Setup Tag Sync for Collibra

This section outlines the steps to set up the Collibra connector in Privacera. Ensure that all prerequisites are met before proceeding.

Best practice

Start with a single connection and a test catalog, confirm that tags appear in the expected Ranger tag service, and then expand the mappings to your full set of connections and engines.

Create an Instance of the Collibra Connector

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to navigate to the /config directory.

    Bash
    cd ~/privacera/privacera-manager/config
    

  3. Create a new directory for the Collibra connector configuration.

    Note

    Replace instance1 with a unique name for your connector (use only alphanumeric characters and hyphens).

    Bash
    mkdir -p custom-vars/connectors/collibra/instance1
    
  4. Copy the sample connector configuration file to your custom directory:

    Bash
    cp -n sample-vars/vars.connector.collibra.yml custom-vars/connectors/collibra/instance1/
    

  5. Open the .yml file for editing:

    Bash
    vi custom-vars/connectors/collibra/instance1/vars.connector.collibra.yml
    

Configure Connection Details

Update the following properties in your vars.connector.collibra.yml file:

  1. Specify the Collibra URL, for example https://your-org.collibra.com.
  2. Provide the Collibra username and password used for HTTP Basic authentication. A read-only account is sufficient.
  3. Enable the connector.

Replace the example values below with your actual values.

YAML
CONNECTOR_COLLIBRA_URL: "https://your-org.collibra.com"
CONNECTOR_COLLIBRA_USER: "<collibra-username>"
CONNECTOR_COLLIBRA_PASSWORD: "<collibra-password>"
CONNECTOR_COLLIBRA_ENABLE: "true"

Configure Tag Routing

Tag routing is driven by two mandatory mapping properties. They tell the connector which engine each Collibra connection belongs to, and which Ranger tag service each engine should be pushed to.

  1. connection.to.service.mapping — maps each Collibra connection name to its default engine. Format: connectionName:engine, comma-separated for multiple connections.
  2. ranger.service.mapping — maps each engine to its Ranger tag service. Format: engine:rangerService, comma-separated for multiple engines.

Both mappings are mandatory

Tag sync does not run unless both mapping properties are set. Connection names are matched case-sensitively; engine keys are lowercased.

YAML
# Collibra connection name -> default engine
CONNECTOR_COLLIBRA_CONNECTION_TO_SERVICE_MAPPING: "sbtconnection:trino,snowflakeconnection:snowflake"

# engine -> Ranger tag service
CONNECTOR_COLLIBRA_RANGER_SERVICE_REPO_MAPPING: "hive:privacera_hive,trino:privacera_trino,snowflake:privacera_snowflake"

Example routing:

  • Connection sbtconnection has default engine trino.
  • A catalog named hive under it is auto-routed to the Hive engine → privacera_hive.
  • A catalog named iceberg uses the connection default (Trino) → privacera_trino.

So one Collibra connection can produce tags for two different Ranger tag services in a single run.
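
The routing rules above as a pre-flight check, an added example that is not Privacera's code: it parses both mapping strings, reports engines that have no Ranger tag service, and resolves a (connection, catalog) pair to its tag service. The function names and the override table are hypothetical; the override models only the hive catalog case from the example, and lowercasing the engine on both sides is an assumed reading of the note above.

```python
# Added example (not Privacera code): pre-flight check of the two routing mappings.
# Function names and CATALOG_ENGINE_OVERRIDES are hypothetical.

def parse_mapping(raw, lowercase_keys=False):
    """Parse 'key:value,key:value'; reject malformed or duplicate entries."""
    result = {}
    for entry in filter(None, (e.strip() for e in raw.split(","))):
        key, sep, value = (p.strip() for p in entry.partition(":"))
        if not (sep and key and value):
            raise ValueError(f"malformed entry: {entry!r}")
        key = key.lower() if lowercase_keys else key
        if key in result:
            raise ValueError(f"duplicate key: {key!r}")
        result[key] = value
    return result

# Assumption: only the override shown in the page's example is modelled.
CATALOG_ENGINE_OVERRIDES = {"hive": "hive"}

def load_routing(conn_raw, ranger_raw):
    """Return (connection->engine, engine->service, engines with no Ranger service)."""
    if not conn_raw.strip() or not ranger_raw.strip():
        raise ValueError("both mappings are mandatory; tag sync will not run")
    conn_to_engine = {c: e.lower() for c, e in parse_mapping(conn_raw).items()}
    engine_to_service = parse_mapping(ranger_raw, lowercase_keys=True)
    unmapped = sorted(set(conn_to_engine.values()) - set(engine_to_service))
    return conn_to_engine, engine_to_service, unmapped

def resolve(connection, catalog, conn_to_engine, engine_to_service):
    """Ranger tag service for a (connection, catalog) pair, or None if unrouted."""
    default_engine = conn_to_engine.get(connection)  # case-sensitive match
    if default_engine is None:
        return None
    engine = CATALOG_ENGINE_OVERRIDES.get(catalog, default_engine)
    return engine_to_service.get(engine)

# Mapping values copied from the YAML above.
CONN_RAW = "sbtconnection:trino,snowflakeconnection:snowflake"
RANGER_RAW = "hive:privacera_hive,trino:privacera_trino,snowflake:privacera_snowflake"

if __name__ == "__main__":
    c2e, e2s, unmapped = load_routing(CONN_RAW, RANGER_RAW)
    print("engines without a Ranger tag service:", unmapped)
    for conn, cat in [("sbtconnection", "hive"), ("sbtconnection", "iceberg"),
                      ("SBTConnection", "iceberg")]:  # constructed test pairs
        print(conn, cat, "->", resolve(conn, cat, c2e, e2s))
```

A non-empty unmapped list or a None result means tags for that connection would not reach a Ranger tag service, so tag-based policies would have nothing to match.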

Apply the Configuration

After completing the configuration, start the connector by running the following steps:

Step 1 - Run setup, which generates the Helm charts. This step usually takes a few minutes.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager Helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

Step 3 - (Optional) Run the post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Once the connector starts, it runs an initial tag sync (when tag.sync.at.restart.enable is true) and then repeats on the configured interval. To confirm tags are flowing, check the Troubleshooting page for the log lines to look for, and verify the tags appear in the target Ranger tag service.

Next: enforce the tags

After the tags are synced to Ranger, create tag-based policies in Privacera and ensure the corresponding access connectors (Hive, Trino, Snowflake, etc.) are configured to enforce them.