
Users, Groups, and Roles Management

Privacera's Dremio connector provides the ability to control which users, groups, and roles are managed within Dremio. This is achieved by explicitly specifying which entities should be included or excluded from management by the connector.

This section outlines how to configure these settings to manage users, groups, and roles according to your requirements.

Managing Users, Groups, and Roles

These properties control whether users, groups, and roles fetched from Ranger are managed in Dremio. When enabled, Privacera can create, update, and delete these entities within Dremio based on the data retrieved from Ranger.

  • Manage Users, Groups, and Roles:
    Specifies whether the Privacera Dremio connector should manage users, groups, and roles in Dremio.

    • When enabled (true), the connector automatically manages the creation, update, and deletion of principals.
    • It also grants and revokes privileges based on policies retrieved from Ranger.
    • This setting is enabled by default to support automated access and identity management.
  • Filter Specific Users, Groups, and Roles:
    Use these properties to selectively manage specific identities—users, groups, and roles—in Dremio.

    • Provide a comma-separated list of exact names or wildcard prefixes (e.g., group_prefix*, role_prefix*) to target specific principals.
    • To manage all principals, leave the property empty or set it to *.
    These filter properties only apply if general management is enabled:
    • Self Managed (Portal Configuration) deployments:

      • Enable the following in Access Management → ADVANCED tab of the Dremio application:
        • Manage users from portal
        • Manage groups from portal
        • Manage roles from portal
    • Self Managed (YAML Configuration) deployments:

      • CONNECTOR_DREMIO_MANAGE_USERS
      • CONNECTOR_DREMIO_MANAGE_GROUPS
      • CONNECTOR_DREMIO_MANAGE_ROLES
  • Ignore Specific Identities:

    • Use this property to exclude specific users, groups, or roles from being managed by the Privacera Dremio connector.
    • Ignored identities take precedence over any included or managed identities.
  • User Filtering Based on Groups or Roles:

    • This option allows you to restrict which users are managed by the connector based on their group or role membership.
    • Only users who belong to the specified groups or roles will be considered for management.
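A model of the include/ignore evaluation described above, added here as an illustration and not taken from the connector's code. It assumes case-sensitive matching and whitespace trimming around commas; the helper names are hypothetical, and the two list values are the sample group values this page uses.

```python
def parse_list(value):
    # Comma-separated entries; whitespace around entries is trimmed (assumption).
    return [e.strip() for e in value.split(",") if e.strip()]

def matches(name, pattern):
    # Exact name, or a wildcard prefix such as "group_prefix*"; "*" alone matches all.
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def is_managed(name, manage_list, ignore_list):
    # Ignored identities take precedence over included ones.
    if any(matches(name, p) for p in parse_list(ignore_list)):
        return False
    include = parse_list(manage_list)
    # An empty include list means "manage all principals".
    return not include or any(matches(name, p) for p in include)

def shadowed_entries(manage_list, ignore_list):
    # Include entries that can never take effect because an ignore entry
    # covers every name they could match.
    dead = []
    for p in parse_list(manage_list):
        for q in parse_list(ignore_list):
            if q == p or (q.endswith("*") and p.rstrip("*").startswith(q[:-1])):
                dead.append(p)
                break
    return dead

# Sample values as they appear in this page's group properties.
MANAGE_GROUP_LIST = "group1, group2, group_prefix*"
IGNORE_GROUP_LIST = "group_a, group_b, group_prefix*"

if __name__ == "__main__":
    # Constructed group names for the dry run.
    for g in ["group1", "group3", "group_a", "group_prefix_finance"]:
        print(g, is_managed(g, MANAGE_GROUP_LIST, IGNORE_GROUP_LIST))
    print("shadowed:", shadowed_entries(MANAGE_GROUP_LIST, IGNORE_GROUP_LIST))
```

Running a dry evaluation like this against the real principal names before deployment shows which entities the connector would be allowed to create, update, or delete, and flags include entries that an ignore entry silently overrides.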
  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/dremio/instance1/vars.connector.dremio.yml
    
  3. Set the following properties:

    YAML
    CONNECTOR_DREMIO_MANAGE_USERS: "true"
    CONNECTOR_DREMIO_MANAGE_GROUPS: "true"
    CONNECTOR_DREMIO_MANAGE_ROLES: "true"
    

  4. If you want to manage only specific users, groups, and roles, specify them in the corresponding properties below.

    YAML
    CONNECTOR_DREMIO_MANAGE_USER_LIST: "user1, user2"
    CONNECTOR_DREMIO_MANAGE_GROUP_LIST: "group1, group2, group_prefix*"
    CONNECTOR_DREMIO_MANAGE_ROLE_LIST: "role1, role2, role_prefix*"
    

  5. To exclude specific users, groups, and roles from being managed in Dremio, set the following properties:

    YAML
    CONNECTOR_DREMIO_IGNORE_USER_LIST: "user_a, user_b"
    CONNECTOR_DREMIO_IGNORE_GROUP_LIST: "group_a, group_b, group_prefix*"
    CONNECTOR_DREMIO_IGNORE_ROLE_LIST: "role_a, role_b, role_prefix*"
    

  6. You can configure the connector to manage Dremio group and role members by enabling the following properties:

    YAML
    CONNECTOR_DREMIO_MANAGE_GROUP_MEMBERS: "true"
    CONNECTOR_DREMIO_MANAGE_ROLE_MEMBERS: "true"
    

  7. To further filter users based on the groups and roles they belong to, use the following properties:

    YAML
    # Enable to manage only users belonging to the specified groups in the managed groups list.
    CONNECTOR_DREMIO_MANAGE_USER_FILTERBY_GROUP: "false"
    
    # Enable to manage only users belonging to the specified roles in the managed roles list.
    CONNECTOR_DREMIO_MANAGE_USER_FILTERBY_ROLE: "false"
    

  8. Once the properties are configured,

Name Replacement for Users, Groups, and Roles

Replace Name from Regex

  • This property allows you to find and replace specific characters in user, group, or role names using a regular expression (regex). If left blank, no replacement is performed.
  • Default value:
    Text Only
    [~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]
    
    This regex matches special characters such as spaces, punctuation, and symbols, ensuring that user, group, and role names comply with Dremio naming conventions.
  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/dremio/instance1/vars.connector.dremio.yml
    
  3. Set the following properties:

    YAML
    CONNECTOR_DREMIO_USER_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
    CONNECTOR_DREMIO_GROUP_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
    CONNECTOR_DREMIO_ROLE_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Run setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Run the post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    

Replace to String

This property specifies the replacement string for regex matches. If left blank, no find-and-replace operation is performed.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/dremio/instance1/vars.connector.dremio.yml
    
  3. Set the following properties:

    YAML
    CONNECTOR_DREMIO_USER_NAME_REPLACE_TO_STRING: "_"
    CONNECTOR_DREMIO_GROUP_NAME_REPLACE_TO_STRING: "_"
    CONNECTOR_DREMIO_ROLE_NAME_REPLACE_TO_STRING: "_"
    

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Run setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Run the post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
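
A pre-deployment check for the name replacement configured above, added here as an example and not part of the connector: it applies the default regex and the `_` replacement to a constructed list of names and reports distinct source names that become identical afterwards. It assumes every match is replaced; the function names are hypothetical, and the page does not say how the connector treats such a pair.

```python
import re
from collections import defaultdict

# Default regex from this page, after YAML double-quote unescaping ("\\s" -> "\s").
DEFAULT_REGEX = r"[~`$&+:;=?@#|'<>.\s^*()_%\[\]!\-\/\\{}]"

def dremio_name(name, replace_from=DEFAULT_REGEX, replace_to="_"):
    # A blank regex or blank replacement string means no find-and-replace.
    if not replace_from or not replace_to:
        return name
    # Assumption: every match is replaced, as with a replace-all call.
    return re.sub(replace_from, replace_to, name)

def find_collisions(names, replace_from=DEFAULT_REGEX, replace_to="_"):
    """Return {mapped_name: [source names]} where two or more distinct sources collide."""
    buckets = defaultdict(set)
    for n in names:
        buckets[dremio_name(n, replace_from, replace_to)].add(n)
    return {k: sorted(v) for k, v in buckets.items() if len(v) > 1}

# Constructed sample of source-side user names.
SAMPLE_USERS = ["john.doe", "john-doe", "john_doe", "alice@example.com",
                "alice.example.com", "svc etl", "bob"]

if __name__ == "__main__":
    for mapped, sources in find_collisions(SAMPLE_USERS).items():
        print(f"{mapped!r} <- {sources}")
```

Any non-empty result means two separately governed identities would share one name on the Dremio side, so resolve it with a narrower regex, a different replacement string, or an ignore-list entry before enabling management.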
    
