a Resource policy Service for each instance of the connector in Privacera portal.

Prerequisites

  • You have installed Privacera Manager and have the base installation working. Preferably you have configured the connector for one Redshift cluster.
  • You have to come up with a name for your new instance of the connector.
  • You have all the prerequisites for your new instance of the connector as per the prerequisites.

Steps

Resource Policy Service instance

Create a new Resource Policy service instance in the REDSHIFT service repo in the Portal. The same steps apply for PrivaceraCloud and Self Managed and Data Plane.

  1. Navigate to the Access Management -> Resource Policies page in the Privacera portal.
  2. In the REDSHIFT tile, click on the three-dot icon and select Add Service. Enter the following fields:
    1. Service Name: Enter a unique name for the new instance of the connector. For example, privacera_redshift_instance2.
    2. Display Name: You can use a display name that helps you identify the instance. For example, Redshift Instance 2.
    3. Description: Enter a description for the new instance.
    4. Active Status: Toggle it to On state.
    5. Select Tag Service: Select privacera_tag or your tag service, if you have configured a different tag service.
  3. Click on the Save button.

New Connector instance

  • Configure the new connector in Privacera Manager

    1. SSH to the instance where Privacera Manager is installed.
    2. Copy and edit the sample vars file to configure the AWS Redshift connector for the new instance. Assuming you already have an instance named instance1, we are going to create an instance named instance2. You can name it as per your choice.
      Bash
      1
      2
      3
      4
      5
      6
      7
      8
      cd ~/privacera/privacera-manager/config
      mkdir -p custom-vars/connectors/redshift/instance2
      
      cp -n sample-vars/vars.connector.redshift.yml \
         custom-vars/connectors/redshift/instance2/
      
      vi \
      custom-vars/connectors/redshift/instance2/vars.connector.redshift.yml
      
    3. Add or modify this variable in the YAML file:
      YAML
      CONNECTOR_REDSHIFT_RANGER_SERVICE_NAME: "privacera_redshift_instance2"
      
      Continue to modify other variables as needed. Refer to the setup guide for more details.
  1. Log in to your account in PrivaceraCloud portal using your credentials.
  2. Go to the Settings -> Applications tab.
  3. Click on the Redshift icon in the Connected Applications section.
  4. Click on the CONNECT NEW APPLICATION button.

Filter database, schema, and tables from access management

Goal

  1. You want to manage access permissions for a specific database, schema and table in Redshift.
  2. You want to exclude specific database, schema and table from access management in Redshift.
  3. You want to manage access permissions for all schemas and tables in Redshift.

Prerequisites

  1. You have installed Privacera Manager and have the base installation working.
  2. You have configured the connector for Redshift or are planning to do so
  3. If you have a multiple connectors configured for Redshift, then you need to know which connector you want to modify

Steps

Warning

All the values shown below are for example purpose. You should replace them with your actual values.

Modify the following properties in the vars.connector.redshift.yml file in the instance directory of the connector.

YAML
1
2
3
4
5
6
7
CONNECTOR_REDSHIFT_MANAGE_DATABASE_LIST: "analytics_db"
CONNECTOR_REDSHIFT_MANAGE_SCHEMA_LIST: "analytics_db.schema1, analytics_db.schema2, analytics_db.finance_*"
CONNECTOR_REDSHIFT_MANAGE_TABLE_LIST: "analytics_db.schema1.customer_table, analytics_db.schema3.finance_*"

CONNECTOR_REDSHIFT_IGNORE_DATABASE_LIST: "test_db"
CONNECTOR_REDSHIFT_IGNORE_SCHEMA_LIST: "test_db.confidential_*, test_db.sandbox_*"
CONNECTOR_REDSHIFT_IGNORE_TABLE_LIST: "*.*.test_*"

On BASIC tab, modify the values in these fields:

  • Databases to set access control policies: analytics_db

On ADVANCED tab, modify the values in these fields:

  • Schemas to set access control policies: analytics_db.schema1, analytics_db.schema2, analytics_db.finance_*

  • Tables to set access control policies: analytics_db.schema1.customer_table, analytics_db.schema3.finance_*

  • Databases to ignore while setting access control policies: test_db

  • Schemas to ignore while setting access control policies: test_db.confidential_*, test_db.sandbox_*

  • Add New Custom Properties: ignore.table.list: "*.*.test_*"

The MANAGE list will include the objects to be managed by the connector while the IGNORE list will exclude the objects. These are the rules for the values you can set:

  1. You can provide a comma-separated list of database, schema, and table names.
  2. You can use * as a wildcard character.
  3. For schema, the format is <db>.<schema>.
  4. For table, the format is <db>.<schema>.<table>.
  5. The ignore list has a precedence over the manage list. If a database, schema or table is in both lists, it will be ignored.
  6. These are case sensitive
  7. If you set a MANAGE list value to empty then it will manage all the objects of that type. You can use this to manage all objects in a database.

Additional Information

Warning

If you change the settings such that objects that were managed previously are no longer managed by the connector then the permissions on those objects are not changed. You will have to manually remove any grants that were given to those objects by the connector.

Filtering Privacera user, group, and role names

Goal

You want to manage access permissions for a specific set of Privacera users, groups, and roles in your Redshift cluster.

Prerequisites

  1. You have installed Privacera Manager and have the base installation working.
  2. You have configured the connector for Redshift or are planning to do so
  3. If you have a multiple connectors configured for Redshift, then you need to know which connector you want to modify

Steps

Warning

All the values shown below are for example purpose. You should replace them with your actual values.

Modify the following properties in the vars.connector.redshift.yml file in the instance directory of the connector.

YAML
1
2
3
4
5
6
7
CONNECTOR_REDSHIFT_MANAGE_USER_LIST: "privacera_user1, privacera_user2, redshift_*"
CONNECTOR_REDSHIFT_MANAGE_GROUP_LIST: "privacera_group1, privacera_test_group_*"
CONNECTOR_REDSHIFT_MANAGE_ROLE_LIST: "privacera_role1, privacera_test_role_*"

CONNECTOR_REDSHIFT_IGNORE_USER_LIST: "test_user1"
CONNECTOR_REDSHIFT_IGNORE_GROUP_LIST: "test_group1"
CONNECTOR_REDSHIFT_IGNORE_ROLE_LIST: "test_role1"

On BASIC tab, modify the values in these fields:

  • Users to set access control policies: privacera_user1, privacera_user2, redshift_*
  • Groups to set access control policies: privacera_group1, privacera_test_group_*
  • Roles to set access control policies: privacera_role1, privacera_test_role_*
  • Users to ignore while setting access control policies: test_user1
  • Groups to ignore while setting access control policies: test_group1
  • Roles to ignore while setting access control policies: test_role1

You can set the MANAGE list to include user, group or role from Privacera to be managed by the connector. The IGNORE list will exclude the user, group or role from being managed by the connector. These are the rules for the values you can set:

  1. You can provide a comma-separated list of user, group, and role names.
  2. You can use * as a wildcard character.
  3. The ignore list has a precedence over the manage list. If a user, group or role is in both lists, it will be ignored.
  4. If you want to manage all users then you can skip specifying these properties.

Additional Information

  • Use of Redshift public group

Managing users in redshift

  • user, group, role;
  • filter by managed group and role;
  • replacing special characters in user names;
  • prefix of redshift roles

Sync intervals

Object ownership

Redshift Spectrum

Redshift Spectrum limitations

Comments