Skip to content

Setup Access Management for AWS Redshift

This section outlines the steps to set up the AWS Redshift Connector in Privacera. Ensure that all prerequisites are met before proceeding.

Create Instance of AWS Redshift Connector

  1. SSH to the instance where Privacera Manger is installed.

  2. Run the following command to navigate to the /config directory.

    Bash
    1
    cd ~/privacera/privacera-manager/config

  3. Create a new directory for the AWS Redshift connector configuration.

    Note

    In the example below, instance1 is the name of the connector instance. You can change this name to uniquely identify your installed connector configuration. The connector instance name should consist of only hyphens and alphanumeric characters.

    Bash
    1
    mkdir -p custom-vars/connectors/redshift/instance1

  4. Copy the sample connector configuration file to your custom directory:

    Bash
    1
    cp -n sample-vars/vars.connector.redshift.yml custom-vars/connectors/redshift/instance1/

  5. Run the following command to open the .yml file to be edited:

    Bash
    1
    vi custom-vars/connectors/redshift/instance1/vars.connector.redshift.yml

  1. In PrivaceraCloud, navigate to Settings -> Applications.

  2. On the Applications screen, select Redshift application under Available connections.

  3. Enter the application Name and Description. Click Save. Name could be any name of your choice. Example, AWS Redshift Account 123456.

  4. Open the Redshift application.

  5. Enable the Access Management option with toggle button.

JDBC Connection Details

  1. Specify the JDBC URL of the Redshift cluster, without the database name at the end.
  2. Provide the JDBC username and password for the Redshift user with admin privileges which will be used by the connector.
  3. Specify the default database name for your Redshift cluster.

Replace the below example values with your actual values.

JDBC Password and Vault

The JDBC password should be stored in the Privacera Vault, and the variable commented out.

YAML
1
2
3
4
CONNECTOR_REDSHIFT_JDBC_URL: "jdbc:redshift://<redshift-cluster-name>.<region>.redshift.amazonaws.com:<port>"
CONNECTOR_REDSHIFT_JDBC_DB: "analytics_db"
CONNECTOR_REDSHIFT_JDBC_USERNAME: "privacera_user"
#CONNECTOR_REDSHIFT_JDBC_PASSWORD: "" # Stored in vault

Enter these fields under the BASIC tab:

  • Redshift JDBC URL : jdbc:redshift://<redshift-cluster-name>.<region>.redshift.amazonaws.com:<port>
  • Redshift JDBC username : privacera_user
  • Redshift JDBC password : Enter the password for the Redshift user.
  • Redshift default Database: analytics_db
  • Default password for new redshift user: Set a strong password which will be used as the default password for a new Redshift user. This is a mandatory field. It is used when the feature to provision users through the connector is enabled.

Managed Database Objects

Set these properties to enable access permission management for a subset of schemas:

  1. Enter the database name where you want to manage the access permissions. This can be a comma-separated list of database names.
  2. Enter a comma-separated list of schema names that you want to manage. The format is <db>.<schema>. You can use wildcards in the name.

Replace the below example values with your actual values.

YAML
1
2
CONNECTOR_REDSHIFT_MANAGE_DATABASE_LIST: "analytics_db"
CONNECTOR_REDSHIFT_MANAGE_SCHEMA_LIST: "analytics_db.privacera_test_schema"

Under the BASIC tab, enter the values for:

  • Databases to set access control polices : analytics_db

Under the ADVANCED tab, enter the values for:

  • Schemas to set access control polices : analytics_db.privacera_test_schema

Managed Users and Groups

Set these properties to enable access permission management for a subset of users and groups from Privacera. These users are expected to be in Redshift. The groups refer to Privacera groups.

  1. Enter a comma-separated list of usernames that you want to manage. You can use wildcards in the name.
  2. Enter a comma-separated list of group names that you want to manage. You can use patterns as well.

Replace the below example values with your actual values.

YAML
1
2
CONNECTOR_REDSHIFT_MANAGE_USER_LIST: "privacera_user1,privacera_user2,redshift_*"
CONNECTOR_REDSHIFT_MANAGE_GROUP_LIST: "privacera_group1,privacera_group2,redshift_group_*"

Under the ADVANCED tab, enter the values for:

  • Users to set access control policies : privacera_user1,privacera_user2,redshift_*

  • Groups to set access control policies : privacera_group1,privacera_group2,redshift_group_*

Enable the Connector

Set these properties to enable the Privacera Connector to manage the access permissions in AWS Redshift.

YAML
1
2
3
4
5
6
7
8
9
CONNECTOR_REDSHIFT_MANAGE_ENTITIES: "true"

CONNECTOR_REDSHIFT_CREATE_USER: "false"
CONNECTOR_REDSHIFT_CREATE_USER_ROLE: "true"

CONNECTOR_REDSHIFT_GRANT_UPDATES: "true"
CONNECTOR_REDSHIFT_ENABLE: "true"

CONNECTOR_REDSHIFT_AUDIT_ENABLE: "true"

Under the BASIC tab, enter the values for:

  • Enable policy enforcements and user/group/role management : Enable this option

  • Enable access audits : Enable this option

Under the ADVANCED tab, enter the values for:

  • Create users in redshift by privacera : Disable this option

  • Create user roles in redshift by privacera : Enable this option

  • Manage users from portal : Enable this option

  • Manage groups from portal : Enable this option

  • Manage roles from portal : Enable this option

Apply the Configuration

After all the changes are done you can start the connector by running the following instructions:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1
2
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.

Bash
1
2
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. Once all the required fields are filled, click Save.

  2. The configured AWS Redshift connector appears under Connected Applications.

  3. Once saved and enabled, the AWS Redshift connector will start. Then you can hover on the VIEW LOGS button to check the status, either Running or Stopped.

  4. Perform the following steps to restart the AWS Redshift connector application:

    1. Go to SettingsApplications → select the Redshift connector application .

    2. Edit the application by disabling the Access Management option with toggle button and then Save it.

    3. Open the same application again and then enable the Access Management option with toggle button and then Save it.

Comments