Skip to content

Manage Resources List

You can configure the AWS Redshift connector manage access permissions for a subset of databases, schemas, and tables in Redshift. You can also exclude specific resources from access management. The connector supports both an include and exclude list for resources. The connector will manage the access control policies for resources on the include list and ignore those on the exclude list. Resources on the exclude list will not be managed by the connector, regardless of whether they are included in the include list.

The following properties are used to specify comma-separated lists of databases, schemas, and tables whose access control should be managed by PolicySync. If you wish to manage all resources, you can skip specifying these properties. Wildcards (*) are supported to match multiple schemas or tables.

Example:

  • Database: test_db
  • Schema: test_db.schema1, test_db.schema2, test_db.schema_*
  • Table: test_db.schema1.table1, test_db.schema3.table_*

Setup

Warning

  • Values are case-sensitive.
  • Provide fully qualified names for schema and table names.
  • Replace the example values with your actual resource names.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/redshift/instance1/vars.connector.redshift.yml

  3. Set the following properties to enable the connector to manage the permissions for databases, schemas, and tables.

    YAML
    1
2
3
    CONNECTOR_REDSHIFT_MANAGE_DATABASE_LIST: "test_db"
CONNECTOR_REDSHIFT_MANAGE_SCHEMA_LIST: "test_db.schema1"
CONNECTOR_REDSHIFT_MANAGE_TABLE_LIST: "test_db.schema1.table1"

  4. For excluding resources, set the following properties:

    The ignore list takes precedence over the manage list. If a database, schema or table is in both lists, it will be ignored.

    YAML
    1
2
3
    CONNECTOR_REDSHIFT_IGNORE_DATABASE_LIST: "test_db"
CONNECTOR_REDSHIFT_IGNORE_SCHEMA_LIST: "test_db.schema2"
CONNECTOR_REDSHIFT_IGNORE_TABLE_LIST: "test_db.schema3.table2"

  5. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. Navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Redshift application.

  3. Click the edit icon, click on Access Management -> ADVANCED tab.

  4. For including resources, enter the following values in the respective fields:

    • Schemas to set access control policies: test_db.schema1
    • Tables to set access control policies: test_db.schema1.table1

  5. For excluding resources, enter the following values in the respective fields:

    • Databases to ignore while setting access control policies: test_db
    • Schemas to ignore while setting access control policies: test_db.schema2
    • Add New Custom Properties: ranger.policysync.connector.0.ignore.table.list=test_db.schema3.table2

  6. Click Save to apply the changes.

Warning

If you change the settings such that previously managed objects are no longer managed by the connector, their permissions will not be automatically updated. You must manually remove any grants that were previously given to those objects by the connector.

Comments